csrss.exe

  • File Path: C:\WINDOWS\system32\csrss.exe
  • Description: Client Server Runtime Process

Hashes

Type Hash
MD5 23019322FFECB179746210BE52D6DE60
SHA1 2038501676866B87CEE4514CEFF77DAEA9729F30
SHA256 F2C7D894ABE8AC0B4C2A597CAA6B3EFE7AD2BDB4226845798D954C5AB9C9BF15
SHA384 74E39B8019CC3F799FB6BB8CD34DF8D05B9F124FC6AB59913BDC99CBE8BEF3AF5F88910F7905FC6AC3E7FF8A8FF6201E
SHA512 8BCDFCBF40F7B4ACFA494AAFF6EE4B00C44D564C3D99FE8626E3CD71A01A87DF2A6BDA729D6FF86AC0C7122F4F45AA8975562E68902F2C475B1A4C84B0F0DD35
SSDEEP 192:UjnbFaItcWHiJ8n9COMFm3W59nWQKN7OwDBQABJcxW/amJqnajgrTZutRnPw:UPM03W59nWRNHDBRJcUJl0huHnPw

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CSRSS.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
| --- | --- |
| C:\Windows\system32\csrss.exe | 57 |
| C:\Windows\system32\csrss.exe | 47 |

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | win_susp_lsass_dump_generic.yml | `- '\csrss.exe'` | DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | `- '\csrss.exe'` | DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | `# - '\csrss.exe'` | DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | `- '\csrss.exe'` | DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | `- '\csrss.exe'` | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | `- '\csrss.exe'` | DRL 1.0 |
| malware-ioc | glupteba.misp-event.json | `"value": "csrss.exe\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db",` | © ESET 2014-2018 |
| malware-ioc | glupteba | `\|1645AD8468A2FB54763C0EBEB766DFD8C643F3DB\|csrss.exe \|Win32/Agent.SVE` | © ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | `.csrss.exe` | © ESET 2014-2018 |
| malware-ioc | rtm | `csrss.exe` | © ESET 2014-2018 |
| malware-ioc | misp-turla-crutch-event.json | `"value": "C:\\Intel\\~csrss.exe",` | © ESET 2014-2018 |
| malware-ioc | turla | `* C:\Intel\~csrss.exe` | © ESET 2014-2018 |
| signature-base | generic_anomalies.yar | `description = "Detects uncommon file size of csrss.exe"` | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | `and filename == "csrss.exe"` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe"` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `$s4 = "name=\"Microsoft.Windows.CSRSS\"" fullword ascii` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `filename == "csrss.exe"` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.