Thanks! Chapter Points have been updated in description!

Hey, if the connection is still live there are many tools, I like using ProcessHacker for that, since I can correlate Ip to the process, and then obvs with PH I can get SO MUCH - parent-child, cert, modules, memory info, strings etc. Just keep in mind that if it's a beacon (ie intermittent connection), it will only show the moment there is a connection, when it disconnects it disappears again. A cool thing about using a GUI/live-update vs netstat in this case is with netstat you'll need to run the command over and over until you happen to run it at the exact moment the connection is live. With Process Hacker you can see a green bar - connections made - and then it turns into a red bar - connection killed. So it really pops, just wait the moment until it's live, you'll see the PID and then you can have at it.