psr.exe

• File Path: C:\Windows\system32\psr.exe
• Description: Steps Recorder

Hashes

Type	Hash
MD5	402F1EFF59C025CF3BB134B27CB1E729
SHA1	11BF3A146940D214D9BBAD019E17C432F041481C
SHA256	43BFF52AEC02A3851737CB2DD5799A5196BD0C3EDF30FB482F9F0AA2326910DA
SHA384	96663EFAA7ED6D337B45F71F883C251F1D423D4AEB33BB6B11EA3CB242051AE8604A0472998163BCB4A8FFC3C8C9A68F
SHA512	60ACB47B3616C26BC2BBF27F6BE706A7ADFBEB66DDF32C64F2457EBE031F331FBD43E8EE64992B9024DB824392A433894B86CFE80CC06ED2338798F373B45FDF
SSDEEP	6144:z1yxV51DmDVQwwwoHsmbM/NzV/JAVcD8LPhSiWofQr2k5l8BmMxowi/EH1:z1yr5EVoHjbM/WcD8pellpco//EH1
IMP	12931ABAD86FDA80B59207BCB7A378CA
PESHA1	A289A8982856FC4AD5D898D840C220D444D77AAD
PE256	4D1FAD768148DEDEA18F108FCD190EF7B60787D11BC711F9E117A57098E11496

Signature

• Status: Signature verified.
• Serial: 3300000266BD1580EFA75CD6D3000000000266
• Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: psr.exe.mui
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.17763.1 (WinBuild.160101.0800)
• Product Version: 10.0.17763.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/72
• VirusTotal Link: https://www.virustotal.com/gui/file/43bff52aec02a3851737cb2dd5799a5196bd0c3edf30fb482f9f0aa2326910da/detection/

File Similarity (ssdeep match)

File	Score
C:\windows\system32\psr.exe	60
C:\Windows\system32\psr.exe	60
C:\windows\SysWOW64\psr.exe	68
C:\Windows\SysWOW64\psr.exe	60
C:\Windows\SysWOW64\psr.exe	65

Possible Misuse

The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_susp_psr_capture_screenshots.yml	title: Psr.exe Capture Screenshots	DRL 1.0
sigma	proc_creation_win_susp_psr_capture_screenshots.yml	description: The psr.exe captures desktop screenshots and saves them on the local machine	DRL 1.0
sigma	proc_creation_win_susp_psr_capture_screenshots.yml	Image\|endswith: '\Psr.exe'	DRL 1.0
LOLBAS	Psr.yml	Name: Psr.exe
LOLBAS	Psr.yml	- Command: psr.exe /start /gui 0 /output c:\users\user\out.zip
LOLBAS	Psr.yml	- Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip
LOLBAS	Psr.yml	- Command: psr.exe /stop
LOLBAS	Psr.yml	- C:\Windows\System32\Psr.exe
LOLBAS	Psr.yml	- C:\Windows\SysWOW64\Psr.exe
LOLBAS	Psr.yml	Name: Psr.exe
LOLBAS	Psr.yml	- Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0
LOLBAS	Psr.yml	Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.
LOLBAS	Psr.yml	- Path: c:\windows\system32\psr.exe
LOLBAS	Psr.yml	- Path: c:\windows\syswow64\psr.exe
LOLBAS	Psr.yml	- IOC: psr.exe spawned
atomic-red-team	T1113.md	Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour	MIT License. © 2018 Red Canary
atomic-red-team	T1113.md	cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12	MIT License. © 2018 Red Canary
atomic-red-team	T1113.md	cmd /c “timeout #{recording_time} > NULL && psr.exe /stop”	MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.