psr.exe
- File Path: C:\Windows\SysWOW64\psr.exe
- Description: Steps Recorder
Hashes
| Type | Hash |
|---|---|
| MD5 | A1B3839290C9485182436E2D2B12A644 |
| SHA1 | 2842A3C8875BD3C214633554DDE47AC401EFE559 |
| SHA256 | 7D944CE0DFE4FAB3D6D56D7D30F2AF8615C6E4CF4311B589022C3BBAFB3B7411 |
| SHA384 | 125EE29982914E1BF9264FA2B11DFA4DD55ACBAADE7D8BA5A673CF5B0D24C6C7B20919991AA32D9E2CFA244915782A1D |
| SHA512 | 18F5C1273D6F23EE73F1E3CF81A015888C48FCA469C4607120C376D1D310851F6C3C01204F5A22273FA30F6F80C0B49AF835D3F83F773CF51DC374C24061DB57 |
| SSDEEP | 6144:XskrYkkRu4JYf/DDVrkv2tde70JAVcD8LPhSiWofQr2k5l8BmMxowi/EH1qf:/hc9oLDVw2fucD8pellpco//EH1 |
| IMP | 712ABE6C53B8E8EA9FE1C6BA6DB384D2 |
| PESHA1 | 974EE29D5F7A0E30C3E69D260477A2869DA0F192 |
| PE256 | 99D6C5EE8309E81F2E2F00BBBECC90C391A421612F1B9E0B738F2E1779476773 |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: psr.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1282 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1282
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/7d944ce0dfe4fab3d6d56d7d30f2af8615c6e4cf4311b589022c3bbafb3b7411/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\psr.exe | 60 |
| C:\windows\system32\psr.exe | 58 |
| C:\Windows\system32\psr.exe | 58 |
| C:\windows\SysWOW64\psr.exe | 65 |
| C:\Windows\SysWOW64\psr.exe | 71 |
Possible Misuse
The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots | DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine | DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image\|endswith: '\Psr.exe' | DRL 1.0 |
| LOLBAS | Psr.yml | Name: Psr.exe | |
| LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip | |
| LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip | |
| LOLBAS | Psr.yml | - Command: psr.exe /stop | |
| LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe | |
| LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe | |
| LOLBAS | Psr.yml | Name: Psr.exe | |
| LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 | |
| LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. | |
| LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe | |
| LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe | |
| LOLBAS | Psr.yml | - IOC: psr.exe spawned | |
| atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.