LUNA attack pattern and malware observations

LUNA Ransomware, which Elastic tracks as REF5264, is a Rust-based ransomware first identified by Kaspersky in their report introducing it in July 2022. Rust as a programming language is known in the developer community for being simpler to implement cross-platform software to work on various target operating systems. It’s able to do this through a convenient cluster of tools that abstract away some operating system peculiarities, likely allowing the malware author to focus more on core functionality.
From the Kaspersky report we were able to collect two LUNA Ransomware samples: (1) a Linux ELF binary, and (2) a Windows PE executable.
This research covers:
- Execution and behavior of each sample
- Description of the encryption mechanism
- Comparison across our samples
- Comparison to other ransomware
- Detection opportunities
Our Linux sample required an argument to execute. The options were -file [file] to encrypt a single file, or -dir [directory] to walk and encrypt the contents of a specified directory and drop a ransom note. If executed with no arguments, Linux LUNA returns a help page with instructions to use one of the two available arguments. If executed with both the -file and -dir arguments (including multiple files or directories), all arguments are used.

There are no functional protections against encrypting system directories or files. We were able to demonstrate this through encryption of /etc. The execution loop continued as expected until it encrypted the shadow and sudoers files and the process was unable to verify privileges for further file access. The test machine then became unresponsive and required reverting to a prior snapshot. Encryption of these critical system files prevents further encrypting of privileged files and directories the malware attempts to access.


All encrypted files are appended with a .Luna extension, i.e. /etc/passwd.Luna. If using the -dir flag, a readme-Luna.txt ransom note will be created at the root of each encrypted directory as well as subdirectories such as /etc/readme-Luna.txt and /etc/ssl\readme-Luna.txt. While there are no ransomware notes dropped when encrypting an individual file using the -file flag, the encrypted file is still appended with the .Luna extension.
You may notice the backslash instead of a forward slash in the above full path /etc/ssl\readme-Luna.txt. This is an interesting artifact of LUNA hardcoding a \ to append to subdirectories when building the full path for the ransom note. This behavior is expected and would go unnoticed in a Windows environment, but drew our attention when we saw it in Linux. It does not appear to hinder functionality.

The ransom note is embedded in the binary in a Base64 format and placed in the root of the targeted directories.

The ransom note contains grammatical and spelling errors, listing two ProtonMail email addresses. ProtonMail is an end-to-end encrypted email service based in Switzerland. ProtonMail is popular with privacy-minded individuals and organizations because it uses client-side encryption to protect email content and user data before they are sent to ProtonMail servers.
The phrase “All your files were moved to secure storage” may be either a translation error for “encrypted” or an attempt to trick the victim into believing their data has been encrypted and stolen to later be used for extortion. This could also refer to some operation that is to occur before encryption takes place. There is no network connectivity aspect of this malware.
There is a threat of extortion with the phrase “we can show your real face”, but no extortion site has been observed as other extortion activity groups, like CUBA Ransomware, have used.
Our Linux LUNA sample includes functional but largely unnecessary exclusions leftover from the Windows implementation. These checks are performed in the -dir execution flow before a file is sent to the add_file function for encryption. As an example, see the .ini, .exe, .dll, and .lnk extensions and OpenServer, Windows, Program Files, Recycle.Bin, ProgramData, AppData, and the All Users directories below. Of note, while the .Luna extension is included in the vestigial exclusions, it is present in both Windows and Linux.


File Extension Exclusions | Folder Exclusions |
.Luna .ini .exe .dll .lnk | OpenServer Windows Program Files Recycle.Bin ProgramData AppData All users |
Linux LUNA checks for Windows file extensions and folders and will not encrypt files with the specified extensions on a Linux victim.


The check for the .Luna extension is useful in that it prevents re-encrypting an already encrypted file.
The Windows sample we found was a more full-featured product that included much of the functionality present in other mature ransomware families. It still includes the -dir and -file flags, but now if the malware is run without arguments, the Windows LUNA will perform some preliminary defense evasion, file protection preparation, and enumeration measures before entering the -dir execution loop. Additionally within the -dir execution flow Windows LUNA file and directory exclusions are functional and serve to protect critical system processes from being corrupted by encryption. This is different from what was observed with the Linux LUNA implementation which does not exclude sensitive OS directories or files that can impact system stability.


LUNA uses service and process termination to de-conflict any files locked by other programs to successfully encrypt them along with disabling security products that may prevent ransomware execution. It does this by leveraging a built-in Rust process builder (std::sys::windows::process::Command::new) to call three new processes with their own pre-defined command-line arguments.
- Service Control
- Net
- TaskKill
Service Control is a Windows utility used to modify services’ entries in the registry and in the Service Control Manager database. In this case, it’s used to ensure a service that is stopped cannot be restarted and interrupt malware execution.

- "C:\WINDOWS\system32\sc.exe" config [service] start=disabled
- "C:\WINDOWS\system32\sc.exe": Service Control executable
- config [service]: Specifies the service (as an example, WinDefend) that will be modified
- start=disabled: Sets the start type of the service to “disabled”
LUNA does not check that a service exists before issuing the service disable command. So it will commonly get 1060 errors to the console indicating that sc.exe attempted to modify a service that does not exist.

Our LUNA sample attempts to disable 253 different services. See the Appendix: Windows Services Termination List for the complete list.
Net (net.exe) is a Windows utility used in command-line operations for the control of users, groups, services, and network connections. In this case, it is used to stop the running services that have already been prevented from restarting by sc.exe.

- "C:\WINDOWS\system32\net.exe" stop [service] /y
- "C:\WINDOWS\system32\net.exe": Net executable
- stop [service]: Specifies the name of the service (as an example, WinDefend) that will be stopped
- /y: Carries out the command without first prompting to confirm actions
Again there are no checks that the service is actually running on the victim machine. For Net, this manifests as 2185 errors printing to the console for each attempt to stop a nonexistent service.

TaskKill (taskkill.exe) is a Windows utility used to end a task or process by the process ID or image name. LUNA uses TaskKill to terminate processes by name that could interfere with the malware’s operation by maintaining file access locks on files targeted for encryption.

- "C:\WINDOWS\system32\taskkill.exe" /im [process name] /f
- "C:\WINDOWS\system32\taskkill.exe": TaskKill executable
- /im [process name]: Specifies the name of the process (as an example, msmpeng.exe) that will be terminated
- /f: Specifies that processes be forcefully ended
Once again, there are no checks that the process is actually running. TaskKill produces “process not found” errors printed to the console for attempts to kill non-existent processes.

Our sample contained a hardcoded list of 997 processes to kill. See the Appendix: Windows Process Termination List for the complete list.
Next, Windows LUNA executed with no arguments uses a function called get_all_drives to brute-force the enumeration of all the available drives by going through the English alphabet and verifying if the drives are mapped to the machine using Rust library std::fs::read_dir. If the volume exists, it will be flagged for encryption at a later stage.

All volumes identified are then passed to LUNA’s walk_dir function that will drop ransom notes, enumerate subdirectories, and encrypt files similar to the Linux version with the exact same ransomware note.

Unlike the Linux version, however, the Windows LUNA file and folder exclusions are respected to prevent making the targeted machine inoperable or inadvertently stopping encryption prematurely.
File Extension Exclusions | Folder Exclusions |
.Luna .ini .exe .dll .lnk | OpenServer Windows Program Files Recycle.Bin ProgramData AppData All users |
We compared these exclusions with those from our CUBA Ransomware Malware Analysis report. LUNA did not include the file extensions .sys or .vbm, both identified in the CUBA analysis. Also, LUNA excludes all of the \Program Files, \ProgramData, and \AppData directories and subdirectories, which CUBA encrypts - or has narrower exclusions to subfolders. This seems like an overly broad exclusion methodology as it misses some valuable data that would be disruptive if encrypted.

Within the add_file function, each time LUNA encounters a new file to encrypt, the malware will generate its own public/private key pair associated with that file. It does this by using the open source library x25519-dalek x25519 elliptic curve Diffie-Hellman key exchange with RngCore::fill_bytes random number generator used for entropy, which is built into Rust.

Elliptic curve (ECC) key generation offers several performance improvements over RSA for equivalent key size. Generally, for a given key size ECC offers greater cryptographic strength and is faster to derive a public key from a private key. This speed improvement helps when a new key pair is generated for every file to be encrypted on a victim machine.
At this point, there are two sets of public/private keys: the authors and the malware’s.
LUNA will then use the malware-generated private key and the author’s embedded public key to derive an AES key.

Files can then be encrypted by chunk with AES in the counter (CTR) mode and an initialization vector (IV). The hardcoded IV is the string “Luna” padded with zeros to be 16 bytes long as required by the AES-CTR cipher algorithm.

Initialization vectors are broadly used in cryptography to provide input to initialize the state of the cipher algorithm before the plaintext is encrypted. In most other contexts it is randomized and shared with the public key. This randomization provides a similar function to salt for hashed passwords.
Using the std::io::Seek trait, Rust is able to abstract the OS appropriate seek, ie lseek for Linux. The malware uses this function to read data from the target file, encrypt it, and write it back to the original file.
LUNA first overwrites the original file with the encrypted content, then appends the malware’s public key created for that file and the string “Luna” as a file marker. The extension .Luna is then added to the filename.


At this point, the AES and malware’s private keys are no longer needed and must be destroyed so only the author’s private key can be used for decryption.
LUNA then moves to the next file and starts again.
In order to decrypt a file encrypted with this method we need the AES key and the IV. The IV is hardcoded into the malware and already known, however, the AES key is discarded once the file is encrypted. The AES key was initially generated using the malware’s private key and the author’s public key, but the malware’s private key has also been discarded.
While we also have the malware’s public key in the encrypted file itself, the author’s private key is required, in combination with the malware's public key, to derive the AES key. The AES key in combination with the hardcoded IV can then be used to decrypt each encrypted chunk.

Below you can see a graphic outlining the encryption and decryption process of the LUNA ransomware.

Like many ransomware families, LUNA encrypts files differently based on size. This serves to enhance performance and allows the ransomware to make a larger volume of data unusable in a shorter period of time.
If the file is smaller than 320 kB the entire contents of the file are encrypted using the above-described method. If the file size is between 320 kB and approximately 3 MB then only the first 320 kB will be encrypted. For files larger than approximately 3 MB LUNA will encrypt 320 kB chunks deriving the space between chunks by a byte value calculated at run-time based on the file size.
If you're interested in trying this out yourself to see the encryption/decryption process in action, check out Elastic's Malware Analysis and Reverse Engineering (MARE) team's Python POC in the LUNA Encryption POC Appendix. This script illustrates the implementation of the LUNA encryption/decryption mechanism.

The samples were nearly identical in their core functionality of the -dir and -file execution paths, the encryption mechanisms utilized, and hard-coded values. Hardcoded value similarities include:
- Extension exclusion values
- Folder exclusion values
- Initialization vector
- Author’s public key
- Ransomware note
The most obvious difference between the two LUNA samples we looked at is the enhanced functionality of the Windows PE sample when provided no arguments and the adherence to the extension and folder exclusions for Windows.
There are many differences between the two OS packages; it is probably more convenient to provide a single decryption tool for all endpoints ransomed, irrespective of the OS. A uniform encryption and decryption framework could indicate that the LUNA ransomware is used in a Ransomware-as-a-Service implementation or that LUNA is provided as a kit that can be tailored to specific campaigns.
These differences and similarities lead us to the following assessments of these samples:
- The Windows sample is much more mature than the Linux sample as reflected in the drive enumeration, services disable/stop, process termination, and exclusions employed to enable the malware to be deployed broadly with little detailed knowledge of the victim machines.
- The Linux sample contains vestigial Windows features. The exclusions could be modified to fit some specific Linux distributions, but it could be a challenge to create one list that has broad coverage in the diverse Linux ecosystem.
- The service disable/stop and process terminate lists are very large when compared to other mature ransomware samples. While it does not impede the encryption function of the malware, it generates a tremendous amount of noise that could alert defenders. Calling sc config [service] start=disabled and net stop 253 times for many services that do not exist, or taskkill /im 997 times for processes that do not exist provides an excellent opportunity to interdict ransomware execution before encryption begins. This would be much quieter with prior service and process enumeration, as is common with other ransomware campaigns.
- The Linux sample did not include the safeguards built into the Windows variant. This caused the Linux sample to encrypt files needed to validate entitlements to system files, such as the sudoers and passwd files. Possibilities, why the Linux sample did not include safeguards :
- the malware authors did not have a firm enough understanding of Linux system files and directories to know what should be excluded;
- a time constraint prevented the completion of a mature Linux sample;
- a lack of widely available ransomware exclusions lists for Linux;
- inclusion of a Linux sample was opportunistic because the sample was developed in Rust, which is cross-platform; or
- Linux capabilities were included as a “selling point” for a Ransomware-as-a-Service offering
Using the MITRE ATT&CK® framework, tactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.
Techniques and Sub techniques represent how an adversary achieves a tactical goal by performing an action.
Observed techniques/sub techniques:
For LUNA Windows and Linux variants, the YARA rule below detects strings embedded in the malware and byte sequences related to core functionality.
rule Multi_Ransomware_LUNA {
meta:
Author = “Elastic Security”
creation_date = "2022-08-02"
os = "Linux, Windows"
arch = "x86"
category_type = "Ransomware"
family = "LUNA"
threat_name = "Multi.Ransomware.LUNA"
reference_sample = "1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51"
strings:
$str_extensions = ".ini.exe.dll.lnk"
$str_ransomnote_bs64 = "W1dIQVQgSEFQUEVORUQ/XQ0KDQpBbGwgeW91ciBmaWxlcyB3ZXJlIG1vdmVkIHRvIHNlY3VyZSBzdG9yYWdlLg0KTm9ib"
$str_path = "/home/username/"
$str_error1 = "Error while writing encrypted data to:"
$str_error2 = "Error while writing public key to:"
$str_error3 = "Error while renaming file:"
$chunk_calculation0 = { 48 8D ?? 00 00 48 F4 48 B9 8B 3D 10 B6 9A 5A B4 36 48 F7 E1 48 }
$chunk_calculation1 = { 48 C1 EA 12 48 89 D0 48 C1 E0 05 48 29 D0 48 29 D0 48 3D C4 EA 00 00 }
condition:
5 of ($str_*) or all of ($chunk_*)
}
Read more
For Windows LUNA there is the opportunity to prevent execution before encryption in the “no arguments” execution flow. As outlined in the previous sections, this execution flow attempts to disable and stop 253 services and terminate 997 processes whether or not they exist on the victim machine.
Our Threat Research And Detection Engineering team (TRADE) tuned and promoted a behavioral endpoint rule targeting these pre-encryption environmental preparation TTPs.
The below rule identifies and prevents attempts to disable the Windows Defender services.
query = '''
process where event.action == "start" and
process.pe.original_file_name : ("net.exe", "sc.exe", "cmd.exe") and
process.command_line : ("*disabled*", "*stop*") and process.command_line : ("*WdNisSvc*", "*WinDefend*") and
(process.parent.executable :
("?:\\Windows\\Microsoft.NET\\*",
"?:\\Users\\*",
"?:\\ProgramData\\*") or
process.parent.name : ("rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"))
'''
optional_actions = []
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0
Read more
The following were referenced throughout the above research:
We are providing an encryption POC, written in Python, that mimics and visualizes the encryption implementation of the LUNA ransomware.
Note: like LUNA, each time the script is run, the encrypted output will be different because the private keys are generated each time.
Prerequisites:
- Pyton 3
- cryptography and termcolor Python modules
Usage:
- Save the below script as luna_encryption_poc.py
- install the dependencies with pip install --user cryptography termcolor
- execute the script with python luna_encryption_poc.py
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.asymmetric import x25519
from termcolor import colored
# Malware author generates public key and embeds into malware, keeps private key for decryption later
author_private_key = x25519.X25519PrivateKey.generate() # Unknown author's priv_key generation method
author_embedded_public_key = author_private_key.public_key()
# Malware generates key pair
malware_private_key = x25519.X25519PrivateKey.generate()
malware_public_key = malware_private_key.public_key()
# Serialization of malware pub_key
malware_public_bytes = malware_public_key.public_bytes(encoding=serialization.Encoding.Raw,
format=serialization.PublicFormat.Raw)
print("Malware Public Key: ", colored(malware_public_bytes.hex(), "blue"))
# AES key generated by malware's private key and author's embedded public key
# malware_private_key is discarded after this step and not needed for decryption
shared_key_generated = malware_private_key.exchange(author_embedded_public_key)
print("Generated Shared Key (AES): " + colored(shared_key_generated.hex(), "cyan"))
# Encryption Step with AES + IV null-padded LUNA string
iv = bytearray(b'4c756e6100000000') # 'Luna....' 16 bytes sized needed for AES CTR
# AES stream cipher (CTR) created using AES shared key and IV
cipher = Cipher(algorithms.AES(shared_key_generated), modes.CTR(iv))
encryptor = cipher.encryptor()
# String to be encrypted
plaintext = b"You know, for search!"
print("Plaintext: ", colored(plaintext, "green"))
print("Plaintext.hex(): ", colored(plaintext.hex(), "green"))
# Encryption of string using AES stream cipher
ct = encryptor.update(plaintext) + encryptor.finalize()
# Mock encrypted file with cipher text + public bytes + file marker
file_marker = b"Luna" # 0x4c756e61
encrypted_file = ct + malware_public_bytes + file_marker
file_ciphertext = encrypted_file[:-36]
pub_key_from_encrypted_file = encrypted_file[-36:-4]
file_marker_from_encrypted_file = encrypted_file[-4:]
print("Encrypted File contents: \n",
colored(file_ciphertext.hex(), "red"),
colored(pub_key_from_encrypted_file.hex(), "blue"),
colored(file_marker_from_encrypted_file.hex(), "yellow"))
print("\t",
colored("Encrypted content", "red"), " ",
colored("Embedded malware's pub_key", "blue"), " ",
colored("Embedded file marker", "yellow"))
# Serialization
malware_public_key_from_file = x25519.X25519PublicKey.from_public_bytes(pub_key_from_encrypted_file)
# AES key derived from author's private key and malware embedded public key
shared_key_derived = author_private_key.exchange(malware_public_key_from_file)
print("Derived Shared Key (AES): ", colored(shared_key_derived.hex(), "cyan"))
# Decryption using derived AES shared key and IV
redo_cipher = Cipher(algorithms.AES(shared_key_derived), modes.CTR(iv))
decryptor = redo_cipher.decryptor()
result = decryptor.update(file_ciphertext) + decryptor.finalize()
print("Decrypted plaintext: ", colored(result, "green"))
Read more
This Python script will display the malware public key, the shared AES key, the plain text as a string, the plain text as a hex value, the encrypted text, and finally decrypt the encrypted text back into the original plain text as a string.

Acronis VSS Provider AcronisAgent AcrSch2Svc AdobeARMservice Alerter ARSM aswBcc avbackup BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDeviceMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService BackupExecVSSProvider bcrservice bedbg BITS BlueStripeCollector BrokerInfrastructure ccEvtMgr ccSetMgr Cissesrv CpqRcmc3 CSAdmin CSAuth CSDbSync CSLog CSMon CSRadius CSTacacs DB2 DB2-0 DB2DAS00 DB2GOVERNOR_DB2COPY1 DB2INST2 DB2LICD_DB2COPY1 DB2MGMTSVC_DB2COPY1 DB2REMOTECMD_DB2COPY1 DCAgent EhttpSrv ekrn Enterprise Client Service epag EPIntegrationService EPProtectedService epredline EPSecurityService EPSecurityService EPUpdateService EPUpdateService EraserSvc11710 ERSvc EsgShKernel ESHASRV Eventlog FA_Scheduler GoogleChromeElevationService gupdate gupdatem HealthService IBMDataServerMgr IBMDSServer41 IDriverT IISAdmin IMAP4Svc ImapiService klnagent LogProcessorService LRSDRVX macmnsvc masvc MBAMService MBEndpointAgent McShield McTaskManager mfefire mfemms mfevtp mfewc MMS Mozyprobackup MsDtsServer100 MsDtsServer110 | MsDtsServer130 MSExchangeES MSExchangeIS MSExchangeMGMT MSExchangeMTA MSExchangeSA MSExchangeSRS msftesql$PROD MSMQ MSOLAP$SQL_2008 MSOLAP$SYSTEM_BGC MSOLAP$TPS MSOLAP$TPSAMA MSSQL$BKUPEXEC MSSQL$CITRIX_METAFRAME MSSQL$ECWDB2 MSSQL$EPOSERVER MSSQL$ITRIS MSSQL$NET2 MSSQL$PRACTICEMGT MSSQL$PRACTTICEBGC MSSQL$PROD MSSQL$PROFXENGAGEMENT MSSQL$SBSMONITORING MSSQL$SHAREPOINT MSSQL$SQL_2008 MSSQL$SQLEXPRESS MSSQL$SYSTEM_BGC MSSQL$TPS MSSQL$TPSAMA MSSQL$VEEAMSQL2008R2 MSSQL$VEEAMSQL2012 MSSQLFDLauncher MSSQLFDLauncher$ITRIS MSSQLFDLauncher$PROFXENGAGEMENT MSSQLFDLauncher$SBSMONITORING MSSQLFDLauncher$SHAREPOINT MSSQLFDLauncher$SQL_2008 MSSQLFDLauncher$SYSTEM_BGC MSSQLFDLauncher$TPS MSSQLFDLauncher$TPSAMA MSSQLLaunchpad$ITRIS MSSQLSERVER MSSQLServerADHelper MSSQLServerADHelper100 MSSQLServerOLAPService msvsmon90 MySQL57 Net2ClientSvc NetDDE NetMsmqActivator NetSvc NimbusWatcherService NtLmSsp NtmsSvc ntrtscan odserv OracleClientCache80 ose PDVFSService POP3Svc ProLiantMonitor ReportServer ReportServer$SQL_2008 ReportServer$SYSTEM_BGC ReportServer$TPS ReportServer$TPSAMA RSCDsvc sacsvr SamSs SAVService SDD_Service SDRSVC SentinelAgent SentinelHelperService SepMasterService SepMasterServiceMig ShMonitor Smcinst SmcService SMTPSvc SNAC | SnowInventoryClient SntpService SQL Backups SQLAgent$BKUPEXEC SQLAgent$CITRIX_METAFRAME SQLAgent$CXDB SQLAgent$ECWDB2 SQLAgent$EPOSERVER SQLAgent$ITRIS SQLAgent$NET2 SQLAgent$PRACTTICEBGC SQLAgent$PRACTTICEMGT SQLAgent$PROD SQLAgent$PROFXENGAGEMENT SQLAgent$SBSMONITORING SQLAgent$SHAREPOINT SQLAgent$SQL_2008 SQLAgent$SQLEXPRESS SQLAgent$SYSTEM_BGC SQLAgent$TPS SQLAgent$TPSAMA SQLAgent$VEEAMSQL2008R2 SQLAgent$VEEAMSQL2012 SQLBrowser SQLsafe Backup Service SQLsafe Filter Service SQLSafeOLRService SQLSERVERAGENT SQLTELEMETRY SQLTELEMETRY$ECWDB2 SQLTELEMETRY$ITRIS SQLWriter SSISTELEMETRY130 SstpSvc svcGenericHost swi_filter swi_service swi_update swi_update_64 Symantec Symantec System Recovery sysdown System Telemetryserver TlntSvr TmCCSF tmlisten TmPfw tpautoconnsvc TPVCGateway TrueKey TrueKeyScheduler TrueKeyServiceHelper TSM UI0Detect Veeam Backup Catalog Data Service VeeamBackupSvc VeeamBrokerSvc VeeamCatalogSvc VeeamCloudSvc VeeamDeploymentService VeeamDeploySvc VeeamEnterpriseManagerSvc VeeamHvIntegrationSvc VeeamMountSvc VeeamNFSSvc VeeamRESTSvc VeeamTransportSvc VGAuthService VMTools VMware VMwareCAFCommAmqpListener VMwareCAFManagementAgentHost vmware-converter-agent vmware-converter-server vmware-converter-worker W3Svc wbengine WdNisSvc WebClient WinDefend WinVNC4 WRSVC Zoolz 2 Service |
a2service.exe a2start.exe aawservice.exe acaas.exe acaegmgr.exe acaif.exe acais.exe acctmgr.exe aclient.exe aclntusr.exe ad-aware2007.exe administrator.exe adminserver.exe aesecurityservice.exe aexagentuihost.exe aexnsagent.exe aexnsrcvsvc.exe aexsvc.exe aexswdusr.exe aflogvw.exe afwserv.exe agntsvc.exe ahnrpt.exe ahnsd.exe ahnsdsv.exe alert.exe alertsvc.exe almon.exe alogserv.exe alsvc.exe alunotify.exe alupdate.exe aluschedulersvc.exe amsvc.exe amswmagt aphost.exe appsvc32.exe aps.exe apvxdwin.exe ashbug.exe ashchest.exe ashcmd.exe ashdisp.exe ashenhcd.exe ashlogv.exe ashmaisv.exe ashpopwz.exe ashquick.exe ashserv.exe ashsimp2.exe ashsimpl.exe ashskpcc.exe ashskpck.exe ashupd.exe ashwebsv.exe asupport.exe aswdisp.exe aswregsvr.exe aswserv.exe aswupdsv.exe aswwebsv.exe atrshost.exe atwsctsk.exe aupdrun.exe aus.exe auth8021x.exe autoup.exe avcenter.exe avconfig.exe avconsol.exe avengine.exe avesvc.exe avfwsvc.exe avkproxy.exe avkservice.exe avktray.exe avkwctl.exe avltmain.exe avmailc.exe avmcdlg.exe avnotify.exe avscan.exe avscc.exe avserver.exe avshadow.exe avsynmgr.exe avtask.exe avwebgrd.exe basfipm.exe bavtray.exe bcreporter.exe bcrservice.exe bdagent.exe bdc.exe bdlite.exe bdmcon.exe bdredline.exe bdss.exe bdsubmit.exe bhipssvc.exe bka.exe blackd.exe blackice.exe bluestripecollector.exe blupro.exe bmrt.exe bwgo0000 ca.exe caantispyware.exe caav.exe caavcmdscan.exe caavguiscan.exe caf.exe cafw.exe caissdt.exe calogdump.exe capfaem.exe capfasem.exe capfsem.exe capmuamagt.exe cappactiveprotection.exe casc.exe casecuritycenter.exe caunst.exe cavrep.exe cavrid.exe cavscan.exe cavtray.exe ccap.exe ccapp.exe ccemflsv.exe ccenter.exe ccevtmgr.exe ccflic0.exe ccflic4.exe cclaw.exe ccm messaging.exe ccnfagent.exe ccprovsp.exe ccproxy.exe ccpxysvc.exe ccschedulersvc.exe ccsetmgr.exe ccsmagtd.exe ccsvchst.exe ccsystemreport.exe cctray.exe ccupdate.exe cdm.exe certificateprovider.exe certificationmanagerservicent.exe cfftplugin.exe cfnotsrvd.exe cfp.exe cfpconfg.exe cfpconfig.exe cfplogvw.exe cfpsbmit.exe cfpupdat.exe cfsmsmd.exe checkup.exe chrome.exe cis.exe cistray.exe cka.exe clamscan.exe clamtray.exe clamwin.exe client.exe client64.exe clps.exe clpsla.exe clpsls.exe clshield.exe cmdagent.exe cmdinstall.exe cmgrdian.exe cntaosmgr.exe collwrap.exe comhost.exe config_api_service.exe console.exe control_panel.exe coreframeworkhost.exe coreserviceshell.exe cpd.exe cpdclnt.exe cpf.exe cpntsrv.exe cramtray.exe crashrep.exe crdm.exe crssvc.exe csacontrol.exe csadmin.exe csauth.exe csdbsync.exe csfalconservice.exe csinject.exe csinsm32.exe csinsmnt.exe cslog.exe csmon.exe csradius.exe csrss_tc.exe cssauth.exe cstacacs.exe ctdataload.exe cwbunnav.exe cylancesvc.exe cylanceui.exe dao_log.exe dbeng50.exe dbserv.exe dbsnmp.exe dbsrv9.exe defwatch defwatch.exe deloeminfs.exe deteqt.agent.exe diskmon.exe djsnetcn.exe dlservice.exe dltray.exe dolphincharge.e dolphincharge.exe doscan.exe dpmra.exe dr_serviceengine.exe drwagntd.exe drwagnui.exe drweb.exe drweb32.exe drweb32w.exe drweb386.exe drwebcgp.exe drwebcom.exe drwebdc.exe drwebmng.exe drwebscd.exe drwebupw.exe drwebwcl.exe drwebwin.exe drwinst.exe drwupgrade.exe dsmcad.exe dsmcsvc.exe dwarkdaemon.exe dwengine.exe dwhwizrd.exe dwnetfilter.exe dwrcst.exe dwwin.exe edisk.exe eeyeevnt.exe egui.exe ehttpsrv.exe ekrn.exe elogsvc.exe emlibupdateagentnt.exe emlproui.exe emlproxy.exe encsvc.exe endpointsecurity.exe engineserver.exe entitymain.exe epmd.exe era.exe erlsrv.exe esecagntservice.exe esecservice.exe esmagent.exe etagent.exe etconsole3.exe etcorrel.exe etloganalyzer.exe etreporter.exe etrssfeeds.exe etscheduler.exe etwcontrolpanel.exe euqmonitor.exe eventparser.exe evtarmgr.exe evtmgr.exe evtprocessecfile.exe ewidoctrl.exe excel.exe execstat.exe fameh32.exe fcappdb.exe fcdblog.exe fch32.exe fchelper64.exe fcsms.exe fcssas.exe fih32.exe firefox.exe firefoxconfig.exe firesvc.exe firetray.exe firewallgui.exe fmon.exe fnplicensingservice.exe forcefield.exe fpavserver.exe fprottray.exe frameworkservic frameworkservic.exe frameworkservice.exe frzstate2k.exe fsaa.exe fsaua.exe fsav32.exe fsavgui.exe fscuif.exe fsdfwd.exe fsgk32.exe fsgk32st.exe fsguidll.exe fsguiexe.exe fshdll32.exe fshoster32.exe fshoster64.exe fsm32.exe fsma32.exe fsmb32.exe fsorsp.exe fspc.exe fspex.exe fsqh.exe fssm32.exe fwcfg.exe fwinst.exe | fws.exe gcascleaner.exe gcasdtserv.exe gcasinstallhelper.exe gcasnotice.exe gcasserv.exe gcasservalert.exe gcasswupdater.exe Gdfirewalltray.exe gdfwsvc.exe gdscan.exe gfireporterservice.exe ghost_2.exe ghosttray.exe giantantispywaremain.exe giantantispywareupdater.exe googlecrashhandler.exe googlecrashhandler64.exe googleupdate.exe gziface.exe gzserv.exe hasplmv.exe hdb.exe healthservice.exe hpqwmiex.exe hwapi.exe icepack.exe idsinst.exe iface.exe igateway.exe ilicensesvc.exe inet_gethost.exe infopath.exe inicio.exe inonmsrv.exe inorpc.exe inort.exe inotask.exe inoweb.exe isafe.exe isafinst.exe isntsmtp.exe isntsysmonitor ispwdsvc.exe isqlplussvc.exe isscsf.exe issdaemon.exe issvc.exe isuac.exe iswmgr.exe itmrt_supportdiagnostics.exe itmrt_trace.exe itmrtsvc.exe ixaptsvc.exe ixavsvc.exe ixfwsvc.exe kabackreport.exe kaccore.exe kanmcmain.exe kansgui.exe kansvr.exe kb891711.exe keysvc.exe kis.exe kislive.exe kissvc.exe klnacserver.exe klnagent.exe klserver.exe klswd.exe klwtblfs.exe kmailmon.exe knownsvr.exe knupdatemain.exe kpf4gui.exe kpf4ss.exe kpfw32.exe kpfwsvc.exe krbcc32s.exe kswebshield.exe kvdetech.exe kvmonxp.kxp kvmonxp_2.kxp kvolself.exe kvsrvxp.exe kvsrvxp_1.exe kvxp.kxp kwatch.exe kwsprod.exe kxeserv.exe leventmgr.exe livesrv.exe lmon.exe log_qtine.exe loggetor.exe loggingserver.exe luall.exe lucallbackproxy.exe lucoms.exe lucoms~1.exe lucomserver.exe lwdmserver.exe macmnsvc.exe macompatsvc.exe managementagenthost.exe managementagentnt.exe mantispm.exe masalert.exe massrv.exe masvc.exe mbamservice.exe mbamtray.exe mcagent.exe mcapexe.exe mcappins.exe mcconsol.exe mcdash.exe mcdetect.exe mcepoc.exe mcepocfg.exe mcinfo.exe mcmnhdlr.exe mcmscsvc.exe mcnasvc.exe mcods.exe mcpalmcfg.exe mcpromgr.exe mcproxy.exe mcregwiz.exe mcsacore.exe mcscript_inuse.exe mcshell.exe mcshield.exe mcshld9x.exe mcsvhost.exe mcsysmon.exe mctray.exe mctskshd.exe mcui32.exe mcuimgr.exe mcupdate.exe mcupdmgr.exe mcvsftsn.exe mcvsrte.exe mcvsshld.exe mcwce.exe mcwcecfg.exe mfeann.exe mfecanary.exe mfeesp.exe mfefire.exe mfefw.exe mfehcs.exe mfemactl.exe mfemms.exe mfetp.exe mfevtps.exe mfewc.exe mfewch.exe mgavrtcl.exe mghtml.exe mgntsvc.exe monitoringhost.exe monsvcnt.exe monsysnt.exe mpcmdrun.exe mpf.exe mpfagent.exe mpfconsole.exe mpfservice.exe mpfsrv.exe mpftray.exe mps.exe mpsevh.exe mpsvc.exe mrf.exe msaccess.exe msascui.exe mscifapp.exe msdtssrvr.exe msftesql.exe mskagent.exe mskdetct.exe msksrver.exe msksrvr.exe msmdsrv.exe msmpeng.exe mspmspsv.exe mspub.exe msscli.exe msseces.exe msssrv.exe musnotificationux.exe myagttry.exe mydesktopqos.exe mydesktopservice.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe nailgpip.exe naprdmgr.exe navectrl.exe navelog.exe navesp.exe navshcom.exe navw32.exe navwnt.exe ncdaemon.exe nd2svc.exe ndetect.exe ndrvs.exe ndrvx.exe neotrace.exe nerosvc.exe netalertclient.exe netcfg.exe netsession_win.exe networkagent.exe nexe ngctw32.exe ngserver.exe nimbus.exe nimcluster.exe nip.exe nipsvc.exe nisoptui.exe nisserv.exe nissrv.exe nisum.exe njeeves.exe nlclient.exe nlsvc.exe nmagent.exe nmain.exe nortonsecurity.exe npfmntor.exe npfmsg.exe npfmsg2.exe npfsvice.exe npmdagent.exe nprotect.exe npscheck.exe npssvc.exe nrmenctb.exe nscsrvce.exe nsctop.exe nslocollectorservice.exe nsmdemf.exe nsmdmon.exe nsmdreal.exe nsmdsch.exe nsmdtr.exe ntcaagent.exe ntcadaemon.exe ntcaservice.exe ntevl.exe ntrtscan.exe ntservices.exe nvcoas.exe nvcsched.exe nymse.exe oasclnt.exe ocautoupds.exe ocomm.exe ocssd.exe oespamtest.exe ofcdog.exe ofcpfwsvc.exe okclient.exe olfsnt40.exe omniagent.exe omslogmanager.exe omtsreco.exe onenote.exe onlinent.exe onlnsvc.exe op_viewer.exe opscan.exe oracle.exe outlook.exe outpost.exe paamsrv.exe padfsvr.exe pagent.exe pagentwd.exe pasystemtray.exe patch.exe patrolagent.exe patrolperf.exe pavbckpt.exe pavfires.exe pavfnsvr.exe pavjobs.exe pavkre.exe pavmail.exe pavreport.exe pavsched.exe pavsrv50.exe pavsrv51.exe pavsrv52.exe pavupg.exe paxton.net2.clientservice.exe paxton.net2.commsserverservice.exe pccclient.exe pccguide.exe pcclient.exe pccnt.exe pccntmon.exe pccntupd.exe pccpfw.exe pcctlcom.exe pcscan.exe pcscm.exe pcscnsrv.exe pcsws.exe pctsauxs.exe pctsgui.exe pctssvc.exe pctstray.exe pep.exe persfw.exe pmgreader.exe pmon.exe pnmsrv.exe pntiomon.exe Pop3pack.exe pop3trap.exe poproxy.exe powerpnt.exe ppclean.exe ppctlpriv.exe | ppmcativedetection.exe ppppwallrun.exe pqibrowser.exe pqv2isvc.exe pralarmmgr.exe prcalculationmgr.exe prconfigmgr.exe prdatabasemgr.exe premailengine.exe preventmgr.exe prevsrv.exe prftpengine.exe prgateway.exe printdevice.exe privacyiconclient.exe prlicensemgr.exe procexp.exe proficy administrator.exe proficyclient.exe4 proficypublisherservice.exe proficyserver.exe proficysts.exe proutil.exe prprintserver.exe prproficymgr.exe prrds.exe prreader.exe prrouter.exe prschedulemgr.exe prstubber.exe prsummarymgr.exe prunsrv.exe prwriter.exe psanhost.exe psctris.exe psctrls.exe psh_svc.exe pshost.exe psimreal.exe psimsvc.exe pskmssvc.exe psuamain.exe psuaservice.exe pthosttr.exe pview.exe pviewer.exe pwdfilthelp.exe pxemtftp.exe pxeservice.exe qclean.exe qdcsfs.exe qoeloader.exe qserver.exe rapapp.exe rapuisvc.exe ras.exe rasupd.exe rav.exe ravmon.exe ravmond.exe ravservice.exe ravstub.exe ravtask.exe ravtray.exe ravupdate.exe ravxp.exe rcsvcmon.exe rdrcef.exe realmon.exe redirsvc.exe regmech.exe remupd.exe repmgr64.exe reportersvc.exe reportingservicesservice.exe reportsvc.exe retinaengine.exe rfwmain.exe rfwproxy.exe rfwsrv.exe rfwstub.exe rnav.exe rnreport.exe routernt.exe rpcserv.exe rscd.exe rscdsvc.exe rsnetsvr.exe rssensor.exe rstray.exe rtvscan.exe rulaunch.exe safeservice.exe sahookmain.exe saservice.exe sav32cli.exe savfmsectrl.exe savfmselog.exe savfmsesjm.exe savfmsesp.exe savfmsespamstatsmanager.exe savfmsesrv.exe savfmsetask.exe savfmseui.exe savmain.exe savroam.exe savscan.exe savservice.exe savui.exe sbamsvc.exe sbserv.exe scan32.exe scanexplicit.exe scanfrm.exe scanmailoutlook.exe scanmsg.exe scanwscs.exe scfagent_64.exe scfmanager.exe scfservice.exe scftray.exe schdsrvc.exe schupd.exe sdrservice.exe sdtrayapp.exe seanalyzertool.exe seccenter.exe securitycenter.exe securitymanager.exe seestat.exe semsvc.exe server_eventlog.exe server_runtime.exe sesclu.exe setloadorder.exe setupguimngr.exe sevinst.exe sgbhp.exe shstat.exe sidebar.exe siteadv.exe slee81.exe smc.exe smcgui.exe smex_activeupda smex_master.exe smex_remoteconf smex_systemwatc smoutlookpack.exe sms.exe smsectrl.exe smselog.exe smsesjm.exe smsesp.exe smsesrv.exe smsetask.exe smseui.exe smsx.exe snac.exe sndmon.exe sndsrvc.exe snhwsrv.exe snicheckadm.exe snichecksrv.exe snicon.exe snsrv.exe spbbcsvc.exe spideragent.exe spiderml.exe spidernt.exe spiderui.exe spntsvc.exe spooler.exe spyemergency.exe spyemergencysrv.exe sqbcoreservice.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe srvload.exe srvmon.exe sschk.exe ssecuritymanager.exe ssm.exe ssp.exe ssscheduler.exe starta.exe steam.exe stinger.exe stopa.exe stopp.exe stwatchdog.exe svcgenerichost svcharge.exe svcntaux.exe svdealer.exe svframe.exe svtray.exe swc_service.exe swdsvc.exe sweepsrv.sys swi_service.exe swnetsup.exe swnxt.exe swserver.exe symlcsvc.exe symproxysvc.exe symsport.exe symtray.exe symwsc.exe synctime.exe sysdoc32.exe sysoptenginesvc.exe taskhostw.exe tbirdconfig.exe tbmon.exe tclproc.exe tdimon.exe teamviewer_service.exe tfgui.exe tfservice.exe tftray.exe tfun.exe thebat.exe thebat64.exe thunderbird.exe tiaspn~1.exe tmas.exe tmlisten.exe tmntsrv.exe tmpfw.exe tmproxy.exe tnbutil.exe tnslsnr.exe toolbarupdater.exe tpsrv.exe traflnsp.exe traptrackermgr.exe trjscan.exe trupd.exe tsansrf.exe tsatisy.exe tscutynt.exe tsmpnt.exe ucservice.exe udaterui.exe uiseagnt.exe uiwatchdog.exe umxagent.exe umxcfg.exe umxfwhlp.exe umxpol.exe unsecapp.exe unvet32.exe up2date.exe update_task.exe updaterui.exe updtnv28.exe upfile.exe uplive.exe uploadrecord.exe upschd.exe url_response.exe urllstck.exe useractivity.exe useranalysis.exe usergate.exe usrprmpt.exe v2iconsole.exe v3clnsrv.exe v3exec.exe v3imscn.exe v3lite.exe v3main.exe v3medic.exe v3sp.exe v3svc.exe vetmsg.exe vettray.exe vgauthservice.exe visio.exe vmacthlp.exe vmtoolsd.exe vmware-converter.exe vmware-converter-a.exe vmwaretray.exe vpatch.exe vpc32.exe vpdn_lu.exe vprosvc.exe vprot.exe vptray.exe vrv.exe vrvmail.exe vrvmon.exe vrvnet.exe vshwin32.exe vsmain.exe vsmon.exe vsserv.exe vsstat.exe vstskmgr.exe webproxy.exe webscanx.exe websensecontrolservice.exe webtrapnt.exe wfxctl32.exe wfxmod32.exe wfxsnt40.exe win32sysinfo.exe winlog.exe winroute.exe winvnc4.exe winword.exe wordpad.exe workflowresttest.exe wrctrl.exe wrsa.exe wrspysetup.exe wscntfy.exe wssfcmai.exe wtusystemsuport.exe xcommsvr.exe xfilter.exe xfssvccon.exe zanda.exe zapro.exe zavcore.exe zillya.exe zlclient.exe zlh.exe zonealarm.exe zoolz.exe |