Company Name: Stonehenge Advisors, Inc
Contact: Dan Sablosky (POC)
Ticket #: 3523049
Summary: [##336032##] High - SentinelOne Threat - Stonehenge Advisors, Inc - WCInstaller.exe - 04/28/26
This email is to inform you that ticket 3523049 has been marked completed and will be closed in one day.
Should you feel that this ticket has not been resolved satisfactorily, please let us know how we may assist by replying to this email or call 212-507-9420.
Wed 4/29/2026/11:47 AM UTC-04/ Christopher Clarke (time)-
Reviewed threat files; found Web Companion is a known malicious app. Stopped the process from running and removed all associated files with this app. System is now clean and no further action is needed.
Tue 4/28/2026/5:58 PM UTC-04/ Dan Sablosky (POC)
Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336037
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - WCInstaller.exe.old.134139263545531654 - 04/28/26

Description:
EDR: WCInstaller.exe.old.134139263545531654
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 17:51:01 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent detected suspicious software on a desktop used by the Admin account, assessed as a high-risk malware classification due to strong malicious indicators; the system was automatically mitigated and quarantined successfully. This reduces immediate risk to the environment, but the presence of malicious software posed a potential threat to data integrity and productivity. Continued monitoring is recommended to ensure no residual impact.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

| Action | Status |
| --- | --- |
| Savoy-DskTop, no full disk scan command was sent. | Not Configured |
| Savoy-DskTop, endpoint was not isolated from the network. | Not Configured |

Recommended Remediation
- [Containment] Isolate the affected endpoint 'Savoy-DskTop' from the network (disconnect Ethernet and disable Wi-Fi) to prevent further spread.
- [Eradication] Remove the file '\Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe.old.134139263545531654' from the device and delete any related persistence (uninstall Lavasoft Web Companion components for user 'Admin').
- [Hardening] Ensure the SentinelOne agent on 'Savoy-DskTop' is up to date (agent version 25.2.5.437) and that agent mitigation mode remains set to 'protect'.
- [Hardening] Confirm local user 'Admin' has a strong, unique password and enforce least privilege by removing administrative rights if not required.
- [Hardening] Block the file hashes '442bc697b5a800d886337718a224195656988958089111bc144759407d317de1' and '245d620540d21525354382e6e985b43d6a32a9cf' at endpoint protection and across email/web gateways.

Key Details
Threat Classification: Malware
Endpoint Name: Savoy-DskTop
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.2.159
File Path: \Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe.old.134139263545531654
Site Name: Stonehenge Advisors
File Hash: 442bc697b5a800d886337718a224195656988958089111bc144759407d317de1 (Malicious)
Group Name: Stonehenge Advisors Inc - Savoy
File Publisher Name:
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: SignatureNotChecked
SentinelOne Mitigation Status: mitigated
Command Line:

SOC Findings

Threat Intelligence & Reputation
VirusTotal (442bc697...7d317de1): Malicious. File hash detected by 24 security engines. Classified under the meaningful name WebCompanion.exe.
Hybrid-Analysis (442bc697...7d317de1): No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
- No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist.
You can view all details here: 336037

Tue 4/28/2026/5:57 PM UTC-04/ Dan Sablosky (POC)
Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336036
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - WebCompanion-Installer.exe - 04/28/26

Description:
EDR: WebCompanion-Installer.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 17:49:01 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent detected suspicious software activity on a desktop used by the Admin account, rated as a high-severity risk due to confirmed malicious characteristics. The threat was automatically mitigated and is currently contained on the device. Business impact is limited but could include disruption to that user's work and potential exposure of local data if similar activity occurred elsewhere.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

| Action | Status |
| --- | --- |
| Savoy-DskTop, no full disk scan command was sent. | Not Configured |
| Savoy-DskTop, endpoint was not isolated from the network. | Not Configured |

Recommended Remediation
- [Containment] Isolate the host 'Savoy-DskTop' (agent UUID 826d83b648b64552849d9caa54ea335d) from the network and block its external IP '68.83.189.159' at the gateway to prevent further spread.
- [Eradication] Remove the file '\Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe' and any associated artifacts; ensure the quarantine created by the agent is retained for forensic export.
- [Eradication] Run full anti-malware remediation on the host using the approved enterprise AV solution and confirm the SentinelOne agent is up to date (version 25.2.5.437) before rejoining the network.
- [Hardening] Reset local account passwords for 'Admin' and any other local administrative accounts; enforce unique, complex passwords and disable unnecessary local admin accounts.
- [Hardening] Apply OS and application updates to Windows 11 Pro (revision 26200) and implement application allowlisting to prevent execution of unsigned or unfamiliar installers.

Key Details
Threat Classification: Malware
Endpoint Name: Savoy-DskTop
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.2.159
File Path: \Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe
Site Name: Stonehenge Advisors
File Hash: 4bd014cb62bd10fc1d2e2bfd680a38af050db3ac47f3cc7fe27e001c91473129 (Malicious)
Group Name: Stonehenge Advisors Inc - Savoy
File Publisher Name: 7270356 CANADA INC.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Signed, Verified
SentinelOne Mitigation Status: mitigated
Command Line:

SOC Findings

Threat Intelligence & Reputation
VirusTotal (4bd014cb...91473129): Malicious. File hash detected by 25 security engines. Classified under the meaningful name WebCompanion.exe.
Hybrid-Analysis (4bd014cb...91473129): No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
- No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist.
You can view all details here: 336036

Tue 4/28/2026/5:53 PM UTC-04/ Dan Sablosky (POC)
Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336032
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - WCInstaller.exe - 04/28/26

Description:
EDR: WCInstaller.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 17:45:01 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Quarantine: Success
Kill: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent on a desktop used by the Admin account detected and automatically mitigated suspicious software, assessed as high risk due to its malicious classification. The activity affected one Windows desktop and presented a significant risk because the software was flagged by cloud detection. Mitigation actions succeeded and the threat is contained. Business impact is low now but could have been disruptive if left unaddressed.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

| Action | Status |
| --- | --- |
| Savoy-DskTop, no full disk scan command was sent. | Not Configured |
| Savoy-DskTop, endpoint was not isolated from the network. | Not Configured |

Recommended Remediation
- [Containment] Isolate host 'Savoy-DskTop' from the network and disable its external IP 68.83.189.159 at the perimeter to prevent further spread.
- [Eradication] Uninstall and remove the file '\Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe' and related Lavasoft/Web Companion components from the affected endpoint.
- [Eradication] Quarantine and delete the file with SHA256 '45dc1edbea67f6171227d2e90024c5d1e72d9d9675c8ad615ab88c7540f33521' from backups and file stores to prevent reintroduction.
- [Hardening] Remove or disable the local 'Admin' user account's unnecessary startup entries and restrict write permissions to AppData\Roaming for non-administrator accounts.
- [Hardening] Ensure endpoint protection definitions are up to date and apply the latest SentinelOne agent update (version 25.2.5.437 already present) across the environment; verify policy 'protect' is enforced.

Key Details
Threat Classification: General
Endpoint Name: Savoy-DskTop
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.2.159
File Path: \Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe
Site Name: Stonehenge Advisors
File Hash: 45dc1edbea67f6171227d2e90024c5d1e72d9d9675c8ad615ab88c7540f33521 (Malicious)
Group Name: Stonehenge Advisors Inc - Savoy
File Publisher Name: 7270356 CANADA INC.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Signed, Verified
SentinelOne Mitigation Status: mitigated
Command Line:

SOC Findings

Threat Intelligence & Reputation
VirusTotal (45dc1edb...40f33521): Malicious. File hash detected by 29 security engines. Classified under the meaningful name WebCompanion.exe.
Hybrid-Analysis (45dc1edb...40f33521): No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
- No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist.
You can view all details here: 336032
Thank you,