Channel: VMware Communities: Message List

Re: VMNAT.exe in syswow64 - malware?


I stopped all VMware services, made them all manual start, then started VMware. Sure enough, I couldn't get an IP address until I started VMNAT.exe, and the service shows up as the Syswow64 version. There are 3 other VMNAT.exe files on my PC, all in directories that have the words "Duplicate Data" in the folder name somewhere. All the certificates for those application files expired in 2010, and just feature SHA1. The Syswow64 version expires in 2026, and includes SHA256. So, it seems that the Syswow64 version is the correct one - though VMware perhaps could have cleaned up the old ones, and found a different place to put this application? (I have had VMware Workstation for a long time, multiple upgrades.)


What it doesn't explain is the network activity. Yesterday at about 1 PM, Norton detected VMNat.exe attempting to transmit data to 104.28.1.101:80, and blocked the attempt, accusing VMNat.exe as the culprit. My firewall logs showed that a similar attempt was successful at about 11:30 that morning, for 54 seconds to the same IP address. A lot of data can be transferred in 54 seconds. The previous time the IP address was 166.52.27.58. Both were from my base OS Windows system, and I never use it to browse.

 

So, I am still worried that somehow VMNAT.EXE is corrupted somehow.
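
The comparison described in the post (several vmnat.exe copies, their certificates, and which one the service runs) can be scripted. This is an added example, not part of the original post or VMware's tooling; the search root `C:\` is an assumption, and everything else uses built-in Windows PowerShell cmdlets.

```powershell
# Added example: inventory every vmnat.exe copy and report what its signature says.
# $SearchRoot is an assumption; point it at the drive(s) you want to scan.
$SearchRoot = 'C:\'

$copies = Get-ChildItem -Path $SearchRoot -Filter 'vmnat.exe' -File -Recurse -Force -ErrorAction SilentlyContinue

$report = foreach ($file in $copies) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Path        = $file.FullName
        SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($cert) { $cert.Subject } else { $null }
        CertExpires = if ($cert) { $cert.NotAfter } else { $null }
        CertSigAlg  = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}
$report | Sort-Object Path | Format-List

# Which binary does the installed service actually launch?
Get-CimInstance Win32_Service -Filter "PathName LIKE '%vmnat.exe%'" |
    Select-Object Name, State, StartMode, PathName

# Current TCP connections owned by a running vmnat process, with the image path.
Get-Process -Name vmnat -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Select-Object @{n='Image';e={$p.Path}}, LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}
```

`Status` is the field that says whether the signature verifies against the file as it is on disk; a timestamped signature can still report `Valid` after the certificate's expiry date.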

