csrss.exe

Client Server Runtime Process

ABDULKADIR SAHIN

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application csrss.exe, “Client Server Runtime Process” by ABDULKADIR SAHIN has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat.
Publisher:
Microsoft Corporation  (signed by ABDULKADIR SAHIN)

Product:
Microsoft® Windows® Operating System

Description:
Client Server Runtime Process

Version:
6.1.7600.16385

MD5:
69defb3500feb890ba62f7046932978c

SHA-1:
d87e419223b531ef8e6f165ec4fa1c10f8d3d070

SHA-256:
11069c52aadf39daae25110f0609651592029dd923a8375d58191ae70d32c875

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/14/2024 2:23:53 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.ABDULKAD (M)
16.6.26.15

File size:
193.8 KB (198,480 bytes)

Product version:
6.1.7600.16385

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
startupnew.exe

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\ProgramData\csrss.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
1/18/2013 2:00:00 AM

Valid to:
3/20/2014 1:59:59 AM

Subject:
CN=ABDULKADIR SAHIN, OU=Individual Developer, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=No Organization Affiliation, L=ANKARA, S=KECIOREN, C=TR

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
516CAE126302D8B129C8550A077CDF6F

File PE Metadata
Compilation timestamp:
6/12/2010 1:58:00 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:hRvcEC2Oi8NXC797F8TBfFvj4bq5731uOKk9eUHsyfyEqBbVEulbMc:hBC2F8NXC796TB9vj483//jHN0iRc

Entry address:
0xFFEF

Entry point:
E8, 12, 5B, 00, 00, E9, A4, FE, FF, FF, 6A, 0C, 68, 38, 11, 42, 00, E8, 67, 0D, 00, 00, 6A, 0E, E8, 68, 02, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, F4, 37, 42, 00, BA, F0, 37, 42, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A, 04, 50, E8, D9, E7, FF, FF, 59, FF, 76, 04, E8, D0, E7, FF, FF, 59, 83, 66, 04, 00, C7, 45, FC, FE, FF, FF, FF, E8, 0A, 00, 00, 00, E8, 56, 0D, 00, 00, C3, 8B, D0, EB, C5, 6A, 0E, E8, 33, 01, 00, 00, 59, C3, CC, CC, CC, CC, CC, CC...
 
[+]

Code size:
102 KB (104,448 bytes)

Remove csrss.exe - Powered by Reason Core Security