0712c54c-69fd-41f2-950a-da678ac51246
STProcessMonitor.sys 
Description
Safetica Technologies process monitoring kernel driver vulnerable to BYOVD-style process termination via IOCTL. CVE-2025-70795. 18 execution parents observed in VirusTotal indicating active abuse by threat actors. 1/73 detections. Driver facilitates arbitrary process kill from kernel context, enabling EDR/AV bypass.
- UUID: 0712c54c-69fd-41f2-950a-da678ac51246
- Created: 2026-03-20
- Author: Michael Haag
This download link contains the vulnerable driver!
Block STProcessMonitor.sys across your endpoints
Add this driver to your block policy in minutes with MagicSword, threat-driven application control. Free for up to 100 endpoints.
Start Blocking for FreeCommands
sc.exe create STProcessMonitor binPath=C:\windows\temp\STProcessMonitor.sys type=kernel && sc.exe start STProcessMonitor
| Use Case | Privileges | Operating System |
|---|---|---|
| Disable security tools | kernel | Windows 10 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
| Property | Value |
|---|---|
| Filename | STProcessMonitor.sys |
| Creation Timestamp | 2026-02-04 12:24:39 |
| MD5 | 5761bd63da03686fc480245da7bd1e9f |
| SHA1 | 68fec379f2ae76c3d2ce913f7be650cea1d06990 |
| SHA256 | 5b4f59236a9b950bcd5191b35d19125f60cfb9e1a1e1aa2e4f914b6745dde9df |
| Authentihash MD5 | 7590bc612d1cb940d6acf2d7ae384638 |
| Authentihash SHA1 | 01bf6090818731e8121674a339a5f22cb18cf41d |
| Authentihash SHA256 | 0376d4554b4828a7e3721327cb4c9977301c02eb8c50d10d376d3be623d71e3a |
| RichPEHeaderHash MD5 | 6eb21f070cb73b6994e6b9aab3f72279 |
| RichPEHeaderHash SHA1 | ebe9c1483d5dc68041bbbf053dfd08c4651931e8 |
| RichPEHeaderHash SHA256 | a0b5c0bad77a66d6a25df16f7a2500b6df550eda8ba62333b5d1eccfeee7bf27 |
| Publisher | Microsoft Windows Hardware Compatibility Publisher |
| Date | 2026-02-04 12:24:39 |
| Company | Safetica Technologies |
| Description | ProcessMonitor Driver |
| Product | Safetica |
| OriginalFilename | ProcessMonitorDriver |
Certificates
Expand
Certificate 330000013c4a61fb3578d2b6dd00000000013c
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | 93354b540685ae615b51e692ea0895de |
| ToBeSigned (TBS) SHA1 | b38cd5d491c85bd55e9b111e98430171a01e9515 |
| ToBeSigned (TBS) SHA256 | 037c041a283132dc57d29bc339b4d0d006787e32ac0a60afd7206c41c9fbf61f |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher |
| ValidFrom | 2025-11-13 19:59:40 |
| ValidTo | 2026-11-10 19:59:40 |
| Signature | 86e91c9dd77bcbe24e9c811c4ec9c47116d9d554243f04666bef14828edbfeb665280fa10b643a59d05c4db8b5f2bae0657af9a75457236e455f956ed7ba65f7e8019355d00e322f681ab15f14718b34bff1e50d8cde1217dc158c31a875b17fa45f015b4b2a30c471d43345257c729d83c2287716b3d19c177ed341da95687f8af92cfebc42e1e4439eb4304762e17feb85a09316afe8153e4783a98153d91249d29da0bca831ea6ccd93bace88fc284e82987df65bcd8ab0263a2da5e178e710c26e8abec12fe398782d1f1bc669ec9c5cbf3010f8e2600133a59fb8269daba61e5b2facee4f96ba19f9cfaef3fdb21e933a65c3245f6de70cb08f28f2c818 |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | False |
| SerialNumber | 330000013c4a61fb3578d2b6dd00000000013c |
| Version | 3 |
Certificate 610baac1000000000009
| Field | Value |
|---|---|
| ToBeSigned (TBS) MD5 | a569061297e8e824767dbc3184a69bea |
| ToBeSigned (TBS) SHA1 | adbb26a587a8f44b4fccaecb306f980d1c55a150 |
| ToBeSigned (TBS) SHA256 | cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 |
| Subject | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 |
| ValidFrom | 2012-04-18 23:48:38 |
| ValidTo | 2027-04-18 23:58:38 |
| Signature | 5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f |
| SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
| IsCertificateAuthority | True |
| SerialNumber | 610baac1000000000009 |
| Version | 3 |
Imports
Expand
- FLTMGR.SYS
- ntoskrnl.exe
Imported Functions
Expand
- FltDeletePushLock
- FltAcquirePushLockExclusiveEx
- FltAcquirePushLockSharedEx
- FltReleasePushLockEx
- FltInitializePushLock
- DbgPrintEx
- KeGetCurrentIrql
- ExFreePoolWithTag
- ObfReferenceObject
- ObfDereferenceObject
- PsGetCurrentProcessId
- PsGetCurrentThreadId
- RtlInitUnicodeString
- RtlCreateSecurityDescriptor
- RtlSetDaclSecurityDescriptor
- RtlGetVersion
- KeSetEvent
- KeEnterCriticalRegion
- KeLeaveCriticalRegion
- ExAllocatePoolWithTag
- IofCompleteRequest
- IoCreateDevice
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
- ObReferenceObjectByHandle
- ZwClose
- PsSetCreateProcessNotifyRoutineEx
- ZwTerminateProcess
- ZwOpenProcess
- RtlCreateAcl
- RtlAddAccessAllowedAce
- ObOpenObjectByPointer
- ZwSetSecurityObject
- ExEventObjectType
- SeExports
- ZwSetInformationFile
- KeLowerIrql
- KfRaiseIrql
- KeInitializeDpc
- KeInsertQueueDpc
- KeReleaseSemaphore
- KeDelayExecutionThread
- KeAcquireSpinLockRaiseToDpc
- KeReleaseSpinLock
- ExQueueWorkItem
- ExReleaseResourceLite
- ZwCreateFile
- ZwWriteFile
- ExAcquireResourceSharedLite
- ZwOpenFile
- _vsnwprintf
Exported Functions
Expand
- _debugBootBuffer
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- .edata
- INIT
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"CertificateType": "Leaf (Code Signing)",
"IsCA": false,
"IsCertificateAuthority": false,
"IsCodeSigning": true,
"SerialNumber": "330000013c4a61fb3578d2b6dd00000000013c",
"Signature": "86e91c9dd77bcbe24e9c811c4ec9c47116d9d554243f04666bef14828edbfeb665280fa10b643a59d05c4db8b5f2bae0657af9a75457236e455f956ed7ba65f7e8019355d00e322f681ab15f14718b34bff1e50d8cde1217dc158c31a875b17fa45f015b4b2a30c471d43345257c729d83c2287716b3d19c177ed341da95687f8af92cfebc42e1e4439eb4304762e17feb85a09316afe8153e4783a98153d91249d29da0bca831ea6ccd93bace88fc284e82987df65bcd8ab0263a2da5e178e710c26e8abec12fe398782d1f1bc669ec9c5cbf3010f8e2600133a59fb8269daba61e5b2facee4f96ba19f9cfaef3fdb21e933a65c3245f6de70cb08f28f2c818",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
"TBS": {
"MD5": "93354b540685ae615b51e692ea0895de",
"SHA1": "b38cd5d491c85bd55e9b111e98430171a01e9515",
"SHA256": "037c041a283132dc57d29bc339b4d0d006787e32ac0a60afd7206c41c9fbf61f",
"SHA384": "bbef5ad51ba2a76ba3f0e39459837c9533a56420db0da55814511346155922c98ae905d6541df5a79895ce1a51d53491"
},
"ValidFrom": "2025-11-13 19:59:40",
"ValidTo": "2026-11-10 19:59:40",
"Version": 3
},
{
"CertificateType": "CA",
"IsCA": true,
"IsCertificateAuthority": true,
"IsCodeSigning": false,
"SerialNumber": "610baac1000000000009",
"Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
"TBS": {
"MD5": "a569061297e8e824767dbc3184a69bea",
"SHA1": "adbb26a587a8f44b4fccaecb306f980d1c55a150",
"SHA256": "cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46",
"SHA384": "e947cac936803f5683196e4ff1b259096073395d0b908522ddce90d57597c9f7b57f7ddcdbe021ba863d843c340da8ba"
},
"ValidFrom": "2012-04-18 23:48:38",
"ValidTo": "2027-04-18 23:58:38",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
"SerialNumber": "330000013c4a61fb3578d2b6dd00000000013c",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2026-04-06