psr.exe
- File Path:
C:\WINDOWS\SysWOW64\psr.exe - Description: Steps Recorder
Hashes
| Type | Hash |
|---|---|
| MD5 | 1AA5BCE93A418B811DF9AE0DBA8DB6C6 |
| SHA1 | 46752DDCE861524C0FB0029641AA3FC235728E07 |
| SHA256 | 51A76E0E6F76A65CBB09084B03B4BD958C81C877C6833ECAA118A451CDC2DBC9 |
| SHA384 | C2A2E5591D3707AD90DB6DFFF747AF5035F8409D16126331712B3B58F41B664A6427F94CB4AF9E21B9AF55372C5F752F |
| SHA512 | C28AD59D89CECD2FBD9DD4BD768C117DD3FEA4A4DAF9C724323D7666BAB6B5ED50F25435ECB72952CF42A713232D319078540CC9EFFEFDDAA673ABCA2769EEEC |
| SSDEEP | 3072:/I61pJa1ik1Bdaw2CBvaaFNIt4Ja7rxWF7HoO8qE8:rciGdiCBvBF6yaPx27IOO |
| IMP | 2E5FD6B8059B0A606D0F5D6ECE797554 |
| PESHA1 | 4879F68A612B78D90C10B85CE235370ADE240265 |
| PE256 | 24F7E326C124878CDE2969BCB5E20B6821BF02EE76C28962572140213CDBFB5F |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: psr.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/51a76e0e6f76a65cbb09084b03b4bd958c81c877c6833ecaa118a451cdc2dbc9/detection
Possible Misuse
The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image\|endswith: '\Psr.exe' |
DRL 1.0 |
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /stop |
|
| LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe |
|
| LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe |
|
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 |
|
| LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. |
|
| LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe |
|
| LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe |
|
| LOLBAS | Psr.yml | - IOC: psr.exe spawned |
|
| atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c “timeout #{recording_time} > NULL && psr.exe /stop” | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.