psr.exe

  • File Path: C:\WINDOWS\system32\psr.exe
  • Description: Steps Recorder

Hashes

Type Hash
MD5 718958B7BA25BE86F1EFA0EDC41C8233
SHA1 DF7BB4566C82C0DEA0FD335CE7CF576691044841
SHA256 A12EBF100EF959BA9391683CA8D24C0BF4C16CC65D96249F09998ADEEDC79B94
SHA384 3B4B6D0C520EE04FF3EE2E93B810D457A3F2BBFDE41E3EAAFB7AE7B2437AB7AF934C301C30076F19D932264562FD828C
SHA512 A67EE86095B5D071C933D235C64959BA82F0FD86421454FCC2F2C4017EE8DEA72BEC2A2E9650208F70E9CED54310D21503BD7E9860D316F23F4406F65E92272F
SSDEEP 3072:/BHHC4xaQGcV5fFkWDgN6QLqAtxQG48Qc7gUi/TteDghATBLUri23R:/BHHC48lcjfA6y7tOh80/TteDghA9L

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: psr.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_psr_capture_screenshots.yml title: Psr.exe Capture Screenshots DRL 1.0
sigma proc_creation_win_susp_psr_capture_screenshots.yml description: The psr.exe captures desktop screenshots and saves them on the local machine DRL 1.0
sigma proc_creation_win_susp_psr_capture_screenshots.yml Image\|endswith: '\Psr.exe' DRL 1.0
LOLBAS Psr.yml Name: Psr.exe  
LOLBAS Psr.yml - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip  
LOLBAS Psr.yml - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip  
LOLBAS Psr.yml - Command: psr.exe /stop  
LOLBAS Psr.yml - C:\Windows\System32\Psr.exe  
LOLBAS Psr.yml - C:\Windows\SysWOW64\Psr.exe  
LOLBAS Psr.yml Name: Psr.exe  
LOLBAS Psr.yml - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0  
LOLBAS Psr.yml Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file.  
LOLBAS Psr.yml - Path: c:\windows\system32\psr.exe  
LOLBAS Psr.yml - Path: c:\windows\syswow64\psr.exe  
LOLBAS Psr.yml - IOC: psr.exe spawned  
atomic-red-team T1113.md Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour MIT License. © 2018 Red Canary
atomic-red-team T1113.md cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 MIT License. © 2018 Red Canary
atomic-red-team T1113.md cmd /c “timeout #{recording_time} > NULL && psr.exe /stop” MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.