csrss.exe

File Path: C:\Windows\system32\csrss.exe
Description: Client Server Runtime Process

Hashes

Type	Hash
MD5	`A976339058116FCF346437D797C7EEC1`
SHA1	`69A1DCF6A41BC750CACEC3185C99839C079275BD`
SHA256	`8EBF4096D28A78E8AB36E5084784ACC90464EB4A74D972C942F147EA59E5134B`
SHA384	`DD8EB1A01A8EC79580D8493B43E836783C0ADE408BC9D6DC3C519C82C8BF5606E2B505EBC5F8EFB2D55EE898D82052C1`
SHA512	`72BAC6EA896D9B7F817EF5644ADBDEA80BC7F852BE124F08487507A4507FB0C0AEC167EC03B9DFB8C4EDE7F0DBCBDC8343BD3C114EEA62BB1B842160FCE324A4`
SSDEEP	`192:OGOblXioAyoBxQCwUmHW5MnWOuzCssCNDBQABJKPWo4Nbkwqnaj0A:cXroCpHW5MnWOuz4CNDBRJ9XlIA`
IMP	`A96FA9912E09E361274AD77F1A4B252C`
PESHA1	`9AB2220BF0C75DD265CDC10C2AA298E5D96052CC`
PE256	`66C8CCB5F90CFE1458DF74E2B144530468B8AF879D8DABDCE2669E6C9EBEDA91`

Signature

Status: Signature verified.
Serial: 3300000266BD1580EFA75CD6D3000000000266
Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: CSRSS.Exe.MUI
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.19041.1 (WinBuild.160101.0800)
Product Version: 10.0.19041.1
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/65
VirusTotal Link: https://www.virustotal.com/gui/file/8ebf4096d28a78e8ab36e5084784acc90464eb4a74d972c942f147ea59e5134b/detection/

File Similarity (ssdeep match)

File	Score
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm\1033\wstraceutilresources.dll	29
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm64\extidgen.exe	27
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\extidgen.exe	29
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\breakin.exe	27
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dumpchk.exe	29
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dumpexam.exe	33
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\api-ms-win-eventing-provider-l1-1-0.dll	25
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-core-debug-l1-1-0.dll	29
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-core-string-l1-1-0.dll	29
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-crt-convert-l1-1-0.dll	29
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-crt-filesystem-l1-1-0.dll	33
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-interlocked-l1-1-0.dll	30
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-sysinfo-l1-1-0.dll	30
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-util-l1-1-0.dll	27
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-crt-heap-l1-1-0.dll	32
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-crt-runtime-l1-1-0.dll	25
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-crt-utility-l1-1-0.dll	29

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_susp_lsass_dump_generic.yml	`- '\csrss.exe'`	DRL 1.0
sigma	file_event_win_creation_system_file.yml	`- '\csrss.exe'`	DRL 1.0
sigma	proc_access_win_cred_dump_lsass_access.yml	`# - '\csrss.exe'`	DRL 1.0
sigma	proc_creation_win_abusing_debug_privilege.yml	`- '\csrss.exe'`	DRL 1.0
sigma	proc_creation_win_proc_wrong_parent.yml	`- '\csrss.exe'`	DRL 1.0
sigma	proc_creation_win_system_exe_anomaly.yml	`- '\csrss.exe'`	DRL 1.0
malware-ioc	glupteba.misp-event.json	`"value": "csrss.exe\\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db",`	© ESET 2014-2018
malware-ioc	glupteba	`\\|`1645AD8468A2FB54763C0EBEB766DFD8C643F3DB`\\|csrss.exe \\|Win32/Agent.SVE`	© ESET 2014-2018
malware-ioc	nukesped_lazarus	`.`csrss.exe``{:.highlight .language-cmhg}	© ESET 2014-2018
malware-ioc	rtm	`csrss.exe`	© ESET 2014-2018
malware-ioc	misp-turla-crutch-event.json	`"value": "C:\\Intel\\~csrss.exe",`	© ESET 2014-2018
malware-ioc	turla	`*` ++C:\Intel~csrss.exe++``{:.highlight .language-cmhg}	© ESET 2014-2018
signature-base	generic_anomalies.yar	description = “Detects uncommon file size of csrss.exe”	CC BY-NC 4.0
signature-base	generic_anomalies.yar	and filename == “csrss.exe”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	$s4 = “name="Microsoft.Windows.CSRSS"” fullword ascii	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	filename == “csrss.exe”	CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.