File name: Advanced_IP_Scanner_2.5.4594.1.exe

Full analysis: https://app.any.run/tasks/452bb0e5-61c1-4e77-a775-164366f85336
Verdict: Malicious activity
Analysis date: August 22, 2024, 04:18:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: scan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5537C708EDB9A2C21F88E34E8A0F1744
SHA1: 86233A285363C2A6863BF642DEAB7E20F062B8EB
SHA256: 26D5748FFE6BD95E3FEE6CE184D388A1A681006DC23A0F08D53C083C593C193B
SSDEEP: 393216:Plu7Txs0NDmNh9D4HaSYz2Kj0Cz1gEVmWdQOjM/y3tFfs5IRRViGmMQZ+Bw5i:A7Th9mT97S7CzNwWCJK05IRTX+Fi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
    • Process drops legitimate windows executable

      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
    • Executable content was dropped or overwritten

      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
    • Reads the Windows owner or organization settings

      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6228)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6228)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6228)
    • Detection of a Network Scan

      • advanced_ip_scanner.exe (PID: 7092)
    • There is functionality for taking screenshot (YARA)

      • advanced_ip_scanner.exe (PID: 7092)
  • INFO

    • Checks supported languages

      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • msiexec.exe (PID: 6228)
      • msiexec.exe (PID: 6792)
      • msiexec.exe (PID: 6652)
      • advanced_ip_scanner.exe (PID: 7092)
    • Reads the computer name

      • msiexec.exe (PID: 6228)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6792)
      • msiexec.exe (PID: 6652)
      • advanced_ip_scanner.exe (PID: 7092)
    • Create files in a temporary directory

      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6228)
      • advanced_ip_scanner.exe (PID: 7092)
    • Reads the software policy settings

      • msiexec.exe (PID: 6228)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6228)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6228)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 6228)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6228)
    • Reads Environment values

      • msiexec.exe (PID: 6792)
No Malware configuration.

TRiD

.exe | InstallShield setup (80.2)
.exe | Win32 Executable (generic) (8.4)
.exe | Win16/32 Executable Delphi generic (3.8)
.exe | Generic Win/DOS Executable (3.7)
.exe | DOS Executable Generic (3.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:01:30 14:21:56+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 65024
InitializedDataSize: 73728
UninitializedDataSize: -
EntryPoint: 0x113bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.5.4594.1
ProductVersionNumber: 2.5.4594.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Famatech Corp.
FileDescription: Advanced IP Scanner Setup
FileVersion: 2.5.4594.1
LegalCopyright: Copyright © 2002-2022 Famatech Corp. and its licensors. All rights reserved.
ProductName: Advanced IP Scanner
ProductVersion: 2.5.4594.1
No data.
Total processes: 128
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Graph nodes: start, advanced_ip_scanner_2.5.4594.1.exe, advanced_ip_scanner_2.5.4594.1.tmp, msiexec.exe, msiexec.exe (no specs), msiexec.exe (no specs), advanced_ip_scanner.exe (THREAT)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6228
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6652
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 378B9B83945F09686A9EAE168BBBF947 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6792
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding FD858351B2CDBA0D286D889DCCD65C44
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7024
CMD: "C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe"
Path: C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe
Parent process: explorer.exe
User:
admin
Company:
Famatech Corp.
Integrity Level:
MEDIUM
Description:
Advanced IP Scanner Setup
Exit code:
0
Version:
2.5.4594.1
Modules
Images
c:\users\admin\desktop\advanced_ip_scanner_2.5.4594.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 7092
CMD: "C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"
Path: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe
Parent process: Advanced_IP_Scanner_2.5.4594.1.tmp
User:
admin
Company:
Famatech Corp.
Integrity Level:
MEDIUM
Description:
Advanced IP Scanner
Version:
2.5.4594.1
Modules
Images
c:\program files (x86)\advanced ip scanner\advanced_ip_scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7136
CMD: "C:\Users\admin\AppData\Local\Temp\is-D04JS.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp" /SL5="$603C8,20439558,139776,C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-D04JS.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp
Parent process: Advanced_IP_Scanner_2.5.4594.1.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-d04js.tmp\advanced_ip_scanner_2.5.4594.1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 10 397
Read events: 10 098
Write events: 284
Delete events: 15

Modification events

(PID) Process: (7136) Advanced_IP_Scanner_2.5.4594.1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write | Name: Owner | Value: E01B0000B479BB684AF4DA01

(PID) Process: (7136) Advanced_IP_Scanner_2.5.4594.1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write | Name: SessionHash | Value: CD240404C318038D3D187021F993CA4DC0652FF54A040FA19E1543BEE1F7A0CB

(PID) Process: (7136) Advanced_IP_Scanner_2.5.4594.1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write | Name: Sequence | Value: 1

(PID) Process: (7136) Advanced_IP_Scanner_2.5.4594.1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write | Name: RegFiles0000 | Value: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe

(PID) Process: (7136) Advanced_IP_Scanner_2.5.4594.1.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write | Name: RegFilesHash | Value: 1CBB1DBFAFC116601841FD3D2A4B548596233DB89F369C4F2C778E07B6D63DA1

(PID) Process: (6228) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write | Name: Owner | Value: 54180000CD96736E4AF4DA01

(PID) Process: (6228) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write | Name: SessionHash | Value: 5CA14B2AFFFDDC4F1E230EC39459355B7B0A94B026DD625B3AEC943880DC74B3

(PID) Process: (6228) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001
Operation: write | Name: Sequence | Value: 1

(PID) Process: (6792) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation: write | Name: JITDebug | Value: 0

(PID) Process: (6792) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe
Operation: write | Name: JScriptSetScriptStateStarted | Value: ED28120000000000
Executable files: 63
Suspicious files: 52
Text files: 40
Unknown types: 16

Dropped files

PID | Process | Filename | Type
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\is-01C8C.tmp | -
  MD5: - | SHA256: -
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\ip_scan_en_us_Release_2.5.4594.1.msi | -
  MD5: - | SHA256: -
6228 | msiexec.exe | C:\Windows\Installer\121c98.msi | -
  MD5: - | SHA256: -
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\_isetup\_setup64.tmp | executable
  MD5: C8871EFD8AF2CF4D9D42D1FF8FADBF89 | SHA256: E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\_isetup\_shfoldr.dll | executable
  MD5: 92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
7024 | Advanced_IP_Scanner_2.5.4594.1.exe | C:\Users\admin\AppData\Local\Temp\is-D04JS.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp | executable
  MD5: B87639F9A6CF5BA8C9E1F297C5745A67 | SHA256: EC8252A333F68865160E26DC95607F2C49AF00F78C657F7F8417AB9D86E90BF7
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\aips_is_install_dll.dll | executable
  MD5: 57E73855FAD786A59893D6581E9FB5B9 | SHA256: 3A7A8AA906C65124C4EE82AACB81D723CE69864CCAF041F631B8131DE59E4A88
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C | binary
  MD5: 7CD2196A425D40C814903CF7D3B7741C | SHA256: B62A5EC95BBB1177806796C8BB7017E7E9AF5B4232910C840D10B11644D95434
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A | binary
  MD5: A8D62E609FE667A597F3368466A2934E | SHA256: 50946CC1B9AEE759CD6910DEF63BE9000EC5A8B17FC9CC87E77BD1B26ED4C7FE
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A | binary
  MD5: A0AF4D81B2B19A99A3D01BE89D5F99D9 | SHA256: DE9F05CEB1610CF9964F0DEF09D525005569602993C82A647743F192E9414D4A
HTTP(S) requests: 7
TCP/UDP connections: 17
DNS requests: 9
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6228 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D | unknown | - | - | whitelisted
6228 | msiexec.exe | POST | 200 | 152.199.19.74:80 | http://s.symcd.com/ | unknown | - | - | unknown
6228 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://s.symcb.com/pca3-g5.crl | unknown | - | - | whitelisted
6228 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEGiQCmGXQyqAc98MLL9U12U%3D | unknown | - | - | whitelisted
6228 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEGiQCmGXQyqAc98MLL9U12U%3D | unknown | - | - | whitelisted
6228 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://sw.symcb.com/sw.crl | unknown | - | - | whitelisted
7092 | advanced_ip_scanner.exe | GET | 200 | 188.40.30.100:80 | http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-4594-1&beta=n&type=upd&rmode=i&product=aips | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2456 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2580 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6228 | msiexec.exe | 152.199.19.74:80 | s.symcd.com | EDGECAST | US | unknown
6228 | msiexec.exe | 192.229.221.95:80 | s.symcb.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7092 | advanced_ip_scanner.exe | 188.40.30.100:80 | www.advanced-ip-scanner.com | Hetzner Online GmbH | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 216.58.212.142
whitelisted
s.symcd.com
  • 152.199.19.74
shared
s.symcb.com
  • 192.229.221.95
whitelisted
sw.symcd.com
  • 152.199.19.74
whitelisted
sw.symcb.com
  • 192.229.221.95
whitelisted
www.advanced-ip-scanner.com
  • 188.40.30.100
shared

Threats

PID | Process | Class | Message
7092 | advanced_ip_scanner.exe | Detection of a Network Scan | ET ADWARE_PUP IP Scanner Tool Update Request (GET)
1 ETPRO signatures available at the full report
No debug info