csrss.exe

  • File Path: C:\Windows\system32\csrss.exe
  • Description: Client Server Runtime Process

Hashes

Type Hash
MD5 72565E7A0145E0657E586F6CF7696DC7
SHA1 11EBA7B1E26CC7D492A2C161AC48370811D0B01E
SHA256 6F1C9B4C187669BC0371260D121CAF48D65F829A9104C483BEFBD8FC0BED24F5
SHA384 F712FBA0FFF93FEC038D0AE8ED05C0C15BA26DAAABEF590F26793BB106947C261675DCE039A4DBD82731C20141E7BB2A
SHA512 E099AC9C0E6ED1FF8C3307F17CCB13A0306178679A3F7F5AB4B23699FAD859B3101243E2782771CA2B9B8FA2785437FBE71A7F04633F45732EB3E0C998603D20
SSDEEP 384:yXrUnRpvW5cnWeA0lqMDBRJsYoiFWSlGsxoA:gUfpK0ld1PsHPe
IMP A96FA9912E09E361274AD77F1A4B252C
PESHA1 ACA5D490C63032FD7085EA14450BBA96B54FF230
PE256 9B83649A6A0DA465D35C294C1BC23B7B488494233DF5E36CB79B4B4537999FA9

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CSRSS.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/6f1c9b4c187669bc0371260d121caf48d65f829a9104c483befbd8fc0bed24f5/detection

File Similarity (ssdeep match)

File Score
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe 43

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_susp_lsass_dump_generic.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | # - '\csrss.exe' | DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\csrss.exe' | DRL 1.0 |
| malware-ioc | glupteba.misp-event.json | "value": "csrss.exe\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db", | © ESET 2014-2018 |
| malware-ioc | glupteba | \|1645AD8468A2FB54763C0EBEB766DFD8C643F3DB\|csrss.exe \|Win32/Agent.SVE | © ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | .csrss.exe | © ESET 2014-2018 |
| malware-ioc | rtm | csrss.exe | © ESET 2014-2018 |
| malware-ioc | misp-turla-crutch-event.json | "value": "C:\\Intel\\~csrss.exe", | © ESET 2014-2018 |
| malware-ioc | turla | * ++C:\Intel~csrss.exe++ | © ESET 2014-2018 |
| signature-base | generic_anomalies.yar | description = "Detects uncommon file size of csrss.exe" | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == "csrss.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $s4 = "name="Microsoft.Windows.CSRSS"" fullword ascii | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "csrss.exe" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.