Technical Information
- [<HKLM>\Software\Microsoft\Windows\CurrentVerSion\Run] 'SiMayServiceEx' = '%WINDIR%\SysWOW64\csrss.exe'
- %WINDIR%\syswow64\csrss.exe
- from <Full path to file> to %TEMP%\1079640\....\temporaryfile
- http://12#.##.195.147:5210/csrss.exe via 12#.#1.195.147
- '%WINDIR%\syswow64\csrss.exe'