Technical Information (observed autorun registry entries, file paths, network endpoint and launched processes — the sample is recorded under two names, `zhiyuan` and `winsock`)
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'zhiyuan' = '%WINDIR%\system\winsock.exe'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'winsock' = '<SYSTEM32>\winsock.exe' (note: the Wow6432Node hive indicates a 32-bit process on 64-bit Windows, where <SYSTEM32> is redirected to %WINDIR%\syswow64 — so this presumably resolves to the %WINDIR%\syswow64\winsock.exe path listed below; there is no legitimate Windows executable named winsock.exe, the name mimics the Winsock library)
- %WINDIR%\system\winsock.exe
- %WINDIR%\syswow64\winsock.exe
- <Current directory>\kzzwhmcdw.vbs
- %WINDIR%\system\winsock.exe
- %WINDIR%\syswow64\winsock.exe
- <Current directory>\kzzwhmcdw.vbs
- <Current directory>\kzzwhmcdw.vbs
- 'localhost':9999 (loopback connection on TCP/UDP port 9999 — presumably a local channel between the dropped components rather than external C2; the remote endpoint is not recorded here)
- '%WINDIR%\syswow64\winsock.exe'
- '%WINDIR%\syswow64\wscript.exe' "<Current directory>\kzzwhmcdw.vbs"
- '%WINDIR%\syswow64\winsock.exe' ' (with hidden window)