This ticket has been updated by John Lewis

John Lewis 4/29/2026 2:17 PM
Reviewed the S1 alert and confirmed this was our Screen Connect Client. Checked the machine backstage and the only RMM agents on the machine are from Atlantic. Marking as a false positive and adding to the exclusions. No further action required. Closing ticket.
Summary:
[##336332##] High - SentinelOne Threat - Stonehenge Advisors, Inc - ScreenConnect.ClientSetup.exe -
Status:
Closed
Ticket #
3523215
Company:
Stonehenge Advisors, Inc
Contact:
Dan Sablosky (POC)
Phone:
(215) 320-3777
Address:
4328-42 Ridge Avenue, Suite 104, Philadelphia, PA 19129
Discussion
Dan Sablosky (POC) 4/29/2026 2:05 AM
View Ticket: https://desk.cyflare.cloud/portal/ticket/336332

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336332
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - ScreenConnect.ClientSetup.exe - 04/29/26
Description: EDR: ScreenConnect.ClientSetup.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-29 01:56:39 UTC-04
Priority: High
Source: Sentinelone
Threat status: Mitigated - contained by soc
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent detected suspicious software on an employee's desktop used by lisad, classified as a high-risk event due to strong malicious confidence and revocation of its certificate; the threat was successfully contained by the endpoint protection platform. The affected device is a Windows desktop and the mitigation actions have completed. Business impact is limited but could have included unauthorized access or operational disruption if not contained, so ongoing monitoring is advised.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

Action | Status
DESKTOP-LisaD, no full disk scan command was sent. | Not Configured
DESKTOP-LisaD, endpoint was not isolated from the network. | Not Configured

Recommended Remediation
[Containment] Isolate host 'DESKTOP-LisaD' from the network and disable its external IP 70.91.36.137 in perimeter controls.
[Eradication] Remove the file '\Device\HarddiskVolume3\windows\SystemTemp\ScreenConnect\24.2.10.8991\ScreenConnect.ClientSetup.exe' and ensure the file hash 'da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4' is blocked in endpoint prevention policies.
[Eradication] Uninstall unauthorized ConnectWise/ScreenConnect software and revoke any associated certificates issued to 'CONNECTWISE, LLC'.
[Hardening] Force password reset for user 'lisad' and invalidate active sessions and remote access credentials.
[Hardening] Apply endpoint agent update to version >=25.2.5.437 where available, enforce application allowlisting, and block execution from SystemTemp paths.

Key Details
Threat Classification: General
Endpoint Name: DESKTOP-LisaD
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.1.111
File Path: \Device\HarddiskVolume3\windows\SystemTemp\ScreenConnect\24.2.10.8991\ScreenConnect.ClientSetup.exe
Site Name: Stonehenge Advisors
File Hash: da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4 (Malicious)
Group Name: Stonehenge Advisors Inc - HQ
File Publisher Name: CONNECTWISE, LLC
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Revoked
SentinelOne Mitigation Status: mitigated
Command Line: (none recorded)

SOC Findings

Threat Intelligence & Reputation
VirusTotal da646146...f7a1a6d4: Malicious. File hash detected by 31 security engines. Classified under the meaningful name /home/petik/ss/malware/2026-03-19_f07a87485bd2333bb7e91f26bd5b8700_amadey_elex_glassworm_hellokitty_hijackloader_icedid_luca-stealer_njrat_remcos_smoke-loader_vidar.
Hybrid-Analysis da646146...f7a1a6d4: No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

Service | Source | Relevant Insight | Reference
ES | N/A | No relevant tools configured for enrichment. | -

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336332
Dan Sablosky (POC) 4/28/2026 6:51 PM
View Ticket: https://desk.cyflare.cloud/portal/ticket/336079

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336079
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - ScreenConnect.ClientSetup.exe - 04/28/26
Description: EDR: ScreenConnect.ClientSetup.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 18:41:51 UTC-04
Priority: High
Source: Sentinelone
Threat status: Mitigated - contained by soc
Quarantine: Success
Kill: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security tool detected suspicious software on a laptop used by user 'jennifer_b', assessed as high risk due to a malicious verdict from the detection engine; the device was protected and the activity was successfully mitigated. The incident is contained and not actively spreading. Business impact could include potential disruption to that user's work and temporary loss of confidence in remote support tools if similar software were widespread.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

Action | Status
DESKTOP-100MB9F, no full disk scan command was sent. | Not Configured
DESKTOP-100MB9F, endpoint was not isolated from the network. | Not Configured

Recommended Remediation
[Containment] Isolate the affected endpoint 'DESKTOP-100MB9F' from the network (disable Wi-Fi and remove wired connections) until further remediation is applied.
[Eradication] Remove the file '\Device\HarddiskVolume3\WINDOWS\SystemTemp\ScreenConnect\24.2.10.8991\ScreenConnect.ClientSetup.exe' and ensure the quarantined copy is preserved per incident handling policy.
[Eradication] Delete any remaining instances of the identified binary hash 'da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4' from endpoints and endpoint management repositories.
[Hardening] Revoke and replace any certificates associated with publisher 'CONNECTWISE, LLC' used on the affected host if they are not verified as valid.
[Hardening] Ensure the user 'jennifer_b' has a password reset and enforce multifactor authentication for their account.

Key Details
Threat Classification: General
Endpoint Name: DESKTOP-100MB9F
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.1.193
File Path: \Device\HarddiskVolume3\WINDOWS\SystemTemp\ScreenConnect\24.2.10.8991\ScreenConnect.ClientSetup.exe
Site Name: Stonehenge Advisors
File Hash: da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4 (Malicious)
Group Name: Stonehenge Advisors Inc - LYNDON KPG-MCG Curtis Tenant LLC
File Publisher Name: CONNECTWISE, LLC
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Revoked
SentinelOne Mitigation Status: mitigated
Command Line: (none recorded)

SOC Findings

Threat Intelligence & Reputation
VirusTotal da646146...f7a1a6d4: Malicious. File hash detected by 31 security engines. Classified under the meaningful name /home/petik/ss/malware/2026-03-19_f07a87485bd2333bb7e91f26bd5b8700_amadey_elex_glassworm_hellokitty_hijackloader_icedid_luca-stealer_njrat_remcos_smoke-loader_vidar.
Hybrid-Analysis da646146...f7a1a6d4: No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

Service | Source | Relevant Insight | Reference
ES | N/A | No relevant tools configured for enrichment. | -

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336079
Dan Sablosky (POC) 4/28/2026 5:53 PM
View Ticket: https://desk.cyflare.cloud/portal/ticket/336034

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336034
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - ScreenConnect.ClientSetup.exe - 04/28/26
Description: EDR: ScreenConnect.ClientSetup.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 17:46:29 UTC-04
Priority: High
Source: Sentinelone
Threat status: Mitigated - contained by soc
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent detected suspicious software on a Windows desktop used by user 'olgag', rated as a high-risk event due to the software's revoked certificate and malicious verdict. The device was automatically isolated and remediation actions completed to stop the activity, so immediate spread has been prevented. While no active threats remain on that endpoint, the event posed a moderate-to-high business risk because such software could enable unauthorized access or disruption if it had run unchecked. Continued monitoring of endpoints and user accounts is recommended.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

Action | Status
DESKTOP-J36C9TV, no full disk scan command was sent. | Not Configured
DESKTOP-J36C9TV, endpoint was not isolated from the network. | Not Configured

Recommended Remediation
[Containment] Isolate the affected endpoint 'DESKTOP-J36C9TV' from the network and remove its external IP '70.91.36.137' from any remote-access allowlists.
[Eradication] Uninstall the file 'ScreenConnect.ClientSetup.exe' located at '\Device\HarddiskVolume3\WINDOWS\SystemTemp\ScreenConnect\24.2.10.8991\ScreenConnect.ClientSetup.exe' and delete the file hashes 'da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4' and '5e1c517442e30b54586627886ae4e745890dc936' from endpoints and central file shares.
[Eradication] Revoke or replace the certificate issued to 'CONNECTWISE, LLC' used by the identified binary and block execution of processes signed by that certificate across the environment.
[Hardening] Force password reset for user 'olgag' and ensure multifactor authentication is enabled for that account.
[Hardening] Implement application allowlisting to prevent execution from temporary system folders (for example, paths under '\Device\HarddiskVolume3\WINDOWS\SystemTemp') and block execution of revoked-signed binaries.

Key Details
Threat Classification: General
Endpoint Name: DESKTOP-J36C9TV
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.1.106
File Path: \Device\HarddiskVolume3\WINDOWS\SystemTemp\ScreenConnect\24.2.10.8991\ScreenConnect.ClientSetup.exe
Site Name: Stonehenge Advisors
File Hash: da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4 (Malicious)
Group Name: Stonehenge Advisors Inc - HQ
File Publisher Name: CONNECTWISE, LLC
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Revoked
SentinelOne Mitigation Status: mitigated
Command Line: (none recorded)

SOC Findings

File Hash Correlation
The following file hash DA6461465247022BAE455D548EFC31FF5161147FEC953643DD2BBF2AF7A1A6D4 was detected as 'SCREENCONNECT.CLIENTSETUP.EXE' on endpoint DESKTOP-FG7FIBT and 'SCREENCONNECT.CLIENTSETUP.EXE' on endpoint DESKTOP-J36C9TV.

Threat Intelligence & Reputation
VirusTotal da646146...f7a1a6d4: Malicious. File hash detected by 31 security engines. Classified under the meaningful name /home/petik/ss/malware/2026-03-19_f07a87485bd2333bb7e91f26bd5b8700_amadey_elex_glassworm_hellokitty_hijackloader_icedid_luca-stealer_njrat_remcos_smoke-loader_vidar.
Hybrid-Analysis da646146...f7a1a6d4: No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

Service | Source | Relevant Insight | Reference
ES | N/A | No relevant tools configured for enrichment. | -

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336034
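Added worked example, not part of the ticket thread and not tooling from ConnectWise, SentinelOne or the SOC: a PowerShell triage script for the "checked the machine backstage" step that has to be done before a ScreenConnect.ClientSetup.exe alert is closed as a false positive. The publisher name CONNECTWISE, LLC decides nothing by itself, because a ScreenConnect client installer carries the vendor's signature whichever instance built it, including one an intruder stood up; and the revoked publisher signature shown in all three tickets is what a vendor certificate rotation and a tampered installer both look like from the EDR's side. What does discriminate is the relay host written into the installed client service's command line (the h= parameter) and the hash of the binary actually running. The expected relay host and the Win32 path assumed for the alert's \Device\HarddiskVolume3 path are assumptions; the SHA-256 is the one from the tickets.

```powershell
# Added triage example; not code from the ticket, ConnectWise or SentinelOne.
# Decide whether a ScreenConnect client flagged by EDR is the org's own RMM
# agent by checking (1) which relay host the installed client service talks to
# and (2) the hash and signer of the binary, instead of trusting the publisher
# name alone.

# Hypothetical: relay host(s) of your own ScreenConnect instance. Replace.
$ExpectedRelayHosts = @('rmm.example-msp.com')
# From the ticket: the SHA-256 SentinelOne flagged on all three endpoints.
$AlertedSha256 = 'da6461465247022bae455d548efc31ff5161147fec953643dd2bbf2af7a1a6d4'
# Assumed Win32 form of the alert's \Device\HarddiskVolume3\... path.
$AlertedPath = 'C:\Windows\SystemTemp\ScreenConnect\24.2.10.8991\ScreenConnect.ClientSetup.exe'

function Get-ScreenConnectClientInfo {
    # Each installed client registers a service named "ScreenConnect Client (<id>)".
    # Its PathName holds the connection string; h= is the relay host, p= the port.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'ScreenConnect Client%'" |
        ForEach-Object {
            $path  = $_.PathName
            $relay = if ($path -match '[?&]h=([^&"\s]+)') { $Matches[1].ToLower() } else { $null }
            $exe   = if ($path -match '^"?([^"]+?\.exe)"?') { $Matches[1] } else { $null }
            $hash  = if ($exe -and (Test-Path -LiteralPath $exe)) {
                         (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                     } else { $null }
            [pscustomobject]@{
                Service    = $_.Name
                State      = $_.State
                Exe        = $exe
                ExeSha256  = $hash
                RelayHost  = $relay
                KnownRelay = [bool]($relay -and ($ExpectedRelayHosts -contains $relay))
            }
        }
}

function Get-BinaryEvidence {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # SentinelOne quarantined the installer; the running service binary
        # returned by Get-ScreenConnectClientInfo is then the artifact to inspect.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path          = $Path
        Present       = $true
        Sha256        = $hash
        IsAlertedHash = ($hash -ieq $AlertedSha256)
        Signer        = $sig.SignerCertificate.Subject
        Thumbprint    = $sig.SignerCertificate.Thumbprint
        SigStatus     = $sig.Status
        StatusMessage = $sig.StatusMessage
    }
}

function Invoke-ScreenConnectTriage {
    $clients = @(Get-ScreenConnectClientInfo)
    $binary  = Get-BinaryEvidence -Path $AlertedPath
    $unknown = @($clients | Where-Object { -not $_.KnownRelay })

    $verdict = if ($clients.Count -eq 0) {
        'No ScreenConnect client service installed; inspect the quarantined installer and the EDR process tree instead.'
    } elseif ($unknown.Count -gt 0) {
        'ESCALATE: a client service points at a relay host that is not ours.'
    } else {
        'Consistent with our own RMM; record relay host and signer thumbprint alongside the exclusion.'
    }

    [pscustomobject]@{ Clients = $clients; Binary = $binary; Verdict = $verdict }
}

$result = Invoke-ScreenConnectTriage
$result.Clients | Format-Table Service, State, RelayHost, KnownRelay, ExeSha256 -AutoSize
$result.Binary  | Format-List
$result.Verdict
```

Run it elevated on the alerting host (or through the RMM's own script runner). Two caveats: Get-AuthenticodeSignature's Status field alone does not settle whether the signing certificate was revoked, so compare Thumbprint with the signer of an installer freshly downloaded from your own instance; and if the exclusion is added, scope it to the relay host and thumbprint you recorded rather than to the file name, since the same ScreenConnect.ClientSetup.exe name and publisher appear on attacker-deployed clients too.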