← All drivers
malicious
Driver

air_system10.sys

POORTRY variant (air_system10)

From No legitimate vendor (POORTRY family malware)
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

air_system10.sys is one of the observed filenames for a POORTRY sample, the kernel-mode component of a malicious toolkit publicly disclosed by SentinelOne and Mandiant in December 2022. The plain-looking name is a disguise; it is not a system component. Like the other POORTRY variants in this catalog (poortry.sysDriverpoortry.sysPOORTRY: Microsoft-signed kernel malwareOpen plate →, sense5ext.sysDriversense5ext.sysPOORTRY variant (sense5ext)Open plate →, and others), it was signed through Microsoft's Windows Hardware Quality Labs (WHQL) program after the operators abused developer accounts in the Microsoft Partner Center. Microsoft published advisory ADV220005 and revoked the certificates.

The driver's job is to terminate antivirus and EDR processes from kernel mode so a user-mode loader can deploy its payload. Mandiant categorized this signed sample as POORTRY in its reporting on attestation-signed malware; the toolkit has been linked to UNC3944 and intrusions against telecommunications providers and gaming publishers.

Not a legitimate vendor driver. Unlike most entries in this catalog, there is no innocent explanation for its presence. If found on a system, treat as evidence of compromise and escalate to incident response. See the poortry.sys entry for the full story.

What the record shows

air_system10.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “air_system10.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/air-system10-sys