Reviewed the S1 alert and confirmed this was our ScreenConnect Client. Checked the machine backstage and the only RMM agents on the machine are from Atlantic. Marking as a false positive and adding to the exclusions. No further action required. Closing ticket.
A suspicious software file was detected and automatically removed on a laptop used by the user Miranda; the event was rated high severity because the file was determined malicious by security controls. The device is a company-managed laptop and the threat has been mitigated successfully. Business impact is limited given the rapid containment, though there is potential risk to data or operations if similar items run elsewhere.
SOC Response Actions
Actions the SOC performed (or attempted). See Use Case #5 and Use Case #6 for further information.

Action | Status
1810-LT-4FFCC5E: no full disk scan command was sent. | Not Configured
1810-LT-4FFCC5E: endpoint was not isolated from the network. | Not Configured
Recommended Remediation
[Containment] Isolate the affected endpoint '1810-LT-4FFCC5E' from the network (disconnect Wi‑Fi and unplug Ethernet) and keep the device powered on for forensic preservation.
[Eradication] Remove the quarantined file 'ScreenConnect.ClientSetup.exe' (sha256: da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4) from the endpoint and ensure any related ScreenConnect installation paths (\Device\HarddiskVolume3\WINDOWS\SystemTemp\ScreenConnect) are deleted.
[Eradication] Uninstall any unauthorized remote‑access software from the endpoint and revoke any certificates issued to 'CONNECTWISE, LLC' for this agent if found.
[Hardening] Reset local user credentials for 'Miranda' and any other local accounts on the device; enforce strong unique passwords and enable MFA where supported.
[Hardening] Ensure the SentinelOne agent is up to date (current version reported 25.2.5.437) and confirm that group/site policies for 'Stonehenge Advisors Inc - HQ' enforce automatic quarantine for revoked/suspicious executables.
da646146...f7a1a6d4 | Malicious | File hash detected by 31 security engines. Classified under the meaningful name /home/petik/ss/malware/2026-03-19_f07a87485bd2333bb7e91f26bd5b8700_amadey_elex_glassworm_hellokitty_hijackloader_icedid_luca-stealer_njrat_remcos_smoke-loader_vidar.
Hybrid-Analysis | da646146...f7a1a6d4 | No Relevant Results | No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise