psr.exe
- File Path: C:\WINDOWS\system32\psr.exe
- Description: Steps Recorder
Hashes
Type | Hash |
---|---|
MD5 | 6A092DEAB717C3B5080151571FC37398 |
SHA1 | B89AA6167215B57FF47384C1CA11519D35CD5C7D |
SHA256 | 293F0A48D00E5909335257775BD8091F09DB3A0FE6A9A1B3F2FDBCA3A2DEFE5E |
SHA384 | 97E8BBB765A27180C4AE158E8F4158D91DFD83D87E6E48273E413C4413343A9522A178953E6976CA2616C1A098415C37 |
SHA512 | 474F0A865C1FF7B52122A9B0E26AF25B176A65DFBE74E9D9BBB11CFDB735953AE276C6CA41C22A1C9C81E625E49C180002EDCA8D4C5C855EB35B437DB073B01D |
SSDEEP | 3072:q4o1bGuH2WKspjQEyudPKGE86d/iaI5ufsoxQnO5JrGNv7JD:5o1bpHWs21WKGEDd/iaI5ufso8OsX |
IMP | CC6433D1B159B8C05ABCDBA9650AC2EB |
PESHA1 | EC75F6AFBC90EEC7148125CB60BF3D90B4605D09 |
PE256 | 8ACF407D49C9857B51022953E7F5A65DB606575C5497722D0953AEBA6EEBCA68 |
Signature
- Status: Signature verified.
- Serial: 33000002ED2C45E4C145CF48440000000002ED
- Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: psr.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/293f0a48d00e5909335257775bd8091f09db3a0fe6a9a1b3f2fdbca3a2defe5e/detection
Possible Misuse
The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots | DRL 1.0 |
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine | DRL 1.0 |
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image\|endswith: '\Psr.exe' | DRL 1.0 |
LOLBAS | Psr.yml | Name: Psr.exe | |
LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip | |
LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip | |
LOLBAS | Psr.yml | - Command: psr.exe /stop | |
LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe | |
LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe | |
LOLBAS | Psr.yml | Name: Psr.exe | |
LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 | |
LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. | |
LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe | |
LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe | |
LOLBAS | Psr.yml | - IOC: psr.exe spawned | |
atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary |
atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary |
atomic-red-team | T1113.md | cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.