csrss.exe

  • File Path: C:\windows\system32\csrss.exe
  • Description: Client Server Runtime Process

Hashes

| Type | Hash |
|---|---|
| MD5 | B2D3F07F5E8A13AF988A8B3C0A800880 |
| SHA1 | C79E4586989EBB8E8F8084B5EB49AFBFD243A625 |
| SHA256 | CB41E9D0E8107AA9337DBD1C56F22461131AD0952A2472B4477E2649D16ECB15 |
| SHA384 | C8D33DC3CD6B6B216B464E1858C75B463B517E464340A8C1DDE8EA4459DB66B8EE0A0F2B94A40791975CD7557193335D |
| SHA512 | E2C338707BB01E4818B10650F1A7BF6757EA1BAA917F331889D0057C5ADE451AAB15D610AD0DD19F1345D98F6E43B1C387040BA93CD4F691FA80351F0E76C2A8 |
| SSDEEP | 384:APBCQXAxTW57tnWKSWHDBRJqlYa88Yu3:Av2AP1PpaGY |

Signature

  • Status: Signature verified.
  • Serial: 330000000ECB1DE44CF76049B800000000000E
  • Thumbprint: 1D17F6631C3F4E9C4B563AF01A1E811D83E15B95
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CSRSS.Exe.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of csrss.exe being misused. While csrss.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_susp_lsass_dump_generic.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | # - '\csrss.exe' | DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | - '\csrss.exe' | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\csrss.exe' | DRL 1.0 |
| malware-ioc | glupteba.misp-event.json | "value": "csrss.exe\|1645ad8468a2fb54763c0ebeb766dfd8c643f3db", | © ESET 2014-2018 |
| malware-ioc | glupteba | \|1645AD8468A2FB54763C0EBEB766DFD8C643F3DB\|csrss.exe \|Win32/Agent.SVE | © ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | .csrss.exe | © ESET 2014-2018 |
| malware-ioc | rtm | csrss.exe | © ESET 2014-2018 |
| malware-ioc | misp-turla-crutch-event.json | "value": "C:\\Intel\\~csrss.exe", | © ESET 2014-2018 |
| malware-ioc | turla | * ++C:\Intel~csrss.exe++ | © ESET 2014-2018 |
| signature-base | generic_anomalies.yar | description = "Detects uncommon file size of csrss.exe" | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == "csrss.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $s4 = "name="Microsoft.Windows.CSRSS"" fullword ascii | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "csrss.exe" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.