A BlackByte Ransomware intrusion case study
Published May 19 2024 03:03 AM
Microsoft

Introduction 

As ransomware attacks grow in number and sophistication every year, threat actors can quickly impact business operations if organizations are not well prepared. In this blog, we detail an investigation into a ransomware event. During this intrusion the threat actor progressed through the full attack chain, from initial access through to impact, in less than five days, causing significant business disruption for the victim organization.  

During the investigation, the Microsoft Incident Response team (formerly known as DART) identified the threat actor employing a range of tools & techniques to achieve their objectives, including:  

  • Exploitation of unpatched internet-exposed Microsoft Exchange Servers
  • Web shell deployment facilitating remote access
  • Use of living-off-the-land tools for persistence and reconnaissance
  • Cobalt Strike beacons for command and control 
  • Process Hollowing and the use of vulnerable drivers for defense evasion 
  • Deployment of custom developed backdoors to facilitate persistence 
  • Deployment of a custom developed data collection and exfiltration tool 

Forensic analysis

 

Initial Access 

 

In order to obtain initial access into the victim’s environment, the Threat Actor was observed exploiting known vulnerabilities (ProxyShell) on unpatched Microsoft Exchange Servers: 

  • CVE-2021-34473  
  • CVE-2021-34523 
  • CVE-2021-31207 

The exploitation of these vulnerabilities allowed the Threat Actor to: 

  • Attain SYSTEM level privileges on the compromised Exchange host  
  • Enumerate the LegacyDN of users by sending Autodiscover requests, including SIDs of users
  • Construct a valid authentication token and use it against the Exchange PowerShell backend
  • Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
  • Create web shells in order to obtain remote control on the affected servers

 

The Threat Actor was observed operating from the following IP to exploit ProxyShell and access the web shell: 

  • 185.225.73[.]244 

 

Persistence 

 

Backdoor 

Microsoft IR identified the creation of Registry Run Keys, a common persistence mechanism employed by threat actors to maintain access to a compromised device, where a payload is executed each time a specific user logs in. 

| Registry Key | ValueName | ValueData |
| --- | --- | --- |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | MsEdgeMsE | rundll32 C:\Users\user\Downloads\api-msvc.dll,Default |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | MsEdgeMsE | rundll32 C:\temp\api-msvc.dll,Default |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | MsEdgeMsE | rundll32 C:\systemtest\api-system.png,Default |

 

api-msvc.dll, detected by Microsoft Defender Antivirus as Trojan:Win32/Kovter!MSR, was determined to be a backdoor capable of collecting system information such as installed antivirus products, device name and IP address. This information is then sent via HTTP POST request to a command and control (C2) channel: 

  • hxxps://myvisit[.]alteksecurity[.]org/t 

| FileName | SHA-256 |
| --- | --- |
| api-msvc.dll | 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e |

 

Unfortunately, the organization was not using Microsoft Defender as its primary AV/EDR solution, which prevented it from taking action against the malicious code.

 

An additional file name, api-system.png, was identified with similarities to api-msvc.dll.  This file behaved like a DLL, had the same default export function, and also leveraged Run Keys for persistence.  
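One way to triage Run-key values like the ones listed above, as an added example (not code from Microsoft IR): it parses each rundll32 command line and flags modules that sit outside Windows and Program Files or that lack a library extension, which is what catches api-system.png. The trusted roots, the accepted extensions and the sample values named Example* are assumptions constructed for the illustration.

```python
import ntpath
import re

# Roots where auto-started library modules normally live. Assumption for this
# example; extend it for software your environment installs elsewhere.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LIBRARY_EXTENSIONS = {".dll", ".cpl", ".ocx"}

# Matches a bare, path-qualified or quoted rundll32 at the start of the value.
_RUNDLL32 = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.IGNORECASE)


def parse_rundll32(value_data):
    """Split 'rundll32 <module>,<export> [args]' into (module, export), else None."""
    match = _RUNDLL32.match(value_data)
    if match is None:
        return None
    rest = match.group("rest").strip()
    if rest.startswith('"'):
        # Quoted module path, which may contain spaces or commas.
        end = rest.find('"', 1)
        if end == -1:
            return None
        module, tail = rest[1:end], rest[end + 1:]
    else:
        # Unquoted module path ends at the first comma or whitespace.
        cut = re.search(r"[,\s]", rest)
        module, tail = (rest[:cut.start()], rest[cut.start():]) if cut else (rest, "")
    fields = tail.lstrip(", ").split()
    return module, (fields[0] if fields else "")


def assess_run_value(value_data):
    """Return the reasons a Run-key value looks suspicious (empty list if none)."""
    parsed = parse_rundll32(value_data)
    if parsed is None:
        return []
    # normpath collapses '..' so a traversal cannot hide behind a trusted prefix.
    path = ntpath.normpath(parsed[0]).lower()
    reasons = []
    if ntpath.splitext(path)[1] not in LIBRARY_EXTENSIONS:
        reasons.append("module does not have a library extension")
    drive, _ = ntpath.splitdrive(path)
    if drive and not path.startswith(TRUSTED_ROOTS):
        reasons.append("module loaded from outside Windows and Program Files")
    return reasons


def triage_run_keys(entries):
    """entries: iterable of (value_name, value_data). Returns one dict per hit."""
    findings = []
    for value_name, value_data in entries:
        reasons = assess_run_value(value_data)
        if reasons:
            module, export = parse_rundll32(value_data)
            findings.append({"name": value_name, "module": module,
                             "export": export, "reasons": reasons})
    return findings


SAMPLE_RUN_VALUES = [
    # The three values reported in this case study.
    ("MsEdgeMsE", r"rundll32 C:\Users\user\Downloads\api-msvc.dll,Default"),
    ("MsEdgeMsE", r"rundll32 C:\temp\api-msvc.dll,Default"),
    ("MsEdgeMsE", r"rundll32 C:\systemtest\api-system.png,Default"),
    # Constructed values: two benign entries and one path-traversal variant.
    ("ExampleTray", r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'),
    ("ExampleUpdater", r'"C:\Program Files\Example\updater.exe" /background'),
    ("ExampleTraversal", r"rundll32 C:\Windows\..\temp\api-msvc.dll,Default"),
]

if __name__ == "__main__":
    for finding in triage_run_keys(SAMPLE_RUN_VALUES):
        print(finding["name"], finding["module"], finding["reasons"])
```
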

 

Cobalt Strike Beacon 

The threat actor leveraged Cobalt Strike, a common commercial penetration testing tool, to achieve persistence.  The file sys.exe, detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike beacon and was downloaded directly from the file sharing service temp.sh: 

  • hxxps://temp[.]sh/szAyn/sys.exe 

This beacon was configured to communicate with the following command and control (C2) channel: 

  • 109.206.243[.]59:443 

| FileName | SHA-256 |
| --- | --- |
| sys.exe | 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103 |

 

AnyDesk 

Microsoft IR frequently observes threat actors leveraging legitimate remote access tools during an intrusion in an effort to blend in on a victim network. In this case, the threat actor utilized AnyDesk, a common remote administration tool, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was executed from the following paths:

  • C:\systemtest\anydesk\AnyDesk.exe 
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe 

Successful connections were observed in AnyDesk Logs (ad_svc.trace) involving anonymizer service IP addresses linked to TOR and MULLVAD VPN. This is a common technique that actors employ to obscure their source IP ranges.  

 

 

Reconnaissance and Privilege Escalation 

 

Microsoft IR found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration, under the following executable names: 

  • netscan.exe 
  • netapp.exe 

| FileName | SHA-256 |
| --- | --- |
| netscan.exe | 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e |
| netapp.exe | 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e |

 

In addition, execution of AdFind, an Active Directory reconnaissance tool, was observed in the environment.  

| FileName | SHA-256 |
| --- | --- |
| adfind.exe | f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e |

 

 

Credential Access 

 

Evidence of likely Mimikatz usage, a credential theft tool commonly used by threat actors, was also uncovered, through the presence of a related log file mimikatz.log. 

Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.  

 

 

Lateral Movement 

 

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol and PowerShell Remoting to obtain access to other servers in the environment, including Domain Controllers.

 

 

Data Staging and Data Exfiltration 

 

A suspicious file named “explorer.exe” was identified. The file was recognized by Microsoft Defender Antivirus as “Trojan:Win64/WinGoObfusc.LK!MT” and quarantined, but after disabling the Windows Defender Antivirus service, the threat actor was able to execute the file using the following command:

  • explorer.exe P@$$w0rd 

| FileName | SHA-256 |
| --- | --- |
| explorer.exe | 2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6 |

 

Explorer.exe was reverse engineered by Microsoft IR and determined to be ExByte, a GoLang based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. 

The binary is capable of enumerating files of interest across the network, and upon execution creates a log file containing a list of files and associated metadata.  

Multiple log files were uncovered during the investigation in the path:  

  • C:\Exchange\MSExchLog.log 

Analysis of the binary revealed a list of file extensions which are targeted for enumeration. 


Binary analysis showing file extensions enumerated by explorer.exe 

 

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials which ExByte leveraged to authenticate to the popular file sharing platform Mega NZ, via its API at:

  • hxxps://g.api.mega.co[.]nz 


Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ 

 

Microsoft IR also determined that this tool was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address. 

 

Execution Flow 

Upon execution ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0: 

  • If this check fails, ShellExecuteW is invoked with the lpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read data.txt file in the current location: 

  • If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory: 

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q 

  • If data.txt exists, explorer.exe reads the file, passes the buffer to a Base64 decode function, and then decrypts the data using the key provided on the command line. The decrypted data is then parsed into the JSON below and passed to the login function:

{
  "a":"us0",
  "user":"<CONTENT FROM data.txt>"
}

Finally, it forms a URL for login to the API of the file sharing service MEGA NZ:

  • hxxps://g.api.mega.co[.]nz/cs?id=1674017543 

 

 

Data Encryption and Destruction 

 

Microsoft IR found several devices where files had been encrypted and identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

  • wEFT.exe 
  • schillerized.exe 

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. This binary requires an 8-digit key number to encrypt files. 

Two modes of execution were identified:

  • When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
  • When the -a parameter is provided, the ransomware conducts enumeration and uses a UPX-packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (-s or -a), execution may create the following files:

  • C:\SystemData\M8yl89s7.exe (Random Name – UPX Packed PsExec)
  • C:\SystemData\wEFT.exe (Additional BlackByte binary)
  • C:\SystemData\MsExchangeLog1.log (Log file)
  • C:\SystemData\rENEgOtiAtES (a vulnerable (CVE-2019-16098) driver, RtCore64.sys, used to evade detection by installed AV/EDR software)
  • C:\SystemData\iHu6c4.ico (Random Name – BlackByte icon)
  • C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe File)
  • C:\SystemData\skip_bypass.txt (Unknown)

 

| FileName | SHA-256 |
| --- | --- |
| M8yl89s7.exe (RANDOM NAME) | ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f |
| rENEgOtiAtES | 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd |

 

Some capabilities identified for the BlackByte 2.0 ransomware were: 

AV/EDR Bypass: 

  • The file rENEgOtiAtES that is created matches RTCore64.sys, a vulnerable driver (CVE-2019-16098) that allows any authenticated user to read/write to arbitrary memory.
  • The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed AV/EDR software. 

Process Hollowing 

  • Invokes svchost.exe, injects into it to complete device encryption, and self-deletes by executing the following command:
  • cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "PATH_TO_BLACKBYTE" /F /Q

Modification / Disabling of Windows Firewall 

  • The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely: 
  • cmd /c netsh advfirewall set allprofiles state off 
  • cmd /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  • cmd /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

Modification of Volume Shadow Copies 

  • The following commands are executed to destroy volume shadow copies on the machine: 
  • cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=401MB
  • cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED 

Modification of Registry Keys/Values 

  • The following commands are executed to modify the registry, facilitating elevated execution on the device:
  • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f 
  • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f 
  • cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f 

Additional Functionality 

  • Ability to terminate running services and processes. 
  • Ability to enumerate and mount volumes and network shares for encryption. 
  • Ability to perform the anti-forensics technique of timestomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01 00:00:00)
  • Ability to perform anti-debugging techniques.
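
The command lines listed above can be hunted for together rather than one at a time. The following added example (not Microsoft's code) goes beyond the single-command queries in this report: it classifies process command lines into the behaviours described here and flags a host only when several distinct behaviours occur close together. The behaviour names, the 10-minute window, the threshold of three, and all hosts, timestamps and the example.exe path in the sample events are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per behaviour the report attributes to BlackByte 2.0.
# Patterns run against a normalised (lower-cased, single-spaced) command line.
BEHAVIOURS = {
    "firewall_disabled": re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b"),
    "sharing_rules_enabled": re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\s+"
        r'group="(file and printer sharing|network discovery)"\s+new\s+enable=yes\b'),
    "shadow_storage_resized": re.compile(
        r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=(401mb|unbounded)\b"),
    "registry_policy_changed": re.compile(
        r"\breg(\.exe)?\s+add\s+\S+\s+/v\s+(localaccounttokenfilterpolicy|"
        r"enablelinkedconnections|longpathsenabled)\b.*?/d\s+1\b"),
    "delayed_self_delete": re.compile(
        r"\bping\s+\S+\s+-n\s+\d+\s*>\s*nul\s*&\s*del\s+.+?\s/f\s+/q\b"),
}


def normalise(command_line):
    """Straighten typographic quotes, collapse doubled backslashes and whitespace."""
    text = command_line.replace("\u201c", '"').replace("\u201d", '"')
    text = text.replace("\\\\", "\\")
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(command_line):
    """Return the names of every behaviour the command line matches."""
    text = normalise(command_line)
    return [name for name, pattern in BEHAVIOURS.items() if pattern.search(text)]


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Flag hosts showing >= threshold distinct behaviours inside one time window.

    events: iterable of (host, ISO-8601 timestamp, command line).
    Returns {host: sorted behaviour names} for flagged hosts only.
    """
    per_host = defaultdict(list)
    for host, timestamp, command_line in events:
        when = datetime.fromisoformat(timestamp)
        for behaviour in classify(command_line):
            per_host[host].append((when, behaviour))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for start, _ in hits:
            seen = {name for when, name in hits if start <= when <= start + window}
            if len(seen) >= threshold:
                flagged[host] = sorted(seen)
                break
    return flagged


# Constructed process-creation events; host names and timestamps are invented.
SAMPLE_EVENTS = [
    ("SRV01", "2024-01-10T02:14:05", "cmd /c netsh advfirewall set allprofiles state off"),
    ("SRV01", "2024-01-10T02:14:09",
     r"cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=401MB"),
    ("SRV01", "2024-01-10T02:14:12",
     r"cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
     r" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"),
    ("SRV01", "2024-01-10T02:31:40",
     r'cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "C:\SystemData\example.exe" /F /Q'),
    # An administrator enabling discovery on one workstation: a single behaviour.
    ("WS07", "2024-01-10T09:02:00",
     'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'),
    # Routine tooling that calls vssadmin without resizing shadow storage.
    ("SRV02", "2024-01-10T01:00:00", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(host, behaviours)
```
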

Recommendations

To guard against BlackByte ransomware attacks, Microsoft IR recommends the following:  

  • Ensure that you have a patch management process in place and that patching for internet exposed devices is prioritized.  
  • Implement an EDR solution like Microsoft Defender for Endpoint to gain visibility of malicious activity in real time across your network 
  • Ensure antivirus signatures are updated regularly and that your AV solution is configured to block threats 
  • Block inbound traffic from IPs specified in the Indicators of Compromise table
  • Block inbound traffic from TOR Exit Nodes 
  • Block inbound access from unauthorized public VPN services 

Indicators of compromise (IOC)

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems. 

| Indicator | Type | Description |
| --- | --- | --- |
| 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e | SHA-256 | api-msvc.dll (Backdoor installed through RunKeys) |
| 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103 | SHA-256 | sys.exe (Cobalt Strike Beacon) |
| 2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6 | SHA-256 | explorer.exe (Exbyte, file enumeration and exfiltration tool) |
| 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd | SHA-256 | rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary) |
| ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f | SHA-256 | [RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary) |
| 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e | SHA-256 | netscan.exe, netapp.exe (Netscan network discovery tool) |
| f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e | SHA-256 | AdFind.exe (Active Directory information gathering tool) |
| hxxps://myvisit[.]alteksecurity[.]org/t | URL | C2 for backdoor api-msvc.dll |
| hxxps://temp[.]sh/szAyn/sys.exe | URL | Download URL for sys.exe |
| 109.206.242[.]59 | IP Address | C2 for Cobalt Strike beacon sys.exe |
| 185.225.73[.]44 | IP Address | Originating IP address for ProxyShell exploitation and web shell interaction |

 

NOTE: These indicators should not be considered exhaustive for this observed activity. 

 

Detections

 

Microsoft 365 Defender 

Microsoft Defender Antivirus 

  • Trojan:Win32/Kovter!MSR 
  • Trojan:Win64/WinGoObfusc.LK!MT
  • Trojan:Win64/BlackByte!MSR
  • HackTool:Win32/AdFind!MSR
  • Trojan:Win64/CobaltStrike!MSR

 

Microsoft Defender for Endpoint 

Microsoft Defender for Endpoint customers should watch for these alerts that can detect behavior observed in this campaign. Note however that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.

  • 'CVE-2021-31207' exploit malware was detected 
  • An active 'NetShDisableFireWall' malware in a command line was prevented from executing. 
  • Suspicious registry modification. 
  • ‘Rtcore64’ hacktool was detected 
  • Possible ongoing hands-on-keyboard activity (Cobalt Strike) 
  • A file or network connection related to a ransomware-linked emerging threat activity group detected 
  • Suspicious sequence of exploration activities 
  • A process was injected with potentially malicious code 
  • Suspicious behavior by cmd.exe was observed 
  • 'Blackbyte' ransomware was detected 

 

Microsoft Defender Vulnerability Management 

Microsoft Defender Vulnerability Management surfaces impacted devices that may be affected by the Exchange (ProxyShell) and driver vulnerabilities used in the attack:

  • CVE-2021-34473 
  • CVE-2021-34523 
  • CVE-2021-31207 
  • CVE-2019-16098 

Advanced hunting queries

Microsoft 365 Defender and Microsoft Sentinel

 

ProxyShell Web Shell Creation Events 

DeviceProcessEvents
| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")

 

Suspicious Vssadmin Events 

DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB","MaxSize=UNBOUNDED")

 

Conclusions

BlackByte ransomware attacks are still targeting organizations whose infrastructure has old, unpatched vulnerabilities, allowing the threat actors to accomplish their objectives with minimal effort. According to Shodan, at the time this blog was written, there are nearly 3300 public-facing servers still affected by ProxyShell vulnerabilities, making this an easy target for threat actors looking to impact organizations around the world.

As Microsoft shows in the Microsoft Digital Defense Report, key practices like “Keep up to date”, in conjunction with the other good practices of a basic security hygiene strategy, could protect against 98 percent of attacks.

As threat actors develop new tools, a modern threat protection solution like M365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms.

Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complement to the continuous monitoring of security tool alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR. 

 

Appendix

 

Encryption 

 

The BlackByte binary targets the following file extensions for encryption:

.4dd, .4dl, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp,
.arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac,
.dad, .dadiagrams, .daschema, .db, .db-shm, .db-wal, .db3, .dbc, .dbf, .dbs, .dbt, .dbv,
.dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl,
.eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol,
.fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .ib,
.idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx,
.maf, .maq, .mar, .masmav, .mdb, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt,
.nrmlib, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .ogy, .orx,
.owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod,
.rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spg, .sql,
.sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr,
.v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs,
.abx, .accdw, .and, .db2, .fm5, .hjt, .icg, .icr, .kdb, .lut, .maw, .mdn,
.mdt


File extensions targeted by BlackByte binary for encryption 

 

The following shared folders are also targeted for encryption:

Users 

Backup 

Veeam 

homes 

home 

media 

common 

Storage Server 

Public 

Web 

Images 

Downloads 

BackupData 

ActiveBackupForBusiness 

Backups 

NAS-DC 

DCBACKUP 

DirectorFiles 

share 

 

 

Example: \\IP_Address\Downloads 

 

Extensions ignored: 

.ini 

.url 

.msilog 

.log 

.ldf 

.lock 

.theme 

.msi 

.sys 

.wpx 

.cpl 

.adv 

.msc 

.scr 

.key 

.ico 

.dll 

.hta 

.deskthemepack 

.nomedia 

.msu 

.rtp 

.msp 

.idx 

.ani 

.386 

.diagcfg 

.bin 

.mod 

.ics 

.com 

.hlp 

.spl

.nls 

.cab 

.exe 

.diagpkg 

.icl 

.ocx 

.rom 

.prf 

.thempack 

.msstyles 

.icns 

.mpa 

.drv 

.cur 

.diagcab 

.cmd 

.shs 

 

 

 

 

 

 

 

Folders ignored: 

windows 

boot 

program files (x86) 

windows.old 

programdata 

intel 

bitdefender 

trend micro 

windowsapps 

appdata 

application data 

system volume information 

perflogs 

msocache 

 

 

Files ignored: 

bootnxt 

ntldr 

bootmgr 

thumbs.db 

ntuser.dat 

bootsect.bak 

autoexec.bat 

iconcache.db 

bootfont.bin 

 

 

 

 

Processes terminated by the BlackByte binary

teracopy 

teamviewer 

nsservice 

nsctrl 

uranium 

processhacker 

procmon 

pestudio 

procmon64 

x32dbg 

x64dbg 

cff explorer 

procexp 

pslist 

tcpview 

tcpvcon 

dbgview 

rammap 

rammap64 

vmmap 

ollydbg 

autoruns 

autorunssc 

filemon 

regmon 

idaq 

idaq64 

immunitydebugger 

wireshark 

dumpcap 

hookexplorer 

importrec 

petools 

lordpe 

sysinspector 

proc_analyzer 

sysanalyzer 

sniff_hit 

windbg 

joeboxcontrol 

joeboxserver 

resourcehacker 

fiddler 

httpdebugger 

dumpit 

rammap 

rammap64 

vmmap 

agntsvc 

cntaosmgr 

dbeng50 

dbsnmp 

encsvc 

infopath 

isqlplussvc 

mbamtray 

msaccess 

msftesql 

mspub 

mydesktopqos 

mydesktopservice 

mysqld 

mysqld-nt 

mysqld-opt 

Ntrtscan 

ocautoupds 

ocomm 

ocssd 

onenote 

oracle 

outlook 

PccNTMon 

powerpnt 

sqbcoreservice 

sql 

sqlagent 

sqlbrowser 

sqlservr 

sqlwriter 

steam 

synctime 

tbirdconfig 

thebat 

thebat64 

thunderbird 

tmlisten 

visio 

winword 

wordpad 

xfssvccon 

zoolz 

 

 

 

 

 

Services terminated by BlackByte binary  

 

CybereasonRansomFree 

vnetd 

bpcd 

SamSs 

TeraCopyService 

msftesql 

nsService 

klvssbridge64 

vapiendpoint 

ShMonitor 

Smcinst 

SmcService 

SntpService 

svcGenericHost 

Swi_ 

TmCCSF 

tmlisten 

TrueKey 

TrueKeyScheduler 

TrueKeyServiceHelper 

WRSVC 

McTaskManager 

OracleClientCache80 

mfefire 

wbengine 

mfemms 

RESvc 

mfevtp 

sacsvr 

SAVAdminService 

SepMasterService 

PDVFSService 

ESHASRV 

SDRSVC 

FA_Scheduler 

KAVFS 

KAVFS_KAVFSGT 

kavfsslp 

klnagent 

macmnsvc 

masvc 

MBAMService 

MBEndpointAgent 

McShield 

audioendpointbuilder 

Antivirus 

AVP 

DCAgent 

bedbg 

EhttpSrv 

MMS 

ekrn 

EPSecurityService 

EPUpdateService 

ntrtscan 

EsgShKernel 

msexchangeadtopology 

AcrSch2Svc 

MSOLAP$TPSAMA 

Intel(R) PROSet Monitoring 

msexchangeimap4 

ARSM 

unistoresvc_1af40a 

ReportServer$TPS 

MSOLAP$SYSTEM_BGC 

W3Svc 

MSExchangeSRS 

ReportServer$TPSAMA 

Zoolz 2 Service 

MSOLAP$TPS 

aphidmonitorservice 

SstpSvc 

MSExchangeMTA 

ReportServer$SYSTEM_BGC 

Symantec System Recovery 

UI0Detect 

MSExchangeSA 

MSExchangeIS 

ReportServer 

MsDtsServer110 

POP3Svc 

MSExchangeMGMT 

SMTPSvc 

MsDtsServer 

IisAdmin 

MSExchangeES 

EraserSvc11710 

Enterprise Client Service 

MsDtsServer100 

NetMsmqActivator 

stc_raw_agent 

VSNAPVSS 

PDVFSService 

AcrSch2Svc 

Acronis 

CASAD2DWebSvc 

CAARCUpdateSvc 

McAfee 

avpsus 

DLPAgentService 

mfewc 

BMR Boot Service 

DefWatch 

ccEvtMgr 

ccSetMgr 

SavRoam 

RTVsc 

screenconnect 

ransom 

sqltelemetry 

msexch 

vnc 

teamviewer 

msolap 

veeam 

backup 

sql 

memtas 

vss 

sophos 

svc$ 

mepocs 

wuauserv 

 

 

 

 

EDR/AV drivers BlackByte can bypass

 

360avflt.sys 

360box.sys 

360fsflt.sys 

360qpesv.sys 

5nine.cbt.sys 

a2acc.sys 

a2acc64.sys 

a2ertpx64.sys 

a2ertpx86.sys 

a2gffi64.sys 

a2gffx64.sys 

a2gffx86.sys 

aaf.sys 

aalprotect.sys 

abrpmon.sys 

accessvalidator.sys 

acdriver.sys 

acdrv.sys 

adaptivaclientcache32.sys 

adaptivaclientcache64.sys 

adcvcsnt.sys 

adspiderdoc.sys 

aefilter.sys 

agentrtm64.sys 

agfsmon.sys 

agseclock.sys 

agsyslock.sys 

ahkamflt.sys 

ahksvpro.sys 

ahkusbfw.sys 

ahnrghlh.sys 

aictracedrv_am.sys 

airship-filter.sys 

ajfsprot.sys 

alcapture.sys 

alfaff.sys 

altcbt.sys 

amfd.sys 

amfsm.sys 

amm6460.sys 

amm8660.sys 

amsfilter.sys 

amznmon.sys 

antileakfilter.sys 

antispyfilter.sys 

anvfsm.sys 

apexsqlfilterdriver.sys 

appcheckd.sys 

appguard.sys 

appvmon.sys 

arfmonnt.sys 

arta.sys 

arwflt.sys 

asgard.sys 

ashavscan.sys 

asiofms.sys 

aswfsblk.sys 

aswmonflt.sys 

aswsnx.sys 

aswsp.sys 

aszfltnt.sys 

atamptnt.sys 

atc.sys 

atdragent.sys 

atdragent64.sys 

aternityregistryhook.sys 

atflt.sys 

atrsdfw.sys 

auditflt.sys 

aupdrv.sys 

avapsfd.sys 

avc3.sys 

avckf.sys 

avfsmn.sys 

avgmfi64.sys 

avgmfrs.sys 

avgmfx64.sys 

avgmfx86.sys 

avgntflt.sys 

avgtpx64.sys 

avgtpx86.sys 

avipbb.sys 

avkmgr.sys 

avmf.sys 

awarecore.sys 

axfltdrv.sys 

axfsysmon.sys 

ayfilter.sys 

b9kernel.sys 

backupreader.sys 

bamfltr.sys 

bapfecpt.sys 

bbfilter.sys 

bd0003.sys 

bddevflt.sys 

bdfiledefend.sys 

bdfilespy.sys 

bdfm.sys 

bdfsfltr.sys 

bdprivmon.sys 

bdrdfolder.sys 

bdsdkit.sys 

bdsfilter.sys 

bdsflt.sys 

bdsvm.sys 

bdsysmon.sys 

bedaisy.sys 

bemk.sys 

bfaccess.sys 

bfilter.sys 

bfmon.sys 

bhdrvx64.sys 

bhdrvx86.sys 

bhkavka.sys 

bhkavki.sys 

bkavautoflt.sys 

bkavsdflt.sys 

blackbirdfsa.sys 

blackcat.sys 

bmfsdrv.sys 

bmregdrv.sys 

boscmflt.sys 

bosfsfltr.sys 

bouncer.sys 

boxifier.sys 

brcow_x_x_x_x.sys 

brfilter.sys 

brnfilelock.sys 

brnseclock.sys 

browsermon.sys 

bsrfsflt.sys 

bssaudit.sys 

bsyaed.sys 

bsyar.sys 

bsydf.sys 

bsyirmf.sys 

bsyrtm.sys 

bsysp.sys 

bsywl.sys 

bwfsdrv.sys 

bzsenspdrv.sys 

bzsenth.sys 

bzsenyaradrv.sys 

caadflt.sys 

caavfltr.sys 

cancelsafe.sys 

carbonblackk.sys 

catflt.sys 

catmf.sys 

cbelam.sys 

cbfilter20.sys 

cbfltfs4.sys 

cbfsfilter2017.sys 

cbfsfilter2020.sys 

cbsampledrv.sys 

cdo.sys 

cdrrsflt.sys 

cdsgfsfilter.sys 

centrifyfsf.sys 

cfrmd.sys 

cfsfdrv 

cgwmf.sys 

change.sys 

changelog.sys 

chemometecfilter.sys 

ciscoampcefwdriver.sys 

ciscoampheurdriver.sys 

ciscosam.sys 

clumiochangeblockmf.sys 

cmdccav.sys 

cmdcwagt.sys 

cmdguard.sys 

cmdmnefs.sys 

cmflt.sys 

code42filter.sys 

codex.sys 

conduantfsfltr.sys 

containermonitor.sys 

cpavfilter.sys 

cpavkernel.sys 

cpepmon.sys 

crexecprev.sys 

crncache32.sys 

crncache64.sys 

crnsysm.sys 

cruncopy.sys 

csaam.sys 

csaav.sys 

csacentr.sys 

csaenh.sys 

csagent.sys 

csareg.sys 

csascr.sys 

csbfilter.sys 

csdevicecontrol.sys 

csfirmwareanalysis.sys 

csflt.sys 

csmon.sys 

cssdlp.sys 

ctamflt.sys 

ctifile.sys 

ctinet.sys 

ctrpamon.sys 

ctx.sys 

cvcbt.sys 

cvofflineflt32.sys 

cvofflineflt64.sys 

cvsflt.sys 

cwdriver.sys 

cwmem2k64.sys 

cybkerneltracker.sys 

cylancedrv64.sys 

cyoptics.sys 

cyprotectdrv32.sys 

cyprotectdrv64.sys 

cytmon.sys 

cyverak.sys 

cyvrfsfd.sys 

cyvrlpc.sys 

cyvrmtgn.sys 

datanow_driver.sys 

dattofsf.sys 

da_ctl.sys 

dcfafilter.sys 

dcfsgrd.sys 

dcsnaprestore.sys 

deepinsfs.sys 

delete_flt.sys 

devmonminifilter.sys 

dfmfilter.sys 

dgedriver.sys 

dgfilter.sys 

dgsafe.sys 

dhwatchdog.sys 

diflt.sys 

diskactmon.sys 

dkdrv.sys 

dkrtwrt.sys 

dktlfsmf.sys 

dnafsmonitor.sys 

docvmonk.sys 

docvmonk64.sys 

dpmfilter.sys 

drbdlock.sys 

drivesentryfilterdriver2lite.sys 

drsfile.sys 

drvhookcsmf.sys 

drvhookcsmf_amd64.sys 

drwebfwflt.sys 

drwebfwft.sys 

dsark.sys 

dsdriver.sys 

dsfemon.sys 

dsflt.sys 

dsfltfs.sys 

dskmn.sys 

dtdsel.sys 

dtpl.sys 

dwprot.sys 

dwshield.sys 

dwshield64.sys 

eamonm.sys 

easeflt.sys 

easyanticheat.sys 

eaw.sys 

ecatdriver.sys 

edevmon.sys 

ednemfsfilter.sys 

edrdrv.sys 

edrsensor.sys 

edsigk.sys 

eectrl.sys 

eetd32.sys 

eetd64.sys 

eeyehv.sys 

eeyehv64.sys 

egambit.sys 

egfilterk.sys 

egminflt.sys 

egnfsflt.sys 

ehdrv.sys 

elock2fsctldriver.sys 

emxdrv2.sys 

enigmafilemondriver.sys 

enmon.sys 

epdrv.sys 

epfw.sys 

epfwwfp.sys 

epicfilter.sys 

epklib.sys 

epp64.sys 

epregflt.sys 

eps.sys 

epsmn.sys 

equ8_helper.sys 

eraser.sys 

esensor.sys 

esprobe.sys 

estprmon.sys 

estprp.sys 

estregmon.sys 

estregp.sys 

estrkmon.sys 

estrkr.sys 

eventmon.sys 

evmf.sys 

evscase.sys 

excfs.sys 

exprevdriver.sys 

failattach.sys 

failmount.sys 

fam.sys 

fangcloud_autolock_driver.sys 

fapmonitor.sys 

farflt.sys 

farwflt.sys 

fasdriver 

fcnotify.sys 

fcontrol.sys 

fdrtrace.sys 

fekern.sys 

fencry.sys 

ffcfilt.sys 

ffdriver.sys 

fildds.sys 

filefilter.sys 

fileflt.sys 

fileguard.sys 

filehubagent.sys 

filemon.sys 

filemonitor.sys 

filenamevalidator.sys 

filescan.sys 

filesharemon.sys 

filesightmf.sys 

filesystemcbt.sys 

filetrace.sys 

file_monitor.sys 

file_protector.sys 

file_tracker.sys 

filrdriver.sys 

fim.sys 

fiometer.sys 

fiopolicyfilter.sys 

fjgsdis2.sys 

fjseparettifilterredirect.sys 

flashaccelfs.sys 

flightrecorder.sys 

fltrs329.sys 

flyfs.sys 

fmdrive.sys 

fmkkc.sys 

fmm.sys 

fortiaptfilter.sys 

fortimon2.sys 

fortirmon.sys 

fortishield.sys 

fpav_rtp.sys 

fpepflt.sys 

fsafilter.sys 

fsatp.sys 

fsfilter.sys 

fsgk.sys 

fshs.sys 

fsmon.sys 

fsmonitor.sys 

fsnk.sys 

fsrfilter.sys 

fstrace.sys 

fsulgk.sys 

fsw31rj1.sys 

gagsecurity.sys 

gbpkm.sys 

gcffilter.sys 

gddcv.sys 

gefcmp.sys 

gemma.sys 

geprotection.sys 

ggc.sys 

gibepcore.sys 

gkff.sys 

gkff64.sys 

gkpfcb.sys 

gkpfcb64.sys 

Last update: Jun 19 2023 08:20 AM