The malware immediately terminates inside a VM, unlike Lab 12-2, which performs process replacement on svchost.exe.
If you force the jumps at 0x4019A1, 0x4019C0, and 0x401467 to be taken, and the jump at 0x401A2F to not be taken, the malware performs process replacement using a keylogger from its resource section.
The malware uses four different anti-VM techniques:
It uses the backdoor I/O communication port.
It searches the registry key SYSTEM\CurrentControlSet\Control\DeviceClasses for the string
It checks the MAC address to see if it is the default used by VMware.
It searches the process list with a string-hashing function for processes starting with the
To avoid the anti-VM techniques ...
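As an added example that is not part of the lab solutions or the book's material, the Python helper below does a static triage pass over a binary blob for artifacts of three of the four techniques listed above. The magic value 0x564D5868 and port 0x5658 are VMware's publicly documented backdoor constants rather than numbers from this page, the process-list hashing check is omitted because the hash algorithm is not given here, and the sample bytes are constructed.

```python
import re
import struct

# Publicly documented VMware backdoor constants (not taken from the lab text):
# 'VMXh' is loaded into EAX and 'VX' into DX before `in eax, dx` (opcode 0xED).
VMWARE_MAGIC = struct.pack("<I", 0x564D5868)   # b"hXMV" in little-endian
VMWARE_PORT = struct.pack("<H", 0x5658)        # b"XV"
MOV_EAX_MAGIC = b"\xb8" + VMWARE_MAGIC         # mov eax, 0x564D5868

# Registry path the solution says the sample inspects; look for ANSI and UTF-16LE.
DEVICE_CLASSES = r"SYSTEM\CurrentControlSet\Control\DeviceClasses"

# MAC prefixes VMware assigns by default (00:0C:29, 00:50:56, 00:05:69), as raw
# bytes or as text. The raw-byte form is noisy on its own; treat it as a hint.
VMWARE_OUIS = [b"\x00\x0c\x29", b"\x00\x50\x56", b"\x00\x05\x69"]
VMWARE_OUI_TEXT = re.compile(rb"00[:-]?(0C[:-]?29|50[:-]?56|05[:-]?69)", re.I)


def scan_anti_vm_indicators(data: bytes) -> dict:
    """Return which anti-VM indicators from the lab appear in `data`."""
    hits = {}
    # 1. Backdoor I/O port: mov eax, 'VMXh' followed closely by `in eax, dx`,
    #    or both the magic and the port constant present somewhere in the blob.
    hits["backdoor_io_port"] = any(
        b"\xed" in data[m.end():m.end() + 32]
        for m in re.finditer(re.escape(MOV_EAX_MAGIC), data)
    ) or (VMWARE_MAGIC in data and VMWARE_PORT in data)
    # 2. DeviceClasses registry key string in either encoding.
    hits["deviceclasses_registry_key"] = (
        DEVICE_CLASSES.encode("ascii") in data
        or DEVICE_CLASSES.encode("utf-16-le") in data
    )
    # 3. Hard-coded VMware MAC prefix used for the MAC address comparison.
    hits["vmware_mac_oui"] = any(o in data for o in VMWARE_OUIS) or bool(
        VMWARE_OUI_TEXT.search(data)
    )
    return hits


# Constructed sample: an `in eax, dx` sequence, a wide registry string, and a MAC prefix.
SAMPLE = (
    b"\x90\xb8\x68\x58\x4d\x56\xb9\x0a\x00\x00\x00\x66\xba\x58\x56\xed\xc3"
    + b"\x00" + DEVICE_CLASSES.encode("utf-16-le") + b"\x00\x00"
    + b"cmp mac 00:0C:29"
)

if __name__ == "__main__":
    for name, found in scan_anti_vm_indicators(SAMPLE).items():
        print(f"{name}: {'FOUND' if found else 'absent'}")
```

Running it over the real sample's resource section and over the dropper itself shows which of the listed checks are present as static strings and which exist only as computed values, such as the hashed process names.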