Windows Problem Steps Recorder, used to record screen and clicks.

Paths:

c:\windows\system32\psr.exe
c:\windows\syswow64\psr.exe

Detection: psr.exe spawned suspicious activity when running with “/gui 0” flag

Reconnaissance

Record a user screen without creating a GUI. You should use “psr.exe /stop” to stop recording and create output file.

psr.exe /start /output D:\test.zip /sc 1 /gui 0