Reviewed the S1 alert Advance IP scanner is a known tool used by our technicians. Checked the timeline on this machine from the date 5/11 and confirmed one of our technicians was on the machine around this time. Marking as a false positive. No further action is required. Closing ticket.
A security agent detected suspicious software on a desktop used by user 'LYNDONPC2\Jennifer', assessed as a moderate-severity discovery due to its potentially unwanted scanning capability and impact on visibility. The threat was automatically mitigated and quarantined by endpoint controls, so active risk is reduced. Business impact is limited but could include unauthorized network scanning and potential exposure of internal assets if similar activity occurred elsewhere.
SOC Response Actions
Actions the SOC performed (or attempted). See Use Case #5 and Use Case #6 for further information.

| Action | Status |
| --- | --- |
| LyndonPC2: no full disk scan command was sent. | Not Configured |
| LyndonPC2: endpoint was not isolated from the network. | Not Configured |
Recommended Remediation
[Containment] Isolate host 'LyndonPC2' from the network and block its external IP '23.24.19.166' at the firewall to prevent further lateral movement or data exfiltration.
[Eradication] Remove the file '\Device\HarddiskVolume3\Users\Jennifer\Documents\Atlantic Connect\Temp\Advanced_IP_Scanner_2.5.4594.1.exe' and any remaining copies from the endpoint and backups.
[Eradication] Uninstall unauthorized remote access software 'ScreenConnect.WindowsClient.exe' and validate no other remote-access tools are present on the host.
[Hardening] Reset credentials for user 'LYNDONPC2\Jennifer' and enforce MFA on the account to reduce risk of credential reuse.
[Hardening] Apply latest endpoint and OS security updates and ensure group policy or EDR policy prevents execution from user Temp directories and restricts use of hacktools like Advanced IP Scanner.
Indicators of Compromise

| Indicator | Verdict | Details | Source |
| --- | --- | --- | --- |
| 26d5748f...593c193b | Malicious | File hash detected by 2 security engines. Classified under the meaningful name Advanced_IP_Scanner_2.5.4594.1.exe. | Hybrid-Analysis |
| 26d5748f...593c193b | Malicious | File hash detected by 3 security engines. Classified under the meaningful name Advanced_IP_Scanner_2.5.4594.1.exe. | |
The threat indicator corresponds to a detection of the network discovery tool 'Advanced IP Scanner'. Attackers frequently use this tool to enumerate connected devices on a network, which can help them identify hosts and services to target. Its presence on a system may therefore indicate unauthorized reconnaissance of the network, which poses a significant security risk. Immediate investigation is needed to confirm whether the execution was authorized and to mitigate any associated threat to the system and its data.