The changed_files_windows_sophos provides information on all new or updated executables from the windows devices that have information in the data lake.
NOTE: global_rep and global_rep data only has information for executables with some level of suspicion. Similarly the ml_score and ml_score_data is filled in when we hae a machine learning evaluation of the executable. (NOTE TO DEV: We need to document the Reputation, ML, PUA score information and describe the JSON blobs for each)
We extend the changed_files_windows_sophos query results with the common decorations, generic and data lake information available for all scheduled queries.
changed_files_windows_sophos Scheduled Query
| core_file_info | string | Core file info |
| ctime | long | Time of the change event |
| file_size | long | File size now |
| filename | string | Name of the file that has changed |
| global_rep | int | The machine learning global reputation now |
| global_rep_data | string | All global reputation data |
| local_rep | int | The machine learning local reputation now |
| local_rep_data | string | All local reputation now |
| ml_score | int | The machine learning malware score now |
| ml_score_data | string | All ML score data |
| path | string | Full path to the value |
| pua_score | int | The machine learning PUA score now |
| sha1 | string | SHA1 of the file now |
| sha256 | string | SHA256 of the file now |
-- changed_files_windows_sophos INFO SELECT -- Device ID DETAILS meta_hostname, meta_ip_address, -- Query Details query_name, core_file_info, ctime, file_size, filename, global_rep, global_rep_data, local_rep, local_rep_data, ml_score, ml_score_data, path, pua_score, sha1, sha256, -- Decoration meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username, --- Generic calendar_time, counter, epoch, host_identifier, numerics osquery_action, unix_time, -- Data Lake customer_id, endpoint_id, upload_size FROM xdr_data WHERE query_name = 'changed_files_windows_sophos'
RESULTS
+-----------------+-------------------+------------------------------+------------------------------------------------+------------+-------------+----------------------------------------------------------------------+--------------+-----------------------------------------------------------------------------------------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+-------------+------------------------------------------+------------------------------------------------------------------+------------------+--------------------------------------+----------------------+----------------+--------------------+------------------------------+--------------------+----------------+-------------------+------------------+---------------------------+-----------------+----------------------+-----------+------------+-------------------+------------------+----------------------+--------------------------------------+--------------------------------------+---------------+
| meta_hostname | meta_ip_address | query_name | core_file_info | ctime | file_size | filename | global_rep | global_rep_data | local_rep | local_rep_data | ml_score | ml_score_data | path | pua_score | sha1 | sha256 | meta_boot_time | meta_eid | meta_endpoint_type | meta_ip_mask | meta_mac_address | meta_os_name | meta_os_platform | meta_os_type | meta_os_version | meta_public_ip | meta_query_pack_version | meta_username | calendar_time | counter | epoch | host_identifier | osquery_action | unix_time | customer_id | endpoint_id | upload_size |
|-----------------+-------------------+------------------------------+------------------------------------------------+------------+-------------+----------------------------------------------------------------------+--------------+-----------------------------------------------------------------------------------------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------+-------------+------------------------------------------+------------------------------------------------------------------+------------------+--------------------------------------+----------------------+----------------+--------------------+------------------------------+--------------------+----------------+-------------------+------------------+---------------------------+-----------------+----------------------+-----------+------------+-------------------+------------------+----------------------+--------------------------------------+--------------------------------------+---------------|
| Victim1-EDR | 192.168.100.164 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602043283 | 2373104 | setup.exe | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Google LLC","FileDescription":"Google Chrome Installer","FileVersion":"85.0.4183.121","InternalName":"setup","LegalCopyright":"Copyright 2020 Google LLC. All rights reserved.","ProductName":"Google Chrome Installer","ProductVersion":"85.0.4183.121"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Google LLC","thumbprint":"3ca4fc0489e3e25b1a6a8514a9486b257fd8b80b9f3181af20a34fa9ef5ab282"}]},"sampleRate":10000,"sfsVersion":17236689,"version":1} | 7 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":7,"pePuaScore":17,"vdlFlags":0,"version":2} | C:\Windows\Temp\CR_D0A1F.tmp\setup.exe | 17 | fd662a8d9101a5d45525b83a8e1a009256465ec2 | 6f9dd4196c1c20a2178f5bee1a96f03dc08582985c9eeaf102ccf0a401ca0576 | 1601905070 | 3d5d8411-6066-04f4-4872-ec787ed9b973 | computer | 255.255.255.0 | 00:50:56:25:94:3c | Microsoft Windows 7 Ultimate | windows | client | 6.1.7601 | 73.69.54.187 | 1.1.12 | test | 2020-10-07T04:04:57Z | 226 | 1601805150 | Victim1-EDR | False | 2020-10-07T04:04:57Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | d3d54811-0666-404f-8427-ce87e79d9b37 | 2017 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1601985719 | 1803784 | 24f0be87dccdb499bd2160a6ab7f0a60a0c88ab8392f9f3c8de330a729789407.tmp | | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Sophos Limited","FileDescription":"Sophos File Scanner Service","FileVersion":"1.7.721.0","InternalName":"SophosFS.exe","LegalCopyright":"Copyright 1989-2020 Sophos Limited. All rights reserved.","OriginalFilename":"SophosFS.exe","ProductName":"Sophos File Scanner","ProductVersion":"1.7"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 5 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":5,"pePuaScore":11,"vdlFlags":0,"version":2} | C:\Windows\Temp\24f0be87dccdb499bd2160a6ab7f0a60a0c88ab8392f9f3c8de330a729789407.tmp | 11 | a8499a01851f4ec3840d36fe8a74d31c2b7fb83c | 0e4d00a4f9cb8ef34d8e830e017d278d7eb9b0f5507b7327ecf0f0eb3bd86745 | 1601472790 | eface84e-4db6-344f-a89d-90801856834f | | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-06T12:08:19Z | 686 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-06T12:08:19Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2168 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1601985719 | 3117760 | 817c7f33c0147bddd7e4981ca7da586a8f57e376e597765def15f8ff8c6e1fcd.tmp | | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Sophos Limited","FileDescription":"Sophos File Scanner","FileVersion":"1.7.721.0","InternalName":"SophosFileScanner.exe","LegalCopyright":"Copyright 1989-2020 Sophos Limited. All rights reserved.","OriginalFilename":"SophosFileScanner.exe","ProductName":"Sophos File Scanner","ProductVersion":"1.7"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 6 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":6,"pePuaScore":12,"vdlFlags":0,"version":2} | C:\Windows\Temp\817c7f33c0147bddd7e4981ca7da586a8f57e376e597765def15f8ff8c6e1fcd.tmp | 12 | 87089666810c57880a4aa73ffa1e840f01108dcd | 28d4f27956081b498ac0e56a414c824690cb9c6404cbdc7a5b0b9895c18233a0 | 1601472790 | eface84e-4db6-344f-a89d-90801856834f | | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-06T12:08:19Z | 686 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-06T12:08:19Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2178 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1601985719 | 1803272 | b5ea99ee6c0334663460adc13f2ce61271d7c41f084b917f7d284ec895ec3419.tmp | | | 91 | {"configVersion":"72369f0be2933ffa66a5c1675ca640aa178bc0eecf1f1d1671bb109f3b1edba9","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Sophos Limited","FileDescription":"Sophos File Scanner uninstaller","FileVersion":"1.7.721.0","InternalName":"Uninstall.exe","LegalCopyright":"Copyright 1989-2020 Sophos Limited. All rights reserved.","OriginalFilename":"Uninstall.exe","ProductName":"Sophos File Scanner","ProductVersion":"1.7"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 6 | {"configVersion":"34e70ee9f4748024619d2ea8b607e99f04ced7b4e3b74ed9efbad297f733072d","expireTime":0,"peMalwareScore":6,"pePuaScore":11,"vdlFlags":0,"version":2} | C:\Windows\Temp\b5ea99ee6c0334663460adc13f2ce61271d7c41f084b917f7d284ec895ec3419.tmp | 11 | 522c3bd2769dd919eef8cdf2fda152657fa748f0 | 26684c8a867d11df52d07e87aaad0cc8b5a6621e6acd9fc66c909a631e5b2fea | 1601472790 | eface84e-4db6-344f-a89d-90801856834f | | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-06T12:08:19Z | 686 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-06T12:08:19Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2174 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1601985719 | 382928 | dfe423c5a34e98e30a0507bdc54b876bc04cfb55d56042c12e14a1ae73457130.tmp | | | 91 | {"configVersion":"72369f0be2933ffa66a5c1675ca640aa178bc0eecf1f1d1671bb109f3b1edba9","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Sophos Limited","FileDescription":"Sophos File Scanner Telemetry","FileVersion":"1.7.721.0","InternalName":"SophosFSTelemetry.exe","LegalCopyright":"Copyright 1989-2020 Sophos Limited. All rights reserved.","OriginalFilename":"SophosFSTelemetry.exe","ProductName":"Sophos File Scanner","ProductVersion":"1.7"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 6 | {"configVersion":"34e70ee9f4748024619d2ea8b607e99f04ced7b4e3b74ed9efbad297f733072d","expireTime":0,"peMalwareScore":6,"pePuaScore":15,"vdlFlags":0,"version":2} | C:\Windows\Temp\dfe423c5a34e98e30a0507bdc54b876bc04cfb55d56042c12e14a1ae73457130.tmp | 15 | fd422c2e8c165ce7b6e0ebbb3a00c5d78ff9754a | 7ba229aa6a32b08e249d38a43dc4bed580699fc9a9112c2449419f95bcc1d723 | 1601472790 | eface84e-4db6-344f-a89d-90801856834f | | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-06T12:08:19Z | 686 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-06T12:08:19Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2187 |
| Victim4-Win10 | 192.168.100.162 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602421273 | 841016 | CbsProvider.dll | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Package Provider","FileVersion":"10.0.18362.900 (WinBuild.160101.0800)","InternalName":"CbsProvider.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"CbsProvider.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.900"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":3,"pePuaScore":15,"vdlFlags":0,"version":2} | C:\Windows\Temp\5B429AB7-2917-40C4-BC9E-77EFEB35CF24\CbsProvider.dll | 15 | c91fd3359411db33538ea1cef0c98a9750518726 | 80de3b857cb9e8b16eed351f2cbdd2ce4eeddbe95d77ddd2ff649abb10c54a0b | 1601910645 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T13:05:08Z | 334 | 1602321709 | Victim4-Win10 | False | 2020-10-11T13:05:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2174 |
| Victim4-Win10 | 192.168.100.162 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602421273 | 181288 | DismCorePS.dll | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DismCore Proxy Stub","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"DismProvPS.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DismProvPS.DLL","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"9b8fdf4d32972e0f17a78a6dd24b418c7b888c89cd0aac350bba0f7f5c3190a3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 1 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":1,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Windows\Temp\5B429AB7-2917-40C4-BC9E-77EFEB35CF24\DismCorePS.dll | 16 | 5e64cbf111c555975baa906e96e2b8b1262d4f8e | 686abf941aa328a138344b1c2c449c0d9e28ae4835f4b0d6c50f3fa20d107ca1 | 1601910645 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T13:05:08Z | 334 | 1602321709 | Victim4-Win10 | False | 2020-10-11T13:05:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2164 |
| Victim4-Win10 | 192.168.100.162 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602421273 | 136712 | DismHost.exe | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"Dism Host Servicing Process","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"dismhost","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DismHost.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"9b8fdf4d32972e0f17a78a6dd24b418c7b888c89cd0aac350bba0f7f5c3190a3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 4 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":4,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Windows\Temp\5B429AB7-2917-40C4-BC9E-77EFEB35CF24\DismHost.exe | 16 | 6d2bb75f77fa1fa5071d88eb147f7ee30a006510 | 5108587a0713975bbd79a0e1a56b0dd0d0e63d89d7b681d1e0bf7979e21080b0 | 1601910645 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T13:05:08Z | 334 | 1602321709 | Victim4-Win10 | False | 2020-10-11T13:05:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2160 |
| Victim4-Win10 | 192.168.100.162 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602421273 | 248120 | DismProv.dll | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Provider Store","FileVersion":"10.0.18362.900 (WinBuild.160101.0800)","InternalName":"DismProv.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DismProv.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.900"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Windows\Temp\5B429AB7-2917-40C4-BC9E-77EFEB35CF24\DismProv.dll | 16 | 0334b5eae7de67e772948f94913f190cdd4c0075 | b2430ecf003606cfdfeb008f987d1d1cbf9d016a616fd04918c6815ffa07ffb8 | 1601910645 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T13:05:08Z | 334 | 1602321709 | Victim4-Win10 | False | 2020-10-11T13:05:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2160 |
| Victim4-Win10 | 192.168.100.162 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602421273 | 77328 | LogProvider.dll | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Logging Provider","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"LogProvider.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"LogProvider.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"9b8fdf4d32972e0f17a78a6dd24b418c7b888c89cd0aac350bba0f7f5c3190a3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":3,"pePuaScore":14,"vdlFlags":0,"version":2} | C:\Windows\Temp\5B429AB7-2917-40C4-BC9E-77EFEB35CF24\LogProvider.dll | 14 | 9c9718fc48f3acf1eb7d33d445b7cb62659ddd99 | 601cdb1064dfb25f15e10da892b181a458f4cc3cc98927df0a2e5d67255a6ae3 | 1601910645 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T13:05:08Z | 334 | 1602321709 | Victim4-Win10 | False | 2020-10-11T13:05:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2169 |
| Victim4-Win10 | 192.168.100.162 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602421273 | 144912 | OSProvider.dll | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM OS Services Provider","FileVersion":"10.0.18362.719 (WinBuild.160101.0800)","InternalName":"OSProvider.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"OSProvider.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.719"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"e866d202865ed3d83c35dff4cde3a2d0fc1d2b17c084e8b26dd0ca28a8c75cfb"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Windows\Temp\5B429AB7-2917-40C4-BC9E-77EFEB35CF24\OSProvider.dll | 16 | 020f434ba97cd0df2c1eebd2ba8a2e1513d5c891 | d1b6e809ff9fdf453754e2a470bbb15f111d08eb492b6e9d0638cbf44d54db69 | 1601910645 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-11T13:05:08Z | 334 | 1602321709 | Victim4-Win10 | False | 2020-10-11T13:05:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2174 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602606126 | 2321704 | Cisco_WebEx_Add-On.exe | 0 | | 81 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"Cisco WebEx LLC","thumbprint":"26cedfe2683f553dc0163311cbfc0d01110e295a75d6419a543cfffab67d98d9"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Cisco WebEx LLC","thumbprint":"26cedfe2683f553dc0163311cbfc0d01110e295a75d6419a543cfffab67d98d9"}]},"sampleRate":100,"sfsVersion":17236689,"version":1} | 7 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":7,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\kacke\Desktop\Cisco_WebEx_Add-On.exe | 16 | a314d23cd7b291285e370436a2dfb1118a2f13a2 | 6c6c1bbba271fe2c2801645814ed4d18a38b66aba5a3198bd599c8d1f1bd8905 | 1601472786 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T16:28:21Z | 1026 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-13T16:28:21Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 1960 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602606126 | 2321704 | Cisco_WebEx_Add-On.exe | 0 | | 81 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"Cisco WebEx LLC","thumbprint":"26cedfe2683f553dc0163311cbfc0d01110e295a75d6419a543cfffab67d98d9"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Cisco WebEx LLC","thumbprint":"26cedfe2683f553dc0163311cbfc0d01110e295a75d6419a543cfffab67d98d9"}]},"sampleRate":100,"sfsVersion":17236689,"version":1} | 7 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":7,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\kacke\Desktop\OLD DESKTOP\Cisco_WebEx_Add-On.exe | 16 | a314d23cd7b291285e370436a2dfb1118a2f13a2 | 6c6c1bbba271fe2c2801645814ed4d18a38b66aba5a3198bd599c8d1f1bd8905 | 1601472786 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T16:28:21Z | 1026 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-13T16:28:21Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 1973 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602606125 | 1572344 | SophosSetup.exe | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Sophos Limited","FileDescription":"Sophos Setup","FileVersion":"1.9.100.0","InternalName":"SophosSetup.exe","LegalCopyright":"Copyright 1989-2020 Sophos Limited.","OriginalFilename":"SophosSetup.exe","ProductName":"Sophos Setup","ProductVersion":"1.9"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 8 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":8,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\kacke\Desktop\OLD DESKTOP\SophosSetup.exe | 16 | d47cf485d27680f60384ce31bb7a2adf42ca6152 | ed52413f63f19c80ce50985eebd215bff49c2995fc4e9997d2ddf1170f640365 | 1601472786 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T16:28:21Z | 1026 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-13T16:28:21Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2047 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602606125 | 1572344 | SophosSetup.exe | 0 | | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Sophos Limited","FileDescription":"Sophos Setup","FileVersion":"1.9.100.0","InternalName":"SophosSetup.exe","LegalCopyright":"Copyright 1989-2020 Sophos Limited.","OriginalFilename":"SophosSetup.exe","ProductName":"Sophos Setup","ProductVersion":"1.9"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 8 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":8,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\kacke\Desktop\SophosSetup.exe | 16 | d47cf485d27680f60384ce31bb7a2adf42ca6152 | ed52413f63f19c80ce50985eebd215bff49c2995fc4e9997d2ddf1170f640365 | 1601472786 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T16:28:21Z | 1026 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-13T16:28:21Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2034 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602606126 | 26777232 | python-3.8.5.exe | 0 | | 71 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":128,"lookupType":7,"reputation":71,"reputationData":{"details":{"CompanyName":"Python Software Foundation","FileDescription":"Python 3.8.5 (32-bit)","FileVersion":"3.8.5150.0","InternalName":"setup","LegalCopyright":"Copyright (c) Python Software Foundation. All rights reserved.","OriginalFilename":"python-3.8.5.exe","ProductName":"Python 3.8.5 (32-bit)","ProductVersion":"3.8.5150.0"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":128,"isValid":true,"signatureLocation":0,"signer":"Python Software Foundation","thumbprint":"7793a3110357540ec2cadc9f5956ffe8965dbb50b37c35e9d42ae0282af440f6"}]},"sampleRate":10,"sfsVersion":17236689,"version":1} | 6 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":6,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\kacke\Desktop\OLD DESKTOP\python-3.8.5.exe | 16 | 3aa5a0bb797977f5d26a39785ae4d87bb52023d3 | f5fe57aeaa90ff4c5afed629b51880b53e4cabd0ebcadb33f56ca56fa1654de8 | 1601472786 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T16:28:21Z | 1026 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-13T16:28:21Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2120 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602606126 | 26777232 | python-3.8.5.exe | 0 | | 71 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":128,"lookupType":7,"reputation":71,"reputationData":{"details":{"CompanyName":"Python Software Foundation","FileDescription":"Python 3.8.5 (32-bit)","FileVersion":"3.8.5150.0","InternalName":"setup","LegalCopyright":"Copyright (c) Python Software Foundation. All rights reserved.","OriginalFilename":"python-3.8.5.exe","ProductName":"Python 3.8.5 (32-bit)","ProductVersion":"3.8.5150.0"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":128,"isValid":true,"signatureLocation":0,"signer":"Python Software Foundation","thumbprint":"7793a3110357540ec2cadc9f5956ffe8965dbb50b37c35e9d42ae0282af440f6"}]},"sampleRate":10,"sfsVersion":17236689,"version":1} | 6 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":6,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\kacke\Desktop\python-3.8.5.exe | 16 | 3aa5a0bb797977f5d26a39785ae4d87bb52023d3 | f5fe57aeaa90ff4c5afed629b51880b53e4cabd0ebcadb33f56ca56fa1654de8 | 1601472786 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T16:28:21Z | 1026 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-13T16:28:21Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2107 |
| DESKTOP-RB61UC8 | 192.168.1.173 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602606127 | 4782232 | webex.exe | 30 | {"expireTime":132470800399399561,"lookupType":1,"reputation":30,"reputationData":"","sampleRate":1,"version":1} | -1 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":0,"lookupType":0,"reputation":-1,"reputationData":{"details":{"CompanyName":"Cisco Webex LLC","FileDescription":"Cisco Webex Meeting","FileVersion":"10051,7,2020,0714","InternalName":"CiscoWebExStart","LegalCopyright":"\u00a9 2019 Cisco and/or its affiliates. All rights reserved.","OriginalFilename":"CiscoWebExStart.exe","ProductName":"Cisco Webex Meeting","ProductVersion":"10051,7,2020,0714"},"isSigned":false,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":false,"signatureLocation":0,"signer":"Cisco WebEx LLC","thumbprint":"133667a64977a1152c138afad7a160b5523b6f724e9f61d905397cc9ce1fbf59"}]},"sampleRate":0,"sfsVersion":17236689,"version":1} | 8 | {"configVersion":"d38fc0782b2278da06a7babf2373f70d66af922960a61aff40300b4c7695062d","expireTime":0,"peMalwareScore":8,"pePuaScore":17,"vdlFlags":0,"version":2} | C:\Users\kacke\Desktop\OLD DESKTOP\REFI\webex.exe | 17 | 649c97422f2910fe943cd53231e78fd62a07cef0 | 00c5f48063af8c524c51b292ea22d0308cacfcacfa24db46b57a8ba406bee7f9 | 1601472786 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-13T16:28:21Z | 1026 | 1602286841 | DESKTOP-RB61UC8 | False | 2020-10-13T16:28:21Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2238 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 525112 | AppxProvider.dll | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM App Package (.appx) Provider","FileVersion":"10.0.18362.997 (WinBuild.160101.0800)","InternalName":"AppxProvider.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"AppxProvider.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.997"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\AppxProvider.dll | 16 | b5b4633a49c38893c143386ffbb0a9a258e9c064 | ea9c0fdc4a20996771c25312bd261cf9a318f07da1ee1ef6a1f419a3e188e6a1 | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2211 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 114488 | AssocProvider.dll | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Assoc Provider","FileVersion":"10.0.18362.900 (WinBuild.160101.0800)","InternalName":"AssocProvider.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"AssocProvider.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.900"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":3,"pePuaScore":13,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\AssocProvider.dll | 13 | f0d97222a187ac9620e6f34a653c5ea49f0f6835 | 988e40bba7990d1fa6b59fa710a9182ca80e1e19ff72e557755a92234bcf2e7a | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2201 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 841016 | CbsProvider.dll | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Package Provider","FileVersion":"10.0.18362.900 (WinBuild.160101.0800)","InternalName":"CbsProvider.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"CbsProvider.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.900"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":3,"pePuaScore":15,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\CbsProvider.dll | 15 | c91fd3359411db33538ea1cef0c98a9750518726 | 80de3b857cb9e8b16eed351f2cbdd2ce4eeddbe95d77ddd2ff649abb10c54a0b | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2195 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 389432 | DismCore.dll | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Core Framework","FileVersion":"10.0.18362.900 (WinBuild.160101.0800)","InternalName":"DismCore.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DismCore.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.900"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\DismCore.dll | 16 | ce939f6b14ae13e1860016d4ebdd6dadaaf9e7e2 | 155f42eb7a362a7b8d2f2cdc550a935f243e38017b1e102c7120994b0dc7544f | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2181 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 181288 | DismCorePS.dll | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DismCore Proxy Stub","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"DismProvPS.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DismProvPS.DLL","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"9b8fdf4d32972e0f17a78a6dd24b418c7b888c89cd0aac350bba0f7f5c3190a3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 1 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":1,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\DismCorePS.dll | 16 | 5e64cbf111c555975baa906e96e2b8b1262d4f8e | 686abf941aa328a138344b1c2c449c0d9e28ae4835f4b0d6c50f3fa20d107ca1 | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2185 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 136712 | DismHost.exe | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"Dism Host Servicing Process","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"dismhost","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DismHost.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"9b8fdf4d32972e0f17a78a6dd24b418c7b888c89cd0aac350bba0f7f5c3190a3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 4 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":4,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\DismHost.exe | 16 | 6d2bb75f77fa1fa5071d88eb147f7ee30a006510 | 5108587a0713975bbd79a0e1a56b0dd0d0e63d89d7b681d1e0bf7979e21080b0 | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2181 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 248120 | DismProv.dll | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Provider Store","FileVersion":"10.0.18362.900 (WinBuild.160101.0800)","InternalName":"DismProv.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DismProv.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.900"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\DismProv.dll | 16 | 0334b5eae7de67e772948f94913f190cdd4c0075 | b2430ecf003606cfdfeb008f987d1d1cbf9d016a616fd04918c6815ffa07ffb8 | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2181 |
| Victim5-Win10 | 192.168.100.129 | changed_files_windows_sophos | {"isSavWinPE":true,"isWinPE":true,"version":2} | 1602090661 | 411456 | DmiProvider.dll | 0 | | 91 | {"configVersion":"cb89f02f0e1c42a057a1264416d35768d5b8c9e4aab0db2f97c75779e27d14d1","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"DISM Driver Provider","FileVersion":"10.0.18362.900 (WinBuild.160101.0800)","InternalName":"DmiProvider.dll","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"DmiProvider.dll","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.900"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"d0fcdf880c38244da5736b94b900c93f7a7e59c4c2dcfbbeb40874d4911a0cc1","expireTime":0,"peMalwareScore":3,"pePuaScore":15,"vdlFlags":0,"version":2} | C:\Users\Admin\AppData\Local\Temp\0AC7B65A-CF94-47E9-A205-10E7EAFB2DE3\DmiProvider.dll | 15 | e48e7090d67c9f3f87d62de7ae8d14b8d7920f04 | 938ccb4962c7086379952fcc83c04f92a14cf499a391356f576a8d0ecde0db81 | 1601910607 | 099242c2-3595-94e0-891c-51a7ee2659c8 | computer | 255.255.255.0 | 00:0c:29:56:e8:01 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-07T17:12:54Z | 365 | 1601898679 | Victim5-Win10 | False | 2020-10-07T17:12:54Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | 9029242c-5359-490e-98c1-157aee62958c | 2194 |
