csrss.exe

  • File Path: C:\Windows\system32\csrss.exe
  • Description: Client Server Runtime Process

Hashes

Type Hash
MD5 7D64128BC1EECE41196858897596EBC8
SHA1 779B8AFC3FA2528B090F400EF3D592E0E2775955
SHA256 FB40ED0FFA6BC795923A941DAB6B7D6B43583D0F152A6DF4D8953D2C1A0CB417
SHA384 2826B9684B1297FB729AD0A964CB6FD08FC5EAFC7DE521E9FFB02151A55985F123CBB9F3FA26D692141CFD762FE35D36
SHA512 23E87A86B1D0B206047DD24ABD053F6C5472CD969A870EEBE7DBF01F0FA3237F77D3AA5D5526D6165DAA21F6ADCE7449E1B838F64AE129B0829CF8B82D40090D
SSDEEP 192:rnbFaItc7IqC+DlmHW5nnWELKN7OwDBQABJtW7KKEaeqnaj8mOgp22PM:sDUHW5nnWFNHDBRJw/Zell22PM
IMP A96FA9912E09E361274AD77F1A4B252C
PESHA1 DE0BBE376A6C75AA21D1DD642AFE705048B1567F
PE256 5541F15C0428407AF00D4F5C7E716DCFB365840B44C9ECBCF6DAAA27866B5789

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CSRSS.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/fb40ed0ffa6bc795923a941dab6b7d6b43583d0f152a6df4d8953d2c1a0cb417/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll 30
C:\Windows\system32\bootstr.dll 33
C:\WINDOWS\system32\csrss.exe 57
C:\Windows\system32\csrss.exe 46
C:\Windows\system32\downlevel\api-ms-win-core-datetime-l1-1-0.dll 38
C:\Windows\system32\downlevel\api-ms-win-core-datetime-l1-1-1.dll 30
C:\Windows\system32\downlevel\api-ms-win-core-debug-l1-1-0.dll 32
C:\Windows\system32\downlevel\api-ms-win-core-errorhandling-l1-1-0.dll 35
C:\Windows\system32\downlevel\api-ms-win-core-fibers-l1-1-1.dll 36
C:\Windows\system32\downlevel\api-ms-win-core-file-l1-2-0.dll 32
C:\Windows\system32\downlevel\api-ms-win-core-handle-l1-1-0.dll 36
C:\Windows\system32\downlevel\api-ms-win-core-heap-l1-1-0.dll 35
C:\Windows\system32\downlevel\api-ms-win-core-io-l1-1-0.dll 33
C:\Windows\system32\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll 35
C:\Windows\system32\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-libraryloader-l1-1-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-localization-l1-2-1.dll 32
C:\Windows\system32\downlevel\API-MS-Win-core-localization-obsolete-l1-2-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-memory-l1-1-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-memory-l1-1-2.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-privateprofile-l1-1-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-processenvironment-l1-2-0.dll 32
C:\Windows\system32\downlevel\api-ms-win-core-processthreads-l1-1-2.dll 32
C:\Windows\system32\downlevel\api-ms-win-core-realtime-l1-1-0.dll 36
C:\Windows\system32\downlevel\api-ms-win-core-string-l1-1-0.dll 32
C:\Windows\system32\downlevel\api-ms-win-core-stringloader-l1-1-1.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-synch-l1-2-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-threadpool-legacy-l1-1-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-core-timezone-l1-1-0.dll 30
C:\Windows\system32\downlevel\api-ms-win-core-xstate-l1-1-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-crt-conio-l1-1-0.dll 32
C:\Windows\system32\downlevel\api-ms-win-crt-convert-l1-1-0.dll 30
C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-1-0.dll 35
C:\Windows\system32\downlevel\api-ms-win-crt-heap-l1-1-0.dll 33
C:\Windows\system32\downlevel\api-ms-win-crt-locale-l1-1-0.dll 29
C:\Windows\system32\downlevel\API-MS-Win-EventLog-Legacy-L1-1-0.dll 33
C:\Windows\system32\downlevel\API-MS-Win-Security-Lsalookup-L2-1-1.dll 32
C:\Windows\system32\downlevel\api-ms-win-service-winsvc-l1-1-0.dll 30
C:\Windows\system32\downlevel\api-ms-win-shcore-stream-l1-1-0.dll 30
C:\Windows\system32\kd.dll 33
C:\Windows\system32\uxlibres.dll 32
C:\Windows\SysWOW64\backgroundTaskHost.exe 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-com-l1-1-0.dll 29
C:\Windows\SysWOW64\downlevel\api-ms-win-core-console-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-datetime-l1-1-0.dll 40
C:\Windows\SysWOW64\downlevel\api-ms-win-core-datetime-l1-1-1.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-debug-l1-1-1.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-delayload-l1-1-0.dll 30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-errorhandling-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-errorhandling-l1-1-1.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-fibers-l1-1-0.dll 36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-fibers-l1-1-1.dll 30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-1-0.dll 30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-2-0.dll 38
C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-2-1.dll 33
C:\Windows\SysWOW64\downlevel\API-MS-Win-core-file-l2-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-handle-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-io-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-libraryloader-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-localization-l1-2-1.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-memory-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-memory-l1-1-1.dll 35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-privateprofile-l1-1-1.dll 30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processenvironment-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processthreads-l1-1-1.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processthreads-l1-1-2.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processtopology-obsolete-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-profile-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-realtime-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-registry-l1-1-0.dll 35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-rtlsupport-l1-1-0.dll 30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-shlwapi-obsolete-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-string-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-stringloader-l1-1-1.dll 36
C:\Windows\SysWOW64\downlevel\API-MS-Win-core-string-obsolete-l1-1-0.dll 35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-synch-l1-2-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-sysinfo-l1-1-0.dll 36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-sysinfo-l1-2-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-sysinfo-l1-2-1.dll 35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-url-l1-1-0.dll 36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-util-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-version-l1-1-0.dll 30
C:\Windows\SysWOW64\downlevel\API-MS-Win-core-xstate-l2-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-conio-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-convert-l1-1-0.dll 33
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-process-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-runtime-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-time-l1-1-0.dll 35
C:\Windows\SysWOW64\downlevel\API-MS-Win-Eventing-Controller-L1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Eventing-Legacy-L1-1-0.dll 36
C:\Windows\SysWOW64\downlevel\API-MS-Win-Eventing-Provider-L1-1-0.dll 30
C:\Windows\SysWOW64\downlevel\API-MS-Win-EventLog-Legacy-L1-1-0.dll 30
C:\Windows\SysWOW64\downlevel\API-MS-Win-Security-Lsalookup-L2-1-0.dll 33
C:\Windows\SysWOW64\downlevel\API-MS-Win-Security-Lsalookup-L2-1-1.dll 32
C:\Windows\SysWOW64\downlevel\API-MS-Win-security-lsapolicy-l1-1-0.dll 30
C:\Windows\SysWOW64\downlevel\API-MS-Win-security-provider-L1-1-0.dll 35
C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-1.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-service-management-l2-1-0.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-service-private-l1-1-1.dll 32
C:\Windows\SysWOW64\downlevel\api-ms-win-shcore-stream-l1-1-0.dll 30
C:\Windows\SysWOW64\sfc.dll 30
C:\Windows\SysWOW64\uxlibres.dll 30

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\csrss.exe' DRL 1.0
sigma sysmon_creation_system_file.yml - '*\csrss.exe' DRL 1.0
sigma sysmon_cred_dump_lsass_access.yml - '\csrss.exe' DRL 1.0
sigma win_proc_wrong_parent.yml - '*\csrss.exe' DRL 1.0
sigma win_system_exe_anomaly.yml - '*\csrss.exe' DRL 1.0
sigma sysmon_raw_disk_access_using_illegitimate_tools.yml - '\csrss.exe' DRL 1.0
malware-ioc glupteba.misp-event.json "value": "csrss.exe\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db", © ESET 2014-2018
malware-ioc glupteba \|1645AD8468A2FB54763C0EBEB766DFD8C643F3DB\|csrss.exe \|Win32/Agent.SVE © ESET 2014-2018
malware-ioc nukesped_lazarus .csrss.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc rtm csrss.exe © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "value": "C:\\Intel\\~csrss.exe", © ESET 2014-2018
malware-ioc turla * ++C:\Intel~csrss.exe++``{:.highlight .language-cmhg} © ESET 2014-2018
signature-base generic_anomalies.yar description = “Detects uncommon file size of csrss.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “csrss.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = “name="Microsoft.Windows.CSRSS"” fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “csrss.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.