This email is to inform you that ticket 3537199 has been marked completed and will be closed in one day.
Should you feel that this ticket has not been resolved satisfactorily, please let us know how we may assist by replying to this email or call 212-507-9420.
Hi Team,
The detected file BackUp.exe was observed in the path \Device\HarddiskVolume1\Documents\Old Files\Saber2002\BackUp.exe and is not digitally signed. The file was executed by explorer.exe under the user account DESKTOP-494JT93\ccayl. As checked, the hash associated with the file was marked as malicious by multiple security vendors.
Also, as checked, the instance has been mitigated [Killed and quarantined] by SentinelOne.
As a precautionary measure, we have initiated a full disk scan on the machine DESKTOP-494JT93, as the machine was not found on RMM. Closing this as true positive and blacklisting the hash.
Dear IH-Atlantic_Stonehenge Advisors,
A ticket has been created with the following details:
Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 343373
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - BackUp.exe - 05/12/26
Description: EDR: BackUp.exe
Customer: Stonehenge Advisors, Inc
Detected: 2026-05-12 10:53:49 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Kill: Success
Quarantine: Success
Alert Link: EDR Alert
Executive Summary (AI-Assisted)
A suspicious, likely obfuscated executable was detected on a desktop used by user 'DESKTOP-494JT93\ccayl', rated as a moderate risk due to signs it may be intentionally hidden and capable of dynamic behavior; the agent successfully contained and mitigated the file, so the immediate threat is resolved. Business impact could include temporary loss of productivity for that user and a small risk of data exposure if similar files existed elsewhere. Continuous monitoring is recommended.
SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
| Action | Status |
| --- | --- |
| DESKTOP-494JT93, no full disk scan command was sent. | Not Configured |
| DESKTOP-494JT93, endpoint was not isolated from the network. | Not Configured |
Recommended Remediation
- [Containment] Isolate the endpoint 'DESKTOP-494JT93' from the network (disconnect Ethernet and disable Wi-Fi) and remove physical access until remediation is complete.
- [Eradication] Remove or securely delete the file '\Device\HarddiskVolume1\Documents\Old Files\Saber2002\BackUp.exe' and any known copies from user-accessible locations on the affected device.
- [Eradication] For user 'DESKTOP-494JT93\ccayl', perform a full local credential reset (change local account password) and revoke any persistent authentication tokens or stored credentials.
- [Hardening] Ensure the Windows 11 Home system is fully patched and enable reputable endpoint protection features, including preventing execution from the user's 'Documents' folder via application control policies where supported.
- [Hardening] Validate backups and ensure backup software does not use the same local credentials; restrict write permissions to backup destinations and implement least-privilege access for user 'DESKTOP-494JT93\ccayl'.
Key Details
| Field | Value |
| --- | --- |
| Threat Classification | General |
| Endpoint Name | DESKTOP-494JT93 |
| Detection Engine | On-Write DFI - Suspicious |
| Endpoint IP Address | 10.1.10.251 |
| File Path | \Device\HarddiskVolume1\Documents\Old Files\Saber2002\BackUp.exe |
| Site Name | Stonehenge Advisors |
| File Hash | 1d6233682a257cb9d0d278c7983a60d20638f302769fbea8082a9b291ba9f6da (Malicious) |
| Group Name | Stonehenge Advisors Inc - HQ |
| File Publisher Name | (none) |
| SentinelOne Mitigation Policy | protect |
| File Publisher Signed & Verified | NotSigned |
| SentinelOne Mitigation Status | mitigated |
| Command Line | (none recorded) |
SOC Findings
Threat Intelligence & Reputation
VirusTotal
1d623368...1ba9f6da
Malicious
File hash detected by 3 security engines. Classified under the meaningful name BackUp.exe.
Hybrid-Analysis
1d623368...1ba9f6da
No Relevant Results
No behavioral or reputation data returned for this hash at the time of analysis.
Indicators of Compromise
- The threat indicators reveal that this is a Visual Basic 6 executable with several concerning features. It has 'abnormal section names,' suggesting it may have been created with unusual development tools. The entry point is located in a section not typically marked for code, which is unusual. Additionally, the file can dynamically link functions during execution and has been packed using the ASPack tool. The high entropy of its sections indicates potential obfuscation or packing, suggesting it may contain encrypted or compressed data, raising further security concerns.
Cross-Service Intelligence
Below is additional context from other services subscribed to by the customer.
| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |
Need help or want us to take additional actions? Reply to this ticket and the SOC will assist.
You can view all details here: 343373