psr.exe
- File Path:
C:\Windows\system32\psr.exe - Description: Steps Recorder
Hashes
| Type | Hash |
|---|---|
| MD5 | 93F9974E3ED1946C71D823925F6AC60E |
| SHA1 | C1A74D9AD21A9AA89668A22F58A82642AACE78CA |
| SHA256 | 31304BC037A0D07078D13E83B927FBCB32668C74A9F0A280AEBFBF068A0B0DCD |
| SHA384 | 276FCB076B179D6E595F2A7D5877266661D18BCC0E74B4E5E5C29BA87F77EEE6AF4A89B4CCCC4F2EEAC86D29D75FB0BB |
| SHA512 | B3CBAB15BDB94CFD2E774A93F67BB06CB0CF7A70CEDE7476EB32A7DB5197CAC18708CE2B04FE5E372A88C55BF59BF348D09016A03CA8A7958E74F149C4F8FCFF |
| SSDEEP | 12288:Kb1fpCwfIJlwX9VKHcD8pellpco//EH1:Kb93fIJO9VK8ApeCoXEH |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: psr.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\psr.exe | 60 |
| C:\windows\system32\psr.exe | 54 |
| C:\windows\SysWOW64\psr.exe | 60 |
| C:\Windows\SysWOW64\psr.exe | 58 |
| C:\Windows\SysWOW64\psr.exe | 60 |
Possible Misuse
The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image\|endswith: '\Psr.exe' |
DRL 1.0 |
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /stop |
|
| LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe |
|
| LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe |
|
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 |
|
| LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. |
|
| LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe |
|
| LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe |
|
| LOLBAS | Psr.yml | - IOC: psr.exe spawned |
|
| atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c “timeout #{recording_time} > NULL && psr.exe /stop” | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.