csrss.exe

Daniel Monteiro

The executable csrss.exe has been detected as malware by 5 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘KernelSys32M’.
Publisher:
Daniel Monteiro (signed and verified)

MD5:
c5d9e5d500fc6124ca90c30d56c7b49d

SHA-1:
c8743eb56c554f1294e94baf4c8846f53d015146

SHA-256:
4c0b4ad3486899fcddf1f1b7deb9afbfd48ccd5c45736a44f65be22d8a1b2b64

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/25/2024 8:47:00 PM UTC

Scan engine          Detection                                              Engine version
ESET NOD32           Win32/LogicielsEspions.C potentially unsafe (variant)  10.11377
Fortinet FortiGate   W32/LogicielsEspions.C                                 8/7/2016
K7 AntiVirus         Trojan                                                 13.202.15381
McAfee               Artemis!C5D9E5D500FC                                   5600.6315
Sophos               Mal/Behav-053                                          4.98

File size:
1.5 MB (1,602,736 bytes)

File type:
Executable application (Win32 EXE)

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/11/2014 1:00:00 AM

Valid to:
2/12/2016 12:59:59 AM

Subject:
CN=Daniel Monteiro, O=Daniel Monteiro, STREET="Rua Dois,601 Costa Nova", L=Caraguatatuba, S=SP, PostalCode=11678-122, C=BR

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00DFF6D1C08352FE36A9B12F50EC41A883

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:Jz2OiQL8W5AjY24I57kP9w+Pqo2vrgZUXiOxWPTCc9z3FTq3wKe2WM:Jzf6HCw+PqobUymaTX9zV8wb2WM

Entry address:
0xDCC00

Entry point:
55, 8B, EC, 83, C4, F0, B8, E8, C7, 4D, 00, E8, 04, A4, F2, FF, A1, 3C, 5D, 4E, 00, 8B, 00, E8, 1C, 3C, F8, FF, 8B, 0D, 78, 5E, 4E, 00, A1, 3C, 5D, 4E, 00, 8B, 00, 8B, 15, 8C, 47, 4D, 00, E8, 1C, 3C, F8, FF, 8B, 0D, B8, 5E, 4E, 00, A1, 3C, 5D, 4E, 00, 8B, 00, 8B, 15, 88, E6, 4C, 00, E8, 04, 3C, F8, FF, A1, 3C, 5D, 4E, 00, 8B, 00, E8, 78, 3C, F8, FF, E8, D7, 7A, F2, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C++

Code size:
879.5 KB (900,608 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
KernelSys32M

Command:
C:\msc\sp\csrss.exe rke


Remove csrss.exe - Powered by Reason Core Security