psr.exe
- File Path:
C:\windows\system32\psr.exe - Description: Steps Recorder
Hashes
| Type | Hash |
|---|---|
| MD5 | 4ABD52BC6FF33F33C8B930A8EB78D591 |
| SHA1 | 3F4316B15CADBDEAC4D9C1287A14298699EDB56B |
| SHA256 | 1453645897C643FA8870081FE1C592BFECD8DE9755665EED239729FD801AB5AC |
| SHA384 | 5A378D762F6DA2230FC94885CCA0E4A909B313C58FA9CD867EAE35EDFC1B4021020035F8D79DEC243A736A1271CD60F7 |
| SHA512 | 35922219108089E6D636451C9E8402A85DA4031CD181B5E58F28264517BA8F580A99A5F025F2F83C3593882CBE11081BCCA3C4E95EC024EEBB19CC8529949E34 |
| SSDEEP | 12288:IsHs2pR/4o1E39jxXcD8pellpco//EH1:w2Ha9jqApeCoXEH |
Signature
- Status: The file C:\windows\system32\psr.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: psr.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\psr.exe | 60 |
| C:\Windows\system32\psr.exe | 54 |
| C:\windows\SysWOW64\psr.exe | 60 |
| C:\Windows\SysWOW64\psr.exe | 58 |
| C:\Windows\SysWOW64\psr.exe | 60 |
Possible Misuse
The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image\|endswith: '\Psr.exe' |
DRL 1.0 |
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /stop |
|
| LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe |
|
| LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe |
|
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 |
|
| LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. |
|
| LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe |
|
| LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe |
|
| LOLBAS | Psr.yml | - IOC: psr.exe spawned |
|
| atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c “timeout #{recording_time} > NULL && psr.exe /stop” | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.