F033 · Inconclusive · validator: blocked
SafeBoot registry modification for persistence
SafeBoot AlternateShell registry persistence
Analyst narrative
The HKLM\System\ControlSet001\Control\SafeBoot\AlternateShell registry key was modified to point to an attacker-controlled shell executable. This allows code execution during Safe Mode boot, a high-risk persistence mechanism.
Claims asserted
path: SafeBoot AlternateShell registry key
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_registry_persistence