throttlestop.sys 
Description
ThrottleStop is developed by TechPowerUp and is designed to monitor and correct CPU throttling issues. However, researchers from Kaspersky's Global Emergency Response Team (GERT) found that attackers are abusing it to terminate defense mechanisms.
- UUID: 6e0786f5-2168-40a8-a068-e261c4eb10e7
- Created: 2025-05-29
- Author: Cristian Souza
Commands
sc.exe create throttlestop.sys binPath= C:\windows\temp\throttlestop.sys type=kernel && sc.exe start throttlestop.sys
| Use Case | Privileges | Operating System |
|---|---|---|
| Elevate privileges | kernel | Windows 10 |
Detections
YARA 🏹
- with header and size limitation
- without header and size limitation
- for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | throttlestop.sys |
| Creation Timestamp | 2020-10-06 17:34:27 |
| MD5 | 6bc8e3505d9f51368ddf323acb6abc49 |
| SHA1 | 82ed942a52cdcf120a8919730e00ba37619661a3 |
| SHA256 | 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 |
| Authentihash MD5 | c89a0c0aa99c8bed0f5c7eec6282f421 |
| Authentihash SHA1 | 77badfeebc7f448e6b8a52dcf15f48506a0e9a58 |
| Authentihash SHA256 | 51ad864af75441b537ab0a37cf045f19117eab5e10fc179ef1e8164d9ef5d2e0 |
| RichPEHeaderHash MD5 | 469c4d196bcfba84c6c942f8cc62115c |
| RichPEHeaderHash SHA1 | 21b05fbac6983a5d0b343a5c9e9e710718efe130 |
| RichPEHeaderHash SHA256 | 7e09462f801fa1d5d414e57fc008d759e74dac1d65c145f2ddff762b9c56aff8 |
| Description | Low-Level Driver |
| Product | Low-Level Driver |
Certificates
Certificate 61204db4000000000027
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 8e3ffc222fbcebdbb8b23115ab259be7 |
| ToBeSigned (TBS) SHA1 | ee20bff28ffe13be731c294c90d6ded5aae0ec0e |
| ToBeSigned (TBS) SHA256 | 59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821 |
| Subject | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA |
| ValidFrom | 2011-04-15 19:45:33 |
| ValidTo | 2021-04-15 19:55:33 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 61204db4000000000027 |
| Version | 3 |
Certificate 0afc69772ae1ea9a285731b6aa4523c6
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 8092ae05898c55302543adff23e8d5bf |
| ToBeSigned (TBS) SHA1 | 307e52adab5b03498fc63b5dbd4923a062a71166 |
| ToBeSigned (TBS) SHA256 | c4929a2019eaa5ee564ede2fe402dc3fb4cc80436829a6c72651541b71e4f903 |
| Subject | ??=US, ??=Washington, ??=Private Organization, serialNumber=604 057 982, C=US, ST=Washington, L=Spokane, O=TechPowerUp LLC, CN=TechPowerUp LLC |
| ValidFrom | 2019-08-10 00:00:00 |
| ValidTo | 2022-06-15 12:00:00 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | False |
| SerialNumber | 0afc69772ae1ea9a285731b6aa4523c6 |
| Version | 3 |
Certificate 03019a023aff58b16bd6d5eae617f066
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a752afee44f017e8d74e3f3eb7914ae3 |
| ToBeSigned (TBS) SHA1 | 8eca80a6b80e9c69dcef7745748524afb8019e2d |
| ToBeSigned (TBS) SHA256 | 82560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1 |
| Subject | C=US, O=DigiCert, CN=DigiCert Timestamp Responder |
| ValidFrom | 2014-10-22 00:00:00 |
| ValidTo | 2024-10-22 00:00:00 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | False |
| SerialNumber | 03019a023aff58b16bd6d5eae617f066 |
| Version | 3 |
Certificate 0dd0e3374ac95bdbfa6b434b2a48ec06
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | f92649915476229b093c211c2b18e6c4 |
| ToBeSigned (TBS) SHA1 | 2d54c16a8f8b69ccdea48d0603c132f547a5cf75 |
| ToBeSigned (TBS) SHA256 | 2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb |
| Subject | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA |
| ValidFrom | 2012-04-18 12:00:00 |
| ValidTo | 2027-04-18 12:00:00 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 0dd0e3374ac95bdbfa6b434b2a48ec06 |
| Version | 3 |
Certificate 06fdf9039603adea000aeb3f27bbba1b
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 4e5ad189638cf52ba9cd881d4d44668c |
| ToBeSigned (TBS) SHA1 | cdc115e98d798b33904c820d63cc1e1afc19251d |
| ToBeSigned (TBS) SHA256 | 37560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd |
| Subject | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1 |
| ValidFrom | 2006-11-10 00:00:00 |
| ValidTo | 2021-11-10 00:00:00 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
| IsCertificateAuthority | True |
| SerialNumber | 06fdf9039603adea000aeb3f27bbba1b |
| Version | 3 |
Imports
- ntoskrnl.exe
- HAL.dll
Imported Functions
- RtlInitUnicodeString
- IoDeleteDevice
- RtlCopyUnicodeString
- IoDeleteSymbolicLink
- IoRegisterShutdownNotification
- ExAllocatePoolWithTag
- IoUnregisterShutdownNotification
- ExFreePoolWithTag
- IofCompleteRequest
- IoCreateSymbolicLink
- _vsnwprintf
- __C_specific_handler
- MmBuildMdlForNonPagedPool
- IoAllocateMdl
- MmMapIoSpace
- MmUnmapIoSpace
- PsGetCurrentProcessId
- IoFreeMdl
- MmUnmapLockedPages
- MmMapLockedPagesSpecifyCache
- RtlFreeUnicodeString
- DbgPrint
- wcsrchr
- _vsnprintf
- MmGetSystemRoutineAddress
- IoCreateDevice
- ZwClose
- ObOpenObjectByPointer
- ZwSetSecurityObject
- IoDeviceObjectType
- _snwprintf
- RtlLengthSecurityDescriptor
- SeCaptureSecurityDescriptor
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- RtlAbsoluteToSelfRelativeSD
- IoIsWdmVersionAvailable
- SeExports
- wcschr
- _wcsnicmp
- RtlLengthSid
- RtlAddAccessAllowedAce
- RtlGetSaclSecurityDescriptor
- RtlGetDaclSecurityDescriptor
- RtlGetGroupSecurityDescriptor
- RtlGetOwnerSecurityDescriptor
- ZwOpenKey
- ZwCreateKey
- ZwQueryValueKey
- ZwSetValueKey
- KeBugCheckEx
- HalSetBusDataByOffset
- HalGetBusDataByOffset
Exported Functions
Sections
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
- .rsrc
- .reloc
Signature
{
"Certificates": [
{
"IsCertificateAuthority": true,
"SerialNumber": "61204db4000000000027",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
"TBS": {
"MD5": "8e3ffc222fbcebdbb8b23115ab259be7",
"SHA1": "ee20bff28ffe13be731c294c90d6ded5aae0ec0e",
"SHA256": "59826b69bc8c28118c96323b627da59aaca0b142cc5d8bad25a8fcfd399aa821",
"SHA384": "f2dab7e56a33298654924501499487f6ba72c7d9477476a186e1ed7a9be031fade0e35ac09eff5e56bbbab95ae5374e7"
},
"ValidFrom": "2011-04-15 19:45:33",
"ValidTo": "2021-04-15 19:55:33",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "0afc69772ae1ea9a285731b6aa4523c6",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "??=US, ??=Washington, ??=Private Organization, serialNumber=604 057 982, C=US, ST=Washington, L=Spokane, O=TechPowerUp LLC, CN=TechPowerUp LLC",
"TBS": {
"MD5": "8092ae05898c55302543adff23e8d5bf",
"SHA1": "307e52adab5b03498fc63b5dbd4923a062a71166",
"SHA256": "c4929a2019eaa5ee564ede2fe402dc3fb4cc80436829a6c72651541b71e4f903",
"SHA384": "a7623d27b4444a5f3b68c76448202abd485be8db319ffcdd8343634e83df7a226312033645f94846fc8c9111b80d0040"
},
"ValidFrom": "2019-08-10 00:00:00",
"ValidTo": "2022-06-15 12:00:00",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "03019a023aff58b16bd6d5eae617f066",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder",
"TBS": {
"MD5": "a752afee44f017e8d74e3f3eb7914ae3",
"SHA1": "8eca80a6b80e9c69dcef7745748524afb8019e2d",
"SHA256": "82560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1",
"SHA384": "e8b11408c88f877ade4ca51114a175fb5dfd2d18d2a66be547c1c9e080fa8f592c7870e30dfab1c04d234993dd0907f3"
},
"ValidFrom": "2014-10-22 00:00:00",
"ValidTo": "2024-10-22 00:00:00",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "0dd0e3374ac95bdbfa6b434b2a48ec06",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA",
"TBS": {
"MD5": "f92649915476229b093c211c2b18e6c4",
"SHA1": "2d54c16a8f8b69ccdea48d0603c132f547a5cf75",
"SHA256": "2cd702a7dec30aa441345672e8992ef9770ce4946f276d767b45b0ed627658fb",
"SHA384": "511b0e0d7f3a48935cf2413348ff5f327887dc1e58f887bb5ed528d09f79173b55ab6439cf097fc7693b5749f7304ace"
},
"ValidFrom": "2012-04-18 12:00:00",
"ValidTo": "2027-04-18 12:00:00",
"Version": 3
},
{
"IsCertificateAuthority": true,
"SerialNumber": "06fdf9039603adea000aeb3f27bbba1b",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1",
"TBS": {
"MD5": "4e5ad189638cf52ba9cd881d4d44668c",
"SHA1": "cdc115e98d798b33904c820d63cc1e1afc19251d",
"SHA256": "37560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd",
"SHA384": "173bfb77183785621ef15f43ea807338cea6a02e8183317d9ef050c7237adda3fa2a5bdcd5a4c96da9f2c55900675b9f"
},
"ValidFrom": "2006-11-10 00:00:00",
"ValidTo": "2021-11-10 00:00:00",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA",
"SerialNumber": "0afc69772ae1ea9a285731b6aa4523c6",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-01-07