| executable | code_signature.subject_name | code_signature.serial_number |
|---|---|---|
| C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe | Connectwise, LLC | 0b9360051bccf66642998998d5ba97ce |
| C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Client.exe | Connectwise, LLC | 0b9360051bccf66642998998d5ba97ce |
| C:\Windows\LTSvc\LTSVC.exe | Connectwise, LLC | |
| C:\Users\*\Downloads\ConnectWiseControl.Client.exe | Connectwise, LLC |
Notes:
-
Connectwise Automate / Labtech is a paid tool, whereas Connectwise Control / Screenconnect has a free version.
-
I've seen the former abused when an MSP is breached, whereas the latter is frequently used to blend in with existing tooling.
-
You can install multiple Screenconnect instances on one device, notated by the GUID after the software name shown in appwiz.cpl.
-
Different ScreenConnect instantces can be also differentiated by the domain name the ScreenConnect binary reaches out to.