From 4cda4b058641cbf0dc14fe465368cd31fa196c91 Mon Sep 17 00:00:00 2001
From: Alexey Bukhteyev <46046582+chkp-alexeybu@users.noreply.github.com>
Date: Tue, 9 Jul 2024 18:24:00 +0300
Subject: [PATCH] Added evasions from Styx Stealer

---
 _src/Evasions/techniques/processes.md | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/_src/Evasions/techniques/processes.md b/_src/Evasions/techniques/processes.md
index 43ed7ad..5990290 100644
--- a/_src/Evasions/techniques/processes.md
+++ b/_src/Evasions/techniques/processes.md
@@ -129,7 +129,7 @@ bool check_process_is_running(const std::string &proc_name) {
     <td>vmusrvc.exe</td>
   </tr>
   <tr>
-    <th rowspan="6">VMware</th>
+    <th rowspan="7">VMware</th>
     <td>vmtoolsd.exe</td>
   </tr>
   <tr>
@@ -147,6 +147,9 @@ bool check_process_is_running(const std::string &proc_name) {
   <tr>
     <td>vmount2.exe</td>
   </tr>
+  <tr>
+    <td>vmwareservice.exe</td>
+  </tr>
   <tr>
     <th rowspan="2">Xen</th>
     <td>xenservice.exe</td>
@@ -154,14 +157,26 @@ bool check_process_is_running(const std::string &proc_name) {
   <tr>
     <td>xsvc_depriv.exe</td>
   </tr>
+  <tr>
+    <th>QEMU</th>
+    <td>qemu-ga.exe</td>
+  </tr>
   <tr>
     <th>WPE Pro</th>
     <td>WPE Pro.exe</td>
   </tr>
+  <tr>
+    <th>KsDumper</th>
+    <td>ksdumperclient.exe</td>
+  </tr>
 </table>
 
 <br />
-<i>Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.</i>
+<i>Notes:</i> 
+<ul>
+  <li><tt><i>WPE Pro is a sniffer, not a VM or a sandbox, however it is used along with VM detects.</i></tt></li>
+  <li><tt><i>KsDumper is a kernel-mode process dumper, not a VM or a sandbox, however it is used along with VM detects in Styx Stealer.</i></tt></li>
+</ul>
 
 <br />
 <h4><a class="a-dummy" name="check-if-specific-libraries-are-loaded">1.2. Check if specific libraries are loaded in the process address space</a></h4>