VMwareResolutionSet.exe VMwareResolutionSet.dll lolbin

If you still use VMware, your Windows guest system will benefit from an installation of VMware Tools.

The VMware Tools package is usually installed into this directory:

c:\Program Files\VMware\VMware Tools

It turns out that running the executable:

c:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe

leads to it trying to load a phantom DLL:

c:\Program Files\VMware\VMware Tools\VMwareResolutionSet.dll

So, as usual, creating your own payload DLL and placing it in that location gets it loaded via proxy.

wermgr.exe boot offdmpsvc.dll lolbin

As in the previous case, wermgr.exe accepts many command-line arguments:

-boot
-clean
-datacollectorcreate
-nonelevated
-outproc
-purgestores
-queuereporting
-queuereporting_svc
-queuereporting_s_machine
-upload
-uploadforce
-waitforpendingreports

The -boot one is interesting, as it triggers a code path in the program that attempts to load the following phantom DLL:

C:\Windows\System32\offdmpsvc.dll

As such, placing your payload in the aforementioned DLL will lead to its execution when you launch the following command:

wermgr -boot
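
A detection-side view of both cases above, as an added example that is not from the original post: it triages Sysmon-style events (IDs 1, 7 and 11) for writes to, and loads of, the two phantom DLL paths named on this page. The event dictionaries are constructed sample data, and the severity labels and function names are assumptions of this example.

```python
import ntpath

# The two phantom DLL paths named on this page (lower-cased for matching).
PHANTOM_DLLS = {
    r"c:\program files\vmware\vmware tools\vmwareresolutionset.dll",
    r"c:\windows\system32\offdmpsvc.dll",
}

def norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()

def triage(events):
    """Return (severity, reason) tuples; severities are this example's own."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and norm(ev["TargetFilename"]) in PHANTOM_DLLS:
            # FileCreate: the page describes these files as phantom DLLs.
            alerts.append(("high", f"phantom DLL created by {ev['Image']}"))
        elif eid == 7 and norm(ev["ImageLoaded"]) in PHANTOM_DLLS:
            # ImageLoad: an unsigned module at a phantom path is the worst case.
            sev = "medium" if ev.get("Signed") == "true" else "high"
            alerts.append((sev, f"{ev['Image']} loaded {ev['ImageLoaded']}"))
        elif (eid == 1 and ntpath.basename(norm(ev["Image"])) == "wermgr.exe"
              and "-boot" in ev["CommandLine"].lower().split()):
            # ProcessCreate: context only, correlate with the events above.
            alerts.append(("low", "wermgr.exe started with -boot"))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\offdmpsvc.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": "wermgr -boot"},
    {"EventID": 7, "Image": r"C:\Windows\System32\wermgr.exe",
     "ImageLoaded": r"C:\Windows\System32\offdmpsvc.dll", "Signed": "false"},
    {"EventID": 7,
     "Image": r"C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```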