csrss.exe

  • File Path: C:\Windows\system32\csrss.exe
  • Description: Client Server Runtime Process

Hashes

Type Hash
MD5 A976339058116FCF346437D797C7EEC1
SHA1 69A1DCF6A41BC750CACEC3185C99839C079275BD
SHA256 8EBF4096D28A78E8AB36E5084784ACC90464EB4A74D972C942F147EA59E5134B
SHA384 DD8EB1A01A8EC79580D8493B43E836783C0ADE408BC9D6DC3C519C82C8BF5606E2B505EBC5F8EFB2D55EE898D82052C1
SHA512 72BAC6EA896D9B7F817EF5644ADBDEA80BC7F852BE124F08487507A4507FB0C0AEC167EC03B9DFB8C4EDE7F0DBCBDC8343BD3C114EEA62BB1B842160FCE324A4
SSDEEP 192:OGOblXioAyoBxQCwUmHW5MnWOuzCssCNDBQABJKPWo4Nbkwqnaj0A:cXroCpHW5MnWOuz4CNDBRJ9XlIA
IMP A96FA9912E09E361274AD77F1A4B252C
PESHA1 9AB2220BF0C75DD265CDC10C2AA298E5D96052CC
PE256 66C8CCB5F90CFE1458DF74E2B144530468B8AF879D8DABDCE2669E6C9EBEDA91

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CSRSS.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/65
  • VirusTotal Link: https://www.virustotal.com/gui/file/8ebf4096d28a78e8ab36e5084784acc90464eb4a74d972c942f147ea59e5134b/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm\1033\wstraceutilresources.dll 29
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\arm64\extidgen.exe 27
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\extidgen.exe 29
C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\breakin.exe 27
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dumpchk.exe 29
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dumpexam.exe 33
C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\api-ms-win-eventing-provider-l1-1-0.dll 25
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-core-debug-l1-1-0.dll 29
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-core-string-l1-1-0.dll 29
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-crt-convert-l1-1-0.dll 29
C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\x64\api-ms-win-crt-filesystem-l1-1-0.dll 33
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-interlocked-l1-1-0.dll 30
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-sysinfo-l1-1-0.dll 30
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-core-util-l1-1-0.dll 27
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-crt-heap-l1-1-0.dll 32
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-crt-runtime-l1-1-0.dll 25
C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\api-ms-win-crt-utility-l1-1-0.dll 29

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\csrss.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\csrss.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\csrss.exe' DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\csrss.exe' DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml - '\csrss.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\csrss.exe' DRL 1.0
malware-ioc glupteba.misp-event.json "value": "csrss.exe\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db", © ESET 2014-2018
malware-ioc glupteba \|1645AD8468A2FB54763C0EBEB766DFD8C643F3DB\|csrss.exe \|Win32/Agent.SVE © ESET 2014-2018
malware-ioc nukesped_lazarus .csrss.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc rtm csrss.exe © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "value": "C:\\Intel\\~csrss.exe", © ESET 2014-2018
malware-ioc turla * ++C:\Intel~csrss.exe++``{:.highlight .language-cmhg} © ESET 2014-2018
signature-base generic_anomalies.yar description = “Detects uncommon file size of csrss.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “csrss.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $s4 = “name="Microsoft.Windows.CSRSS"” fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “csrss.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.