csrss.exe

Daniel Monteiro

The executable csrss.exe has been detected as malware by 6 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘KernelSys32M’.
Publisher:
Daniel Monteiro (signed and verified)

MD5:
9ce40a5e05c74ad1f9c50ef14437062c

SHA-1:
b32393af9c5cd53bf2462ad76a0e998865b4aca1

SHA-256:
ad502534482105dc0f590d1d993c9637fa9b5cd5c35be5deed484cd8ec3ba094

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
11/25/2024 8:25:52 PM UTC

Scan engine              Detection                                              Engine version
AegisLab AV Signature    Uds.Dangerousobject.Multi!c                            2.1.4+
ESET NOD32               Win32/LogicielsEspions.C potentially unsafe (variant)  10.13325
Fortinet FortiGate       W32/LogicielsEspions.C                                 8/23/2016
Kaspersky                UDS:DangerousObject.Multi.Generic                      14.0.0.-294
McAfee                   Artemis!9CE40A5E05C7                                   5600.6298
Sophos                   Mal/Behav-053                                          4.98

File size:
1.7 MB (1,804,464 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Signed by:
Daniel Monteiro

Authority:
COMODO CA Limited

Valid from:
2/11/2014 12:00:00 AM

Valid to:
2/11/2016 11:59:59 PM

Subject:
CN=Daniel Monteiro, O=Daniel Monteiro, STREET="Rua Dois,601 Costa Nova", L=Caraguatatuba, S=SP, PostalCode=11678-122, C=BR

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DFF6D1C08352FE36A9B12F50EC41A883

File PE Metadata
Compilation timestamp:
6/19/1992 10:22:17 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:hhwHazGgcJ1ACzT3onCyoyQ/jpjZIjoti8kMB8O:hhWaqh/Fon4yW1jZI4vSO

Entry address:
0xD5E84

Entry point:
55, 8B, EC, 83, C4, F0, B8, C4, 5A, 4D, 00, E8, 4C, 11, F3, FF, A1, D4, EC, 4D, 00, 8B, 00, E8, 50, A7, F8, FF, 8B, 0D, 10, EE, 4D, 00, A1, D4, EC, 4D, 00, 8B, 00, 8B, 15, 38, E0, 4C, 00, E8, 50, A7, F8, FF, 8B, 0D, 50, EE, 4D, 00, A1, D4, EC, 4D, 00, 8B, 00, 8B, 15, 48, 7F, 4C, 00, E8, 38, A7, F8, FF, A1, D4, EC, 4D, 00, 8B, 00, E8, AC, A7, F8, FF, E8, 53, E8, F2, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C++

Code size:
852 KB (872,448 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
KernelSys32M

Command:
C:\msc\sp\csrss.exe rke

Remove csrss.exe - Powered by Reason Core Security