» csrss.exe
Overview
Analysis
File Details
Behaviors (1)

csrss.exe

Daniel Monteiro

The executable csrss.exe has been detected as malware by 5 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘KernelSys32M’.

File name:

csrss.exe

Publisher:

Daniel Monteiro (signed and verified)

MD5:

c5d9e5d500fc6124ca90c30d56c7b49d

SHA-1:

c8743eb56c554f1294e94baf4c8846f53d015146

SHA-256:

4c0b4ad3486899fcddf1f1b7deb9afbfd48ccd5c45736a44f65be22d8a1b2b64

Scanner detections:

5 / 68

Status:

Malware

Analysis date:

11/25/2024 8:47:00 PM UTC (today)

Scan engine

Detection

Engine version

ESET NOD32

Win32/LogicielsEspions.C potentially unsafe (variant)

10.11377

Fortinet FortiGate

W32/LogicielsEspions.C

8/7/2016

K7 AntiVirus

Trojan

13.202.15381

McAfee

Artemis!C5D9E5D500FC

5600.6315

Sophos

Mal/Behav-053

4.98

File size:

1.5 MB (1,602,736 bytes)

File type:

Executable application (Win32 EXE)

Digital Signature

Signed by:

Daniel Monteiro

Authority:

COMODO CA Limited

Valid from:

2/11/2014 1:00:00 AM

Valid to:

2/12/2016 12:59:59 AM

Subject:

CN=Daniel Monteiro, O=Daniel Monteiro, STREET="Rua Dois,601 Costa Nova", L=Caraguatatuba, S=SP, PostalCode=11678-122, C=BR

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00DFF6D1C08352FE36A9B12F50EC41A883

File PE Metadata

Compilation timestamp:

6/20/1992 12:22:17 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:Jz2OiQL8W5AjY24I57kP9w+Pqo2vrgZUXiOxWPTCc9z3FTq3wKe2WM:Jzf6HCw+PqobUymaTX9zV8wb2WM

Entry address:

0xDCC00

Entry point:

55, 8B, EC, 83, C4, F0, B8, E8, C7, 4D, 00, E8, 04, A4, F2, FF, A1, 3C, 5D, 4E, 00, 8B, 00, E8, 1C, 3C, F8, FF, 8B, 0D, 78, 5E, 4E, 00, A1, 3C, 5D, 4E, 00, 8B, 00, 8B, 15, 8C, 47, 4D, 00, E8, 1C, 3C, F8, FF, 8B, 0D, B8, 5E, 4E, 00, A1, 3C, 5D, 4E, 00, 8B, 00, 8B, 15, 88, E6, 4C, 00, E8, 04, 3C, F8, FF, A1, 3C, 5D, 4E, 00, 8B, 00, E8, 78, 3C, F8, FF, E8, D7, 7A, F2, FF, 8D, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

879.5 KB (900,608 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

KernelSys32M

Command:

C:\msc\sp\csrss.exe rke

Remove csrss.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.