Hi all,
I am currently in the process of setting up VMware and I have a few questions about it being as stealthy as possible. I have watched a number of videos on setup and I am now at the point of altering the reg edit files, which I understand is very important, but my question is, is it enough?
Yesterday I watched a video from 2018, where the scambaiter had already performed all of these ‘stealth’ tasks, but the scammer still figured out he was running VMware, by running certain commands and/or looking for key indicators that appear to be a dead giveaway.
The scammer was very suspicious from the moment he took the call. After connecting through GoToAssist, the first thing the scammer did was look up the PC’s system specs, then he ran APPWIZ.CPL, which allowed him to view ‘install or change a program’. The scammer then ran PREFETCH, which opened up a mess of temporary files, some of which were clearly VM related. After some pointless banter, the scammer then performed a `taskkill /f /im explorer.exe` command, which closed IE. The call then ended.
Were the specs of the scambaiter’s PC a dead giveaway? I am running an HP Elite 8100 SFF (circa 2010) with an i7, 16GB RAM, 1TB HD and a 1050 2GB video card. Should I set my specs at 2 Cores, 2 Processors, 4GB RAM and 250GB/320GB HD, which are fairly common specs for older PCs like this? The scambaiter’s PC ran 6GB of RAM and a tiny 60GB HD. When the scammer ran APPWIZ.CPL, this allowed him to see all installation dates of the programs on the PC. These were quite close to the video’s production date and all around the same period. Is there a way to edit the VM’s internal dates to alter this? Will flushing your temporary files dispose of the PREFETCH evidence? Is there a way to prevent scambaiters from accessing this area? If I created another user profile in the VM that wasn’t the admin account, could I lock this folder down?
What is your opinion on running, for example: a Linux VM, which then runs a Windows VM?
Comments/advice most welcome.
Regards,
75R