scrnsave.scr

  • File Path: C:\Windows\SysWOW64\scrnsave.scr
  • Description: Blank Screen Saver

Screenshot

scrnsave.scr

Hashes

Type Hash
MD5 4F5B56F1A6B259FA15D0B77FF625D41F
SHA1 11A04C52536A14652E3DE300EC9AFCCD9F78BE6F
SHA256 32E047D1029404ED1D41D324D4819FD16327D803A61A7FD7F573E0AFFE67296D
SHA384 6B4C862A99F34A662C5033AD0409E139AF80646A90359CFFC9A60227E30421BCBE319DFA31325FC72B3B8A295D73FD6F
SHA512 5F5FC780362CF26B6507454D9F20C557A11E5F24805157DC95BAAF8DFE3289F1261E6F2685E639D4ECA0BFDDABB6F2E6260B97E298F9AEF9E0B348702BA5F9E3
SSDEEP 384:rycQHVX4hBfKL+ZDMOVNwE2iGFcAMkpplkxMlvVXA1OWiZ/aOvSj27lNICeWSl2h:rycPLSOIEsVMMpSS38UhIclNICuc
IMP 4D46E014C69A115F410E9BAB963E857F
PESHA1 D777DC21E64D5210C0C492C024103E32D5114B36
PE256 CAD3A06DF6350DC06BF340E306F1E856FD804FDE117B140A1B9C94A0DDE51FA5

Runtime Data

Window Title:

Blank Screen Saver

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\SysWOW64\en-US\scrnsave.scr.mui File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.746_none_11afeb8d2fff49aa File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme3205582532 Section
\Windows\Theme3800351183 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\scrnsave.scr

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: scrnsave
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/32e047d1029404ed1d41d324d4819fd16327d803a61a7fd7f573e0affe67296d/detection

Possible Misuse

The following table contains possible examples of scrnsave.scr being misused. While scrnsave.scr is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
atomic-red-team T1546.002.md <blockquote>Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.