F021LOWBenign / FPvalidator: passed

Dashlane.exe listening on localhost high port 49784

Dashlane.exe

Analyst narrative

Dashlane.exe (PID 7868) establishing TCP listener on 127.0.0.1:49784. Non-standard service port configuration may indicate attacker-modified service or credential stealing infrastructure.

Claims asserted

pid-vol_netscanvol_pstree

user_account-vol_cmdlinevol_handlesvol_pstree

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

⊞

handle facthandle:pid:7868:event:4

vol_handles

›

Raw tool output · 46c7f296e8cc9390d8d863edd0c88f0f522c6f8e

{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518715120000, "PID": 7868, "Process": "Dashlane.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:8

vol_handles

›

Raw tool output · 4c3700910bea2df3ae1dc785b6e07a340a94601f

{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518714204992, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:iocompletion:12

vol_handles

›

Raw tool output · ff0a4bd5e83d49a45288f72978b2f54257af7d43

{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518724490496, "PID": 7868, "Process": "Dashlane.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:tpworkerfactory:16

vol_handles

›

Raw tool output · bba132707d00969b85e4605db82828eeabbb9d5a

{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518733371136, "PID": 7868, "Process": "Dashlane.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:irtimer:20

vol_handles

›

Raw tool output · e250aa239f67b53f73c4140a08c92daf45f0344b

{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518716138832, "PID": 7868, "Process": "Dashlane.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:24

vol_handles

›

Raw tool output · 5e8a62f5c0be1cf956052d5cd5707ccfacfe3d4d

{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518716571984, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:irtimer:28

vol_handles

›

Raw tool output · 188bd7100ad1a73c15659cf7ed90b2017f070f31

{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518718082336, "PID": 7868, "Process": "Dashlane.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:32

vol_handles

›

Raw tool output · 714b906538b6f6aa076536fc9da47f99e07929ee

{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518715440336, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:36

vol_handles

›

Raw tool output · 8b8c9cd8a4ede323fcdaee8c5e0f8919c59f9240

{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518715274240, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:40

vol_handles

›

Raw tool output · 6ca94d57f82c8edc34b4d8d16da8b108c38ae187

{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518702345312, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:44

vol_handles

›

Raw tool output · 936becab96f3b50b3a80e8e657a41eff3643a502

{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518715511392, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:directory:knowndlls

vol_handles

›

Raw tool output · 8c68a6e5f8c2135527ca3def3ad3338fba23a1d1

{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 7868, "Process": "Dashlane.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:event:52

vol_handles

›

Raw tool output · 70f04d5f6efe0dfec8552d4ec043d3defbf8c0d1

{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518715119152, "PID": 7868, "Process": "Dashlane.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:event:56

vol_handles

›

Raw tool output · a5eb3d0df77f3c2905b83d32e014dfb024f19f34

{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518715119280, "PID": 7868, "Process": "Dashlane.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:file:\device\harddiskvolume2\windows

vol_handles

›

Raw tool output · 0f0878f25e36f9b1356bdef1319e76d845a9a49a

{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows", "Offset": 154518717275888, "PID": 7868, "Process": "Dashlane.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:event:64

vol_handles

›

Raw tool output · c84127656c47d0994c3096e4fc59a9892d854343

{"GrantedAccess": 2031619, "HandleValue": 64, "Name": null, "Offset": 154518725890416, "PID": 7868, "Process": "Dashlane.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:directory:knowndlls32

vol_handles

›

Raw tool output · a6304bcbe564f77a42bc48b16d5aae3a41623e2c

{"GrantedAccess": 3, "HandleValue": 68, "Name": "KnownDlls32", "Offset": 229276702275152, "PID": 7868, "Process": "Dashlane.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:72

vol_handles

›

Raw tool output · f0be9dfd802a6a75af31827971eacceaaa97f307

{"GrantedAccess": 1, "HandleValue": 72, "Name": null, "Offset": 154518773412800, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:iocompletion:76

vol_handles

›

Raw tool output · da8ee72e4e66517e0a57f06da2be9130984124d0

{"GrantedAccess": 2031619, "HandleValue": 76, "Name": null, "Offset": 154518715168256, "PID": 7868, "Process": "Dashlane.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:tpworkerfactory:80

vol_handles

›

Raw tool output · 8da813db145dde6937a8f49fc73f66520f4b49c4

{"GrantedAccess": 983295, "HandleValue": 80, "Name": null, "Offset": 154518717327328, "PID": 7868, "Process": "Dashlane.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:irtimer:84

vol_handles

›

Raw tool output · dcb2df7d21e95b0d48e8a481fbbcdcea5b3a26fb

{"GrantedAccess": 1048578, "HandleValue": 84, "Name": null, "Offset": 154518716079952, "PID": 7868, "Process": "Dashlane.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:88

vol_handles

›

Raw tool output · d1b86e679308f00bdbe80553d3deecc08450bc30

{"GrantedAccess": 1, "HandleValue": 88, "Name": null, "Offset": 154518724047200, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:irtimer:92

vol_handles

›

Raw tool output · 7bea10996bbc23d168ba13652b5832677fe7503b

{"GrantedAccess": 1048578, "HandleValue": 92, "Name": null, "Offset": 154518715555936, "PID": 7868, "Process": "Dashlane.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:96

vol_handles

›

Raw tool output · bd4125d754de06e9cc99b544db941e08b0cbc794

{"GrantedAccess": 1, "HandleValue": 96, "Name": null, "Offset": 154518678585440, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:100

vol_handles

›

Raw tool output · ffc9d858c949c81e8ac59baad9268c257c1fb60b

{"GrantedAccess": 2052, "HandleValue": 100, "Name": null, "Offset": 154518678585696, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:104

vol_handles

›

Raw tool output · 7e2974be55f33dd4b594296e052ba892ff56b202

{"GrantedAccess": 2052, "HandleValue": 104, "Name": null, "Offset": 154518716263264, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:108

vol_handles

›

Raw tool output · 50b60c0bc9d34b5b552236ee8b31262f626c6f52

{"GrantedAccess": 2052, "HandleValue": 108, "Name": null, "Offset": 154518716263040, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:event:116

vol_handles

›

Raw tool output · 17ef8b353f9ac99af8620505eaf9e63c2c1adf74

{"GrantedAccess": 2031619, "HandleValue": 116, "Name": null, "Offset": 154518678569056, "PID": 7868, "Process": "Dashlane.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:event:120

vol_handles

›

Raw tool output · a7374e95da98bdadc64f4e3ffc97bffcc30f0391

{"GrantedAccess": 2031619, "HandleValue": 120, "Name": null, "Offset": 154518715912640, "PID": 7868, "Process": "Dashlane.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:file:\device\harddiskvolume2\windows\syswow64

vol_handles

›

Raw tool output · 0a60aa7bd867922ad322436f88c43dcc6e2dd264

{"GrantedAccess": 1048608, "HandleValue": 124, "Name": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64", "Offset": 154518715904128, "PID": 7868, "Process": "Dashlane.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:128

vol_handles

›

Raw tool output · b389fd0f5a1a574115940060c74ae1c9c403d020

{"GrantedAccess": 2052, "HandleValue": 128, "Name": null, "Offset": 154518715669344, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:132

vol_handles

›

Raw tool output · f5b8db588da3f20db9fea9d7d9f24159cff713bb

{"GrantedAccess": 2052, "HandleValue": 132, "Name": null, "Offset": 154518715669120, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:alpc port:136

vol_handles

›

Raw tool output · 2fb5b9127ae5d88759c68ae9262737e4718cd378

{"GrantedAccess": 2031617, "HandleValue": 136, "Name": null, "Offset": 154518715843600, "PID": 7868, "Process": "Dashlane.exe", "Type": "ALPC Port", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:iocompletion:140

vol_handles

›

Raw tool output · 638f9d65da6fde2859989f775711cbf098d8f3c3

{"GrantedAccess": 2031619, "HandleValue": 140, "Name": null, "Offset": 154518715668928, "PID": 7868, "Process": "Dashlane.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:tpworkerfactory:144

vol_handles

›

Raw tool output · afa56d5e8399164a46c5e09790eaed3879222c93

{"GrantedAccess": 983295, "HandleValue": 144, "Name": null, "Offset": 154518720185520, "PID": 7868, "Process": "Dashlane.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:irtimer:148

vol_handles

›

Raw tool output · 77e6d754eee0ad6178102896328f16fac2085459

{"GrantedAccess": 1048578, "HandleValue": 148, "Name": null, "Offset": 154518720162320, "PID": 7868, "Process": "Dashlane.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:152

vol_handles

›

Raw tool output · b01fc0852939dc00720120d92d38c6c5d76157a5

{"GrantedAccess": 1, "HandleValue": 152, "Name": null, "Offset": 154518715668672, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:irtimer:156

vol_handles

›

Raw tool output · 21ac18d9082e0f6bf19beea29cb0ca4822732d9b

{"GrantedAccess": 1048578, "HandleValue": 156, "Name": null, "Offset": 154518714888016, "PID": 7868, "Process": "Dashlane.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:waitcompletionpacket:160

vol_handles

›

Raw tool output · 974c4417759a1f6181f750ef010edd032b9ea315

{"GrantedAccess": 1, "HandleValue": 160, "Name": null, "Offset": 154518720185312, "PID": 7868, "Process": "Dashlane.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:key:machine\system\controlset001\control\session manager

vol_handles

›

Raw tool output · e659ff0b5c3bfd5b5e719b076ee0d1b8d2e3908d

{"GrantedAccess": 1, "HandleValue": 164, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276768730272, "PID": 7868, "Process": "Dashlane.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:semaphore:168

vol_handles

›

Raw tool output · a20e93c06b02f01152bd07385874417a2715fcfe

{"GrantedAccess": 1048579, "HandleValue": 168, "Name": null, "Offset": 154518715928880, "PID": 7868, "Process": "Dashlane.exe", "Type": "Semaphore", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:key:machine\system\controlset001\control\nls\sorting\versions

vol_handles

›

Raw tool output · 327e8270cdc6a7c76123b13abef945c0fb4a6701

{"GrantedAccess": 131097, "HandleValue": 172, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276774225056, "PID": 7868, "Process": "Dashlane.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:176

vol_handles

›

Raw tool output · 56eaa2cc60f217fbd763236da4241efca743634b

{"GrantedAccess": 2052, "HandleValue": 176, "Name": null, "Offset": 154518715044656, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:etwregistration:180

vol_handles

›

Raw tool output · 28dfbca6105cfb0fbe9c78bc6f08cb5517e05f77

{"GrantedAccess": 2052, "HandleValue": 180, "Name": null, "Offset": 154518715665824, "PID": 7868, "Process": "Dashlane.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:file:\device\cng

vol_handles

›

Raw tool output · b4d3fa7616f1c189310e63a08289e00f954f4b17

{"GrantedAccess": 1048577, "HandleValue": 184, "Name": "\\Device\\CNG", "Offset": 154518715662464, "PID": 7868, "Process": "Dashlane.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:semaphore:188

vol_handles

›

Raw tool output · 575480c4674987da21171bd9bc7c14aa94ec1313

{"GrantedAccess": 1048579, "HandleValue": 188, "Name": null, "Offset": 154518753506176, "PID": 7868, "Process": "Dashlane.exe", "Type": "Semaphore", "TreeDepth": 0}

⊞

handle facthandle:pid:7868:file:\device\namedpipe\kw_pipe_plugin_dp__________________________________wstdungan

vol_handles

›

Raw tool output · 590eda629c58ddb04377dabf6d9f2c16daf5c4ef

{"GrantedAccess": 1180063, "HandleValue": 192, "Name": "\\Device\\NamedPipe\\kw_pipe_plugin_dp__________________________________wstdungan", "Offset": 154518746056624, "PID": 7868, "Process": "Dashlane.exe", "Type": "File", "TreeDepth": 0}

▣

network connection factpid:7868

vol_netscan

›

Raw tool output · fa03c76fd975359ec9a92c29434832b032bbfc02

{"Created": "2018-08-30T13:54:12+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "127.0.0.1", "LocalPort": 49784, "Offset": 154518719985760, "Owner": "Dashlane.exe", "PID": 7868, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}

▣

process factpid:7868

vol_psscan

›

Raw tool output · c3223f070384e49507a38d17a3036a21a413a571

{"CreateTime": "2018-08-30T13:54:03+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "Dashlane.exe", "Offset(V)": 154518675366016, "PID": 7868, "PPID": 5988, "SessionId": 1, "Threads": 17, "Wow64": true, "TreeDepth": 0}

▣

process relationship factpid:7868->pid:5988

vol_psscanvol_pstree

›

Raw tool output · a7aa8e98c4b7b34425f97e02547d5091d419caf6

{"CreateTime": "2018-08-30T13:54:03+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "Dashlane.exe", "Offset(V)": 154518675366016, "PID": 7868, "PPID": 5988, "SessionId": 1, "Threads": 17, "Wow64": true, "TreeDepth": 0}

Source tools

vol_cmdlinevol_handlesvol_netscanvol_pstree