VMAware
RepetitiveProcess Check
I was exploring a VT sbies, and yeah, one of them deploys a thing called RepetitiveProcess (to bypass the count check on how many programs are running). You can check GoDefender and maybe implement it. PoC:
ProcessName Id
----------- --
conhost 2888
conhost 5652
conhost 5828
csrss 432
csrss 532
ctfmon 3408
dwm 1008
explorer 3652
fontdrvhost 820
fontdrvhost 824
Idle 0
jjDqCcyUYXzHxYpufe 364
jjDqCcyUYXzHxYpufe 436
jjDqCcyUYXzHxYpufe 588
jjDqCcyUYXzHxYpufe 604
jjDqCcyUYXzHxYpufe 748
jjDqCcyUYXzHxYpufe 816
jjDqCcyUYXzHxYpufe 836
jjDqCcyUYXzHxYpufe 1032
jjDqCcyUYXzHxYpufe 1064
jjDqCcyUYXzHxYpufe 1140
jjDqCcyUYXzHxYpufe 1148
jjDqCcyUYXzHxYpufe 1204
jjDqCcyUYXzHxYpufe 1256
jjDqCcyUYXzHxYpufe 1296
jjDqCcyUYXzHxYpufe 1364
jjDqCcyUYXzHxYpufe 1384
jjDqCcyUYXzHxYpufe 1788
jjDqCcyUYXzHxYpufe 1800
jjDqCcyUYXzHxYpufe 1896
jjDqCcyUYXzHxYpufe 1928
jjDqCcyUYXzHxYpufe 2024
jjDqCcyUYXzHxYpufe 2032
jjDqCcyUYXzHxYpufe 2268
jjDqCcyUYXzHxYpufe 2412
jjDqCcyUYXzHxYpufe 2416
jjDqCcyUYXzHxYpufe 2424
jjDqCcyUYXzHxYpufe 2548
jjDqCcyUYXzHxYpufe 2596
jjDqCcyUYXzHxYpufe 2692
jjDqCcyUYXzHxYpufe 2696
jjDqCcyUYXzHxYpufe 2732
jjDqCcyUYXzHxYpufe 2772
jjDqCcyUYXzHxYpufe 2784
jjDqCcyUYXzHxYpufe 2800
jjDqCcyUYXzHxYpufe 2832
jjDqCcyUYXzHxYpufe 2892
jjDqCcyUYXzHxYpufe 2944
jjDqCcyUYXzHxYpufe 2972
jjDqCcyUYXzHxYpufe 3040
jjDqCcyUYXzHxYpufe 3056
jjDqCcyUYXzHxYpufe 3068
jjDqCcyUYXzHxYpufe 3088
jjDqCcyUYXzHxYpufe 3180
jjDqCcyUYXzHxYpufe 3204
jjDqCcyUYXzHxYpufe 3216
jjDqCcyUYXzHxYpufe 3224
jjDqCcyUYXzHxYpufe 3352
jjDqCcyUYXzHxYpufe 3540
jjDqCcyUYXzHxYpufe 3604
jjDqCcyUYXzHxYpufe 3632
jjDqCcyUYXzHxYpufe 3636
jjDqCcyUYXzHxYpufe 3700
jjDqCcyUYXzHxYpufe 3716
jjDqCcyUYXzHxYpufe 3752
jjDqCcyUYXzHxYpufe 3832
jjDqCcyUYXzHxYpufe 3896
jjDqCcyUYXzHxYpufe 3936
jjDqCcyUYXzHxYpufe 4072
jjDqCcyUYXzHxYpufe 4092
jjDqCcyUYXzHxYpufe 4244
jjDqCcyUYXzHxYpufe 4256
jjDqCcyUYXzHxYpufe 4332
jjDqCcyUYXzHxYpufe 4468
jjDqCcyUYXzHxYpufe 4508
jjDqCcyUYXzHxYpufe 4548
jjDqCcyUYXzHxYpufe 4844
jjDqCcyUYXzHxYpufe 4880
jjDqCcyUYXzHxYpufe 4884
jjDqCcyUYXzHxYpufe 4888
jjDqCcyUYXzHxYpufe 4972
jjDqCcyUYXzHxYpufe 4980
jjDqCcyUYXzHxYpufe 4984
jjDqCcyUYXzHxYpufe 5124
jjDqCcyUYXzHxYpufe 5144
jjDqCcyUYXzHxYpufe 5164
jjDqCcyUYXzHxYpufe 5184
jjDqCcyUYXzHxYpufe 5208
jjDqCcyUYXzHxYpufe 5232
jjDqCcyUYXzHxYpufe 5248
jjDqCcyUYXzHxYpufe 5296
lsass 676
obf 5644
powershell 5772
powershell 5788
powershell 5800
Registry 92
RuntimeBroker 3284
RuntimeBroker 4224
RuntimeBroker 4720
SearchApp 4140
services 664
SgrmBroker 1244
SIHClient 6120
sihost 3092
smss 340
StartMenuExperienceHost 3824
svchost 380
svchost 660
svchost 792
svchost 912
svchost 964
svchost 1056
svchost 1096
svchost 1104
svchost 1124
svchost 1152
svchost 1168
svchost 1236
svchost 1288
svchost 1320
svchost 1324
svchost 1332
svchost 1392
svchost 1436
svchost 1480
svchost 1544
svchost 1556
svchost 1644
svchost 1672
svchost 1684
svchost 1704
svchost 1792
svchost 1820
svchost 1848
svchost 1860
svchost 1884
svchost 1960
svchost 1968
svchost 2056
svchost 2136
svchost 2144
svchost 2260
svchost 2276
svchost 2296
svchost 2300
svchost 2336
svchost 2344
svchost 2352
svchost 2368
svchost 2432
svchost 2572
svchost 2916
svchost 2984
svchost 3112
svchost 3160
svchost 3324
svchost 3360
svchost 3372
svchost 3564
svchost 3660
svchost 3840
svchost 4864
System 4
wininit 524
winlogon 592
WmiPrvSE 864
WmiPrvSE 2940
WmiPrvSE 5044
WmiPrvSE 5632
As you can see, jjDqCcyUYXzHxYpufe is just some process that is deployed there to bypass the anti-VM check.
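One way to turn the observation above into a check, written here as an added example in VMAware's language (this is not VMAware's or GoDefender's code, and the function names, the allowlist and the threshold of 10 are my own choices): count instances per image name, ignore names that legitimately run many copies on Windows (svchost, conhost, browsers), and flag any remaining name with an unusually high instance count. The sample listing is constructed from the Get-Process output in this issue (same names and instance counts, 170 processes in total), so the example runs offline; on a real host the vector would be filled from CreateToolhelp32Snapshot instead.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Image names that legitimately run with many instances on a normal Windows
// desktop. They are skipped so the heuristic does not fire on svchost or on a
// browser with many tabs. The list is an assumption for this example.
static const std::vector<std::string> kMultiInstanceAllowlist = {
    "svchost", "conhost", "csrss", "fontdrvhost", "runtimebroker", "wmiprvse",
    "powershell", "dllhost", "taskhostw", "chrome", "msedge", "firefox"};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Instance count per image name, keyed by the name as reported.
std::map<std::string, int> countByName(const std::vector<std::string>& names) {
    std::map<std::string, int> counts;
    for (const auto& n : names) ++counts[n];
    return counts;
}

// Names with `threshold` or more instances that are not allow-listed. A single
// (usually random-looking) image spawned dozens of times is the
// RepetitiveProcess padding pattern seen in the listing above.
std::vector<std::string> repetitiveNames(const std::vector<std::string>& names,
                                         int threshold) {
    std::vector<std::string> hits;
    for (const auto& [name, count] : countByName(names)) {
        const bool allowed =
            std::find(kMultiInstanceAllowlist.begin(), kMultiInstanceAllowlist.end(),
                      toLower(name)) != kMultiInstanceAllowlist.end();
        if (!allowed && count >= threshold) hits.push_back(name);
    }
    return hits;
}

// Process count with the padding subtracted: the number a "too few running
// processes" sandbox check should actually compare against its minimum.
int effectiveProcessCount(const std::vector<std::string>& names, int threshold) {
    auto counts = countByName(names);
    int total = static_cast<int>(names.size());
    for (const auto& hit : repetitiveNames(names, threshold)) total -= counts[hit];
    return total;
}

// Constructed sample reproducing the names and instance counts of the
// Get-Process listing in this issue (170 processes, 80 of them the padding).
std::vector<std::string> sampleListing() {
    std::vector<std::string> v;
    auto add = [&](const std::string& n, int k) { for (int i = 0; i < k; ++i) v.push_back(n); };
    add("conhost", 3); add("csrss", 2); add("ctfmon", 1); add("dwm", 1);
    add("explorer", 1); add("fontdrvhost", 2); add("Idle", 1);
    add("jjDqCcyUYXzHxYpufe", 80); add("lsass", 1); add("obf", 1);
    add("powershell", 3); add("Registry", 1); add("RuntimeBroker", 3);
    add("SearchApp", 1); add("services", 1); add("SgrmBroker", 1);
    add("SIHClient", 1); add("sihost", 1); add("smss", 1);
    add("StartMenuExperienceHost", 1); add("svchost", 56); add("System", 1);
    add("wininit", 1); add("winlogon", 1); add("WmiPrvSE", 4);
    return v;
}

int main() {
    const auto procs = sampleListing();
    for (const auto& n : repetitiveNames(procs, 10))
        std::cout << "repetitive process: " << n << "\n";
    std::cout << "raw count " << procs.size() << ", effective count "
              << effectiveProcessCount(procs, 10) << "\n";
    return 0;
}
```

On the sample this flags only jjDqCcyUYXzHxYpufe and reports an effective count of 90 instead of 170. Treat it as one weighted signal rather than a verdict: a busy host running many copies of some worker can also exceed the threshold, and a sample that varies its padding names defeats the per-name count, so pairing it with the existing process-count check (and, if VMAware adopts it, a low score) is more useful than a hard fail.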