This ticket has been updated by John Lewis
John Lewis, 4/30/2026 6:45 PM
Reviewed the alert and confirmed this was temporarily used by one of our techs. Reviewed the installed applications; no suspicious programs were installed. No further actions required. Closing ticket.
Summary: [##336645##] High - SentinelOne Threat - Stonehenge Advisors, Inc - Advanced_IP_Scanner_2.5.3850.exe
Status: Closed
Ticket #: 3523805
Company: Stonehenge Advisors, Inc
Contact: Dan Sablosky (POC)
Phone: (215) 320-3777
Address: 4328-42 Ridge Avenue, Suite 104, Philadelphia, PA 19129
Discussion
John Lewis, 4/30/2026 6:45 PM - 6:50 PM
Reviewed the alert and confirmed this was temporarily used by one of our techs. Reviewed the installed applications; no suspicious programs were installed. No further actions required. Closing ticket.

Dan Sablosky (POC), 4/29/2026 12:00 PM
Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336662
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - Advanced_IP_Scanner_2.5.3850.exe - 04/29/26
Description: EDR: Advanced_IP_Scanner_2.5.3850.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-29 11:52:39 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A suspicious software item was detected and automatically contained on a desktop used by user 'NT AUTHORITY\SYSTEM' (local system account), indicating potential unauthorized tool usage on that endpoint. The finding is rated as a moderate concern due to its nature as a utility that can be used for discovery, which could expose internal information. The agent successfully mitigated and quarantined the item, and the device remains protected. Business impact is limited for now, but if similar tools run with elevated access it could increase exposure of internal assets.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
Action | Status
DESKTOP-O1QCSNV, no full disk scan command was sent. | Not Configured
DESKTOP-O1QCSNV, endpoint was not isolated from the network. | Not Configured

Recommended Remediation
- Containment: Isolate the affected endpoint 'DESKTOP-O1QCSNV' from the network until remediation is complete (disconnect Wi-Fi and remove any wired connections).
- Eradication: Remove the detected file '\Device\HarddiskVolume3\Windows\System32\config\systemprofile\Documents\ScreenConnect\Temp\Advanced_IP_Scanner_2.5.3850.exe' and any known copies from the device and removable media.
- Credentials: Require password resets for any accounts that interacted with the endpoint; include the local user 'MiledysBurgos' in the password reset scope.
- Hardening: Uninstall unauthorized remote-support software instances (e.g., ScreenConnect client) or reconfigure them to enforce strict access controls and signed-session validation.
- Hardening: Apply OS and endpoint agent updates (Windows 11 revision 26200 and SentinelOne agent version 25.2.5.437) and ensure the host completes the pending reboot required by the updates.

Key Details
Threat Classification: Hacktool
Endpoint Name: DESKTOP-O1QCSNV
Detection Engine: On-Write DFI - Suspicious
Endpoint IP Address: 20.13.55.178
File Path: \Device\HarddiskVolume3\Windows\System32\config\systemprofile\Documents\ScreenConnect\Temp\Advanced_IP_Scanner_2.5.3850.exe
Site Name: Stonehenge Advisors
File Hash: 87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55 (Malicious)
Group Name: Stonehenge Advisors Inc - LYNDON KPG-MCG Curtis Tenant LLC
File Publisher Name: FAMATECH CORP.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Signed, Verified
SentinelOne Mitigation Status: mitigated
Command Line:

SOC Findings

Threat Intelligence & Reputation
VirusTotal, 87bfb050...a98b0a55: Malicious. File hash detected by 4 security engines. Classified under the meaningful name C:\Users\Standard\Downloads\Advanced_IP_Scanner_2.5.3850.exe.
Hybrid-Analysis, 87bfb050...a98b0a55: Not Malicious. No malicious engines were detected when the file hash was scanned against known threat indicators.

Indicators of Compromise
The threat indicator shows that an 'Advanced IP Scanner hacktool' has been detected. This tool is often used by attackers to scan networks and identify devices connected to them, allowing them to find vulnerabilities to exploit. Its detection suggests that someone may be trying to gather sensitive information about the network for malicious purposes. This raises concerns about potential unauthorized access or cyberattacks, emphasizing the need for immediate security measures to protect the network and its data from possible threats.

Cross-Service Intelligence
Below is additional context from other services subscribed to by the customer.
Service | Source | Relevant Insight | Reference
ES | N/A | No relevant tools configured for enrichment.

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336662
Dan Sablosky (POC), 4/29/2026 11:40 AM
Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336648
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - advanced_ip_scanner_console.exe - 04/29/26
Description: EDR: advanced_ip_scanner_console.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-29 11:31:13 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Quarantine: Success
Kill: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A suspicious software detection occurred on a desktop used by user 'AzureAD\MiledysBurgos'; the issue was rated moderately severe due to the software's nature as a discovery tool that can reveal network details. The agent successfully contained and mitigated the software, so the device is currently protected. Business risk is moderate because such tools can expose internal systems if misused, but immediate disruption has been prevented.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
Action | Status
DESKTOP-O1QCSNV, no full disk scan command was sent. | Not Configured
DESKTOP-O1QCSNV, endpoint was not isolated from the network. | Not Configured

Recommended Remediation
- [Containment] Isolate host 'DESKTOP-O1QCSNV' from the network and disable its network interfaces until remediation is complete.
- [Eradication] Remove the file '\Device\HarddiskVolume3\Users\MiledysBurgos\AppData\Local\Temp\Advanced IP Scanner 2\advanced_ip_scanner_console.exe' and delete the related temporary directory.
- [Eradication] Terminate any running remnants of 'Advanced_IP_Scanner_2.5.3850.tmp' and ensure the process is not present on the endpoint.
- [Hardening] Require a password reset for user 'AzureAD\MiledysBurgos' and enforce multifactor authentication for their account.
- [Hardening] Block execution and distribution of 'advanced_ip_scanner_console.exe' via endpoint application control/allowlist and add its SHA256 'f20721945a0a4150470e63bc81c9316cbb5802a60615ae4393283273a62cf8a2' to denial lists.

Key Details
Threat Classification: Hacktool
Endpoint Name: DESKTOP-O1QCSNV
Detection Engine: On-Write DFI - Suspicious
Endpoint IP Address: 20.13.55.178
File Path: \Device\HarddiskVolume3\Users\MiledysBurgos\AppData\Local\Temp\Advanced IP Scanner 2\advanced_ip_scanner_console.exe
Site Name: Stonehenge Advisors
File Hash: f20721945a0a4150470e63bc81c9316cbb5802a60615ae4393283273a62cf8a2 (Malicious)
Group Name: Stonehenge Advisors Inc - LYNDON KPG-MCG Curtis Tenant LLC
File Publisher Name: FAMATECH CORP.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Signed, Verified
SentinelOne Mitigation Status: mitigated
Command Line:

SOC Findings

Threat Intelligence & Reputation
VirusTotal, f2072194...a62cf8a2: Malicious. File hash detected by 1 security engine. Classified under the meaningful name advanced_ip_scanner_console.exe.
Hybrid-Analysis, f2072194...a62cf8a2: Malicious. File hash detected by 1 security engine. Classified under the meaningful name advanced_ip_scanner_console.exe.

Indicators of Compromise
The threat indicator shows that an 'Advanced IP Scanner hacktool' has been detected. This tool is often used by attackers to scan networks and identify connected devices, which helps them find potential weaknesses to exploit. Its detection suggests that someone may be attempting to gather information about the network for malicious purposes. This situation poses a risk of unauthorized access or attacks, emphasizing the importance of taking immediate action to secure the network and protect sensitive information.

Cross-Service Intelligence
Below is additional context from other services subscribed to by the customer.
Service | Source | Relevant Insight | Reference
ES | N/A | No relevant tools configured for enrichment.

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336648
Dan Sablosky (POC), 4/29/2026 11:40 AM
Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336649
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - advanced_ip_scanner.exe - 04/29/26
Description: EDR: advanced_ip_scanner.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-29 11:31:13 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A suspicious, unauthorized software execution was detected on a desktop endpoint used by user 'AzureAD\MiledysBurgos', rated as moderate severity due to its discovery by security controls and its potential to be a scanning tool; the agent successfully mitigated and quarantined the item and the device remains protected. Business impact is limited but could include brief disruption to the user and potential exposure of network discovery data if similar tools run unchecked.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
Action | Status
DESKTOP-O1QCSNV, no full disk scan command was sent. | Not Configured
DESKTOP-O1QCSNV, endpoint was not isolated from the network. | Not Configured

Recommended Remediation
- [Containment] Isolate endpoint 'DESKTOP-O1QCSNV' from the network (disconnect wired/Wi-Fi and remove VPN access) until remediation is complete.
- [Eradication] Uninstall Advanced IP Scanner and delete file '\Device\HarddiskVolume3\Users\MiledysBurgos\AppData\Local\Temp\Advanced IP Scanner 2\advanced_ip_scanner.exe' and related temp folders for user 'AzureAD\MiledysBurgos'.
- [Eradication] Run a full endpoint antivirus/EDR scan and ensure quarantined items are removed; if remediation requires it, perform a full system restore or rebuild the device.
- [Hardening] Ensure the device OS and SentinelOne agent are updated to the latest supported versions and apply pending OS patches and required reboots (reboot required flag present).
- [Hardening] Verify certificate-based execution policies and block execution from user temp paths via application control/whitelisting to prevent execution of signed tools from Temp directories.

Key Details
Threat Classification: Malware
Endpoint Name: DESKTOP-O1QCSNV
Detection Engine: On-Write DFI - Suspicious
Endpoint IP Address: 20.13.55.178
File Path: \Device\HarddiskVolume3\Users\MiledysBurgos\AppData\Local\Temp\Advanced IP Scanner 2\advanced_ip_scanner.exe
Site Name: Stonehenge Advisors
File Hash: 722fff8f38197d1449df500ae31a95bb34a6ddaba56834b13eaaff2b0f9f1c8b (Malicious)
Group Name: Stonehenge Advisors Inc - LYNDON KPG-MCG Curtis Tenant LLC
File Publisher Name: FAMATECH CORP.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Signed, Verified
SentinelOne Mitigation Status: mitigated
Command Line:

SOC Findings

Threat Intelligence & Reputation
VirusTotal, 722fff8f...0f9f1c8b: Malicious. File hash detected by 2 security engines. Classified under the meaningful name advanced_ip_scanner.exe.
Hybrid-Analysis, 722fff8f...0f9f1c8b: Not Malicious. No malicious engines were detected when the file hash was scanned against known threat indicators.

Indicators of Compromise
The threat indicator shows that an 'Advanced IP Scanner hacktool' has been detected. This tool is often used by attackers to scan and map out networks, identifying active devices and their vulnerabilities. Its presence suggests that someone may be attempting to gather information about the network for malicious purposes. This raises concerns about potential unauthorized access or cyberattacks, emphasizing the need for immediate action to secure the network and protect sensitive information.

Cross-Service Intelligence
Below is additional context from other services subscribed to by the customer.
Service | Source | Relevant Insight | Reference
ES | N/A | No relevant tools configured for enrichment.

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336649
Dan Sablosky (POC), 4/29/2026 11:36 AM
Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 336645
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - Advanced_IP_Scanner_2.5.3850.exe - 04/29/26
Description: EDR: Advanced_IP_Scanner_2.5.3850.exe
Customer: Stonehenge Advisors, Inc | Detected: 2026-04-29 11:25:16 UTC-04
Priority: High
Source: SentinelOne
Threat status: Mitigated - contained by SOC
Kill: Success
Quarantine: Success
Alert Link: EDR Alert

Executive Summary (AI-Assisted)
A piece of suspicious software was detected and blocked on a desktop used by user 'NT AUTHORITY\SYSTEM' (system-level activity), rated as a moderate risk because it is a discovery-type tool that could expose internal network information. The device is a Windows desktop and the agent successfully mitigated the item, so immediate disruption was contained. Business impact is low to moderate: if left unchecked such tools can reveal network details that might aid an attacker, but current controls prevented further activity.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
Action | Status
LyndonPC2, no full disk scan command was sent. | Not Configured
LyndonPC2, endpoint was not isolated from the network. | Not Configured

Recommended Remediation
- [Containment] Isolate host 'LyndonPC2' from the network immediately (disconnect wired/Wi-Fi and remove from VPN) to prevent further lateral discovery by the hacktool.
- [Eradication] Uninstall the ScreenConnect client and remove the file '\Device\HarddiskVolume3\windows\System32\config\systemprofile\Documents\ScreenConnect\Temp\Advanced_IP_Scanner_2.5.3850.exe' and any related temporary artifacts; ensure quarantined items are deleted.
- [Eradication] Validate and remove any unauthorized scheduled tasks or startup entries created by 'ScreenConnect.WindowsClient.exe' and the Advanced IP Scanner executable.
- [Hardening] Apply pending Windows updates and require a host reboot to complete installation (agent indicates reboot required).
- [Hardening] Enforce least privilege on systems: ensure services and remote-access tools run under non-SYSTEM service accounts where possible and restrict remote support tool usage to approved, signed binaries only.

Key Details
Threat Classification: Hacktool
Endpoint Name: LyndonPC2
Detection Engine: On-Write DFI - Suspicious
Endpoint IP Address: 192.168.137.1, 20.13.55.205
File Path: \Device\HarddiskVolume3\windows\System32\config\systemprofile\Documents\ScreenConnect\Temp\Advanced_IP_Scanner_2.5.3850.exe
Site Name: Stonehenge Advisors
File Hash: 87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55 (Unknown)
Group Name: Stonehenge Advisors Inc - LYNDON KPG-MCG Curtis Tenant LLC
File Publisher Name: FAMATECH CORP.
SentinelOne Mitigation Policy: protect
File Publisher Signed & Verified: Signed, Verified
SentinelOne Mitigation Status: mitigated
Command Line:

SOC Findings

Threat Intelligence & Reputation
VirusTotal, 87bfb050...a98b0a55: Malicious. File hash detected by 4 security engines. Classified under the meaningful name Advanced_IP_Scanner_2.5.3850.exe.
Hybrid-Analysis, 87bfb050...a98b0a55: Not Malicious. No malicious engines were detected when the file hash was scanned against known threat indicators.

Indicators of Compromise
The threat indicator reveals the detection of an 'Advanced IP Scanner hacktool'. This tool is commonly used by attackers to scan networks and identify active devices, helping them gather information about the network's structure and potential vulnerabilities. Its presence suggests that someone may be trying to map out the network for malicious purposes. This situation raises concerns about unauthorized access or malicious activities, highlighting the need for immediate investigation and protective measures to secure the network and its devices.

Cross-Service Intelligence
Below is additional context from other services subscribed to by the customer.
Service | Source | Relevant Insight | Reference
ES | N/A | No relevant tools configured for enrichment.

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist. You can view all details here: 336645
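The four alerts above were raised as four separate high-priority tickets, yet they describe one event: a signed Famatech installer written into the ScreenConnect Temp folder under the SYSTEM profile on two hosts, and the two binaries it extracts into the logged-in user's Temp folder on one of them. The script below is an added example, not part of this ticket, of SentinelOne or of the SOC's tooling. It correlates the alert records transcribed from the Key Details sections into a single incident and attaches the checks an analyst should make before closing, such as confirming that an authorised remote-support session existed on each host. The 30-minute per-host window, the path heuristics and the wording of the review notes are assumptions chosen for illustration.

```python
"""Correlate the four SentinelOne alerts in this ticket into one incident.

Added example for this ticket; not part of the ticket, of SentinelOne or of the
SOC's tooling. Alert records are transcribed from the Key Details sections. The
30-minute window, the path heuristics and the note wording are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Alert:
    ticket: str
    detected: datetime        # local time (UTC-04) as shown in the ticket
    host: str
    user: str
    path: str
    sha256: str
    publisher_verified: bool  # "File Publisher Signed & Verified" in Key Details


INSTALLER = "87bfb05057f215659cc801750118900145f8a22fa93ac4c6e1bfd81aa98b0a55"
USER_TEMP = r"\Device\HarddiskVolume3\Users\MiledysBurgos\AppData\Local\Temp\Advanced IP Scanner 2"

# Transcribed from the four alert e-mails above.
ALERTS = [
    Alert("336645", datetime(2026, 4, 29, 11, 25, 16), "LyndonPC2", r"NT AUTHORITY\SYSTEM",
          r"\Device\HarddiskVolume3\windows\System32\config\systemprofile\Documents\ScreenConnect\Temp\Advanced_IP_Scanner_2.5.3850.exe",
          INSTALLER, True),
    Alert("336648", datetime(2026, 4, 29, 11, 31, 13), "DESKTOP-O1QCSNV", r"AzureAD\MiledysBurgos",
          USER_TEMP + r"\advanced_ip_scanner_console.exe",
          "f20721945a0a4150470e63bc81c9316cbb5802a60615ae4393283273a62cf8a2", True),
    Alert("336649", datetime(2026, 4, 29, 11, 31, 13), "DESKTOP-O1QCSNV", r"AzureAD\MiledysBurgos",
          USER_TEMP + r"\advanced_ip_scanner.exe",
          "722fff8f38197d1449df500ae31a95bb34a6ddaba56834b13eaaff2b0f9f1c8b", True),
    Alert("336662", datetime(2026, 4, 29, 11, 52, 39), "DESKTOP-O1QCSNV", r"NT AUTHORITY\SYSTEM",
          r"\Device\HarddiskVolume3\Windows\System32\config\systemprofile\Documents\ScreenConnect\Temp\Advanced_IP_Scanner_2.5.3850.exe",
          INSTALLER, True),
]

# Path heuristics (assumed). Every hash here is a signed Famatech build, so where the
# file landed says more about how it arrived than the reputation verdicts do.
VECTORS = [
    ("remote_support_push_as_system",
     re.compile(r"\\config\\systemprofile\\.*\\ScreenConnect\\Temp\\", re.I)),
    ("user_temp_extract",
     re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)),
]


def classify_path(path: str) -> str:
    """Tag a file path with its delivery vector, or 'other' if no heuristic matches."""
    for tag, pattern in VECTORS:
        if pattern.search(path):
            return tag
    return "other"


@dataclass
class Incident:
    tickets: list
    hosts: set
    hashes: set
    vectors: set
    first_seen: datetime
    last_seen: datetime
    review_notes: list


def build_incident(alerts) -> Incident:
    """Summarise one cluster of alerts and attach the checks an analyst should make."""
    alerts = sorted(alerts, key=lambda a: a.detected)
    hosts = {a.host for a in alerts}
    vectors = {classify_path(a.path) for a in alerts}
    notes = []
    if "remote_support_push_as_system" in vectors:
        notes.append("Installer written under the SYSTEM profile's ScreenConnect\\Temp folder: "
                     "confirm an authorised support session existed on each host before closing.")
    if len(hosts) > 1:
        notes.append(f"Alerts on {len(hosts)} hosts are linked by a shared hash: check the session on each.")
    if all(a.publisher_verified for a in alerts):
        notes.append("Every binary carries a verified publisher signature: triage who ran it, not the file.")
    return Incident(sorted(a.ticket for a in alerts), hosts, {a.sha256 for a in alerts},
                    vectors, alerts[0].detected, alerts[-1].detected, notes)


def correlate(alerts, window: timedelta = timedelta(minutes=30)) -> list:
    """Group alerts per host inside a time window, then merge groups that share a hash."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x.detected):
        for c in clusters:
            if c[0].host == a.host and a.detected - c[-1].detected <= window:
                c.append(a)
                break
        else:
            clusters.append([a])
    merged = True
    while merged:                       # repeat until no two clusters share a hash
        merged = False
        for i, ci in enumerate(clusters):
            for j in range(i + 1, len(clusters)):
                if {x.sha256 for x in ci} & {x.sha256 for x in clusters[j]}:
                    ci.extend(clusters.pop(j))
                    merged = True
                    break
            if merged:
                break
    return [build_incident(c) for c in clusters]


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(f"tickets {', '.join(inc.tickets)} on {', '.join(sorted(inc.hosts))}, "
              f"{inc.first_seen:%H:%M:%S} to {inc.last_seen:%H:%M:%S}")
        for n in inc.review_notes:
            print("  -", n)
```

Run stand-alone, the script folds the four tickets into one incident spanning LyndonPC2 and DESKTOP-O1QCSNV, linked by the installer hash. The notes it emits are the questions the closing comment answers only implicitly ("used by one of our techs"): which support session wrote the installer, and on which hosts.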