F024LOWBenign / FPvalidator: passed

Remote access service subject_srv.exe listening with external connection

subject_srv.exe listening on port 3262 (F-Response remote tool)

Analyst narrative

candidate cand-0042/cand-0046: subject_srv.exe PID 1096 runs from C:\windows\ and listens on TCP 3262 with established connection from 172.16.5.50. fact_ids=process_fact-0000192, network_connection_fact-0000084/85

Claims asserted

pid-vol_netscanvol_psscanvol_pstree

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

⊞

handle facthandle:pid:1096:event:4

vol_handles

›

Raw tool output · 8e484ccde5f1345001771bbf824b02c7d29e1b80

{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518753469712, "PID": 1096, "Process": "subject_srv.ex", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:waitcompletionpacket:8

vol_handles

›

Raw tool output · 3d9c3e9bf020439942f1a2f33f51fe112707840e

{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518797421568, "PID": 1096, "Process": "subject_srv.ex", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:iocompletion:12

vol_handles

›

Raw tool output · 55380ee6183b1de797affd2cdce389022d4f8bf6

{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518788636800, "PID": 1096, "Process": "subject_srv.ex", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:tpworkerfactory:16

vol_handles

›

Raw tool output · 57fd454efd1ea0cd18b15a86b04eb69622b40dfe

{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518825579952, "PID": 1096, "Process": "subject_srv.ex", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:irtimer:20

vol_handles

›

Raw tool output · 8e5a566ca2d83c518587040a06df46744483eae0

{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518821408864, "PID": 1096, "Process": "subject_srv.ex", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:waitcompletionpacket:24

vol_handles

›

Raw tool output · 64379487c0709335e4e830ed92b433eaa83bbc64

{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518826540128, "PID": 1096, "Process": "subject_srv.ex", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:irtimer:28

vol_handles

›

Raw tool output · a45eadddf26a7bc4362cb987e0396b690a8b2a1a

{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518764971840, "PID": 1096, "Process": "subject_srv.ex", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:waitcompletionpacket:32

vol_handles

›

Raw tool output · b4eae131ccf1491e67c0ed2f34d069c4a1cb0f41

{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518839574208, "PID": 1096, "Process": "subject_srv.ex", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:36

vol_handles

›

Raw tool output · 7ebcb90380303b946df72a2e5a5a099a8a314e36

{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518756472080, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:40

vol_handles

›

Raw tool output · 3f1362bf029db94f14e676603b89f610e3610280

{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518799794064, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:44

vol_handles

›

Raw tool output · 1bc93469a8185f1ef2c62f6dfb78628ab4f494ef

{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518742639792, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:directory:knowndlls

vol_handles

›

Raw tool output · 319aaef7ef3259ca32241a1be4298f8bfe5669b3

{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 1096, "Process": "subject_srv.ex", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:52

vol_handles

›

Raw tool output · 6acd9a7070cab751993a8e874b7ce94cc65bf12b

{"GrantedAccess": 2052, "HandleValue": 52, "Name": null, "Offset": 154518846283888, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:event:56

vol_handles

›

Raw tool output · ec667cbbfd46ac99b9ee08bfca7961717020d23d

{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518685088544, "PID": 1096, "Process": "subject_srv.ex", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:event:60

vol_handles

›

Raw tool output · 6dda60088abb7e16489f428211b50cf5f7f1137f

{"GrantedAccess": 2031619, "HandleValue": 60, "Name": null, "Offset": 154518799423072, "PID": 1096, "Process": "subject_srv.ex", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:file:\device\harddiskvolume2\windows

vol_handles

›

Raw tool output · 3b2cfe1dc747f01eca94c1168867d09996472f8c

{"GrantedAccess": 1048608, "HandleValue": 64, "Name": "\\Device\\HarddiskVolume2\\Windows", "Offset": 154518834090112, "PID": 1096, "Process": "subject_srv.ex", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:event:68

vol_handles

›

Raw tool output · 9f2be305a389224a50f5daa7f3249fee105222ee

{"GrantedAccess": 2031619, "HandleValue": 68, "Name": null, "Offset": 154518732087952, "PID": 1096, "Process": "subject_srv.ex", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:directory:knowndlls32

vol_handles

›

Raw tool output · 8853c17b667b4edbd26640f39b0d02df2c70fe82

{"GrantedAccess": 3, "HandleValue": 72, "Name": "KnownDlls32", "Offset": 229276702275152, "PID": 1096, "Process": "subject_srv.ex", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:waitcompletionpacket:76

vol_handles

›

Raw tool output · 50bf90897b3ebffdc4e0633bf4ee02795e35ac52

{"GrantedAccess": 1, "HandleValue": 76, "Name": null, "Offset": 154518725879520, "PID": 1096, "Process": "subject_srv.ex", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:iocompletion:80

vol_handles

›

Raw tool output · d6138dd0f033268391edb127dce55b6bf7f804d9

{"GrantedAccess": 2031619, "HandleValue": 80, "Name": null, "Offset": 154518740086656, "PID": 1096, "Process": "subject_srv.ex", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:tpworkerfactory:84

vol_handles

›

Raw tool output · 06caf2279cfa414b013cdfb7f20b862c5b78264a

{"GrantedAccess": 983295, "HandleValue": 84, "Name": null, "Offset": 154518834098272, "PID": 1096, "Process": "subject_srv.ex", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:irtimer:88

vol_handles

›

Raw tool output · a8a2a929e362fe9cf503e74dd67bfb0eccbe080c

{"GrantedAccess": 1048578, "HandleValue": 88, "Name": null, "Offset": 154518806026272, "PID": 1096, "Process": "subject_srv.ex", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:waitcompletionpacket:92

vol_handles

›

Raw tool output · f5a446a10febbcf8eb29aaa854f5bc5cdf867324

{"GrantedAccess": 1, "HandleValue": 92, "Name": null, "Offset": 154518760657856, "PID": 1096, "Process": "subject_srv.ex", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:irtimer:96

vol_handles

›

Raw tool output · 67a7575707c52fb1e04917baa7808a7a6eb0dac9

{"GrantedAccess": 1048578, "HandleValue": 96, "Name": null, "Offset": 154518722004784, "PID": 1096, "Process": "subject_srv.ex", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:waitcompletionpacket:100

vol_handles

›

Raw tool output · 6fb601b6792fcac8ea4d99fc454a8ecda9b9a9e3

{"GrantedAccess": 1, "HandleValue": 100, "Name": null, "Offset": 154518801338464, "PID": 1096, "Process": "subject_srv.ex", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:104

vol_handles

›

Raw tool output · 1e963d18ab8e40928e9f725ba15a4ab790c9d577

{"GrantedAccess": 2052, "HandleValue": 104, "Name": null, "Offset": 154518785192848, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:108

vol_handles

›

Raw tool output · d7acfbed3ccd34635854dc5e1642e421c47fc1d6

{"GrantedAccess": 2052, "HandleValue": 108, "Name": null, "Offset": 154518743641088, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:112

vol_handles

›

Raw tool output · ac34682fa684af64474d40a6b8bc8a1228907966

{"GrantedAccess": 2052, "HandleValue": 112, "Name": null, "Offset": 154518730065744, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:event:120

vol_handles

›

Raw tool output · bbacfd5943cc9073273b5e8967d081d6189afb25

{"GrantedAccess": 2031619, "HandleValue": 120, "Name": null, "Offset": 154518743468096, "PID": 1096, "Process": "subject_srv.ex", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:event:124

vol_handles

›

Raw tool output · cb510a1d4e10605f40e2ba80499b74b3d551dacf

{"GrantedAccess": 2031619, "HandleValue": 124, "Name": null, "Offset": 154518827644144, "PID": 1096, "Process": "subject_srv.ex", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:file:\device\harddiskvolume2\windows\syswow64

vol_handles

›

Raw tool output · 267e7264a659577641e223a5503aff273bf3a75e

{"GrantedAccess": 1048608, "HandleValue": 128, "Name": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64", "Offset": 154518721259264, "PID": 1096, "Process": "subject_srv.ex", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:132

vol_handles

›

Raw tool output · ad9f2df6fac4e9f21bda104678968d5a6f695f23

{"GrantedAccess": 2052, "HandleValue": 132, "Name": null, "Offset": 154518827241088, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:136

vol_handles

›

Raw tool output · ca63631e325bfe0bc805359356dec590cefae2d4

{"GrantedAccess": 2052, "HandleValue": 136, "Name": null, "Offset": 154518847192576, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:alpc port:140

vol_handles

›

Raw tool output · 8e20a5dec32cb3391e7e71635f892534d95b6463

{"GrantedAccess": 2031617, "HandleValue": 140, "Name": null, "Offset": 154518786494576, "PID": 1096, "Process": "subject_srv.ex", "Type": "ALPC Port", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:144

vol_handles

›

Raw tool output · ca741eda539f3df6b73be2cdd3ea141a8a9d3286

{"GrantedAccess": 2052, "HandleValue": 144, "Name": null, "Offset": 154518716402400, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:148

vol_handles

›

Raw tool output · 157906adf5ab14fcf8cee7e78f933559502b5f9c

{"GrantedAccess": 2052, "HandleValue": 148, "Name": null, "Offset": 154518793649664, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:152

vol_handles

›

Raw tool output · 30076e30bf65ac15df2aebec6c15840557a36460

{"GrantedAccess": 2052, "HandleValue": 152, "Name": null, "Offset": 154518836134000, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:156

vol_handles

›

Raw tool output · 763352305e4c535ae51ab8c834be73a72750d3e8

{"GrantedAccess": 2052, "HandleValue": 156, "Name": null, "Offset": 154518798271648, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:160

vol_handles

›

Raw tool output · 8fec781621bfe8d2ab448398967e6f14a5260a95

{"GrantedAccess": 2052, "HandleValue": 160, "Name": null, "Offset": 154518828959616, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:iocompletion:164

vol_handles

›

Raw tool output · e6f341e0351f1cef37bf156e4c6eea5c13982c97

{"GrantedAccess": 2031619, "HandleValue": 164, "Name": null, "Offset": 154518825468608, "PID": 1096, "Process": "subject_srv.ex", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:etwregistration:168

vol_handles

›

Raw tool output · 94f7675686b8ee940e14d34529b44d6839d85738

{"GrantedAccess": 2052, "HandleValue": 168, "Name": null, "Offset": 154518704325216, "PID": 1096, "Process": "subject_srv.ex", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:tpworkerfactory:172

vol_handles

›

Raw tool output · 4697fdb03a8a60396c588bf8ce11e4fd21c7e658

{"GrantedAccess": 983295, "HandleValue": 172, "Name": null, "Offset": 154518789521504, "PID": 1096, "Process": "subject_srv.ex", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:directory:basenamedobjects

vol_handles

›

Raw tool output · 584152ff11f6d12f63830abbb73946fee54cabd1

{"GrantedAccess": 15, "HandleValue": 176, "Name": "BaseNamedObjects", "Offset": 229276810769120, "PID": 1096, "Process": "subject_srv.ex", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:irtimer:180

vol_handles

›

Raw tool output · fbe987792a64947f2ff6ee3b4780d347ec697388

{"GrantedAccess": 1048578, "HandleValue": 180, "Name": null, "Offset": 154518827535424, "PID": 1096, "Process": "subject_srv.ex", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:waitcompletionpacket:184

vol_handles

›

Raw tool output · b8ece8106241e158e9642e32cf17d61fced1ac84

{"GrantedAccess": 1, "HandleValue": 184, "Name": null, "Offset": 154518784239584, "PID": 1096, "Process": "subject_srv.ex", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1096:irtimer:188

vol_handles

›

Raw tool output · 105d5b98e0d77dfd4c3003204e73d1640ae63141

{"GrantedAccess": 1048578, "HandleValue": 188, "Name": null, "Offset": 154518835146848, "PID": 1096, "Process": "subject_srv.ex", "Type": "IRTimer", "TreeDepth": 0}

▣

network connection factpid:1096

vol_netscan

›

Raw tool output · 61b678dd25041e53d481ea4b7d5d01874e6ac55f

{"Created": "2018-09-06T18:28:32+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3262, "Offset": 154518787381776, "Owner": "subject_srv.ex", "PID": 1096, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}

▣

network connection factpid:1096

vol_netscan

›

Raw tool output · ad85a3557e89d6ccf531daafab369c4432e9e35d

{"Created": "2018-09-06T18:28:32+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3262, "Offset": 154518787381776, "Owner": "subject_srv.ex", "PID": 1096, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}

▣

process factpid:1096

vol_psscan

›

Raw tool output · 5a4143d0a265feb6053585c9b30adca0e101ff4f

{"CreateTime": "2018-09-06T18:28:30+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "subject_srv.ex", "Offset(V)": 154518835576960, "PID": 1096, "PPID": 740, "SessionId": 0, "Threads": 11, "Wow64": true, "TreeDepth": 0}

▣

process relationship factpid:1096->pid:740

vol_psscanvol_pstree

›

Raw tool output · fee2c0f8d9266a2533ddca1a7c89a95b2a286227

{"CreateTime": "2018-09-06T18:28:30+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "subject_srv.ex", "Offset(V)": 154518835576960, "PID": 1096, "PPID": 740, "SessionId": 0, "Threads": 11, "Wow64": true, "TreeDepth": 0}

Source tools

vol_netscanvol_psscanvol_pstree