File name: Advanced_IP_Scanner_2.5.4594.1.exe

Full analysis: https://app.any.run/tasks/452bb0e5-61c1-4e77-a775-164366f85336
Verdict: Malicious activity
Analysis date: August 22, 2024, 04:18:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: scan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5537C708EDB9A2C21F88E34E8A0F1744
SHA1: 86233A285363C2A6863BF642DEAB7E20F062B8EB
SHA256: 26D5748FFE6BD95E3FEE6CE184D388A1A681006DC23A0F08D53C083C593C193B
SSDEEP: 393216:Plu7Txs0NDmNh9D4HaSYz2Kj0Cz1gEVmWdQOjM/y3tFfs5IRRViGmMQZ+Bw5i:A7Th9mT97S7CzNwWCJK05IRTX+Fi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
    • Drops the executable file immediately after the start

      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
    • Reads the Windows owner or organization settings

      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
    • Process drops legitimate windows executable

      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6228)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6228)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6228)
    • Detection of a Network Scan

      • advanced_ip_scanner.exe (PID: 7092)
    • There is functionality for taking screenshot (YARA)

      • advanced_ip_scanner.exe (PID: 7092)
  • INFO

    • Reads the computer name

      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
      • msiexec.exe (PID: 6792)
      • msiexec.exe (PID: 6652)
      • advanced_ip_scanner.exe (PID: 7092)
    • Checks supported languages

      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
      • msiexec.exe (PID: 6228)
      • msiexec.exe (PID: 6792)
      • msiexec.exe (PID: 6652)
      • advanced_ip_scanner.exe (PID: 7092)
    • Create files in a temporary directory

      • Advanced_IP_Scanner_2.5.4594.1.exe (PID: 7024)
      • Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 7136)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6228)
      • advanced_ip_scanner.exe (PID: 7092)
    • Reads the software policy settings

      • msiexec.exe (PID: 6228)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6228)
    • Reads Environment values

      • msiexec.exe (PID: 6792)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6228)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6228)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 6228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (80.2)
.exe | Win32 Executable (generic) (8.4)
.exe | Win16/32 Executable Delphi generic (3.8)
.exe | Generic Win/DOS Executable (3.7)
.exe | DOS Executable Generic (3.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:01:30 14:21:56+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 65024
InitializedDataSize: 73728
UninitializedDataSize: -
EntryPoint: 0x113bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.5.4594.1
ProductVersionNumber: 2.5.4594.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Famatech Corp.
FileDescription: Advanced IP Scanner Setup
FileVersion: 2.5.4594.1
LegalCopyright: Copyright © 2002-2022 Famatech Corp. and its licensors. All rights reserved.
ProductName: Advanced IP Scanner
ProductVersion: 2.5.4594.1
No data.
All screenshots are available in the full report
Total processes
128
Monitored processes
6
Malicious processes
1
Suspicious processes
2

Behavior graph

Graph nodes: start, advanced_ip_scanner_2.5.4594.1.exe, advanced_ip_scanner_2.5.4594.1.tmp, msiexec.exe, msiexec.exe (no specs), msiexec.exe (no specs), advanced_ip_scanner.exe (THREAT)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6228
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6652
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 378B9B83945F09686A9EAE168BBBF947 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6792
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding FD858351B2CDBA0D286D889DCCD65C44
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7024
CMD: "C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe"
Path: C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe
Parent process: explorer.exe
User:
admin
Company:
Famatech Corp.
Integrity Level:
MEDIUM
Description:
Advanced IP Scanner Setup
Exit code:
0
Version:
2.5.4594.1
Modules
Images
c:\users\admin\desktop\advanced_ip_scanner_2.5.4594.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 7092
CMD: "C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"
Path: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe
Parent process: Advanced_IP_Scanner_2.5.4594.1.tmp
User:
admin
Company:
Famatech Corp.
Integrity Level:
MEDIUM
Description:
Advanced IP Scanner
Version:
2.5.4594.1
Modules
Images
c:\program files (x86)\advanced ip scanner\advanced_ip_scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7136
CMD: "C:\Users\admin\AppData\Local\Temp\is-D04JS.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp" /SL5="$603C8,20439558,139776,C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-D04JS.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp
Parent process: Advanced_IP_Scanner_2.5.4594.1.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-d04js.tmp\advanced_ip_scanner_2.5.4594.1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
10 397
Read events
10 098
Write events
284
Delete events
15

Modification events

Process | Key | Operation | Name | Value
(7136) Advanced_IP_Scanner_2.5.4594.1.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | Owner | E01B0000B479BB684AF4DA01
(7136) Advanced_IP_Scanner_2.5.4594.1.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | SessionHash | CD240404C318038D3D187021F993CA4DC0652FF54A040FA19E1543BEE1F7A0CB
(7136) Advanced_IP_Scanner_2.5.4594.1.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | Sequence | 1
(7136) Advanced_IP_Scanner_2.5.4594.1.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | RegFiles0000 | C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe
(7136) Advanced_IP_Scanner_2.5.4594.1.tmp | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | write | RegFilesHash | 1CBB1DBFAFC116601841FD3D2A4B548596233DB89F369C4F2C778E07B6D63DA1
(6228) msiexec.exe | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001 | write | Owner | 54180000CD96736E4AF4DA01
(6228) msiexec.exe | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001 | write | SessionHash | 5CA14B2AFFFDDC4F1E230EC39459355B7B0A94B026DD625B3AEC943880DC74B3
(6228) msiexec.exe | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001 | write | Sequence | 1
(6792) msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings | write | JITDebug | 0
(6792) msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe | write | JScriptSetScriptStateStarted | ED28120000000000
Executable files
63
Suspicious files
52
Text files
40
Unknown types
16

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\is-01C8C.tmp | - | - | -
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\ip_scan_en_us_Release_2.5.4594.1.msi | - | - | -
6228 | msiexec.exe | C:\Windows\Installer\121c98.msi | - | - | -
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C | binary | 7CD2196A425D40C814903CF7D3B7741C | B62A5EC95BBB1177806796C8BB7017E7E9AF5B4232910C840D10B11644D95434
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F | binary | 4842E206E4CFFF2954901467AD54169E | 2ACAB1228E8935D5DFDD1756B8A19698B6C8B786C90F87993CE9799A67A96E4E
7136 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-23VEG.tmp\_isetup\_setup64.tmp | executable | C8871EFD8AF2CF4D9D42D1FF8FADBF89 | E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C | binary | 4842E206E4CFFF2954901467AD54169E | 2ACAB1228E8935D5DFDD1756B8A19698B6C8B786C90F87993CE9799A67A96E4E
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_8F26572777FCD745CB8E13A9C3A2485B | binary | 5BFA51F3A417B98E7443ECA90FC94703 | BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A | binary | A0AF4D81B2B19A99A3D01BE89D5F99D9 | DE9F05CEB1610CF9964F0DEF09D525005569602993C82A647743F192E9414D4A
6228 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_8F26572777FCD745CB8E13A9C3A2485B | binary | 25E236170B575B8B413208F040588C51 | 425D4FF0F484911F127B251B1247B8700E5C6E09EFBDE4A00652F69D424843BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
17
DNS requests
9
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6228 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D | unknown | whitelisted
6228 | msiexec.exe | POST | 200 | 152.199.19.74:80 | http://s.symcd.com/ | unknown
6228 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://s.symcb.com/pca3-g5.crl | unknown | whitelisted
6228 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEGiQCmGXQyqAc98MLL9U12U%3D | unknown | whitelisted
6228 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEGiQCmGXQyqAc98MLL9U12U%3D | unknown | whitelisted
6228 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://sw.symcb.com/sw.crl | unknown | whitelisted
7092 | advanced_ip_scanner.exe | GET | 200 | 188.40.30.100:80 | http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-4594-1&beta=n&type=upd&rmode=i&product=aips | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2456 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
2580 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6228 | msiexec.exe | 152.199.19.74:80 | s.symcd.com | EDGECAST | US | unknown
6228 | msiexec.exe | 192.229.221.95:80 | s.symcb.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
7092 | advanced_ip_scanner.exe | 188.40.30.100:80 | www.advanced-ip-scanner.com | Hetzner Online GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 216.58.212.142 | whitelisted
s.symcd.com | 152.199.19.74 | shared
s.symcb.com | 192.229.221.95 | whitelisted
sw.symcd.com | 152.199.19.74 | whitelisted
sw.symcb.com | 192.229.221.95 | whitelisted
www.advanced-ip-scanner.com | 188.40.30.100 | shared

Threats

PID | Process | Class | Message
- | - | Detection of a Network Scan | ET ADWARE_PUP IP Scanner Tool Update Request (GET)
1 ETPRO signatures available at the full report
No debug info