Ticket#3460304/STONEHENGE/[##304011##] Low - SentinelOne Threat - Stonehenge Advisors, Inc - ScreenConnect.Client.exe - 02/19/ -- has been updated - user@withoutemail.com

This ticket has been updated by Christopher Clarke

Christopher Clarke

2/19/2026 3:02 PM

Reviewed threat file detected (ScreenConnect.Client.exe)
Looked at the age of the file and the certificate status
I found this is a old screenconnect installer and the certificate was revoked as newer versions have replaced it
Due to this being an old installer, it is not needed as the installed screenconnect we use for device management is up-to-date
We will keep this quarantined
No additional actions needed
Closing alert

Summary:

[##304011##] Low - SentinelOne Threat - Stonehenge Advisors, Inc - ScreenConnect.Client.exe - 02/19/

Status:

Completed

Ticket #

3460304

Company:

Stonehenge Advisors, Inc

Contact:

Dan Sablosky (POC)

Phone:

(215) 320-3777

Address:

4328-42 Ridge Avenue
Suite 104
Philadelphia, PA 19129

View Ticket

Discussion

Christopher Clarke

2/19/2026 3:02 PM-3:16 PM

Dan Sablosky (POC)

2/19/2026 12:06 PM-

{      "@context": "http://schema.org",      "@type": "EmailMessage",      "potentialAction": {        "@type": "ViewAction",        "target": "https://desk.cyflare.cloud/portal/ticket/304011",        "name": "View Ticket "      },      "description": "View Ticket"    }

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID:  304011
Priority:  Low
Subject:  Low - SentinelOne Threat - Stonehenge Advisors, Inc - ScreenConnect.Client.exe - 02/19/26
Description:

Description: SentinelOne flagged ScreenConnect.Client.exe (sha1: 3b3b1268ff469be9e68379b8fb3cc9aedfbef2a8, sha256: 3e61172a...) located at \Device\HarddiskVolume3\Users\WFS Maintenance\Downloads\ScreenConnect.Client.exe. Agent policy initiated mitigations (quarantine, kill) successfully. Indicators: imports debugger/kernel-exception functions, runtime dynamic linking, file/registry persistence behaviors, OpenSSL RSA use, file read/write and process termination capabilities. File path is in a user Downloads folder, not a standard Windows install location; this reduces likelihood of being a legitimate system component.

Threat Status: Mitigated - Contained
Priority: Low

Time Of Detection:2026-02-19 12:00:43 UTC-05
Alert Link:https://usea1-008.sentinelone.net/incidents/threats/2418365587363666779/overview

Threat Details:
Threat Name: ScreenConnect.Client.exe
Threat Classification: General
Detection Engine: On-Write DFI - Suspicious

File Path: \Device\HarddiskVolume3\Users\WFS Maintenance\Downloads\ScreenConnect.Client.exe
File SHA1 Hash: 3b3b1268ff469be9e68379b8fb3cc9aedfbef2a8
File Publisher Name: CONNECTWISE, LLC
File Publisher Signed & Verified: Revoked

Command Line:

Threat Status:
Threat Quarantine status: quarantine
Threat Killed status: kill

Endpoint Details:
Endpoint Name: DESKTOP-C17AEOC
Endpoint IP Address: 192.168.58.149
Site Name: Atlantic_Stonehenge Advisors
Group Name: Stonehenge Advisors Inc - HQ

SentinelOne Mitigation Policy: protect
SentinelOne Mitigation Status: mitigated

SOC Response Actions:

Isolate Endpoint: N/A
Initiate Full Disk Scan: N/A
Timeline for additional findings:

Alfie AI Summarization (Beta)
* The threat indicators describe a malicious file capable of various harmful actions while avoiding detection. It can raise kernel exceptions and import debugger functions, indicating advanced capabilities. The file can delay its execution to evade security measures and has the ability to list files on the system and retrieve specific values. It poses a significant risk by being able to encrypt data using OpenSSL RSA. Additionally, it can create, open, and write to files, terminate processes, and accept command line arguments, highlighting its potential for persistence and data manipulation on the system.
SOC Recommended Actions
1. Quarantine the endpoint DESKTOP-C17AEOC (agent UUID 7ed87071d94f47899ff91f3a7236df93) to prevent further execution of ScreenConnect.Client.exe.

Remove the file at \Device\HarddiskVolume3\Users\WFS Maintenance\Downloads\ScreenConnect.Client.exe and delete any additional copies from the user profile and common download locations.
Disable or remove the local user account WFS Maintenance if not required, and rotate credentials for any accounts that used this endpoint.
Block the publisher CONNECTWISE, LLC and the file hash 3e61172ad78b61fce351b0b3dd4bb170d51ffaaa85c0a67b4a47c76034ca1207 at the endpoint and in central allow/block lists.
Reimage the affected system if reinstallation is feasible, or perform a full malware remediation and verify the agent version is updated to 25.1.3.334 with agent mitigation mode set to protect.
Alfie Insights (Beta)
Case Details

Case Created Time: 02/19/2026 12:01:56 EST

Case Assigned Time: None
Ticket Creation Time: None
Ticket Number: None
Case Closed Time: None
Case Name: SCREENCONNECT.CLIENT.EXE
Case Source: SentinelOneV2
Org Name: Atlantic_Stonehenge Advisors
Msp Name: Atlantic
Entity Enrichment

Sentinelonev2:
Client Knowledge Base Lookup:

Threat Hunting

Stellar Searches:

Ticket Correlation

Ticket Searches:
* Query: Tickets related to the same Alert Type with the same Hash
Result: 0 matching tickets
Threshold Checks

Verified for the presence of any suspicious entities

Verified if the mitigation mode is detect only

Confirmed if the client is subscribed to Stellar

Verified if the hash is marked malicious or not in OSINT

Verified if the threat status is mitigated - contained

Confirmed whether the case is flagged as malicious in S1 or not

Verified whether the hash is flagged as malicious in OSINT or not

Verified if the threat name contains Ransomware or Interactive Session OR Isolation

Validated the activity was on the blocklist

Validated the activity was mitigated

Response Actions

None
You can view all details here: 304011

View Ticket