FortiGuard Labs Threat Research
According to the 2020 Verizon Data Breach Investigations Report, ransomware accounted for 27% of malware incidents in 2019. This may not seem like a lot, but when you think of the impact it has on an organization you can understand why it’s often the malware that makes the news headlines. Over the last few years, the impact has worsened due to adversaries moving to a more targeted attack method, rather than the traditional “spray and pray” method of infecting as many potential victims as possible.
This up-front investment in time and resources has shown to be fruitful for attackers, especially as they focus on specific industries, with healthcare as well as states and local governments emerging as high-profile targets during the course of 2020. The latest industry targeted with ransomware is Industrial Control Systems/Operational Technology. This blog will break down at a high level the latest EKANS ransomware, general TTP trends, and related protections for targeted ransomware attacks.
Affected platforms: Windows Operating Systems
Impacted parties: Industrial Control Systems and a variety of applications
Impact: Data Encryption for Impact – Mitre ID:T1486
Severity level: High
Through one of our trusted partnerships, FortiGuard Labs was provided with an EKANS sample to analyze around the end of May. A more recent June version was independently sourced by FortiGuard Labs.
MD5 |
SHA256 |
May Variant |
|
47EBE9F8F5F73F07D456EC12BB49C75D |
2ED3E37608E65BE8B6E8C59F8C93240BD0EFE9A60C08C21F4889C00EB6082D74 |
|
|
June Variant |
|
ED3C05BDE9F0EA0F1321355B03AC42D0 |
D4DA69E424241C291C173C8B3756639C654432706E7DEF5025A649730868C4A1 |
Each of these samples are written in the GO programming language. The GO programming language first appeared around 2009 and has slowly gained popularity within the malware community.
One of the advantages of GO is that the code can be easily compiled to work on different platforms and architectures, such as MacOS, Microsoft Windows, and the Linux operating system when compared to other programming languages. One of the disadvantages, however, is that the binaries are noticeably larger in size. A simple “Hello World” program can produce a binary 1 MB in size. To combat bulky file sizes, GO allows a programmer to strip binaries during compilation. Most of the information that gets removed is typically used by debuggers.
As it turns out, this size problem is actually helpful to malware authors. By having a larger file size, manual analysis will inevitably take longer. Moreover, it can easily be overlooked since typical malware files have a much smaller file size in the first place. By stripping the binaries of debugging information, malware analysts will have another stumbling block to overcome.
Looking at the given files closer, we can see that they are indeed stripped and offer no clues for the malware analyst.
The typical malware may have hundreds of functions, and some will already be recognized in the malware analysis industry’s unofficial default disassembler, IDA. With stripped GO binaries, however, IDA is unable to recognize normal library files, leaving the malware analyst with more than 5000 functions to sift through.
Because of this problem, we developed an EKANS-specific IDA plugin in-house to help with analysis in conjunction with other GO-specific analysis techniques.
As can be seen above, there are over 2100 encrypted strings, almost 2400 obfuscated function names, and over 1200 strings that needed fixing in the May variant of EKANS.
Both of these variants perform all of the typical ransomware activities you would expect, such as encrypting files and leaving a ransom note telling the victim to contact them at a specified email address, to receive instructions on how to pay a ransom and decrypt their files. But they also perform actions that are not so typical. Below is a high-level list of these activities in sequence, with the main notable difference of turning off the host firewall, found in the June variant:
It is important to note that turning off the host firewall seems to have been a new addition to the malware family’s functionality. This was not present in the older May variant. Another interesting addition was to turn on the firewall before encrypting, probably to detect AVs and other defense solutions by blocking any communication from the agent.
The ransomware starts out by attempting to confirm its target by resolving the domain belonging to the victim’s company, as well as comparing the resolved domain to a specific IP. If the domain/IP is not available, the routine exits.
Looking deeper into the environmental checks, we noticed that the May variant of EKANS tries to resolve the IP address of the ADS.****.COM. The subdomain belongs to a global health care provider that specializes in the treatment of chronic kidney conditions.
This subdomain does not seem to be publicly available, which means that the May variant will only execute if it has infiltrated the network. If this is successful, then another check is performed. EKANS checks to see if “10.2.10.4” is the IP address of this subdomain.
Another piece of information that the May variant of EKANS is looking for is the current machine’s role within the domain.
A WMI query will be performed to determine this. Microsoft defines domain roles as the following.
0 |
Standalone Workstation |
1 |
Member Workstation |
2 |
Standalone Server |
3 |
Member Server |
4 |
Backup Domain Controller |
5 |
Primary Domain Controller |
EKANS is apparently looking to infect a domain controller on the network. If successful, this can affect security authentication requests within the network domain, thereby severely impacting networked users. With the aforementioned data points, EKANS will have enough to build a proper mutex.
The mutex will consist of the string “Global\” appended with “EKANS” and a part of the IP string. On a side note, the author(s) of EKANS may be a fan of The Highlander movies/TV series where the phrase “there can be only one” was popularized.
The next step taken by the June variant of the ransomware that FortiGuard Labs engineers encountered was that the malware executed the following netsh commands in order to block any inbound and outbound traffic that might interfere with the encryption process:
Next, the malware goes through its encryption functions, which like many ransomware variants are embedded in the malware. It encrypts data using RSA and by parsing the public key using the ParsePKCS1PublicKey function. It is XOR decoded.
In both variants, EKANS will decode strings associated with services and attempt to stop them. The May variant, for some reason, contains duplicate services.
Overall, there are nine services that are repeatedly decrypted in an attempt to stop them by the May variant of EKANS. They are:
MSSQLFDLauncher$PROFXENGAGEMENT, ReportServer$TPS, SQLBrowser, MSSQLServerADHelper, SQLAgent$PROD, msftesql$PROD, SQLAgent$SOPHOS, VeeamEnterpriseManagerSvc, and ArcserveUDPPS
After decoding all the required strings (see Appendix A), both variants of the ransomware open the SCM (OpenSCManager) and use EnumServicesStatusEx. It iterates on the services and stops any service contained in the decoded string list.
The service stop operation stops:
The ransomware then enumerates running processes and terminates each process within a predefined process list (See Appendix-B). The following code handles the process termination:
EKANS then deletes shadow copies, which is done via WMI’s WbemScripting.SWbemNamedValueSet object. The query that locates the shadow copies object is the regular:
This is common behavior with ransomware to make it more difficult to recover files. There are many ways to achieve this. If you’re interested in learning more, please read Ben Hunter’s “Stomping Shadow Copies – A second Look into Deletion Methods” blog.
The May variant accomplishes this by using COM programming. EKANS connects to the WMI service via COM objects in order to use shared libraries utilizing code similar to https://raw.githubusercontent.com/go-ole/go-ole/master/guid.go, which is used by various other legitimate GO software, as well as other malicious binaries.
Before running the encryption function, the ransomware decodes the strings of all of the relevant file extensions to encrypt, (see Appendix-C).
In order to keep the system able to at least spin up and load, certain files and folders are skipped from the encrypting process. These files are avoided in the May variant of EKANS.
At the same time, any files and folders that contain the following directories in their path are also skipped from the file encryption process by the May variant.
The following file types are also avoided by the May variant.
Both variants also build the following regex used to exclude encryption targets.
However, during the actual file encryption process, the list of targeted file types is not actually checked by the May variant of the ransomware. The May variant will encrypt any file type as long as it does not violate any of its avoidance rules.
The encryption details seem identical to the operating methods described here: https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html
First, it enumerates all valid drive letters from A to Z using GetLogicalDriveStringsW.
Interestingly enough, the code shown in the figure below shows that the May variant of EKANS only targets removable drives (such as thumb drives) and fixed drives (such as hard disks or flash storage devices). They do not try to infect machines on the network.
It then creates multiple threads for such drives.
Each thread then creates eight workers (threads) that perform the encryption. These workers use channels to sync themselves.
After creating the eight workers, the thread waits for them to finish. After all of them are done, it renames the files on the system by generating a random 5-digits string which is then appended to the file’s name.
The single file encryption flow is relatively simple:
First, initiates a cipher:
After the encryption process has completed, the May variant of EKANS drops the ransom note as “Decrypt-Your-Files.txt” either on the root system drive or on the user’s desktop.
For machines infected with the June variant, the ransomware ends with another command to turn off the firewall.
Execution
Defense Evasion
Discover
Impact
Understanding the ransomware and some of its indicators of compromise (IOC), such as hashes, URLs, IP addresses, and domains is a good first defense. But be warned that these IOCs often change and can circumvent legacy security controls. And because these attacks are more targeted, it’s also important to understand the activity the offensive operator takes once they’re in the environment. If you can disrupt their plans prior to the malware executing, the better off you will be. While every targeted attack is unique, there are some trends – especially in the way an attacker works – that if understood can provide a better view into your ability to detect their attack methods and more effectively block them.
Let’s take a look into some of the trends we often see from our FortiGuard Managed Detection and Response and Incident Response Services.
There are many ways to access a network, but the two we continue to observe are:
Once the adversary establishes their initial access into the environment, they need to continue penetrating deeper into the network. To do so, they first need the right access, which is why credential dumping is a common activity. There are many techniques to achieve the dumping of credentials, as the Windows Operating System has many different places it stores or caches its credentials. Below is one common technique we see as a trend:
If you want to read more on OS Credential Dumping, please view our Offense and Defense – A Tale of Two Sides: (Windows) OS Credential Dumping blog.
When the adversary has the right access to spread their malware from system to system, they simply need to copy and remotely execute the payload. One tool that can achieve just that is found on many Windows Operating Systems. It is called PSEXEC, which is part of the Sysinternals. This tool is used by many system admins to help administer the network, but it is also often used by the adversary.
As a security community we have gotten better at identifying malicious software and tools. As a result, adversaries have had to take that into consideration by adding additional steps to disable defensive controls such as anti-malware, or by disabling Windows event logging.
Eventually, the attacker will execute the ransomware (or malware in general) on targeted systems. An efficient way to do this, if the attacker has access to the domain controllers, is to leverage group policies (GPO) and Windows login scripts. GPOs and login scripts are used by system admins for central management and OS configuration setting for users’ environments. These tools, which are part of an Active Directory environment, are modified by an attacker to deploy and execute their malware.
In this blog we focused on not only one of the latest ransomware variants targeting ICS/OT environments, but also some of the TTP trends our FortiGuard team has observed over the last year or two. We encourage you to take a look at not only the techniques we described here, but also at the other techniques that are documented in the Mitre ATT&CK knowledge base. Then start testing your current security controls against these techniques to ensure you can detect or protect against them.
If you find gaps, document them and use them as a guide to build a prioritized action plan for improvement. Lastly, if you are responsible for the ICS environment there is now a Mitre ATT&CK ICS knowledge base specifically for adversary actions taking place in an Industrial Control System network.
Fortinet offers a suite of platforms and services to help protect organizations from ransomware and malware, including EKANS. Here’s how it works:
Fortinet’s FortiEDR Platform detects and blocks the EKANS malware. When activity tries to run, such as changing the Windows firewall settings or encrypting files, FortiEDR identifies and blocks the malicious activity.
FortiGuard Anti-Virus Services
These ransomware variants are blocked with the signatures W32/Ekans.42D0!tr.ransom, W32/Ekans.C75D!tr.ransom, and W32/Ekans.62B8!tr.ransom.
FortiDeceptor allows organizations to rapidly create a fabricated deception network through the automatic deployment of decoys and lures that seamlessly integrate with an existing IT/OT infrastructure, enticing attackers into revealing themselves. FortiDeceptor helps serve as an early warning system by providing accurate detection that correlates an attacker’s activity details and lateral movement that feeds up to a broader threat campaign. Threat intelligence captured from decoys is shared within the Security Fabric so automatic protection can be applied, disrupting attacks before any real damage is done.
Acronis VSS Provider, Enterprise Client Service, Sophos Agent, Sophos AutoUpdate Service, Sophos Clean Service, Sophos Device Control Service, Sophos File Scanner Service, Sophos Health Service, Sophos MCS Agent, Sophos MCS Client, Sophos Message Router, Sophos Safestore Service, Sophos System Protection Service, Sophos Web Control Service, SQLsafe Backup Service, SQLsafe Filter Service, Symantec System Recovery, Veeam Backup Catalog Data Service, AcronisAgent, AcrSch2Svc, Antivirus, ARSM, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDeviceMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider, bedbg, DCAgent, EPSecurityService, EPUpdateService, EraserSvc11710, EsgShKernel, FA_Scheduler, IISAdmin, IMAP4Svc, macmnsvc, masvc, MBAMService, MBEndpointAgent, McAfeeEngineService, McAfeeFramework, McAfeeFrameworkMcAfeeFramework, McShield, McTaskManager, mfemms, mfevtp, mozyprobackup, MsDtsServer, MsDtsServer100, MsDtsServer110, MSExchangeES, MSExchangeIS, MSExchangeMGMT, MSExchangeMTA, MSExchangeSA, MSExchangeSRS, MSOLAP$SQL_2008, MSOLAP$SYSTEM_BGC, MSOLAP$TPS, MSOLAP$TPSAMA, MSSQL$BKUPEXEC, MSSQL$ECWDB2, MSSQL$PRACTICEMGT, MSSQL$PRACTTICEBGC, MSSQL$PROFXENGAGEMENT, MSSQL$SBSMONITORING, MSSQL$SHAREPOINT, MSSQL$SQL_2008, MSSQL$SYSTEM_BGC, MSSQL$TPS, MSSQL$TPSAMA, MSSQL$VEEAMSQL2008R2, MSSQL$VEEAMSQL2012, MSSQLFDLauncher, MSSQLFDLauncher$PROFXENGAGEMENT, MSSQLFDLauncher$SBSMONITORING, MSSQLFDLauncher$SHAREPOINT, MSSQLFDLauncher$SQL_2008, MSSQLFDLauncher$SYSTEM_BGC, MSSQLFDLauncher$TPS, MSSQLFDLauncher$TPSAMA, MSSQLSERVER, MSSQLServerADHelper100, MSSQLServerOLAPService, MySQL57, ntrtscan, OracleClientCache80, PDVFSService, POP3Svc, ReportServer, ReportServer$SQL_2008, ReportServer$SYSTEM_BGC, ReportServer$TPS, ReportServer$TPSAMA, RESvc, sacsvr, SamSs, SAVAdminService, SAVService, SDRSVC, SepMasterService, ShMonitor, Smcinst, SmcService, SMTPSvc, SNAC, SntpService, sophossps, SQLAgent$BKUPEXEC, SQLAgent$ECWDB2, SQLAgent$PRACTTICEBGC, SQLAgent$PRACTTICEMGT, SQLAgent$PROFXENGAGEMENT, SQLAgent$SBSMONITORING, SQLAgent$SHAREPOINT, SQLAgent$SQL_2008, SQLAgent$SYSTEM_BGC, SQLAgent$TPS, SQLAgent$TPSAMA, SQLAgent$VEEAMSQL2008R2, SQLAgent$VEEAMSQL2012, SQLBrowser, SQLSafeOLRService, SQLSERVERAGENT, SQLTELEMETRY, SQLTELEMETRY$ECWDB2, SQLWriter, SstpSvc, svcGenericHost, swi_filter, swi_service, swi_update_64, TmCCSF, tmlisten, TrueKey, TrueKeyScheduler, TrueKeyServiceHelper, UI0Detect, VeeamBackupSvc, VeeamBrokerSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamDeploymentService, VeeamDeploySvc, VeeamEnterpriseManagerSvc, VeeamMountSvc, VeeamNFSSvc, VeeamRESTSvc, VeeamTransportSvc, W3Svc, wbengine, WRSVC, VeeamHvIntegrationSvc, swi_update, SQLAgent$CXDB, SQLAgent$CITRIX_METAFRAME, SQL Backups, MSSQL$PROD, Zoolz 2 Service, MSSQLServerADHelper, SQLAgent$PROD, msftesql$PROD, NetMsmqActivator, EhttpSrv, ekrn, ESHASRV, MSSQL$SOPHOS, SQLAgent$SOPHOS, klnagent, MSSQL$SQLEXPRESS, SQLAgent$SQLEXPRESS, kavfsslp, KAVFSGT, KAVFS, mfefire, avast! Antivirus, aswBcc, Avast Business Console Client Antivirus Service, mfewc, Telemetryserver, WdNisSvc, WinDefend, MCAFEETOMCATSRV530, MCAFEEEVENTPARSERSRV, MSSQLFDLauncher$ITRIS, MSSQL$EPOSERVER, MSSQL$ITRIS, SQLAgent$EPOSERVER, SQLAgent$ITRIS, SQLTELEMETRY$ITRIS, MsDtsServer130, SSISTELEMETRY130, MSSQLLaunchpad$ITRIS, BITS, BrokerInfrastructure, epag, EPIntegrationService, EPProtectedService, epredline, TmPfw, SentinelAgent, SentinelHelperService, LogProcessorService, SentinelStaticEngine, DB2GOVERNOR_DB2COPY1, DB2LICD_DB2COPY1, DB2MGMTSVC_DB2COPY1, DB2REMOTECMD_DB2COPY1, DB2DAS00, DB2-0, DB2INST2, IBMDataServerMgr, IBMDSServer41, MSSQL$CITRIX_METAFRAME, RumorServer, myAgtSvc, McAfee SiteAdvisor Enterprise Service, Alerter, ERSvc, Eventlog, ImapiService, NetDDE, NtLmSsp, NtmsSvc, odserv, SnowInventoryClient, TlntSvr, VMTools, VMware, WebClient, WinVNC4, BlueStripeCollector, Cissesrv, CpqRcmc3, gupdate, gupdatem, HealthService, NimbusWatcherService, ProLiantMonitor, SDD_Service, sysdown, System, GoogleChromeElevationService, bcrservice, ccEvtMgr, ccSetMgr, CSAdmin, CSAuth, CSDbSync, CSLog, CSMon, CSRadius, CSTacacs, Symantec, VGAuthService, SepMasterServiceMig, vmware-converter-agent, vmware-converter-server, vmware-converter-worker, avbackup, MSSQL$NET2, Net2ClientSvc, NetSvc, SQLAgent$NET2, tpautoconnsvc, TPVCGateway, VMwareCAFCommAmqpListener, VMwareCAFManagementAgentHost, AdobeARMservice, RSCDsvc, LRSDRVX, msvsmon90, IDriverT, MSMQ, MMS, MSSQLFDLauncher$PROFXENGAGEMENT, ReportServer$TPS, SQLBrowser, MSSQLServerADHelper, SQLAgent$PROD, msftesql$PROD, SQLAgent$SOPHOS, AVP, VeeamEnterpriseManagerSvc, MySQL80, MSSQL$ARCSERVE_APP, ArcserveUDPPS, CAARCAppSvc, CASDatastoreSvc, CASARPSWebSVC, CAARCUpdateSvc, ArcserveUDPPS, CASAD2DwebSvc, ASLogWatch, FireEye Endpoint Agent, nxlog, SplunkForwarder, SAP, MSSQL, MySQL, OracleService, oracleservice, mssql, Sophos, Veeam, Cylance
AcrSch2Svc, Antivirus, ARSMbedbgDCAgent, EPUpdateService, EraserSvc11710, EsgShKernel, FA_Scheduler, IISAdminIMAP4Svcmacmnsvcmasvc, MBAMService, MBEndpointAgent, McAfeeFramework, McShieldmfemms, McTaskManager, MsDtsServer, MsDtsServer100, MsDtsServer110, MSExchangeES, MSExchangeIS, MSExchangeMGMT, MSExchangeMTA, MSExchangeSA, MSExchangeSRS, MSSQLFDLauncher, MSSQLSERVER, ntrtscanPOP3Svc, PDVFSService, ReportServer, sacsvr, SamSs, SAVServiceSAVAdminService, SDRSVCShMonitor, SepMasterServiceSmcinstSMTPSvc, SmcService, SNACSntpService, SQLBrowser, SQLSERVERAGENT, SQLTELEMETRY, SQLWriter, svcGenericHost, swi_filterTmCCSFswi_service, swi_update_64, tmlistenTrueKey, TrueKeySchedulerUI0DetectW3Svc, VeeamBackupSvc, VeeamBrokerSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamDeploySvc, VeeamMountSvc, VeeamNFSSvc, VeeamRESTSvc, wbengineWRSVC, swi_update, NetMsmqActivatorEhttpSrvekrn, ESHASRV, KAVFSmfefire, Telemetryserver, WdNisSvcBITSepagWinDefend, MsDtsServer130, SSISTELEMETRY130epredlineTmPfw, SentinelAgent, DB2INST2myAgtSvcIBMDataServerMgrIBMDSServer41, RumorServer, AlerterERSvc, EventlogNetDDE, ImapiService, NtLmSspNtmsSvc, odservTlntSvr, VMTools, VMware, WebClientWinVNC4CissesrvCpqRcmc3gupdate, gupdatemHealthService, ProLiantMonitor, SDD_Service, sysdown, System, bcrservice, ccEvtMgrccSetMgrCSAdmin, CSAuth, CSDbSyncCSLog, CSMon, CSRadiusCSTacacsSymantecVGAuthService, avbackupNetSvc, Net2ClientSvc, tpautoconnsvc, TPVCGateway, AdobeARMservice, RSCDsvcLRSDRVX, msvsmon90, IDriverTMSMQMMS, MySQL80nxlogSAP, ArcserveUDPPS, CAARCAppSvc, CASDatastoreSvc, CASARPSWebSVC, CAARCUpdateSvc, ArcserveUDPPS, CASAD2DwebSvc, ASLogWatch, SplunkForwarder, MSSQLMySQLmssql, OracleService, oracleservice, SophosVeeam, Cylance, OpenSCManagerW, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDeviceMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider, EPSecurityService, McAfeeEngineService, McAfeeFrameworkMcAfeeFramework, MSSQLServerADHelper100, MSSQLServerOLAPService, OracleClientCache80, SQLSafeOLRService, TrueKeyServiceHelper, VeeamDeploymentService, VeeamEnterpriseManagerSvc, VeeamTransportSvc, VeeamHvIntegrationSvc, MSSQLServerADHelper, MCAFEETOMCATSRV530, MCAFEEEVENTPARSERSRV, BrokerInfrastructure, EPIntegrationService, EPProtectedService, SentinelHelperService, LogProcessorService, SentinelStaticEngine, DB2GOVERNOR_DB2COPY1, DB2MGMTSVC_DB2COPY1, DB2REMOTECMD_DB2COPY1, SnowInventoryClient, BlueStripeCollector, NimbusWatcherService, GoogleChromeElevationService, SepMasterServiceMig, VMwareCAFCommAmqpListener, VMwareCAFManagementAgentHost, MSSQLServerADHelper, VeeamEnterpriseManagerSvc
Below is a list of every known process targeted by EKANS in May and June 2020.
ccflic0.exe, ccflic4.exe, healthservice.exe, ilicensesvc.exe, nimbus.exe, prlicensemgr.exe, certificateprovider.exe, proficypublisherservice.exe, proficysts.exe, erlsrv.exe, vmtoolsd.exe, managementagenthost.exe, vgauthservice.exe, epmd.exe, hasplmv.exe, spooler.exe, hdb.exe, ntservices.exe, n.exe, monitoringhost.exe, win32sysinfo.exe, inet_gethost.exe, taskhostw.exe, proficy administrator.exe, ntevl.exe, prproficymgr.exe, prrds.exe, prrouter.exe, prconfigmgr.exe, prgateway.exe, premailengine.exe, pralarmmgr.exe, prftpengine.exe, prcalculationmgr.exe, prprintserver.exe, prdatabasemgr.exe, preventmgr.exe, prreader.exe, prwriter.exe, prsummarymgr.exe, prstubber.exe, prschedulemgr.exe, cdm.exe, musnotificationux.exe, npmdagent.exe, client64.exe, keysvc.exe, server_eventlog.exe, proficyserver.exe, server_runtime.exe, config_api_service.exe, fnplicensingservice.exe, workflowresttest.exe, proficyclient.exe, vmacthlp.exe, msdtssrvr.exe, sqlservr.exe, msmdsrv.exe, reportingservicesservice.exe, dsmcsvc.exe, winvnc4.exe, client.exe, collwrap.exe, bluestripecollector.exe, sqlbrowser.exe, dsmcad.exe, nimcluster.exe, googleupdate.exe, smc.exe, bcrservice.exe, dbsrv9.exe, rtvscan.exe, bcreporter.exe, csadmin.exe, csdbsync.exe, csmon.exe, csauth.exe, cslog.exe, csradius.exe, cstacacs.exe, url_response.exe, vmware-converter-a.exe, vmware-converter.exe, avagent.exe, paxton.net2.clientservice.exe, paxton.net2.commsserverservice.exe, avscc.exe, prunsrv.exe, googlecrashhandler.exe, googlecrashhandler64.exe, vmwaretray.exe, nd2svc.exe, tnslsnr.exe, omtsreco.exe, oracle.exe, patrolagent.exe, scfagent_64.exe, patrolperf.exe, rscdsvc.exe, rscd.exe, pmgreader.exe, firefox.exe, chrome.exe, netsession_win.exe, pcsws.exe, pcscm.exe, cwbunnav.exe, rdrcef.exe, ndrvx.exe, ndrvs.exe, dr_serviceengine.exe, teamviewer_service.exe, sqlagent.exe, dwrcst.exe, ccm messaging.exe, zoolz.exe, agntsvc.exe, dbeng50.exe, dbsnmp.exe, encsvc.exe, excel.exe, firefoxconfig.exe, infopath.exe, isqlplussvc.exe, msaccess.exe, msftesql.exe, mspub.exe, mydesktopqos.exe, mydesktopservice.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, onenote.exe, outlook.exe, powerpnt.exe, sqbcoreservice.exe, sqlwriter.exe, steam.exe, synctime.exe, tbirdconfig.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, xfssvccon.exe, tmlisten.exe, pccntmon.exe, cntaosmgr.exe, ntrtscan.exe, mbamtray.exe, qhactivedefense.exe, qhwatchdog.exe, qhsafetray.exe, avgsvc.exe, avgui.exe, v3lite.exe, v3main.exe, v3sp.exe, avastui.exe, avastsvc.exe, avguard.exe, avshadow.exe, avgnt.exe, avira.servicehost.exe, avira.systray.exe, bdagent.exe, bdredline.exe, bdss.exe, bullguardbhvscanner.exe, bullguardscanner.exe, bullguardtray.exe, bullguardupdate.exe, bullguard.exe, cmdagent.exe, cistray.exe, cis.exe, spideragent.exe, dwengine.exe, dwarkdaemon.exe, dwnetfilter.exe, a2service.exe, a2guard.exe.a2start.exe, egui.exe, ekrn.exe, fshoster32.exe, fshoster64.exe, fortisslvpndaemon.exe, fortiesnac.exe, fortiwf.exe, fortitray.exe, fchelper64.exe, fortiproxy.exe, fcappdb.exe, fcdblog.exe, avp.exe, avpui.exe, mbamservice.exe, mcsacore.exe, mcapexe.exe, mcshield.exe, mcsvhost.exe, nortonsecurity.exe, psuaservice.exe, psuamain.exe, psanhost.exe, sdrservice.exe, swc_service.exe, swi_service.exe, ssp.exe, ccsvchst.exe, smcgui.exe, coreserviceshell.exe, coreframeworkhost.exe, uiwatchdog.exe, uiseagnt.exe, paamsrv.exe, psh_svc.exe, aupdrun.exe, acaas.exe, acaegmgr.exe, acaif.exe, acais.exe, ahnsd.exe, ahnsdsv.exe, autoup.exe, v3clnsrv.exe, v3medic.exe, v3svc.exe, aflogvw.exe, ahnrpt.exe, atwsctsk.exe, v3exec.exe, v3imscn.exe, monsvcnt.exe, monsysnt.exe, aexnsrcvsvc.exe, aexsvc.exe, atrshost.exe, ctdataload.exe, aexagentuihost.exe, aexnsagent.exe, aclntusr.exe, aexswdusr.exe, pxemtftp.exe, aclient.exe, securitycenter.exe, starta.exe, stopa.exe, anvir.exe, csrss_tc.exe, ashavast.exe, ashbug.exe, ashchest.exe, ashcmd.exe, ashdisp.exe, ashenhcd.exe, ashlogv.exe, ashmaisv.exe, ashpopwz.exe, ashquick.exe, ashserv.exe, ashsimp2.exe, ashsimpl.exe, ashskpcc.exe, ashskpck.exe, ashupd.exe, ashwebsv.exe, aswdisp.exe, aswregsvr.exe, aswserv.exe, aswupdsv.exe, aswwebsv.exe, avengine.exe, afwserv.exe, avastemupdate.exe, unsecapp.exe, avgamsvr.exe, avgas.exe, avgcc32.exe, avgcc.exe, avgctrl.exe, avgdiag.exe, avgemc.exe, avgfws8.exe, avgfwsrv.exe, avginet.exe, avgmsvr.exe, avgrssvc.exe, avgscanx.exe, avgserv9.exe, avgserv.exe, avgupd.exe, avgupdln.exe, avgupsvc.exe, avgvv.exe, avgwb.dat, avgw.exe, avgwizfw.exe, guard.exe, avgcsrvx.exe, avgidsagent.exe, avgidsmonitor.exe, avgidsui.exe, avgidswatcher.exe, avgam.exe, avgnsx.exe, avgfws9.exe, avgrsx.exe, avgtray.exe, avgwdsvc.exe, sidebar.exe, avgchsvx.exe, avgcmgr.exe, avgemcx.exe, avgfws.exe, avgmfapx.exe, avgcefrend.exe, avgcsrva.exe, avgemca.exe, avgnsa.exe, avgrsa.exe, loggingserver.exe, toolbarupdater.exe, wtusystemsuport.exe, avgregcl.exe, avgsystx.exe, vprot.exe, avcenter.exe, avconfig.exe, avesvc.exe, avmailc.exe, avmcdlg.exe, avnotify.exe, avscan.exe, guardgui.exe, avadmin.exe, avfwsvc.exe, avwebgrd.exe, fwinst.exe, sysoptenginesvc.exe, bavtray.exe, bhipssvc.exe, bmrt.exe, seccenter.exe, gziface.exe, gzserv.exe, bdc.exe, bdlite.exe, bdmcon.exe, bdsubmit.exe, deloeminfs.exe, livesrv.exe, setloadorder.exe, vsserv.exe, xcommsvr.exe, bka.exe, bkavsystemserver.exe, blupro.exe, blackd.exe, blackice.exe, proutil.exe, rapapp.exe, basfipm.exe, isafe.exe, cavrid.exe, vetmsg.exe, amswmagt, caf.exe, capmuam, agt.exe, ccnfagent.exe, ccsmagtd.exe, cfftplugin.exe, cfnotsrvd.exe, cfsmsmd.exe, alert.exe, igateway.exe, inotask.exe, caantispyware.exe, caavcmdscan.exe, caav.exe, caavguiscan.exe, cafw.exe, calogdump.exe, capfaem.exe, capfsem.exe, cappactiveprotection.exe, casecuritycenter.exe, caunst.exe, cavrep.exe, cctray.exe, ccupdate.exe, isafinst.exe, itmrt_supportdiagnostics.exe, itmrtsvc.exe, itmrt_trace.exe, ppclean.exe, umxagent.exe, umxcfg.exe, umxfwhlp.exe, umxpol.exe, unvet32.exe, capfasem.exe, ccprovsp.exe, ppctlpriv.exe, casc.exe, ccschedulersvc.exe, ccsystemreport.exe, inonmsrv.exe, inoweb.exe, auth8021x.exe, krbcc32s.exe, pep.exe, realmon.exe, repmgr64.exe, csacontrol.exe, leventmgr.exe, okclient.exe, clamscan.exe, clamtray.exe, clamwin.exe, ccemflsv.exe, cssauth.exe, cavscan.exe, clps.exe, clpsla.exe, clpsls.exe, cmdinstall.exe, cfpconfig.exe, cfp.exe, cfplogvw.exe, cfpsbmit.exe, cfpupdat.exe, crashrep.exe, cpf.exe, cfpconfg.exe, csfalconservice.exe, cylanceui.exe, cylancesvc.exe, cramtray.exe, crssvc.exe, amsvc.exe, frzstate2k.exe, drwagnui.exe, drweb32.exe, drweb32w.exe, drweb386.exe, drwebcgp.exe, drwebdc.exe, drweb.exe, drwebmng.exe, drwebscd.exe, drwebupw.exe, drwebwcl.exe, drwebwin.exe, drwinst.exe, spiderml.exe, spidernt.exe, spiderui.exe, drwagntd.exe, drwupgrade.exe, drwebcom.exe, eeyeevnt.exe, retinaengine.exe, a2guard.exe, a2start.exe, administrator.exe, control_panel.exe, usergate.exe, esmagent.exe, era.exe, ppmcativedetection.exe, vettray.exe, cavtray.exe, inorpc.exe, inort.exe, ca.exe, caissdt.exe, etagent.exe, etloganalyzer.exe, etrssfeeds.exe, evtarmgr.exe, evtmgr.exe, etreporter.exe, etconsole3.exe, etwcontrolpanel.exe, useranalysis.exe, etcorrel.exe, evtprocessecfile.exe, etscheduler.exe, useractivity.exe, traptrackermgr.exe, ewidoctrl.exe, ewidoguard.exe, nslocollectorservice.exe, fmon.exe, fortifw.exe, update_task.exe, fpavserver.exe, fprottray.exe, fameh32.exe, fspex.exe, fsaa.exe, bwgo0000, fch32.exe, fih32.exe, fsaua.exe, fsav32.exe, fscuif.exe, fsdfwd.exe, fsgk32.exe, fsgk32st.exe, fsguidll.exe, fsguiexe.exe, fshdll32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsorsp.exe, fspc.exe, fsqh.exe, fssm32.exe, setupguimngr.exe, tnbutil.exe, fsavgui.exe, gdscan.exe, avkproxy.exe, avkservice.exe, avktray.exe, avkwctl.exe, gdfirewalltray.exe, gdfwsvc.exe, endpointsecurity.exe, esecservice.exe, gfireporterservice.exe, esecagntservice.exe, rcsvcmon.exe, dolphincharge.e, dolphincharge.exe, loggetor.exe, netalertclient.exe, printdevice.exe, pwdfilthelp.exe, pthosttr.exe, hpqwmiex.exe, ntcaagent.exe, ntcadaemon.exe, ntcaservice.exe, privacyiconclient.exe, rapuisvc.exe, vpatch.exe, tclproc.exe, isscsf.exe, issdaemon.exe, kvdetech.exe, kvmonxp_2.kxp, kvmonxp.kxp, kvolself.exe, kvsrvxp_1.exe, kvsrvxp.exe, kvxp.kxp, ppppwallrun.exe, avpcc.exe, avpexec.exe, avpm.exe, avpncc.exe, avps.exe, avpupd.exe, kav.exe, kavisarv.exe, kavmm.exe, kavss.exe, kavsvc.exe, kis.exe, klnagent.exe, klswd.exe, klwtblfs.exe, kwsprod.exe, up2date.exe, klserver.exe, oespamtest.exe, kavadapterexe.exe, kavlotsingleton.exe, kavfsgt.exe, kavfsrcn.exe, kavfs.exe, kavfswp.exe, kavshell.exe, klnacserver.exe, avpdtagt.exe, netcfg.exe, kavfsscs.exe, kavtray.exe, persfw.exe, avserver.exe, winroute.exe, wrctrl.exe, kabackreport.exe, kaccore.exe, kanmcmain.exe, kastray.exe, kislive.exe, kmailmon.exe, knupdatemain.exe, kswebshield.exe, kxeserv.exe, uplive.exe, kansgui.exe, kansvr.exe, kavstart.exe, kpfwsvc.exe, kwatch.exe, kav32.exe, kissvc.exe, kpfw32.exe, system.exe, wssfcmai.exe, aawservice.exe, ad-aware2007.exe, nlsvc.exe, engineserver.exe, eventparser.exe, log_qtine.exe, mfeann.exe, nailgpip.exe, rpcserv.exe, srvmon.exe, mcagent.exe, mfemactl.exe, macmnsvc.exe, masvc.exe, masalert.exe, msssrv.exe, massrv.exe, msscli.exe, mcshld9x.exe, mgavrtcl.exe, mcappins.exe, mfecanary.exe, macompatsvc.exe, mcvsrte.exe, mfefire.exe, dao_log.exe, firesvc.exe, firetray.exe, mfeesp.exe, naprdmgr.exe, cpd.exe, mfefw.exe, frameworkservic, cmgrdian.exe, mcshell.exe, mfehcs.exe, mcinfo.exe, hwapi.exe, mcafeedatabackup.exe, mcmscsvc.exe, mcnasvc.exe, mcods.exe, mcpromgr.exe, mcproxy.exe, mcuimgr.exe, mpfsrv.exe, mpsevh.exe, mps.exe, msksrver.exe, redirsvc.exe, saservice.exe, siteadv.exe, mfemms.exe, neotrace.exe, vshwin32.exe, mpfagent.exe, mpfconsole.exe, mpf.exe, mpfservice.exe, mpftray.exe, mscifapp.exe, mfevtps.exe, qclean.exe, mcregwiz.exe, rssensor.exe, safeservice.exe, ncdaemon.exe, mcdash.exe, mcdetect.exe, ssscheduler.exe, sahookmain.exe, mskdetct.exe, msksrvr.exe, mskagent.exe, stinger.exe, mcsysmon.exe, mctskshd.exe, mfetp.exe, myagttry.exe, mcupdmgr.exe, rulaunch.exe, mcvsshld.exe, tbmon.exe, alogserv.exe, mcmnhdlr.exe, mghtml.exe, edisk.exe, scan32.exe, frameworkservice.exe, mcconsol.exe, mcscript_inuse.exe, mctray.exe, mcupdate.exe, shstat.exe, udaterui.exe, updaterui.exe, mcepoc.exe, mcepocfg.exe, mcpalmcfg.exe, mcwcecfg.exe, mcwce.exe, frameworkservic.exe, vsmain.exe, oasclnt.exe, vsstat.exe, mcvsftsn.exe, avconsol.exe, avsynmgr.exe, vstskmgr.exe, webscanx.exe, mfewc.exe, mfewch.exe, giantantispywaremain.exe, giantantispywareupdater.exe, gcasservalert.exe, gcascleaner.exe, gcasinstallhelper.exe, gcasnotice.exe, gcasdtserv.exe, gcasserv.exe, gcasswupdater.exe, fcsms.exe, fcssas.exe, nissrv.exe, dpmra.exe, msseces.exe, wscntfy.exe, securitymanager.exe, aesecurityservice.exe, deteqt.agent.exe, omniagent.exe, nerosvc.exe, seanalyzertool.exe, spyemergency.exe, spyemergencysrv.exe, nlclient.exe, crdm.exe, nmagent.exe, ehttpsrv.exe, nod32.exe, nod32krn.exe, nod32kui.exe, nod32view.exe, cclaw.exe, elogsvc.exe, nip.exe, nipsvc.exe, njeeves.exe, npfmsg2.exe, npfmsg.exe, npfsvice.exe, nrmenctb.exe, nvcoas.exe, nvcsched.exe, nymse.exe, zanda.exe, zlh.exe, ixaptsvc.exe, ixavsvc.exe, ixfwsvc.exe, emlproui.exe, emlproxy.exe, mpsvc.exe, onlinent.exe, onlnsvc.exe, scanmsg.exe, scanwscs.exe, tsansrf.exe, tsatisy.exe, tscutynt.exe, tsmpnt.exe, upschd.exe, xfilter.exe, aps.exe, aus.exe, outpost.exe, adminserver.exe, avtask.exe, clshield.exe, console.exe, cpntsrv.exe, padfsvr.exe, pasystemtray.exe, pavfnsvr.exe, pavkre.exe, pavprot.exe, pavreport.exe, pnmsrv.exe, psimsvc.exe, pavupg.exe, remupd.exe, iface.exe, pavfires.exe, pavmail.exe, pavprsrv.exe, pavsched.exe, pavsrv50.exe, pavsrv51.exe, pavsrv52.exe, prevsrv.exe, tpsrv.exe, pagent.exe, pagentwd.exe, psctris.exe, apvxdwin.exe, inicio.exe, pavbckpt.exe, pavjobs.exe, psctrls.exe, pshost.exe, psimreal.exe, pskmssvc.exe, srvload.exe, webproxy.exe, avltmain.exe, firewallgui.exe, pviewer.exe, pview.exe, pmon.exe, qoeloader.exe, fws.exe, ccenter.exe, ravxp.exe, rfwproxy.exe, rfwstub.exe, knownsvr.exe, ras.exe, rasupd.exe, upfile.exe, rstray.exe, ravalert.exe, rav.exe, ravmond.exe, ravmon.exe, ravservice.exe, ravstub.exe, ravtask.exe, ravtray.exe, ravupdate.exe, rnreport.exe, rsnetsvr.exe, scanfrm.exe, rfwmain.exe, rfwsrv.exe, winlog.exe, omslogmanager.exe, snhwsrv.exe, snicheckadm.exe, snichecksrv.exe, snicon.exe, snsrv.exe, smsx.exe, svcharge.exe, svdealer.exe, svframe.exe, svtray.exe, sschk.exe, trjscan.exe, trupd.exe, ssecuritymanager.exe, dltray.exe, dlservice.exe, almon.exe, lmon.exe, savadminservice.exe, savservice.exe, sweepsrv.sys, swnetsup.exe, alsvc.exe, alupdate.exe, savmain.exe, sav32cli.exe, certificationmanagerservicent.exe, emlibupdateagentnt.exe, managementagentnt.exe, mgntsvc.exe, routernt.exe, schdsrvc.exe, scfmanager.exe, scfservice.exe, scftray.exe, op_viewer.exe, sgbhp.exe, pctsauxs.exe, pctsgui.exe, pctssvc.exe, pctstray.exe, regmech.exe, sdtrayapp.exe, svcntaux.exe, swdsvc.exe, swnxt.exe, execstat.exe, seestat.exe, swserver.exe, slee81.exe, kpf4gui.exe, kpf4ss.exe, wrspysetup.exe, acctmgr.exe, alertsvc.exe, alunotify.exe, aluschedulersvc.exe, appsvc32.exe, ccap.exe, ccapp.exe, ccevtmgr.exe, ccproxy.exe, ccpxysvc.exe, ccsetmgr.exe, checkup.exe, cka.exe, comhost.exe, cpdclnt.exe, csinject.exe, csinsm32.exe, csinsmnt.exe, dbserv.exe, defwatch.exe, defwatch, diskmon.exe, djsnetcn.exe, doscan.exe, dwhwizrd.exe, fwcfg.exe, ghost_2.exe, ghosttray.exe, icepack.exe, idsinst.exe, ispwdsvc.exe, issvc.exe, isuac.exe, luall.exe, lucallbackproxy.exe, lucoms~1.exe, lucoms.exe, mcui32.exe, navapsvc.exe, navapw32.exe, navectrl.exe, navelog.exe, navesp.exe, navshcom.exe, navw32.exe, navwnt.exe, ndetect.exe, ngctw32.exe, ngserver.exe, nisoptui.exe, nisserv.exe, nisum.exe, nmain.exe, npfmntor.exe, nprotect.exe, npscheck.exe, npssvc.exe, nscsrvce.exe, nsctop.exe, nsmdtr.exe, olfsnt40.exe, opscan.exe, poproxy.exe, pqibrowser.exe, pqv2isvc.exe, pxeservice.exe, qdcsfs.exe, qserver.exe, reportersvc.exe, rnav.exe, savfmsesp.exe, savroam.exe, savscan.exe, savui.exe, sbserv.exe, scan, explicit.exe, semsvc.exe, sesclu.exe, sevinst.exe, smsectrl.exe, smselog.exe, smsesjm.exe, smsesp.exe, smsesrv.exe, smsetask.exe, smseui.exe, sms.exe, sndmon.exe, sndsrvc.exe, spbbcsvc.exe, symlcsvc.exe, symproxysvc.exe, symsport.exe, symtray.exe, symwsc.exe, sysdoc32.exe, ucservice.exe, updtnv28.exe, urllstck.exe, usrprmpt.exe, v2iconsole.exe, vpc32.exe, vpdn_lu.exe, vprosvc.exe, wfxctl32.exe, wfxmod32.exe, wfxsnt40.exe, lucomserver.exe, savfmselog.exe, savfmsesjm.exe, savfmsectrl.exe, savfmsespamstatsmanager.exe, savfmsesrv.exe, savfmsetask.exe, savfmseui.exe, snac.exe, ssm.exe, reportsvc.exe, vptray.exe, procexp.exe, tdimon.exe, tfun.exe, tfgui.exe, tfservice.exe, tftray.exe, tiaspn~1.exe, traflnsp.exe, asupport.exe, isntsmtp.exe, nsmdemf.exe, nsmdmon.exe, nsmdreal.exe, nsmdsch.exe, ofcdog.exe, pccnt.exe, pccntupd.exe, pcctlcom.exe, pcscnsrv.exe, schupd.exe, tmntsrv.exe, tmpfw.exe, tmproxy.exe, tmas.exe, entitymain.exe, aphost.exe, lwdmserver.exe, mrf.exe, isntsysmonitor, ofcpfwsvc.exe, dwwin.exe, patch.exe, pccclient.exe, pccguide.exe, pcclient.exe, pccpfw.exe, pcscan.exe, pntiomon.exe, pop3pack.exe, pop3trap.exe, scanmailoutlook.exe, smoutlookpack.exe, webtrapnt.exe, euqmonitor.exe, smex_activeupda, smex_master.exe, smex_remoteconf, smex_systemwatc, svcgenerichost, spntsvc.exe, stopp.exe, stwatchdog.exe, usbguard.exe, uploadrecord.exe, sbamsvc.exe, vrvmail.exe, vrvmon.exe, vrvnet.exe, vrv.exe, wrsa.exe, networkagent.exe, websensecontrolservice.exe, mpcmdrun.exe, msascui.exe, msmpeng.exe, mspmspsv.exe, kb891711.exe, zavaux.exe, zavcore.exe, zillya.exe, zlclient.exe, vsmon.exe, forcefield.exe, iswmgr.exe, zapro.exe, zonealarm.exe, mantispm.exe, GDDServer.exe
avsynmgr.exe, vstskmgr.exe, webscanx.exe, c.exe, ch.exe, gcascleaner.exe, gcasnotice.exe, gcasdtserv.exe, gcasserv.exe, fcsms.exe, fcssas.exe, nissrv.exe, dpmra.exe, msseces.exe, wscntfy.exe, deteqt.agent.exeomniagent.exe, nerosvc.exe, spyemergency.exenlclient.exe, crdm.exenip.exe, nmagent.exe, ehttpsrv.exe, nod32.exe, nod32krn.exe, nod32kui.exe, nod32view.exe, cclaw.exe, elogsvc.exe, nipsvc.exe, njeeves.exe, npfmsg2.exe, npfmsg.exe, npfsvice.exe, nrmenctb.exe, nvcoas.exe, nvcsched.exe, nymse.exezlh.exezanda.exe, ixaptsvc.exe, ixavsvc.exe, ixfwsvc.exe, emlproui.exe, emlproxy.exe, mpsvc.exeaps.exeonlinent.exe, onlnsvc.exe, scanmsg.exe, scanwscs.exe, tsansrf.exe, tsatisy.exe, tscutynt.exe, tsmpnt.exe, upschd.exe, xfilter.exe, aus.exeiface.exeoutpost.exe, adminserver.exe, avtask.exe, clshield.exe, console.exe, cpntsrv.exe, padfsvr.exe, pasystemtray.exepavfnsvr.exe, pavkre.exe, pavprot.exe, pavreport.exe, pnmsrv.exe, psimsvc.exe, pavupg.exe, remupd.exe, pavfires.exe, pavmail.exe, pavprsrv.exe, pavsched.exe, pavsrv50.exe, pavsrv51.exe, pavsrv52.exe, prevsrv.exe, tpsrv.exe, pagent.exe, pagentwd.exe, psctris.exe, apvxdwin.exe, inicio.exe, pavbckpt.exe, pavjobs.exe, psctrls.exe, pshost.exe, psimreal.exe, pskmssvc.exe, srvload.exe, webproxy.exe, avltmain.exe, firewallgui.exe, pviewer.exe, pview.exe, pmon.exefws.exe, qoeloader.exe, ccenter.exe, ravxp.exeras.exerfwproxy.exe, rfwstub.exe, knownsvr.exe, rasupd.exe, upfile.exe, rstray.exe, ravalert.exe, rav.exesnsrv.exeravmond.exe, ravmon.exe, ravservice.exe, ravstub.exe, ravtask.exe, ravtray.exe, ravupdate.exe, rnreport.exe, rsnetsvr.exe, scanfrm.exe, rfwmain.exe, rfwsrv.exe, winlog.exe, snhwsrv.exe, snicheckadm.exe, snichecksrv.exe, snicon.exe, smsx.exelmon.exesvcharge.exe, svdealer.exe, svframe.exe, svtray.exe, sschk.exe, trjscan.exe, trupd.exe, dltray.exe, dlservice.exe, almon.exe, savservice.exe, sweepsrv.sys, swnetsup.exe, alsvc.exe, alupdate.exe, savmain.exe, sav32cli.exe, mgntsvc.exe, routernt.exe, schdsrvc.exe, scfmanager.exe, scfservice.exe, scftray.exe, op_viewer.exe, sgbhp.exe, pctsauxs.exe, pctsgui.exe, pctssvc.exe, pctstray.exe, regmech.exe, sdtrayapp.exe, svcntaux.exe, swdsvc.exe, swnxt.exe, execstat.exe, seestat.exe, swserver.exe, slee81.exe, kpf4gui.exe, kpf4ss.exe, wrspysetup.exe, acctmgr.exe, alertsvc.exe, alunotify.exe, appsvc32.exe, ccap.execka.exe, ccapp.exe, ccevtmgr.exe, ccproxy.exe, ccpxysvc.exe, ccsetmgr.exe, checkup.exe, comhost.exe, cpdclnt.exe, csinject.exe, csinsm32.exe, csinsmnt.exe, dbserv.exe, defwatch.exe, defwatchrnav.exediskmon.exe, djsnetcn.exe, doscan.exe, dwhwizrd.exe, fwcfg.exe, ghost_2.exe, ghosttray.exe, icepack.exe, idsinst.exe, ispwdsvc.exe, issvc.exe, isuac.exe, luall.exe, lucoms.exe, mcui32.exe, navapsvc.exe, navapw32.exe, navectrl.exe, navelog.exe, navesp.exe, navshcom.exe, navw32.exe, navwnt.exe, ndetect.exe, ngctw32.exe, ngserver.exe, nisoptui.exe, nisserv.exe, nisum.exe, nmain.exe, npfmntor.exe, nprotect.exe, npscheck.exe, npssvc.exe, nscsrvce.exe, nsctop.exe, nsmdtr.exe, olfsnt40.exe, opscan.exe, poproxy.exe, pqibrowser.exe, pqv2isvc.exe, pxeservice.exe, qdcsfs.exe, qserver.exe, reportersvc.exe, savfmsesp.exe, savroam.exe, savscan.exe, savui.exe, scansbserv.exe, explicit.exe, semsvc.exe, sesclu.exe, sevinst.exe, smsectrl.exe, smselog.exe, smsesjm.exe, smsesp.exe, smsesrv.exe, smsetask.exe, smseui.exe, sms.exevpc32.exesndmon.exe, sndsrvc.exe, spbbcsvc.exe, symlcsvc.exe, symproxysvc.exe, symsport.exe, symtray.exe, symwsc.exe, sysdoc32.exe, ucservice.exe, updtnv28.exe, urllstck.exe, usrprmpt.exe, v2iconsole.exe, vpdn_lu.exe, vprosvc.exe, wfxctl32.exe, wfxmod32.exe, wfxsnt40.exe, lucomserver.exe, savfmselog.exe, savfmsesjm.exe, savfmsectrl.exe, savfmsesrv.exe, savfmsetask.exe, savfmseui.exe, snac.exessm.exe, reportsvc.exe, vptray.exe, procexp.exe, tdimon.exe, tfun.exetmas.exetfgui.exe, tfservice.exe, tftray.exe, traflnsp.exe, asupport.exe, isntsmtp.exe, nsmdemf.exe, nsmdmon.exe, nsmdreal.exe, nsmdsch.exe, ofcdog.exe, pccnt.exe, pccntupd.exe, pcctlcom.exe, pcscnsrv.exe, schupd.exe, tmntsrv.exe, tmpfw.exe, tmproxy.exe, entitymain.exe, aphost.exe, lwdmserver.exe, mrf.exedwwin.exeisntsysmonitor, fcpfwsvc.exe, patch.exevrv.exepccclient.exe, pccguide.exe, pcclient.exe, pccpfw.exe, pcscan.exe, pntiomon.exe, pop3pack.exe, pop3trap.exe, webtrapnt.exe, euqmonitor.exe, smex_activeupda, smex_master.exe, smex_remoteconf, smex_systemwatc, svcgenerichost, spntsvc.exe, stopp.exe, stwatchdog.exe, usbguard.exe, uploadrecord.exesbamsvc.exe, vrvmail.exe, vrvmon.exe, vrvnet.exe, wrsa.exexagt.exenetworkagent.exempcmdrun.exe, msascui.exe, msmpeng.exe, mspmspsv.exe, kb891711.exe, zavaux.exe, zavcore.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, xfssvccon.exe, tmlisten.exe, pccntmon.exe, cntaosmgr.exe, ntrtscan.exe, mbamtray.exe, qhwatchdog.exe, qhsafetray.exe, avgsvc.exe, avgui.exe, v3lite.exe, v3main.exe, avastui.exe, avastsvc.exe, avguard.exe, avshadow.exe, avgnt.exe, bdagent.exe, bdredline.exe, bdss.execis.exe, bullguard.exe, cmdagent.exe, cistray.exe, spideragent.exe, dwengine.exe, dwarkdaemon.exe, dwnetfilter.exe, a2service.exe, egui.exeekrn.exefshoster32.exe, fshoster64.exe, fortiesnac.exe, fortiwf.exe, fortitray.exe, fchelper64.exe, fortiproxy.exe, fcappdb.exe, fcdblog.exe, avp.exeavpui.exembamservice.exe, mcsacore.exe, mcapexe.exe, mcshield.exe, mcsvhost.exe, psuaservice.exe, psuamain.exe, psanhost.exe, sdrservice.exe, swc_service.exe, swi_service.exe, ssp.exeacaas.execcsvchst.exe, smcgui.exe, uiwatchdog.exe, uiseagnt.exe, paamsrv.exe, psh_svc.exe, aupdrun.exe, acaegmgr.exe, acaif.exe, acais.exe, ahnsd.exe, ahnsdsv.exe, autoup.exe, v3clnsrv.exe, v3medic.exe, v3svc.exe, aflogvw.exe, ahnrpt.exe, atwsctsk.exe, v3exec.exe, v3imscn.exe, monsvcnt.exe, monsysnt.exe, aexnsrcvsvc.exe, aexsvc.exe, atrshost.exe, ctdataload.exe, aexnsagent.exe, aclntusr.exe, aexswdusr.exe, pxemtftp.exe, aclient.exe, starta.exe, stopa.exe, anvir.exe, csrss_tc.exe, ashavast.exe, ashbug.exe, ashchest.exe, ashcmd.exe, ashdisp.exe, ashenhcd.exe, ashlogv.exe, ashmaisv.exe, ashpopwz.exe, ashquick.exe, ashserv.exe, ashsimp2.exe, ashsimpl.exe, ashskpcc.exe, ashskpck.exe, ashupd.exe, ashwebsv.exe, aswdisp.exe, aswregsvr.exe, aswserv.exe, aswupdsv.exe, aswwebsv.exe, avengine.exe, afwserv.exe, unsecapp.exe, avgamsvr.exe, avgas.exe, avgcc32.exe, avgcc.exe, avgctrl.exe, avgdiag.exe, avgemc.exe, avgfws8.exe, avgfwsrv.exe, avginet.exe, avgmsvr.exe, avgrssvc.exe, avgscanx.exe, avgserv9.exe, avgserv.exe, avgupd.exe, avgupdln.exe, avgupsvc.exe, avgvv.exe, avgwb.dat, avgw.exebmrt.exeavgwizfw.exe, guard.exe, avgcsrvx.exe, avgidsagent.exe, avgidsui.exe, avgam.exe, avgnsx.exe, avgfws9.exe, avgrsx.exe, avgtray.exe, avgwdsvc.exe, sidebar.exe, avgchsvx.exe, avgcmgr.exe, avgemcx.exe, avgfws.exe, avgmfapx.exe, avgcefrend.exe, avgcsrva.exe, avgemca.exe, avgnsa.exe, avgrsa.exe, avgregcl.exe, avgsystx.exe, vprot.exe, avcenter.exe, avconfig.exe, avesvc.exe, avmailc.exe, avmcdlg.exe, avnotify.exe, avscan.exe, guardgui.exe, avadmin.exe, avfwsvc.exe, avwebgrd.exe, fwinst.exe, bavtray.exe, bhipssvc.exe, seccenter.exe, gziface.exe, gzserv.exe, bdc.exebka.exe, bdlite.exe, bdmcon.exe, bdsubmit.exe, deloeminfs.exe, livesrv.exe, setloadorder.exevsserv.exe, xcommsvr.exe, blupro.exe, blackd.exe, blackice.exe, proutil.exe, rapapp.exe, basfipm.exe, isafe.exe, cavrid.exe, vetmsg.exe, amswmagtcaf.exe, capmuamagt.exe, ccnfagent.exe, ccsmagtd.exe, cfftplugin.exe, cfnotsrvd.exe, cfsmsmd.exe, alert.exe, igateway.exe, inotask.exe, caavcmdscan.exe, caav.execafw.execaavguiscan.exe, calogdump.exe, capfaem.exe, capfsem.exe, caunst.exe, cavrep.exe, cctray.exe, ccupdate.exe, isafinst.exe, itmrtsvc.exe, itmrt_trace.exe, ppclean.exe, umxagent.exe, umxcfg.exe, umxfwhlp.exe, umxpol.exe, unvet32.exe, capfasem.exe, ccprovsp.exe, ppctlpriv.exe, casc.exepep.exe, inonmsrv.exe, inoweb.exe, auth8021x.exe, krbcc32s.exe, realmon.exe, repmgr64.exe, csacontrol.exe, leventmgr.exe, okclient.exe, clamscan.exe, clamtray.exe, clamwin.exe, ccemflsv.exe, cssauth.exe, cavscan.exe, clps.execfp.exe, clpsla.exe, clpsls.exe, cmdinstall.exe, cfpconfig.exe, cfplogvw.exe, cfpsbmit.exe, cfpupdat.exe, crashrep.exe, cpf.exeamsvc.execfpconfg.exe, cylanceui.exe, cylancesvc.exe, cramtray.exe, crssvc.exe, frzstate2k.exe, drwagnui.exe, drweb32.exe, drweb32w.exe, drweb386.exe, drwebcgp.exe, drwebdc.exe, drweb.exeera.exedrwebmng.exe, drwebscd.exe, drwebupw.exe, drwebwcl.exe, drwebwin.exe, drwinst.exe, spiderml.exe, spidernt.exe, spiderui.exe, drwagntd.exe, drwupgrade.exe, drwebcom.exe, eeyeevnt.exe, retinaengine.exea2guard.exe, a2start.exe, usergate.exe, esmagent.exe, vettray.exe, cavtray.exe, inorpc.exe, inort.exe, ca.execaissdt.exe, etagent.exe, etrssfeeds.exe, evtarmgr.exe, evtmgr.exe, etreporter.exe, etconsole3.exe, useranalysis.exeetcorrel.exe, etscheduler.exe, useractivity.exeewidoctrl.exe, ewidoguard.exe, fmon.exefsaa.exefortifw.exe, update_task.exe, fpavserver.exe, fprottray.exe, fameh32.exe, fspex.exe, bwgo0000fspc.exefch32.exe, fih32.exe, fsaua.exe, fsav32.exe, fscuif.exe, fsdfwd.exe, fsgk32.exe, fsgk32st.exe, fsguidll.exe, fsguiexe.exe, fshdll32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsorsp.exe, fsqh.exekvxp.kxpfssm32.exe, setupguimngr.exetnbutil.exe, fsavgui.exe, gdscan.exe, avkproxy.exe, avkservice.exe, avktray.exe, avkwctl.exe, gdfwsvc.exe, esecservice.exe, rcsvcmon.exe, dolphincharge.e, loggetor.exe, printdevice.exe, pwdfilthelp.exe, pthosttr.exe, hpqwmiex.exe, ntcaagent.exe, ntcadaemon.exe, ntcaservice.exe, rapuisvc.exe, vpatch.exe, tclproc.exe, isscsf.exe, issdaemon.exe, kvdetech.exe, kvmonxp_2.kxp, kvmonxp.kxp, kvolself.exe, kvsrvxp_1.exe, kvsrvxp.exe, ppppwallrun.exe, avpcc.exe, avpexec.exe, avpm.exeavps.exeavpncc.exe, avpupd.exe, kav.exekavmm.exekavisarv.exe, kavss.exekis.exekavsvc.exe, klnagent.exe, klswd.execpd.exeklwtblfs.exe, kwsprod.exe, up2date.exe, klserver.exe, oespamtest.exe, kavfsgt.exe, kavfsrcn.exe, kavfs.exe, kavfswp.exe, kavshell.exe, klnacserver.exe, avpdtagt.exe, netcfg.exe, kavfsscs.exe, kavtray.exe, persfw.exe, avserver.exe, winroute.exe, wrctrl.exe, kabackreport.exekaccore.exe, kanmcmain.exe, kastray.exe, kislive.exe, kmailmon.exe, knupdatemain.exekswebshield.exe, kxeserv.exe, uplive.exe, kansgui.exe, kansvr.exe, kavstart.exe, kpfwsvc.exe, kwatch.exe, kav32.exe, kissvc.exe, kpfw32.exe, system.exe, wssfcmai.exe, aawservice.exe, engineserver.exeeventparser.exe, log_qtine.exe, mfeann.exe, nailgpip.exe, rpcserv.exe, srvmon.exe, mcagent.exe, mfemactl.exe, macmnsvc.exe, masvc.exe, masalert.exe, msssrv.exe, massrv.exe, msscli.exe, mcshld9x.exe, mgavrtcl.exe, mcappins.exe, mfecanary.exe, macompatsvc.exe, mcvsrte.exe, mfefire.exe, dao_log.exe, firesvc.exe, firetray.exe, mfeesp.exe, naprdmgr.exe, mfefw.exemps.exeframeworkservic, cmgrdian.exe, mcshell.exe, mfehcs.exe, mcinfo.exe, hwapi.exe, mcmscsvc.exe, mcnasvc.exe, mcods.exe, mcpromgr.exe, mcproxy.exe, mcuimgr.exe, mpfsrv.exe, mpsevh.exe, msksrver.exe, redirsvc.exe, saservice.exe, siteadv.exe, mfemms.exe, neotrace.exe, vshwin32.exe, mpfagent.exe, mpfconsole.exe, mpf.exemfetp.exempfservice.exe, mpftray.exe, mscifapp.exe, mfevtps.exe, qclean.exe, mcregwiz.exe, rssensor.exe, safeservice.exe, ncdaemon.exe, mcdash.exe, mcdetect.exe, ssscheduler.exe, sahookmain.exe, mskdetct.exe, msksrvr.exe, mskagent.exe, stinger.exe, mcsysmon.exe, mctskshd.exe, myagttry.exe, mcupdmgr.exe, rulaunch.exe, mcvsshld.exe, tbmon.exe, alogserv.exe, mcmnhdlr.exe, mghtml.exe, edisk.exe, scan32.exe, mcconsol.exe, mctray.exe, mcupdate.exe, shstat.exe, udaterui.exe, updaterui.exe, mcepoc.exe, mcepocfg.exe, mcpalmcfg.exe, mcwcecfg.exe, mcwce.exe, vsmain.exe, oasclnt.exe, vsstat.exe, mcvsftsn.exe, avconsol.exe, kavlotsingleton.exe, mcafeedatabackup.exe, frameworkservice.exe, mcscript_inuse.exe, frameworkservic.exe, giantantispywaremain.exe, giantantispywareupdater.exe, gcasservalert.exe, gcasinstallhelper.exe, gcasswupdater.exe, securitymanager.exe, aesecurityservice.exe, seanalyzertool.exe, spyemergencysrv.exe, omslogmanager.exe, ssecuritymanager.exe, savadminservice.exe, emlibupdateagentnt.exe, managementagentnt.exe, aluschedulersvc.exe, lucallbackproxy.exe, savfmsespamstatsmanager.exe, scanmailoutlook.exe, smoutlookpack.exe, websensecontrolservice.exe
.docx, .accdb, .accde, .accdr, .accdt, .asp, .aspx, .back, .backup, .backupdb, .bak, .mdb, .mdc, .mdf, .war, .xls, .xlsx, .xlsm, .xlr, .zip, .rar, .sqlitedb, .sql, .py, .ppam, .pps, .ppsm, .ppsx, .ppt, pptm, .pptx, .hpp, .java, .jsp, .php, .doc, .docm, .pst, .psd, .dot, dotm, .cpp, .cs, .csv, .bkp, .db, .db-journal, .csproj, .sln, .md, .pl, .js, .html, .htm, .dbf, .rdo, .arc, .vhd, .vmdk, .vdi, .vhdx, .edb, .c, .h
FortiGuard Labs has shared the findings of this research analysis with fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.
Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs.