From: "Atlantic Security Alert" <Security@tomorrowsoffice.com>
To: user@withoutemail.com
Date: 2026-04-29T16:34:08.000Z
--REPLY above this line to respond--
This ticket has been updated by Christopher Clarke
Christopher Clarke, 4/29/2026 11:47 AM: Reviewed threat files found. Web Companion is a known malicious app. Stopped the process from running and removed all associated files with this app. System is now clean and no further action is needed.
Summary: [##336032##] High - SentinelOne Threat - Stonehenge Advisors, Inc - WCInstaller.exe - 04/28/26
Status: In Progress
Ticket #: 3523049
Company: Stonehenge Advisors, Inc
Contact: Dan Sablosky (POC)
Phone: (215) 320-3777
Address: 4328-42 Ridge Avenue, Suite 104, Philadelphia, PA 19129
Discussion
Christopher Clarke, 4/29/2026 11:47 AM - 12:18 PM: Reviewed threat files found. Web Companion is a known malicious app. Stopped the process from running and removed all associated files with this app. System is now clean and no further action is needed.
Dan Sablosky (POC), 4/28/2026 5:58 PM:

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336037
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - WCInstaller.exe.old.134139263545531654 - 04/28/26
Description: EDR: WCInstaller.exe.old.134139263545531654
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 17:51:01 UTC-04
Priority: High
Source: Sentinelone
Threat status: Mitigated - contained by soc
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent detected suspicious software on a desktop used by the Admin account, assessed as a high-risk malware classification due to strong malicious indicators; the system was automatically mitigated and quarantined successfully. This reduces immediate risk to the environment, but the presence of malicious software posed a potential threat to data integrity and productivity. Continued monitoring is recommended to ensure no residual impact.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

| Action | Status |
| --- | --- |
| Savoy-DskTop, no full disk scan command was sent. | Not Configured |
| Savoy-DskTop, endpoint was not isolated from the network. | Not Configured |

Recommended Remediation
[Containment] Isolate the affected endpoint 'Savoy-DskTop' from the network (disconnect Ethernet and disable Wi‑Fi) to prevent further spread.
[Eradication] Remove the file '\Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe.old.134139263545531654' from the device and delete any related persistence (uninstall Lavasoft Web Companion components for user 'Admin').
[Hardening] Ensure the SentinelOne agent on 'Savoy-DskTop' is up to date (agent version 25.2.5.437) and that agent mitigation mode remains set to 'protect'.
[Hardening] Confirm local user 'Admin' has a strong, unique password and enforce least-privilege by removing administrative rights if not required.
[Hardening] Block the file hash '442bc697b5a800d886337718a224195656988958089111bc144759407d317de1' and '245d620540d21525354382e6e985b43d6a32a9cf' at endpoint protection and across email/web gateways.

Key Details
Threat Classification: Malware
Endpoint Name: Savoy-DskTop
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.2.159
File Path: \Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe.old.134139263545531654
Site Name: Stonehenge Advisors
File Hash: 442bc697b5a800d886337718a224195656988958089111bc144759407d317de1 Malicious
Group Name: Stonehenge Advisors Inc - Savoy
File Publisher Name: (none)
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: SignatureNotChecked
SentinelOne Mitigation Status: mitigated
Command Line: (none)

SOC Findings
Threat Intelligence & Reputation
VirusTotal 442bc697...7d317de1: Malicious. File hash detected by 24 security engines. Classified under the meaningful name WebCompanion.exe.
Hybrid-Analysis 442bc697...7d317de1: No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336037
Dan Sablosky (POC), 4/28/2026 5:57 PM:

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336036
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - WebCompanion-Installer.exe - 04/28/26
Description: EDR: WebCompanion-Installer.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 17:49:01 UTC-04
Priority: High
Source: Sentinelone
Threat status: Mitigated - contained by soc
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent detected suspicious software activity on a desktop used by the Admin account, rated as a high-severity risk due to confirmed malicious characteristics. The threat was automatically mitigated and is currently contained on the device. Business impact is limited but could include disruption to that user's work and potential exposure of local data if similar activity occurred elsewhere.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

| Action | Status |
| --- | --- |
| Savoy-DskTop, no full disk scan command was sent. | Not Configured |
| Savoy-DskTop, endpoint was not isolated from the network. | Not Configured |

Recommended Remediation
[Containment] Isolate the host 'Savoy-DskTop' (agent UUID 826d83b648b64552849d9caa54ea335d) from the network and block its external IP '68.83.189.159' at the gateway to prevent further spread.
[Eradication] Remove the file '\Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe' and any associated artifacts; ensure the quarantine created by the agent is retained for forensic export.
[Eradication] Run full anti-malware remediation on the host using the approved enterprise AV solution and confirm the SentinelOne agent is up-to-date (version 25.2.5.437) before rejoining the network.
[Hardening] Reset local account passwords for 'Admin' and any other local administrative accounts; enforce unique, complex passwords and disable unnecessary local admin accounts.
[Hardening] Apply OS and application updates to Windows 11 Pro (revision 26200) and implement application allowlisting to prevent execution of unsigned or unfamiliar installers.

Key Details
Threat Classification: Malware
Endpoint Name: Savoy-DskTop
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.2.159
File Path: \Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WebCompanion-Installer.exe
Site Name: Stonehenge Advisors
File Hash: 4bd014cb62bd10fc1d2e2bfd680a38af050db3ac47f3cc7fe27e001c91473129 Malicious
Group Name: Stonehenge Advisors Inc - Savoy
File Publisher Name: 7270356 CANADA INC.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: SignedVerified
SentinelOne Mitigation Status: mitigated
Command Line: (none)

SOC Findings
Threat Intelligence & Reputation
VirusTotal 4bd014cb...91473129: Malicious. File hash detected by 25 security engines. Classified under the meaningful name WebCompanion.exe.
Hybrid-Analysis 4bd014cb...91473129: No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336036
Dan Sablosky (POC), 4/28/2026 5:53 PM:

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336032
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - WCInstaller.exe - 04/28/26
Description: EDR: WCInstaller.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-28 17:45:01 UTC-04
Priority: High
Source: Sentinelone
Threat status: Mitigated - contained by soc
Quarantine: Success
Kill: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A security agent on a desktop used by the Admin account detected and automatically mitigated suspicious software, assessed as high risk due to its malicious classification. The activity affected one Windows desktop and presented a significant risk because the software was flagged by cloud detection. Mitigation actions succeeded and the threat is contained. Business impact is low now but could have been disruptive if left unaddressed.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.

| Action | Status |
| --- | --- |
| Savoy-DskTop, no full disk scan command was sent. | Not Configured |
| Savoy-DskTop, endpoint was not isolated from the network. | Not Configured |

Recommended Remediation
[Containment] Isolate host 'Savoy-DskTop' from the network and disable its external IP 68.83.189.159 at the perimeter to prevent further spread.
[Eradication] Uninstall and remove the file '\Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe' and related Lavasoft/Web Companion components from the affected endpoint.
[Eradication] Quarantine and delete the file with SHA256 '45dc1edbea67f6171227d2e90024c5d1e72d9d9675c8ad615ab88c7540f33521' from backups and file stores to prevent reintroduction.
[Hardening] Remove or disable the local 'Admin' user account's unnecessary startup entries and restrict write permissions to AppData\Roaming for non-administrator accounts.
[Hardening] Ensure endpoint protection definitions are up to date and apply the latest SentinelOne agent update (version 25.2.5.437 already present) across the environment; verify policy 'protect' is enforced.

Key Details
Threat Classification: General
Endpoint Name: Savoy-DskTop
Detection Engine: SentinelOne Cloud
Endpoint IP Address: 192.168.2.159
File Path: \Device\HarddiskVolume3\Users\Admin\AppData\Roaming\Lavasoft\Web Companion\Application\WCInstaller.exe
Site Name: Stonehenge Advisors
File Hash: 45dc1edbea67f6171227d2e90024c5d1e72d9d9675c8ad615ab88c7540f33521 Malicious
Group Name: Stonehenge Advisors Inc - Savoy
File Publisher Name: 7270356 CANADA INC.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: SignedVerified
SentinelOne Mitigation Status: mitigated
Command Line: (none)

SOC Findings
Threat Intelligence & Reputation
VirusTotal 45dc1edb...40f33521: Malicious. File hash detected by 29 security engines. Classified under the meaningful name WebCompanion.exe.
Hybrid-Analysis 45dc1edb...40f33521: No Relevant Results. No behavioral or reputation data returned for this hash at the time of analysis.

Indicators of Compromise
No threat indicators flagged by source tool

Cross-Service Intelligence
Below is additional context from other services subscribed by the customer.

| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336032