In watching recent traffic generated by my Exchange Server 2019 Version 15.2 (Build 858.5). I see this as a newer traffic since updating with the latest "patches" from earlier this month (March 2021). According to healthchecker.ps1 and every other scan I can get my hands on, I don't have a "nasty" in my network. Specifically usually a TCP connection attempt to various ports to the AD Servers in the organization from the E2019 VM. This is the script that is running. The only change I see is the hexadecimal number changes after .\pipe\iisipm c:\windows\system32\inetsrv\w3wp.exe () -ap "msexchangepowershellapppool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \.\pipe\iisipm2102ad39-516e-4a5c-a934-228a22f08eb5 () -h "C:\inetpub\temp\apppools\MSExchangePowerShellAppPool\MSExchangePowerShellAppPool.config" -w "" -m 0 Does anyone know if this is normal behavior? I am currently block the process through our internal behavior monitoring software.