Ticket#3536083/STONEHENGE/[##342681##] High - SentinelOne Threat - Stonehenge Advisors, Inc - 87f3.rbf - 05/11/26 -- has been updated - Alle Aktuellen E-Mails

This ticket has been updated by John Lewis

John Lewis

5/18/2026 1:21 PM

Reviewed the alert in the S1 portal.
The file 87f3.rbf is related to Screen Connect.
I confirmed the only Screen Connect clients installed on the machine are from Atlantic.
No further action is required.
Closing ticket.

Summary:

[##342681##] High - SentinelOne Threat - Stonehenge Advisors, Inc - 87f3.rbf - 05/11/26

Status:

Closed

Ticket #

3536083

Company:

Stonehenge Advisors, Inc

Contact:

Dan Sablosky (POC)

Phone:

(215) 320-3777

Address:

4328-42 Ridge Avenue
Suite 104
Philadelphia, PA 19129

View Ticket

Discussion

John Lewis

5/18/2026 1:21 PM-1:23 PM

Dan Sablosky (POC)

5/11/2026 1:04 PM-

{      "@context": "http://schema.org",      "@type": "EmailMessage",      "potentialAction": {        "@type": "ViewAction",        "target": "https://desk.cyflare.cloud/portal/ticket/342681",        "name": "View Ticket "      },      "description": "View Ticket"    }

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID:  342681
Priority:  High
Subject:  High - SentinelOne Threat - Stonehenge Advisors, Inc - 87f3.rbf - 05/11/26
Description:

EDR: 87f3.rbf

Customer: Stonehenge Advisors, Inc |                            Detected: 2025-10-06 09:51:11 UTC-04

Priority: HighSource: SentineloneThreat status: Mitigated - contained by socKill: SuccessQuarantine: Partial
Alert Link:EDR Alert

Executive Summary                AI-Assisted

A suspicious software execution was detected on an endpoint used by an unspecified user on a workstation, rated as high severity due to attempts to access sensitive system information and persistence techniques that could allow continued access; the SOC applied containment actions with partial success and some agents fully remediated the activity. Business risk includes potential credential exposure and unauthorized access that could disrupt operations or lead to data loss.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
ActionStatus

--- ---
LyndonPC2, no full disk scan command was sent.                        Not Configured
LyndonPC2, endpoint was not isolated from the network.                        Not Configured

Recommended Remediation

[Containment] Isolate 'LyndonPC2' from the network immediately (disconnect wired/wireless and remove from VPN) to prevent further lateral movement.
[Eradication] Remove the file '\Device\HarddiskVolume3\Config.Msi\87f3.rbf' and any related ScreenConnect client installers from the endpoint and from any software distribution shares.
[Eradication] Terminate and remove the process 'ScreenConnect.ClientService.exe' on the affected host and ensure the service/executable is uninstalled.
[Hardening] Reset local and domain passwords for accounts that access the endpoint and force reissue of any existing remote-access credentials used by ConnectWise/ScreenConnect integrations.
[Hardening] Audit and remove unauthorized autoruns, services, and registry run keys related to ScreenConnect or unknown installers and restrict installer rights to administrators only.

Key Details
Threat ClassificationMalwareEndpoint NameLyndonPC2
Detection EngineOn-Write DFI - SuspiciousEndpoint IP Address20.13.55.205
File Path\Device\HarddiskVolume3\Config.Msi\87f3.rbfSite NameStonehenge Advisors
File Hashbc0b03a340d46c23a4a2f91ebd7ed4d0fcf92fc7c4323f522c86369ad483f68a MaliciousGroup Name Stonehenge Advisors Inc - LYNDON KPG-MCG Curtis Tenant LLC
File Publisher NameSentinelOne Mitigation Policyprotect
File Publisher Signed & VerifiedNotSignedSentinelOne Mitigation Statusmitigated
Command Line"?e=Access&y=Guest&h=screenconnect.tomorrowsoffice.com&p=8041&s=3041da1c-b9f4-44f5-9d10-051099a38f16&k=BgIAAACkAABSU0ExAAgAAAEAAQBr%2fYjy1QXt%2bWq0PQcM7Y%2fOggxTrpC5Qn0ovPzrCEJtXf9ue1sSb4MP%2bCu7kdVb94w5mk815nVpc4eJFvG8ImFga%2bMZvFe%2f8kL13ik9UdzRepFroDvVgqsyHGtPrXEqc64BaKLxFQ65aoVVPEcs2UyrhdxbJWEcNjKZZQtattpkWfKEL2ehJv5C7G6IRztbrZYFinsQV5utfwjQDWDUDdDO3Dqjq2qOFsEorkfP9rYhVH%2fSVKgMmO9maEuO%2fTqqu8As4owhCXiHBya%2bVv4%2f%2bXf9yP8s%2fwt1pqbxsc%2f6fzUTRCIvNiapcdNcZcRB8vLnn7NvpxFsBv5r1e0g9TJEB2%2fK&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAYWJCnpS3nUiQzd3DSd0yNQAAAAACAAAAAAAQZgAAAAEAACAAAADvz7hL29LjK4wk8Uj%2fN%2bOFJdlR226FcM%2bNXtGQ92yhjQAAAAAOgAAAAAIAACAAAABN%2bX0S6PMCnkDnez97QlIXp%2fepwdbSolhiHxmB7YYuW6AEAADfrPuLkEf1Ug0Jtp%2bsZ7fbsELyp169DrOKmzZfyVouqQm97oSiOwvOXF9RdJTxB9ocPk09usk2tSRBwAOMFP3KBGMqFS5xT0k7c%2f%2b84fn4uty%2fdJZluCY9TCV%2bIT4FFO0%2byeNFTDrgJUrQuWWIlXIb7TTiDv0N8kajp99X72QHWKB0k3%2fvOIj5BBaB04p2ZQlbIfLb7TzbKoBYktyCLSrKvgMJTp9RnfqZ1P8ZlJElVfB2fjLpmuSp2CpFPDJPiESh1Ol9iOCKdcBWSKSvVe94ndOeZLw8zFE1VrepEznyztC7j%2f14uAdDTGJ%2faxtCd8dKYrGOGoEBHoeTylCnivn4sj8iOkNIA7u1Mkl%2feCfmMxyxpWDS2KJF%2bns1qtNQxn4wPSJEr%2bAfUrH1dgr6SEBT5CTcB9X%2b0m6%2bfwOmNMcZn2jv68iAItZ9ijGjGj%2fBIG%2fgyhqXvAVvHj0EUzQDQEwRAX6YFsKvmfJqNPx0Y6KTIcb37zKtjjjAs1W4HQNNj0Uw83ETpu7qLlQZg4h26Lwzm0qXbLS9%2bdpKI7G8rQOe9BmqQJqlIi7kVqT0bRVtVUMjnQcweBYYXVQ9qltSNwxohL1FZnMDjtz4C4cCKq1NUzUMZRw%2fY96EZO8f6TASf2V8gGjRq22MCD6S7OsnXFTuEA%2bvTFEmPVEu0YW7IUQ8soj23LE5rJouYnqwDvNpvHecmzAWo1%2bfR6FG8mDs%2bkKYwEa9MXCZI3R2J1Pq4rsVW9udrSR7Sc3d8qW7aeg2Ri1vMuuly4wazO%2bHz9R340Kxhydpk0VWbpej2vzzgV%2fXW28pcAetYbG9FsrWoAu7u2zwLvVxfnJAgbIyDMKA%2bqNec%2fOUvOC5nvpp4K%2fU7GTLrtKhtKVz4it9i58lHOsTY1%2bgqlrKrNPYUD5MF1FWiuwrBhB%2f2aM9Hpv0GR4v%2bvbfIMa395t25pIiCrd5ZSHjdhSeBUYHvh3BZH6wTxhAxE%2brhyKTT9%2f8WLOefJsoNUDslZIb8p8Fp76owNuz1XaubQlTJNynRrNl0MHOPcPvLZUXv3f6WPMOrG4%2ffKfhUJ4U5Pp7Fu%2fKNR1o6bj8gipvRfo07rRX%2bceCTlFjpgpuQMFdjbH0hozesRWvBg5Ml7N6EgqVMTYfH%2f5nBbxoSCzizQcfNtlNUg7brqsr54C00EyDMnsBKvUFD7%2bY4h6MhQec98vSSWFuxtA%2fvtYOENVXOR6UEtwyhC5LaLQg4yOp8LDeOAD59%2bOyQkIMtq%2f%2fKklpJF9GzGJfUwCO7%2bCt1oUf2OSHOny2hWJGBo%2bA3nMRl8O3FUHE2KyohDWyjJDv%2f1k8TxXWnAF1uM2KYZqM4iS%2buTVkg1haeBZWcUAWeUThARv29NlnoDzagiElzK37DMwfA%2fFImP0qqYKje5xueql3d%2fmQ9onHkMyrRdSg%2bDzp4dBdUYqVghHh6%2fdhbgZU4sK9yC0KxWA%2fZ1Z60XNPPehep6VaMhNcnUi3Bdxv1xxsX81VxCmCrlFUTcaSEYXrWsE28BsLF1dgXfrK8AzLkBilFkTdcNCLEUxkPyJX%2fvqX2RouF8GKBCaelB1BbgIO8s4V2UAAAAAWCBWA2BnLuUPMHfp4Rpv3Y9TG767Tpm7RVfbNLRlWnwcbqDTjjc7DL08MDsK3RbjgRu6mYE3gMG6vFuorp%2bX%2b&t=&c=&c=&c=&c=&c=&c=&c=&c=%2fConnectWiseControl.ClientSetup.msi"
SOC Findings
Threat Intelligence & Reputation
VirusTotal

bc0b03a3...d483f68a
Malicious
File hash detected by 9 security engines. Classified under the meaningful name c:\users\BKatz\AppData\Local\Apps\2.0\H052W98T.2WV\K6Y89DCD.PVN\scre...exe_0000000000000000_0019.0004_none_6f38569aabb4da9b\ScreenConnect.ClientService.exe.
Hybrid-Analysis

bc0b03a3...d483f68a
No Relevant Results
No behavioral or reputation data returned for this hash at the time of analysis.
Indicators of Compromise

The threat indicators outline severe security threats. An application has been hijacked by a suspicious DLL, and there are signs of a packed process. Evasion techniques include suspicious executions of regsvr32 or rundll32, along with attempts to tamper with Event Viewer logs and SentinelOne registry keys. Multiple infostealing attempts have been detected, such as reading sensitive information from LSASS and installing a keylogger. The application has registered itself for persistence in various ways, including autoruns and safe mode. Additionally, reconnaissance activities using WMI queries indicate that the system is being actively scanned for vulnerabilities, necessitating immediate security measures.

Network Connections

20.231.45.162 (Outbound, Port 8041): outbound IP Connect attempts from ScreenConnect client to external service

20.124.27.177 (Outbound, Port 8041): outbound IP Connect attempts from ScreenConnect client to external service
Process Involved

ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Remote support client repeatedly established TCP connections to external IPs on port 8041

ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Multiple distinct ScreenConnect client instances (different PIDs) connecting outbound to same destination

ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Persistent service process observed across many timestamps initiating network connects

ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Service process tied to agent 'LyndonPC2' responsible for remote access traffic

ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Recurrent outbound TCP connections indicate active remote session activity
Cross-Service Intelligence            Markdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Sy...

Below is additional context from other services subscribed by the customer.
ServiceSourceRelevant InsightReference
--- --- --- ---
ESN/ANo relevant tools configured for enrichment.
Need help or want us to take additional actions? Reply to this ticket and the SOC will assist.

You can view all details here: 342681

View Ticket