From: "Atlantic IT Support" <atlanticitsupport@tomorrowsoffice.com>
To: user@withoutemail.com
Date: 2026-04-30T22:16:48.000Z
Company Name: Stonehenge Advisors, Inc
Contact: Sablosky (POC), Dan
Phone Number: (215) 320-3777
Hello Dan,
Your ticket 3523808 is actively being worked on by Denny Baez
Discussion

Denny Baez, 4/30/2026 5:25 PM - 6:15 PM
Upon further review, this appears to be a false positive. The activity is associated with the HP application located at:
C:\ProgramData\HP\Security Update Service\Temp\Remote-Upgrade-20250806-093831.149-0400.log
Dan Sablosky (POC), 4/29/2026 11:38 AM

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336646
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - 26637.rbf - 04/29/26

Description:
EDR: 26637.rbf
Customer: Stonehenge Advisors, Inc | Detected: 2025-08-06 09:38:15 UTC-04
Priority: High
Source: Sentinelone
Threat status: Mitigated - contained
Quarantine: Success
Kill: Pending-reboot
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A suspicious software activity was detected on an endpoint used by an identified user on a workstation, indicating attempts to evade security and access sensitive data; this is rated high severity due to actions that can hide activity and target credentials. The device is currently mitigated with quarantine and kill actions applied, some requiring a reboot to complete. Business risk includes potential data exposure, credential compromise, and disruption to operations if residual access remains.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
Action: No isolation measures were implemented, as the alert was not identified as Interactive Session Ransomware or Lateral Movement.
Status: Not Configured

Recommended Remediation
Containment: Isolate affected endpoint 'LyndonPC2' from the network and power-cycle if required to complete agent remediation.
Eradication: Remove the malicious file '\Device\HarddiskVolume3\Config.Msi\26637.rbf' and any related dropped files from the system; uninstall unauthorized service registrations created by 'services.exe'.
Credentials: Because classification is 'Ransomware' and Chrome/LSASS memory access indicators exist, enforce credential resets for privileged accounts and any local accounts that had active sessions on the endpoint (do not reuse previous passwords).
Recovery: Verify and restore affected data from clean backups and ensure backups are offline or immutable prior to restore.
Hardening: Apply latest OS and endpoint protection updates, restrict 'NT AUTHORITY\SYSTEM' service account exposures where possible, and remove unnecessary service startup entries and COM/autorun registrations to prevent persistence.

Key Details
Threat Classification: Ransomware
Endpoint Name: LyndonPC2
Detection Engine: On-Write DFI - Suspicious
Endpoint IP Address: 192.168.137.1, 20.13.55.205
File Path: \Device\HarddiskVolume3\Config.Msi\26637.rbf
Site Name: Stonehenge Advisors
File Hash: f25ad428c49d3242bdf5a7474b8bdc27f15faa81093c3ef575b6ed3cefa3c92c (Unknown)
Group Name: Stonehenge Advisors Inc - LYNDON KPG-MCG Curtis Tenant LLC
File Publisher Name:
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: NotSigned
SentinelOne Mitigation Status: mitigated
Command Line: service

SOC Findings

Threat Intelligence & Reputation
VirusTotal (f25ad428...efa3c92c): No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.
Hybrid-Analysis (f25ad428...efa3c92c): No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
The threat indicators reveal a range of serious security issues. An application has been hijacked by a 'suspicious DLL,' and code injection has occurred during the initialization of a target process. There are multiple signs of infostealer activity, including attempts to access private memory from browsers and read sensitive information from LSASS. Various evasion tactics are evident, such as suspicious file executions and registry tampering. Additionally, ransomware activity is indicated by file operations, and a suspicious Kerberoasting attack has been detected. These findings suggest a coordinated effort to exploit, steal data, and maintain unauthorized access, requiring immediate action.

Process Involved
- SecurityUpdateService.exe (Parent: msiexec.exe (interactive session) | Third-Party Unknown): Installer/service component observed spawning multiple child processes during MSI activity.
- msiexec.exe (interactive session) (Parent: msiexec.exe (Remote-Upgrade-20250806-095538.972-0400.log) | System): MSI installer process coordinating package installation and launching services.
- conhost.exe (Parent: SecurityUpdateService.exe | System): Console host instances launched by service commands during installation.
- BrService.exe (Parent: msiexec.exe (interactive session) | Third-Party Unknown): HP-related service process started by installer as part of deployment.
- ScreenConnect.WindowsClient.exe (Parent: ScreenConnect.ClientService.exe | Third-Party Trusted): Remote support client executed with RunRole arguments during the same activity.

Network Connections
- 172.64.148.95 (Outbound, 443): outbound TLS connection to external IP over HTTPS
- 147.75.62.184 (Outbound, 443): outbound TLS connection to external IP over HTTPS
- 104.18.39.161 (Outbound, 443): outbound TLS connection to external IP over HTTPS
- 104.18.35.85 (Outbound, 443): outbound TLS connection to external IP over HTTPS
- 23.24.19.166 (Outbound, no port): process-level event referenced agent IP present but no destination port provided

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.
Service: ES | Source: N/A | Relevant Insight: No relevant tools configured for enrichment. | Reference:

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336646
You can check the status of your Service Ticket by calling our Customer Care Hotline at (212) 507-9420
134 West 26th Street | New York, NY 10001 | ©2020 Atlantic.