F027 · Suspicious · validator: blocked
Persistence via SafeBoot alternate shell registry modification
HKLM\System\ControlSet001\Control\SafeBoot\AlternateShell
Analyst narrative
Registry keys HKLM\System\ControlSet001 and ControlSet002 SafeBoot\AlternateShell modified, enabling arbitrary shell invocation in Safe Boot mode. Indicates persistence mechanism allowing malware recovery without normal boot sequence.
Claims asserted
path: SafeBoot AlternateShell modification
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_registry_persistence