csrss.exe

µTorrent

BitTorrent Inc.

The application csrss.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Winlogon’.
Publisher:
BitTorrent Inc.

Product:
µTorrent

Version:
3.4.2.34944

MD5:
7ec46a5266b7015fd025a729d41698a3

SHA-1:
7cb815b9d19dd1c53068e4daf1d94f592c2c9d5a

SHA-256:
f14c86c3c8de1b3d3e72643f298459268ce8e3b3adf5ea89497d25db6143554a

Scanner detections:
21 / 68

Status:
Potentially unwanted

Analysis date:
4/23/2024 3:09:49 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Trojan.GenericKD.2043203 | 684 |
| Avira AntiVirus | TR/Confuser.913920 | 7.11.198.180 |
| avast! | MSIL:GenMalicious-BIU [Trj] | 141214-1 |
| Baidu Antivirus | Backdoor.Win32.DarkKomet | 4.0.3.15323 |
| Bitdefender | Trojan.GenericKD.2043203 | 1.0.20.410 |
| Comodo Security | UnclassifiedMalware | 20534 |
| Emsisoft Anti-Malware | Trojan.GenericKD.2043203 | 8.15.03.23.05 |
| ESET NOD32 | MSIL/Packed.Confuser.J suspicious application | 7.0.302.0 |
| Fortinet FortiGate | W32/DarkKomet.EESY!tr.bdr | 3/23/2015 |
| F-Secure | Trojan.GenericKD.2043203 | 11.2015-23-03_2 |
| G Data | Trojan.GenericKD.2043203 | 15.3.24 |
| K7 AntiVirus | Unwanted-Program | 13.188.14496 |
| Kaspersky | Backdoor.Win32.DarkKomet | 15.0.0.543 |
| McAfee | Artemis!7EC46A5266B7 | 5600.6818 |
| MicroWorld eScan | Trojan.GenericKD.2043203 | 16.0.0.246 |
| NANO AntiVirus | Trojan.Win32.DarkKomet.dlbhqg | 0.30.0.64448 |
| nProtect | Trojan.GenericKD.2043203 | 14.12.30.01 |
| Panda Antivirus | Generic Suspicious | 15.03.23.05 |
| Qihoo 360 Security | Malware.QVM03.Gen | 1.0.0.1015 |
| Sophos | Mal/Generic-S | 4.98 |
| Trend Micro House Call | TROJ_GEN.R047H07LL14 | 7.2.82 |

File size:
892.5 KB (913,920 bytes)

Product version:
3.4.2.34944

Copyright:
©2014 BitTorrent, Inc. All Rights Reserved.

Original file name:
uTorrent.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\subfolder\subfolder\csrss.exe

File PE Metadata
Compilation timestamp:
11/23/2014 9:06:05 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:YqY5+qOOZgjqXbCARVTtvDxGUynUPnCXVODsZPmK2IGjhjnRPxltgAu5BvFCzWa+:YqYerOBLTtvVGsPJhtIGb736dCzFLq

Entry address:
0x9A37E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
Entropy:
7.5511

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
609 KB (623,616 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Winlogon

Command:
C:\users\{user}\appdata\roaming\subfolder\subfolder\winlogon.exe

