F011 · LOW · Benign / FP · validator: passed
subject_srv.exe remote-management listener (C2/Remote access)
Unusual subject_srv.exe listener (F-Response remote subject)
Analyst narrative
subject_srv.exe (PID 1096) is running from C:\windows\subject_srv.exe and listening on port 3262, with an established connection from 172.16.5.50. Its command line references base-hunt.shieldbase.lan:5682. Amcache SHA1: 3b7d3e24ae0f54cfdf490924bfd4d34b4ae8f1da. Candidates: cand-0042/cand-0046.
Claims asserted
pid · - · sources: vol_pstree, vol_netscan, vol_cmdline, get_amcache
connection · - · sources: vol_pstree, vol_netscan, vol_cmdline, get_amcache
hash (subject_srv.exe) · 3b7d3e24ae0f54cfdf490924bfd4d34b4ae8f1da · sources: vol_pstree, vol_netscan, vol_cmdline, get_amcache

Proof chain · 139 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
file execution fact · sha1:3b7d3e24ae0f54cfdf490924bfd4d34b4ae8f1da · get_amcache
Raw tool output · ae1b23b1c41876d700e43e104db7683b01462499
{"path": "C:\\Windows\\subject_srv.exe", "sha1": "3b7d3e24ae0f54cfdf490924bfd4d34b4ae8f1da", "first_run": "", "publisher": null, "file_size": null}
handle fact
handle:pid:1096:etwregistration:388vol_handles
Raw tool output · c5e031b531e0bc8749c4e6875620b21f5d2faa83
{"GrantedAccess": 2052, "HandleValue": 388, "Name": null, "Offset": 154518774252704, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}⊞handle facthandle:pid:1096:etwregistration:392vol_handles›
handle fact
handle:pid:1096:etwregistration:392vol_handles
Raw tool output · 6768ed9f453dabbf047fda96b10c58ff5e0d0380
{"GrantedAccess": 2052, "HandleValue": 392, "Name": null, "Offset": 154518742788032, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}⊞handle facthandle:pid:1096:etwregistration:396vol_handles›
handle fact
handle:pid:1096:etwregistration:396vol_handles
Raw tool output · 5b2d90060bfe8506fb6e173c5cf616947ae72cd8
{"GrantedAccess": 2052, "HandleValue": 396, "Name": null, "Offset": 154518754740608, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}•network connection factnet:172.16.6.11:49788-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:49788-172.16.4.10:8080vol_netscan
Raw tool output · 45d4b7c2f777e9f81d108fdb0c35dcb3cd371886
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49788, "Offset": 154518679887024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}▣network connection factpid:9088vol_netscan›
network connection fact
pid:9088vol_netscan
Raw tool output · 0479e83c55bb3a9f97be35caa60f18cd3eb7c35b
{"Created": "2018-08-30T13:55:00+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 51201, "Offset": 154518682425664, "Owner": "svchost.exe", "PID": 9088, "Proto": "UDPv4", "State": "", "TreeDepth": 0}•network connection factnet:172.16.6.11:52703-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:52703-172.16.4.10:8080vol_netscan
Raw tool output · fe28080ea5e105743a465f19a1aa8bc81315c5ff
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 52703, "Offset": 154518690153728, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}•network connection factnet:172.16.6.11:50253-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:50253-172.16.4.10:8080vol_netscan
Raw tool output · eb2d424706139a55a1b8caf8f665d269ca9e42bc
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50253, "Offset": 154518692227712, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}•network connection factnet:172.16.6.11:50263-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:50263-172.16.4.10:8080vol_netscan
Raw tool output · 8240d15b6f90596d65d9ce49eb06acabf6e2a8aa
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50263, "Offset": 154518692506208, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}•network connection factnet:172.16.6.11:63826-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63826-172.16.4.5:3389vol_netscan
Raw tool output · aeb9209ea4368f567ce272e01203d0a200e2b524
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63826, "Offset": 154518692996752, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:50259-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:50259-172.16.4.10:8080vol_netscan
Raw tool output · 73371a820927922ddc29f6f811bae01b09352b55
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50259, "Offset": 154518694399152, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}•network connection factnet:172.16.6.11:59352-172.16.7.15:445vol_netscan›
network connection fact
net:172.16.6.11:59352-172.16.7.15:445vol_netscan
Raw tool output · 9a78f1990baabbfb213815c38baf3de2eca500bd
{"Created": null, "ForeignAddr": "172.16.7.15", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 59352, "Offset": 154518694659152, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}▣network connection factpid:692vol_netscan›
network connection fact
pid:692vol_netscan
Raw tool output · 40f62b286451ff6ac82c166792107e871ea9c6a7
{"Created": "2018-08-30T13:53:54+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 5040, "Offset": 154518715144704, "Owner": "svchost.exe", "PID": 692, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}•network connection factnet:172.16.6.11:49774-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:49774-172.16.4.10:8080vol_netscan
Raw tool output · 52eb5529a86798cbf807b242ba07f4e4be093f65
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49774, "Offset": 154518715368640, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}•network connection factnet:172.16.6.11:49782-13.89.220.65:443vol_netscan›
network connection fact
net:172.16.6.11:49782-13.89.220.65:443vol_netscan
Raw tool output · 8d5932d9b0576f65f07029e72d9e4ef5e644b20c
{"Created": null, "ForeignAddr": "13.89.220.65", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 49782, "Offset": 154518715500448, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}▣network connection factpid:4vol_netscan›
network connection fact
pid:4vol_netscan
Raw tool output · 9b268e648672ae208d5c9239da8015936175146e
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 139, "Offset": 154518717071376, "Owner": "System", "PID": 4, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}•network connection factnet:172.16.6.11:50257-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:50257-172.16.4.10:8080vol_netscan
Raw tool output · d2c17272872caf1e215e31b676a6baa675c8e639
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50257, "Offset": 154518720063824, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}▣network connection factpid:4vol_netscan›
network connection fact
pid:4vol_netscan
Raw tool output · 76a48cd2750e404abea09669bccde1534f1fe61d
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 137, "Offset": 154518723210944, "Owner": "System", "PID": 4, "Proto": "UDPv4", "State": "", "TreeDepth": 0}•network connection factnet:172.16.6.11:49763-172.16.4.5:445vol_netscan›
network connection fact
net:172.16.6.11:49763-172.16.4.5:445vol_netscan
Raw tool output · ff3db042d5cb036bf168fa4b21fcd3477e6c0198
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 49763, "Offset": 154518739399760, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}•network connection factnet:172.16.6.11:63834-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63834-172.16.4.5:3389vol_netscan
Raw tool output · 405beeb570082cbe9e89df17ff6d6da38904065b
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63834, "Offset": 154518742383024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}▣network connection factpid:4vol_netscan›
network connection fact
pid:4vol_netscan
Raw tool output · 3463442a527eccd5c71f05a8be0b0d91fa0306ff
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 138, "Offset": 154518746994880, "Owner": "System", "PID": 4, "Proto": "UDPv4", "State": "", "TreeDepth": 0}•network connection factnet:172.16.6.11:63828-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63828-172.16.4.5:3389vol_netscan
Raw tool output · 0f1fa89fc3ba9d753331710bc918bda45828d2f9
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63828, "Offset": 154518754851184, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:63958-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63958-172.16.4.5:3389vol_netscan
Raw tool output · 6e7b21f9db76f724fcb16f9bf65a79c5be53e861
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63958, "Offset": 154518756274192, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}▣network connection factpid:9088vol_netscan›
network connection fact
pid:9088vol_netscan
Raw tool output · 5ff044be3e6e0538d23b1ce4e375aee7905bf59c
{"Created": "2018-08-30T13:55:00+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 1900, "Offset": 154518760493072, "Owner": "svchost.exe", "PID": 9088, "Proto": "UDPv4", "State": "", "TreeDepth": 0}•network connection factnet:172.16.6.11:50254-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:50254-172.16.4.10:8080vol_netscan
Raw tool output · 21d0b079670960346cbf62318b356b9b83230116
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50254, "Offset": 154518766804144, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}•network connection factnet:172.16.6.11:50258-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:50258-172.16.4.10:8080vol_netscan
Raw tool output · 063cb3cd2c0c96a76efc4bb37108c4b4bc2cca8d
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50258, "Offset": 154518774604992, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}•network connection factnet:172.16.6.11:3262-172.16.5.50:39372vol_netscan›
network connection fact
net:172.16.6.11:3262-172.16.5.50:39372vol_netscan
Raw tool output · f3681a99312046d05d017452339a36616bda5e39
{"Created": null, "ForeignAddr": "172.16.5.50", "ForeignPort": 39372, "LocalAddr": "172.16.6.11", "LocalPort": 3262, "Offset": 154518785087184, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}▣network connection factpid:1096vol_netscan›
network connection fact
pid:1096vol_netscan
Raw tool output · 61b678dd25041e53d481ea4b7d5d01874e6ac55f
{"Created": "2018-09-06T18:28:32+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3262, "Offset": 154518787381776, "Owner": "subject_srv.ex", "PID": 1096, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}▣network connection factpid:1096vol_netscan›
network connection fact
pid:1096vol_netscan
Raw tool output · ad85a3557e89d6ccf531daafab369c4432e9e35d
{"Created": "2018-09-06T18:28:32+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3262, "Offset": 154518787381776, "Owner": "subject_srv.ex", "PID": 1096, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}•network connection factnet:172.16.6.11:56345-172.16.4.4:389vol_netscan›
network connection fact
net:172.16.6.11:56345-172.16.4.4:389vol_netscan
Raw tool output · a06e6c11912b6fd9cf66931a52d3965c0e44029a
{"Created": null, "ForeignAddr": "172.16.4.4", "ForeignPort": 389, "LocalAddr": "172.16.6.11", "LocalPort": 56345, "Offset": 154518791757840, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:63848-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63848-172.16.4.5:3389vol_netscan
Raw tool output · c287666702eb8f1a5812e152a6ca658068dd7b24
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63848, "Offset": 154518792675744, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:63823-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63823-172.16.4.5:3389vol_netscan
Raw tool output · 24bc6ebbe4d10f91ce96ca8921b39e7e33782e2f
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63823, "Offset": 154518804605376, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:63841-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63841-172.16.4.5:3389vol_netscan
Raw tool output · 419365dd4d760daf13900223644b67a1fe7ad7a7
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63841, "Offset": 154518806287488, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:63835-172.16.4.5:3389vol_netscan›
network connection fact
net:172.16.6.11:63835-172.16.4.5:3389vol_netscan
Raw tool output · e86027055d20ad56a1baecd5f41c330f26ba1e69
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63835, "Offset": 154518820071680, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:445-172.16.6.14:65368vol_netscan›
network connection fact
net:172.16.6.11:445-172.16.6.14:65368vol_netscan
Raw tool output · a19cc14d223a05f1dda6f207bfdb770e5df5bbf8
{"Created": null, "ForeignAddr": "172.16.6.14", "ForeignPort": 65368, "LocalAddr": "172.16.6.11", "LocalPort": 445, "Offset": 154518820254832, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}•network connection factnet:172.16.6.11:63931-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:63931-172.16.4.10:8080vol_netscan
Raw tool output · b952b56ef64df8581e1aa604faaacb30bb3f85bd
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 63931, "Offset": 154518826270736, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:49790-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:49790-172.16.4.10:8080vol_netscan
Raw tool output · 3f36c971b486b7ff307956461dd2d61654777753
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49790, "Offset": 154518828363792, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:49787-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:49787-172.16.4.10:8080vol_netscan
Raw tool output · e392f5b73c6f58acd8bcfbe3d21a21608a73493a
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49787, "Offset": 154518829561024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}•network connection factnet:172.16.6.11:49360-52.16.55.11:443vol_netscan›
network connection fact
net:172.16.6.11:49360-52.16.55.11:443vol_netscan
Raw tool output · 0970c338a07a54d32016c46c5470dfb476d0b791
{"Created": null, "ForeignAddr": "52.16.55.11", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 49360, "Offset": 154518829570624, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:49735-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:49735-172.16.4.10:8080vol_netscan
Raw tool output · a3d6adec60488c187a6d12c31139174433984f05
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49735, "Offset": 154518833790992, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:65294-172.16.5.20:443vol_netscan›
network connection fact
net:172.16.6.11:65294-172.16.5.20:443vol_netscan
Raw tool output · 23d50e5d62f96012434d891394333cb91e3ec70d
{"Created": null, "ForeignAddr": "172.16.5.20", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 65294, "Offset": 154518834879664, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:49791-172.16.5.21:5985vol_netscan›
network connection fact
net:172.16.6.11:49791-172.16.5.21:5985vol_netscan
Raw tool output · 93af04c5a34a0af5441fe618fdda658fc0872e0d
{"Created": null, "ForeignAddr": "172.16.5.21", "ForeignPort": 5985, "LocalAddr": "172.16.6.11", "LocalPort": 49791, "Offset": 154518835141808, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}•network connection factnet:172.16.6.11:49786-172.16.4.10:8080vol_netscan›
network connection fact
net:172.16.6.11:49786-172.16.4.10:8080vol_netscan
Raw tool output · 0cc280c297fb251385dbd928ce5126267bb989f9
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49786, "Offset": 154518847709200, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}•network ioc fact172.16.6.11extract_network_iocs›
network ioc fact
172.16.6.11extract_network_iocs
Raw tool output · 68f14fd4fad8ecb4e951f3c801abfcdf20d4118c
{"type": "ipv4", "value": "172.16.6.11", "original_value": "172.16.6.11", "classification": "private", "port": null, "source_tools": ["vol_netscan"], "sources": [{"source_tool": "vol_netscan", "source_field": "LocalAddr", "source_index": 9, "source_path": "vol_netscan.output[9].LocalAddr", "context": "172.16.6.11", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "LocalAddr", "source_index": 10, "source_path": "vol_netscan.output[10].LocalAddr", "context": "172.16.6.11", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "LocalAddr", "source_index": 13, "source_path": "vo▣process factpid:1096vol_psscan›
process fact
pid:1096vol_psscan
Raw tool output · 5a4143d0a265feb6053585c9b30adca0e101ff4f
{"CreateTime": "2018-09-06T18:28:30+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "subject_srv.ex", "Offset(V)": 154518835576960, "PID": 1096, "PPID": 740, "SessionId": 0, "Threads": 11, "Wow64": true, "TreeDepth": 0}▣process relationship factpid:1096->pid:740vol_psscanvol_pstree›
process relationship fact
pid:1096->pid:740vol_psscanvol_pstree
Raw tool output · fee2c0f8d9266a2533ddca1a7c89a95b2a286227
{"CreateTime": "2018-09-06T18:28:30+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "subject_srv.ex", "Offset(V)": 154518835576960, "PID": 1096, "PPID": 740, "SessionId": 0, "Threads": 11, "Wow64": true, "TreeDepth": 0}Source tools
get_amcachevol_cmdlinevol_netscanvol_pstree