SHA256: 25e4d8354c882eaea94b52039a96cc6d969a2dec8486557351cfa1d05c3b8984
File name: csrss.exe
Detection ratio: 47 / 68
Analysis date: 2018-07-23 10:25:54 UTC ( 2 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Gen:Heur.MSIL.Krypt.2 20180723
AegisLab Gen.Heur.Msil!c 20180723
AhnLab-V3 Spyware/Win32.Majikpos.C1861368 20180723
ALYac Trojan.Agent.Majikpos 20180723
Antiy-AVL Trojan[Backdoor]/MSIL.Agent 20180723
Arcabit Trojan.MSIL.Krypt.2 20180723
Avast Win32:Malware-gen 20180723
AVG Win32:Malware-gen 20180723
Avira (no cloud) HEUR/AGEN.1008530 20180723
AVware Trojan.Win32.Generic!BT 20180723
BitDefender Gen:Heur.MSIL.Krypt.2 20180723
CAT-QuickHeal Trojanspy.Majikpos 20180723
CrowdStrike Falcon (ML) malicious_confidence_80% (D) 20180530
Cybereason malicious.1dc951 20180225
Cylance Unsafe 20180723
Cyren W32/Trojan.YUEA-8464 20180723
DrWeb Trojan.DownLoader23.51858 20180723
Emsisoft Gen:Heur.MSIL.Krypt.2 (B) 20180723
Endgame malicious (moderate confidence) 20180711
ESET-NOD32 a variant of MSIL/Agent.RRY 20180723
F-Secure Gen:Heur.MSIL.Krypt.2 20180723
Fortinet W32/Agent.XIB!tr.bdr 20180723
GData Gen:Heur.MSIL.Krypt.2 20180723
Ikarus PUA.BrowseSmart 20180723
K7AntiVirus Trojan ( 700000121 ) 20180723
K7GW Trojan ( 700000121 ) 20180723
Kaspersky HEUR:Trojan.MSIL.MajikPOS.a 20180723
MAX malware (ai score=100) 20180723
McAfee Artemis!FBA46391DC95 20180723
McAfee-GW-Edition Artemis!Trojan 20180723
Microsoft TrojanSpy:MSIL/Majikpos.A 20180723
eScan Gen:Heur.MSIL.Krypt.2 20180723
NANO-Antivirus Trojan.Win32.Agent.elmshq 20180723
Palo Alto Networks (Known Signatures) generic.ml 20180723
Panda Trj/GdSda.A 20180722
Qihoo-360 Win32/Trojan.d60 20180723
Rising Backdoor.Agent!8.C5D (CLOUD) 20180723
Sophos AV Mal/Generic-S 20180723
Symantec Trojan.Majikpos 20180723
Tencent Msil.Backdoor.Agent.Egee 20180723
TrendMicro TSPY_MAJIKPOS.SMA 20180723
TrendMicro-HouseCall TSPY_MAJIKPOS.SMA 20180723
VBA32 Backdoor.MSIL.Agent 20180720
VIPRE Trojan.Win32.Generic!BT 20180723
Webroot Trojan.Downloader.Gen 20180723
Zillya Backdoor.Agent.Win32.60664 20180720
ZoneAlarm by Check Point HEUR:Trojan.MSIL.MajikPOS.gen 20180723
Alibaba 20180713
Avast-Mobile 20180723
Babable 20180406
Baidu 20180723
Bkav 20180723
ClamAV 20180723
CMC 20180723
Comodo 20180723
eGambit 20180723
F-Prot 20180723
Sophos ML 20180717
Jiangmin 20180723
Kingsoft 20180723
Malwarebytes 20180723
SentinelOne (Static ML) 20180701
SUPERAntiSpyware 20180722
TACHYON 20180723
TheHacker 20180723
TotalDefense 20180722
Trustlook 20180723
ViRobot 20180723
Yandex 20180720
Zoner 20180723
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows command line subsystem.
FileVersionInfo properties
Copyright Copyright © Microsoft 2016
Product Client Server Runtime Process
Original name csrss.exe
Internal name csrss.exe
File version 1.0.0.0
Description Client Server Runtime Process
Comments Client Server Runtime Process
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2017-01-27 14:19:53
Entry Point 0x0000DDC6
Number of sections 3
.NET details
Module Version ID 67821740-fd14-4976-b494-c3a5513ed5d2
TypeLib ID 70f5fd1d-a713-4cca-961c-62daeafe371e
PE sections
PE imports
_CorExeMain
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
NEUTRAL 2
PE resources
ExifTool file metadata
SubsystemVersion 4.0
Comments Client Server Runtime Process
LinkerVersion 8.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.0.0
LanguageCode Neutral
FileFlagsMask 0x003f
FileDescription Client Server Runtime Process
CharacterSet Unicode
InitializedDataSize 2560
EntryPoint 0xddc6
OriginalFileName csrss.exe
MIMEType application/octet-stream
LegalCopyright Copyright Microsoft 2016
FileVersion 1.0.0.0
TimeStamp 2017:01:27 15:19:53+01:00
FileType Win32 EXE
PEType PE32
InternalName csrss.exe
ProductVersion 1.0.0.0
UninitializedDataSize 0
OSVersion 4.0
FileOS Win32
Subsystem Windows command line
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft
CodeSize 48640
ProductName Client Server Runtime Process
ProductVersionNumber 1.0.0.0
FileTypeExtension exe
ObjectFileType Executable application
AssemblyVersion 1.0.0.0
CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in the wild, CarbonBlack noticed that the following files, while executing, wrote this sample to disk.
File identification
MD5 fba46391dc951fbe653f560623fe2842
SHA1 556ac921abd347d55a69b494f1b63156f7288d6d
SHA256 25e4d8354c882eaea94b52039a96cc6d969a2dec8486557351cfa1d05c3b8984
ssdeep 1536:DdARPfz4KbrCy/mzvsQqfq04B7bCz/hK:5kTAyOv/B7bCz5K
authentihash 8dac925f31245508511f2de6de5d396870ed10fea7cbb0b20c6cbe77b334e6fb
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 50.5 KB ( 51712 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly
TrID Generic CIL Executable (.NET, Mono, etc.) (55.8%)
Win64 Executable (generic) (21.0%)
Windows screen saver (9.9%)
Win32 Dynamic Link Library (generic) (5.0%)
Win32 Executable (generic) (3.4%)
Tags peexe assembly
VirusTotal metadata
First submission 2017-02-03 02:32:45 UTC ( 1 year, 8 months ago )
Last submission 2018-05-14 14:58:53 UTC ( 5 months ago )
File names ff1b.tmp