You could try and work out how it is identifying if it is running under vmware with a debugger/other analysis tools.
Also it is likely that it is just using common published techniques to identify that it is running in a VM, eg looking at the network adapter vendor etc...
Here is an example article that shows two ways to identify the process is running under a VM using the CPUID instruction, and then a solution so the example code no longer succeeds:
https://rayanfam.com/topics/defeating-malware-anti-vm-techniques-cpuid-based-instructions/
|