csrss.exe

• File Path: C:\Windows\system32\csrss.exe
• Description: Client Server Runtime Process

Hashes

Type	Hash
MD5	7D64128BC1EECE41196858897596EBC8
SHA1	779B8AFC3FA2528B090F400EF3D592E0E2775955
SHA256	FB40ED0FFA6BC795923A941DAB6B7D6B43583D0F152A6DF4D8953D2C1A0CB417
SHA384	2826B9684B1297FB729AD0A964CB6FD08FC5EAFC7DE521E9FFB02151A55985F123CBB9F3FA26D692141CFD762FE35D36
SHA512	23E87A86B1D0B206047DD24ABD053F6C5472CD969A870EEBE7DBF01F0FA3237F77D3AA5D5526D6165DAA21F6ADCE7449E1B838F64AE129B0829CF8B82D40090D
SSDEEP	192:rnbFaItc7IqC+DlmHW5nnWELKN7OwDBQABJtW7KKEaeqnaj8mOgp22PM:sDUHW5nnWFNHDBRJw/Zell22PM
IMP	A96FA9912E09E361274AD77F1A4B252C
PESHA1	DE0BBE376A6C75AA21D1DD642AFE705048B1567F
PE256	5541F15C0428407AF00D4F5C7E716DCFB365840B44C9ECBCF6DAAA27866B5789

Signature

• Status: Signature verified.
• Serial: 33000001C422B2F79B793DACB20000000001C4
• Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: CSRSS.Exe.MUI
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.17763.1 (WinBuild.160101.0800)
• Product Version: 10.0.17763.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/71
• VirusTotal Link: https://www.virustotal.com/gui/file/fb40ed0ffa6bc795923a941dab6b7d6b43583d0f152a6df4d8953d2c1a0cb417/detection/

File Similarity (ssdeep match)

File	Score
C:\Windows\system32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll	30
C:\Windows\system32\bootstr.dll	33
C:\WINDOWS\system32\csrss.exe	57
C:\Windows\system32\csrss.exe	46
C:\Windows\system32\downlevel\api-ms-win-core-datetime-l1-1-0.dll	38
C:\Windows\system32\downlevel\api-ms-win-core-datetime-l1-1-1.dll	30
C:\Windows\system32\downlevel\api-ms-win-core-debug-l1-1-0.dll	32
C:\Windows\system32\downlevel\api-ms-win-core-errorhandling-l1-1-0.dll	35
C:\Windows\system32\downlevel\api-ms-win-core-fibers-l1-1-1.dll	36
C:\Windows\system32\downlevel\api-ms-win-core-file-l1-2-0.dll	32
C:\Windows\system32\downlevel\api-ms-win-core-handle-l1-1-0.dll	36
C:\Windows\system32\downlevel\api-ms-win-core-heap-l1-1-0.dll	35
C:\Windows\system32\downlevel\api-ms-win-core-io-l1-1-0.dll	33
C:\Windows\system32\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll	35
C:\Windows\system32\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-libraryloader-l1-1-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-localization-l1-2-1.dll	32
C:\Windows\system32\downlevel\API-MS-Win-core-localization-obsolete-l1-2-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-memory-l1-1-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-memory-l1-1-2.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-privateprofile-l1-1-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-processenvironment-l1-2-0.dll	32
C:\Windows\system32\downlevel\api-ms-win-core-processthreads-l1-1-2.dll	32
C:\Windows\system32\downlevel\api-ms-win-core-realtime-l1-1-0.dll	36
C:\Windows\system32\downlevel\api-ms-win-core-string-l1-1-0.dll	32
C:\Windows\system32\downlevel\api-ms-win-core-stringloader-l1-1-1.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-synch-l1-2-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-threadpool-legacy-l1-1-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-core-timezone-l1-1-0.dll	30
C:\Windows\system32\downlevel\api-ms-win-core-xstate-l1-1-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-crt-conio-l1-1-0.dll	32
C:\Windows\system32\downlevel\api-ms-win-crt-convert-l1-1-0.dll	30
C:\Windows\system32\downlevel\api-ms-win-crt-environment-l1-1-0.dll	35
C:\Windows\system32\downlevel\api-ms-win-crt-heap-l1-1-0.dll	33
C:\Windows\system32\downlevel\api-ms-win-crt-locale-l1-1-0.dll	29
C:\Windows\system32\downlevel\API-MS-Win-EventLog-Legacy-L1-1-0.dll	33
C:\Windows\system32\downlevel\API-MS-Win-Security-Lsalookup-L2-1-1.dll	32
C:\Windows\system32\downlevel\api-ms-win-service-winsvc-l1-1-0.dll	30
C:\Windows\system32\downlevel\api-ms-win-shcore-stream-l1-1-0.dll	30
C:\Windows\system32\kd.dll	33
C:\Windows\system32\uxlibres.dll	32
C:\Windows\SysWOW64\backgroundTaskHost.exe	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-com-l1-1-0.dll	29
C:\Windows\SysWOW64\downlevel\api-ms-win-core-console-l1-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-datetime-l1-1-0.dll	40
C:\Windows\SysWOW64\downlevel\api-ms-win-core-datetime-l1-1-1.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-debug-l1-1-1.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-delayload-l1-1-0.dll	30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-errorhandling-l1-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-errorhandling-l1-1-1.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-fibers-l1-1-0.dll	36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-fibers-l1-1-1.dll	30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-1-0.dll	30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-2-0.dll	38
C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-2-1.dll	33
C:\Windows\SysWOW64\downlevel\API-MS-Win-core-file-l2-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-handle-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-io-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-libraryloader-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-localization-l1-2-1.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-memory-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-memory-l1-1-1.dll	35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-privateprofile-l1-1-1.dll	30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processenvironment-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processthreads-l1-1-1.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processthreads-l1-1-2.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-processtopology-obsolete-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-profile-l1-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-realtime-l1-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-registry-l1-1-0.dll	35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-rtlsupport-l1-1-0.dll	30
C:\Windows\SysWOW64\downlevel\api-ms-win-core-shlwapi-obsolete-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-string-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-stringloader-l1-1-1.dll	36
C:\Windows\SysWOW64\downlevel\API-MS-Win-core-string-obsolete-l1-1-0.dll	35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-synch-l1-2-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-sysinfo-l1-1-0.dll	36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-sysinfo-l1-2-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-core-sysinfo-l1-2-1.dll	35
C:\Windows\SysWOW64\downlevel\api-ms-win-core-url-l1-1-0.dll	36
C:\Windows\SysWOW64\downlevel\api-ms-win-core-util-l1-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-core-version-l1-1-0.dll	30
C:\Windows\SysWOW64\downlevel\API-MS-Win-core-xstate-l2-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-conio-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-convert-l1-1-0.dll	33
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-process-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-runtime-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-crt-time-l1-1-0.dll	35
C:\Windows\SysWOW64\downlevel\API-MS-Win-Eventing-Controller-L1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\API-MS-Win-Eventing-Legacy-L1-1-0.dll	36
C:\Windows\SysWOW64\downlevel\API-MS-Win-Eventing-Provider-L1-1-0.dll	30
C:\Windows\SysWOW64\downlevel\API-MS-Win-EventLog-Legacy-L1-1-0.dll	30
C:\Windows\SysWOW64\downlevel\API-MS-Win-Security-Lsalookup-L2-1-0.dll	33
C:\Windows\SysWOW64\downlevel\API-MS-Win-Security-Lsalookup-L2-1-1.dll	32
C:\Windows\SysWOW64\downlevel\API-MS-Win-security-lsapolicy-l1-1-0.dll	30
C:\Windows\SysWOW64\downlevel\API-MS-Win-security-provider-L1-1-0.dll	35
C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-1.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-service-management-l2-1-0.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-service-private-l1-1-1.dll	32
C:\Windows\SysWOW64\downlevel\api-ms-win-shcore-stream-l1-1-0.dll	30
C:\Windows\SysWOW64\sfc.dll	30
C:\Windows\SysWOW64\uxlibres.dll	30

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_susp_lsass_dump_generic.yml	- '\csrss.exe'	DRL 1.0
sigma	file_event_win_creation_system_file.yml	- '\csrss.exe'	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	# - '\csrss.exe'	DRL 1.0
sigma	proc_creation_win_abusing_debug_privilege.yml	- '\csrss.exe'	DRL 1.0
sigma	proc_creation_win_proc_wrong_parent.yml	- '\csrss.exe'	DRL 1.0
sigma	proc_creation_win_system_exe_anomaly.yml	- '\csrss.exe'	DRL 1.0
malware-ioc	glupteba.misp-event.json	"value": "csrss.exe\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db",	© ESET 2014-2018
malware-ioc	glupteba	\|1645AD8468A2FB54763C0EBEB766DFD8C643F3DB\|csrss.exe \|Win32/Agent.SVE	© ESET 2014-2018
malware-ioc	nukesped_lazarus	.csrss.exe``{:.highlight .language-cmhg}	© ESET 2014-2018
malware-ioc	rtm	csrss.exe	© ESET 2014-2018
malware-ioc	misp-turla-crutch-event.json	"value": "C:\\Intel\\~csrss.exe",	© ESET 2014-2018
malware-ioc	turla	* ++C:\Intel~csrss.exe++``{:.highlight .language-cmhg}	© ESET 2014-2018
signature-base	generic_anomalies.yar	description = “Detects uncommon file size of csrss.exe”	CC BY-NC 4.0
signature-base	generic_anomalies.yar	and filename == “csrss.exe”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	$s4 = “name="Microsoft.Windows.CSRSS"” fullword ascii	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	filename == “csrss.exe”	CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.