sense5ext.sys
POORTRY variant (sense5ext)
sense5ext.sys is a variant of POORTRY, the kernel-mode component of a malicious toolkit publicly disclosed by SentinelOne and Mandiant in December 2022. Like poortry.sysDriverpoortry.sysPOORTRY: Microsoft-signed kernel malwareOpen plate →, poortry1.sysDriverpoortry1.sysPOORTRY variantOpen plate →, and poortry2.sysDriverpoortry2.sysPOORTRY variantOpen plate →, it was signed through Microsoft's Windows Hardware Quality Labs (WHQL) program after the operators abused developer accounts in the Microsoft Partner Center. Microsoft published advisory ADV220005 and revoked the certificates.
The driver's purpose is straightforward: terminate antivirus and EDR processes from kernel mode so the user-mode loader (STONESTOP) can deploy its payload without interference. The toolkit has been attributed to UNC3944 and linked to SIM-swap attacks on telecommunications providers and intrusions against gaming publishers.
Not a legitimate vendor driver. Unlike most entries in this catalog, there is no innocent explanation for its presence. If found on a system, treat as evidence of compromise and escalate to incident response. See the poortry.sys entry for the full story.
sense5ext.sys is listed as malicious on the public LOLDrivers project. 2 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “sense5ext.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/sense5ext-sys
