I have found the referenced Anomali article and DFIR report very helpful when identifying ScreenConnect launch parameters. I haven't figured out what r and i does.
- e as session type, can be Support, Meeting, Access .
- y as process type, can be Guest or Host .
- h as the URI to the relay service’s URI.
- p as the relay service’s port.
- s as a globally unique identifier for client identification.
- k as the encoded encryption key, used for identity verification.
- t as the optional session name.
References:
https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
