psr.exe

  • File Path: C:\Windows\system32\psr.exe
  • Description: Steps Recorder

Hashes

Type   | Hash
MD5    | 93F9974E3ED1946C71D823925F6AC60E
SHA1   | C1A74D9AD21A9AA89668A22F58A82642AACE78CA
SHA256 | 31304BC037A0D07078D13E83B927FBCB32668C74A9F0A280AEBFBF068A0B0DCD
SHA384 | 276FCB076B179D6E595F2A7D5877266661D18BCC0E74B4E5E5C29BA87F77EEE6AF4A89B4CCCC4F2EEAC86D29D75FB0BB
SHA512 | B3CBAB15BDB94CFD2E774A93F67BB06CB0CF7A70CEDE7476EB32A7DB5197CAC18708CE2B04FE5E372A88C55BF59BF348D09016A03CA8A7958E74F149C4F8FCFF
SSDEEP | 12288:Kb1fpCwfIJlwX9VKHcD8pellpco//EH1:Kb93fIJO9VK8ApeCoXEH

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: psr.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File                        | Score
C:\Windows\system32\psr.exe | 60
C:\windows\system32\psr.exe | 54
C:\windows\SysWOW64\psr.exe | 60
C:\Windows\SysWOW64\psr.exe | 58
C:\Windows\SysWOW64\psr.exe | 60

Possible Misuse

The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots | DRL 1.0
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine | DRL 1.0
sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image|endswith: '\Psr.exe' | DRL 1.0
LOLBAS | Psr.yml | Name: Psr.exe |
LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip |
LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip |
LOLBAS | Psr.yml | - Command: psr.exe /stop |
LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe |
LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe |
LOLBAS | Psr.yml | Name: Psr.exe |
LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 |
LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. |
LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe |
LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe |
LOLBAS | Psr.yml | - IOC: psr.exe spawned |
atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary
atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary
atomic-red-team | T1113.md | cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.