PUA - Advanced IP Scanner Execution

Sigma Rules

Summary
This detection rule targets execution of the Advanced IP Scanner application, a network scanning tool frequently used in attack scenarios associated with ransomware groups. The rule works on Windows process creation events and identifies the software through characteristics of the image name, the original file name and the file description. It also monitors for the command line arguments typically associated with the portable version of the application. Because some legitimate administrative tasks involve IP scanning tools, the rule includes a note about potential false positives. The background references document the connection between Advanced IP Scanner and various ransomware tactics, providing context for its relevance in threat detection.
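As an added example that is not part of this page or of the Sigma project, the following Python matcher applies the checks the summary describes to constructed Windows process-creation events. The field names follow the Sysmon/Sigma process_creation convention; the marker substrings and the portable-mode switches are assumptions, not values taken from the rule.

```python
# Added example: a minimal matcher for the detection logic described above.
# Assumed values (not from the page): the substrings matched in Image /
# OriginalFileName / Description and the switches of the portable build.

NAME_MARKER = "advanced_ip_scanner"          # assumed substring in Image and OriginalFileName
DESCRIPTION_MARKER = "advanced ip scanner"   # assumed substring in the PE Description field
PORTABLE_SWITCHES = ("/portable", "/lng")    # assumed switches of the portable build


def matches_advanced_ip_scanner(event: dict) -> bool:
    """Return True when a process-creation event shows the traits the rule looks for."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    description = event.get("Description", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Check 1-3: identify the binary by path, by PE OriginalFileName, or by description.
    if NAME_MARKER in image or NAME_MARKER in original or DESCRIPTION_MARKER in description:
        return True
    # Check 4: the portable build, recognised by its command-line switches
    # independently of the file name on disk (all switches must be present).
    return all(switch in cmdline for switch in PORTABLE_SWITCHES)


def find_matches(events):
    """Filter a list of process-creation events down to the ones that match."""
    return [e for e in events if matches_advanced_ip_scanner(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\advanced_ip_scanner.exe", "CommandLine": "advanced_ip_scanner.exe"},
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "advanced_ip_scanner.exe", "CommandLine": "svc.exe"},
    {"Image": r"C:\Temp\update.exe", "Description": "Advanced IP Scanner", "CommandLine": "update.exe"},
    {"Image": r"C:\Temp\tool.exe", "CommandLine": "tool.exe /portable C:\\Temp /lng en"},
    {"Image": r"C:\Windows\System32\ping.exe", "CommandLine": "ping.exe 10.0.0.1"},
    {"Image": r"C:\Temp\x.exe", "CommandLine": "x.exe /lng en"},  # only one switch: no match
]

if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print("MATCH:", e["Image"], "|", e["CommandLine"])
```

Matching on substrings rather than exact names keeps the detection working for both the installed and the console variants, at the cost of the administrative false positives the rule already warns about.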
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2020-05-12