psr.exe
- File Path:
C:\Windows\SysWOW64\psr.exe - Description: Steps Recorder
Hashes
| Type | Hash |
|---|---|
| MD5 | D1D04E03BE76897B60E4CF5500007CAE |
| SHA1 | EA8D1EE5C696B05EA379A1D58489FF577BA03DCA |
| SHA256 | E8B207E3B896E8864BF098203FF4B1677A88A4E6BB638103EFE44780EC4DF6B4 |
| SHA384 | 9A19A34A5B2BD8649345F43FA77967962635E34F5404CD260DCEC34975BB5E07BABA2D4E3B5F152CE1073826085746FE |
| SHA512 | 8C9C463DC6ED89A602CBB7CDA3ECA6744DA749488910A085C14E39636D6D81BCEA39D5A228F12E43156D13FFAB0EE96A9044B7B355EA3B0FB251D3BA8AF5A08B |
| SSDEEP | 6144:ZIT4UtEKMwWGFCysoCJAVcD8LPhSiWofQr2k5l8BmMxowi/EH1g:ZAVEwrcD8pellpco//EH1g |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: psr.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\psr.exe | 65 |
| C:\windows\system32\psr.exe | 60 |
| C:\Windows\system32\psr.exe | 60 |
| C:\windows\SysWOW64\psr.exe | 72 |
| C:\Windows\SysWOW64\psr.exe | 71 |
Possible Misuse
The following table contains possible examples of psr.exe being misused. While psr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | title: Psr.exe Capture Screenshots |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | description: The psr.exe captures desktop screenshots and saves them on the local machine |
DRL 1.0 |
| sigma | proc_creation_win_susp_psr_capture_screenshots.yml | Image\|endswith: '\Psr.exe' |
DRL 1.0 |
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip |
|
| LOLBAS | Psr.yml | - Command: psr.exe /stop |
|
| LOLBAS | Psr.yml | - C:\Windows\System32\Psr.exe |
|
| LOLBAS | Psr.yml | - C:\Windows\SysWOW64\Psr.exe |
|
| LOLBAS | Psr.yml | Name: Psr.exe |
|
| LOLBAS | Psr.yml | - Command: psr.exe /start /output D:\test.zip /sc 1 /gui 0 |
|
| LOLBAS | Psr.yml | Description: Record a user screen without creating a GUI. You should use "psr.exe /stop" to stop recording and create output file. |
|
| LOLBAS | Psr.yml | - Path: c:\windows\system32\psr.exe |
|
| LOLBAS | Psr.yml | - Path: c:\windows\syswow64\psr.exe |
|
| LOLBAS | Psr.yml | - IOC: psr.exe spawned |
|
| atomic-red-team | T1113.md | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | cmd /c “timeout #{recording_time} > NULL && psr.exe /stop” | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.