psr.exe
- File Path: C:\windows\SysWOW64\psr.exe
- Description: Steps Recorder
Hashes
Type | Hash |
---|---|
MD5 | 61B53950F13B05BDA1653B0007C75F93 |
SHA1 | B2EF50078B424A09168EFA611E57E8F999B5A634 |
SHA256 | 0FF1A185FC4201CC2154B6E5EDBF1C4FF1A487D130FEED4E841BF688EF10BC3B |
SHA384 | 8978A8210F748D84C0D1FFF1439BDE9DD82F842504828E9DDEE69B997400FB0D4CF13E8C09B20BDAA9CED7CD8E05A3E5 |
SHA512 | DCEF7FA48B87D79AA93463196267D1576D6AD9AB4DF0F8DFFF683FF6ADA8B376A20D5F1881F401B9C0C09D12FDA6C3CBA4A7D3C6A2C2FA75524D86E3B0A6C43E |
SSDEEP | 6144:rmCNmDzCA1x4X3PsjPJAVcD8LPhSiWofQr2k5l8BmMxowi/EH1:rz+RUfsicD8pellpco//EH1 |
Signature
- Status: The file C:\windows\SysWOW64\psr.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: psr.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\system32\psr.exe | 68 |
C:\windows\system32\psr.exe | 60 |
C:\Windows\system32\psr.exe | 60 |
C:\Windows\SysWOW64\psr.exe | 65 |
C:\Windows\SysWOW64\psr.exe | 72 |
Possible Misuse
The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots | DRL 1.0 |
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine | DRL 1.0 |
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image\|endswith: '\Psr.exe' | DRL 1.0 |
LOLBAS | Psr.yml | Name: Psr.exe | |
LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip | |
LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip | |
LOLBAS | Psr.yml | - Command: psr.exe /stop | |
LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe | |
LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe | |
LOLBAS | Psr.yml | Name: Psr.exe | |
LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 | |
LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. | |
LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe | |
LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe | |
LOLBAS | Psr.yml | - IOC: psr.exe spawned | |
atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary |
atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary |
atomic-red-team | T1113.md | cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.