Veritas

Cross-case IOC pivot

Type any entity - a hash, IP, PID, registry key - and see every case it appears in. This is one indexed Aurora query across the entire corpus; the file-based engine cannot do it.

Showing entities that appear in more than one case.

EntityKindCasesFactsSeen in
8128pid312
rd01 (rerun)rd01 (golden)rd01 (opus)
8712pid312
rd01 (rerun)rd01 (golden)rd01 (opus)
1096pid39
rd01 (rerun)rd01 (golden)rd01 (opus)
8260pid37
rd01 (rerun)rd01 (golden)rd01 (opus)
sysvol/windows/temp/ncpa-2.0.4.exeappcompatcache36
rd01 (rerun)rd01 (golden)rd01 (opus)
6036pid36
rd01 (rerun)rd01 (golden)rd01 (opus)
7868pid36
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:irtimer:28handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:104handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:tpworkerfactory:16handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:40handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:108handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:112handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:132handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:directory:knowndlls32handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:directory:knowndllshandle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:2216cmdline33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:152handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:156handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:160handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:168handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:36handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:148handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:44handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:52handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:event:120handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:event:124handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:event:4handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:event:56handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:event:60handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:directory:basenamedobjectshandle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:iocompletion:12handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:file:\device\harddiskvolume2\windows\syswow64handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:etwregistration:144handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:iocompletion:164handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:iocompletion:80handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:irtimer:180handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:irtimer:188handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:irtimer:20handle33
rd01 (rerun)rd01 (golden)rd01 (opus)
pid:1096:file:\device\harddiskvolume2\windowshandle33
rd01 (rerun)rd01 (golden)rd01 (opus)