Retrieve a full summary of a requested filename or hash.

External Documentation

To learn more, visit the EchoTrail documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Query | The name or hash of an endpoint process to look up. Must be a Windows filename with extension, a SHA256 hash of a Windows process, or an MD5 hash of a Windows process. If the search yields no results, the response will include the message: EchoTrail has never observed X executing in the wild. |

Example Output

{
	"description": "Svchost.exe is the name for services that run from dynamic-linked libraries (DLLs). The Service Host... ",
	"rank": 11,
	"host_prev": "95.3",
	"eps": "96.70",
	"paths": [
		[
			"c:\\windows\\system32",
			"99.99"
		],
		[
			"c:\\windows\\syswow64",
			"0.00"
		],
		[
			"c:\\windows\\temp",
			"0.00"
		]
	],
	"parents": [
		[
			"services.exe",
			"99.88"
		],
		[
			"msmpeng.exe",
			"0.11"
		],
		[
			"svchost.exe",
			"0.00"
		]
	],
	"children": [
		[
			"wmiprvse.exe",
			"19.99"
		],
		[
			"backgroundtaskhost.exe",
			"11.60"
		],
		[
			"runtimebroker.exe",
			"6.47"
		],
		[
			"dllhost.exe",
			"6.30"
		]
	],
	"grandparents": [
		[
			"wininit.exe",
			"99.87"
		],
		[
			"services.exe",
			"0.13"
		],
		[
			"explorer.exe",
			"0.00"
		]
	],
	"hashes": [
		[
			"b868487f8edbd0571d30d89573f087bfeac3da190652344afd351b1868ea0f8b",
			"65.81"
		],
		[
			"9f21e51442209bcec0ea4a468ef8a4741685ae204d5063f4c3e45e1f8cf72643",
			"26.25"
		],
		[
			"c9a28dc8004c3e043cbf8e3a194fda2b756ce90740df2175488337281b485f69",
			"4.12"
		],
		[
			"c7db4ae8175c33a47baa3ddfa089fad17bc8e362f21e835d78ab22c9231fe370",
			"1.81"
		],
		[
			"438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7",
			"1.15"
		]
	],
	"network": [
		[
			"443",
			"45.15"
		],
		[
			"80",
			"32.48"
		],
		[
			"5355",
			"0.61"
		],
		[
			"1900",
			"0.39"
		],
		[
			"5353",
			"0.30"
		]
	],
	"intel": "It is normal to see many svchost processes running on a single machine. It usually has elevated privileges and... "
}
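
The following is an added example, not part of the EchoTrail documentation or product code: it compares one observed process event against the summary above and reports attributes that are rare or unlisted. It assumes the second element of each pair is a prevalence percentage; the event field names, the 1.0 threshold, treating unlisted values as rare, and matching the no-results message in any string field are assumptions.

```python
import json

# Constructed sample: trimmed copy of the svchost.exe example output above.
SAMPLE_RESPONSE = json.loads(r"""{
  "rank": 11,
  "paths": [["c:\\windows\\system32", "99.99"], ["c:\\windows\\syswow64", "0.00"],
            ["c:\\windows\\temp", "0.00"]],
  "parents": [["services.exe", "99.88"], ["msmpeng.exe", "0.11"], ["svchost.exe", "0.00"]],
  "grandparents": [["wininit.exe", "99.87"], ["services.exe", "0.13"], ["explorer.exe", "0.00"]]
}""")

RARE_THRESHOLD = 1.0  # percent; assumed cut-off, tune for your environment
# Hypothetical event field name -> key in the summary response.
FIELDS = {"path": "paths", "parent": "parents", "grandparent": "grandparents"}


def never_observed(response):
    """True if the response carries the documented no-results message.
    The page does not name the field, so every string value is checked (assumption)."""
    return any(isinstance(v, str) and "has never observed" in v
               for v in response.values())


def prevalence(pairs, value):
    """Return the percentage for value in a [[name, pct], ...] list, or None if unlisted."""
    wanted = value.strip().lower().rstrip("\\")
    for name, pct in pairs:
        if name.lower() == wanted:
            return float(pct)
    return None


def rare_attributes(response, event, threshold=RARE_THRESHOLD):
    """Return (field, observed value, prevalence or None) for each event
    attribute that is below the threshold or absent from the summary."""
    findings = []
    for event_key, response_key in FIELDS.items():
        observed = event.get(event_key)
        if observed is None:
            continue
        pct = prevalence(response.get(response_key, []), observed)
        if pct is None or pct < threshold:
            findings.append((event_key, observed, pct))
    return findings


if __name__ == "__main__":
    # Constructed event: svchost.exe launched from a temp directory by explorer.exe.
    event = {"path": "C:\\Windows\\Temp", "parent": "explorer.exe", "grandparent": "wininit.exe"}
    for field, value, pct in rare_attributes(SAMPLE_RESPONSE, event):
        print(f"{field}: {value} prevalence={pct}")
```

Call `never_observed` first: a process EchoTrail has no data for returns no lists, so every attribute would otherwise be reported as unlisted.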

Workflow Library Example

Insights Search with Echotrail and Send Results Via Email
