Windows process history
SCHEMA
column | type | description |
cmdline | string | Process command line |
file_size | long | File size now |
gid | long | Group ID (unsigned) of the user running the process |
global_rep | int | The machine learning global reputation now |
global_rep_data | string | All global reputation data |
local_rep | int | The machine learning local reputation now |
local_rep_data | string | All local reputation data |
ml_score | int | The machine learning malware score now |
ml_score_data | string | All ML score data |
name | string | Process name (the executable file name) |
parent | long | Process parent's PID |
parent_name | string | Parent process name |
parent_path | string | The parent process path |
parent_sophos_pid | string | The parent's PID and its start time (pid:FILETIME), together a unique identifier that survives PID reuse |
path | string | Full path to the process executable |
pid | long | Process (or thread) ID |
pua_score | int | The machine learning PUA score now |
sha1 | string | SHA1 of the file now |
sha256 | string | SHA256 of the file now |
sophos_pid | string | The process's PID and its start time (pid:FILETIME), together a unique identifier that survives PID reuse |
time | long | Timestamp of the process event (unix epoch) |
uid | long | User ID of the user running the process |
username | string | Username |
-- running_processes_windows_sophos INFO
SELECT
-- Device ID DETAILS
meta_hostname, meta_ip_address,
-- Query Details
query_name, cmdline, file_size, gid, global_rep, global_rep_data, local_rep, local_rep_data, ml_score, ml_score_data, name, parent, parent_name, parent_path, parent_sophos_pid, path, pid, pua_score, sha1, sha256, sophos_pid, time, uid, username,
-- Decoration
meta_boot_time, meta_eid, meta_endpoint_type, meta_ip_mask, meta_mac_address, meta_os_name, meta_os_platform, meta_os_type, meta_os_version, meta_public_ip, meta_query_pack_version, meta_username,
-- Generic
calendar_time, counter, epoch, host_identifier, osquery_action, unix_time,
-- Data Lake
customer_id, endpoint_id, upload_size
FROM xdr_data
WHERE query_name = 'running_processes_windows_sophos'
RESULTS
| meta_hostname | meta_ip_address | query_name | cmdline | file_size | gid | global_rep | global_rep_data | local_rep | local_rep_data | ml_score | ml_score_data | name | parent | parent_name | parent_path | parent_sophos_pid | path | pid | pua_score | sha1 | sha256 | sophos_pid | time | uid | username | meta_boot_time | meta_eid | meta_endpoint_type | meta_ip_mask | meta_mac_address | meta_os_name | meta_os_platform | meta_os_type | meta_os_version | meta_public_ip | meta_query_pack_version | meta_username | calendar_time | counter | epoch | host_identifier | osquery_action | unix_time | customer_id | endpoint_id | upload_size |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler | 153168 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 81 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"Google Inc","thumbprint":"ba215596c19aec4e1d25d32d284474d6f824228b74621738f6ee2ce603c9ef2f"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Google Inc","thumbprint":"6f3223a7b87056c7c3fcb3b92fa48352d4d2e65a489ec165b86ffce29b84e711"}]},"sampleRate":100,"sfsVersion":17236689,"version":1} | 15 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":15,"pePuaScore":16,"vdlFlags":0,"version":2} | GoogleUpdate.exe | 1680 | svchost.exe | C:\Windows\System32\svchost.exe | 1680:132459464089250157 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | 17748 | 16 | ae73b2e2ea5dca80c5a98907a6786124edaa7623 | f1f67830fc3531dfbdaf5315f59422438ab9f243d89491ac75d1818e7ed98b5d | 17748:132466959538161979 | 1602222353 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:50:40Z | 23551 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T05:50:40Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2330 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe340_ Global\UsGthrCtrlFltPipeMssGthrPipe340 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | 418816 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"Microsoft Windows Search Protocol Host","FileVersion":"7.0.19041.488 (WinBuild.160101.0800)","InternalName":"SearchProtocolHost.exe","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"SearchProtocolHost.exe","ProductName":"Windows\u00ae Search","ProductVersion":"7.0.19041.488"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":1,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 5 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":5,"pePuaScore":17,"vdlFlags":0,"version":2} | SearchProtocolHost.exe | 12984 | SearchIndexer.exe | C:\Windows\System32\SearchIndexer.exe | 12984:132464552285792342 | C:\Windows\System32\SearchProtocolHost.exe | 21924 | 17 | 40c2a56cf0765307ff20ea8176ec273e0a085ba4 | 92a7c72e68e22c6564f1f5c8a3745ab807754d4976b23328a68dab5fd62cf254 | 21924:132466960699991661 | 1602222469 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:50:40Z | 23551 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T05:50:40Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2795 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | "C:\WINDOWS\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 780 | 272384 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"Microsoft Windows Search Filter Host","FileVersion":"7.0.19041.488 (WinBuild.160101.0800)","InternalName":"SearchFilterHost.exe","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"SearchFilterHost.exe","ProductName":"Windows\u00ae Search","ProductVersion":"7.0.19041.488"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":1,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 5 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":5,"pePuaScore":17,"vdlFlags":0,"version":2} | SearchFilterHost.exe | 12984 | SearchIndexer.exe | C:\Windows\System32\SearchIndexer.exe | 12984:132464552285792342 | C:\Windows\System32\SearchFilterHost.exe | 9440 | 17 | cecd3788a6881dd7ff1654d2eeb09c7787a76cc8 | 9d2d77f7dd153878b2ccb18d8b12a35a743efab598cb6475bfc72a539ac77a05 | 9440:132466960700315936 | 1602222470 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:50:40Z | 23551 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T05:50:40Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2523 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc | 57368 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"Host Process for Windows Services","FileVersion":"10.0.19041.1 (WinBuild.160101.0800)","InternalName":"svchost.exe","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"svchost.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.19041.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows Publisher","thumbprint":"ee4e8d1212caec402ea6ee8c2cd33b6856be8cb51d5d70d3468bab51e529f7ea"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 4 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":4,"pePuaScore":16,"vdlFlags":0,"version":2} | svchost.exe | 988 | services.exe | C:\Windows\System32\services.exe | 988:132459464081335424 | C:\Windows\System32\svchost.exe | 18016 | 16 | 66f5e6dade65d7dba979602830d58e53e60fdffb | 39f80b404b2fd80dc096442d77e221cbb3ef5621acf66dcd3829e8af4cc37bf0 | 18016:132466961913804135 | 1602222591 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:50:40Z | 23551 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T05:50:40Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2489 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | C:\Users\kacke\AppData\Local\Microsoft\OneDrive\20.143.0716.0003\FileCoAuth.exe -Embedding | 500584 | 513 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"Microsoft OneDriveFile Co-Authoring Executable","FileVersion":"20.143.0716.0003","InternalName":"Microsoft OneDrive","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"FileCoAuth.exe","ProductName":"Microsoft OneDrive","ProductVersion":"20.143.0716.0003"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Corporation","thumbprint":"92012f8bee801752d61b2eccbfed2a685304d33bee3289c6c98c74809d335dad"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 5 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":5,"pePuaScore":16,"vdlFlags":0,"version":2} | FileCoAuth.exe | 1080 | svchost.exe | C:\Windows\System32\svchost.exe | 1080:132459464085155242 | C:\Users\kacke\AppData\Local\Microsoft\OneDrive\20.143.0716.0003\FileCoAuth.exe | 10528 | 16 | 57752d90fa7363e875c66a9047a153e151d15af8 | 4cf3c62d39461052fe3bb98694bf4bf58b8b3ad7e151d5e95a490e54010f92c9 | 10528:132466963354732968 | 1602222735 | 1001 | | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:55:25Z | 23566 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T05:55:25Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2555 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | C:\WINDOWS\system32\wbem\WmiApSrv.exe | 208896 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"WMI Performance Reverse Adapter","FileVersion":"10.0.19041.1 (WinBuild.160101.0800)","InternalName":"WmiApSrv.exe","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"WmiApSrv.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.19041.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":1,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | WmiApSrv.exe | 988 | services.exe | C:\Windows\System32\services.exe | 988:132459464081335424 | C:\Windows\System32\wbem\WmiApSrv.exe | 16544 | 16 | 5877f71c48ae3f5f36f77e78ec86e4c7a7f1fba7 | 5d51a62e14be8f6a6894e8184cfd036edafc906d958e162fc9ac48462c6b2248 | 16544:132466963505258271 | 1602222750 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:55:25Z | 23566 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T05:55:25Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2471 |
| Victim4-Win10 | 192.168.100.162 | running_processes_windows_sophos | "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca | 19984 | 513 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"Background Task Host","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"Background Task Host","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"backgroundTaskHost.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Windows","thumbprint":"9b8fdf4d32972e0f17a78a6dd24b418c7b888c89cd0aac350bba0f7f5c3190a3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | backgroundTaskHost.exe | 832 | svchost.exe | C:\Windows\System32\svchost.exe | 832:132463842650658086 | C:\Windows\System32\backgroundTaskHost.exe | 2780 | 16 | dc27f57a3ba5d13b476b1fd0872b8972744a01f8 | 74b3323405cdfb85cfc9d5c1cd29c816c80361df154801e44f14863c9058906e | 2780:132466964317702387 | 1602222831 | 1006 | Admin | 1601910646 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:56:09Z | 11876 | 1601806909 | Victim4-Win10 | False | 2020-10-09T05:56:09Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2558 |
| Victim4-Win10 | 192.168.100.162 | running_processes_windows_sophos | C:\WINDOWS\system32\wbem\WmiApSrv.exe | 204288 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"WMI Performance Reverse Adapter","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"WmiApSrv.exe","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"WmiApSrv.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":1,"signer":"Microsoft Windows","thumbprint":"26fadd5610bb56e43d61a21b42a146c6a4568d8fc21db5d78e70be0ac390e9c3"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 3 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":3,"pePuaScore":16,"vdlFlags":0,"version":2} | WmiApSrv.exe | 688 | services.exe | C:\Windows\System32\services.exe | 688:132463842647650375 | C:\Windows\System32\wbem\WmiApSrv.exe | 9596 | 16 | 090436b0679559cb2d5e863ad9c9135613f38d77 | 8a221672e37fd7f30d35b3466ca9f1a473f9a77c27a5a16c6392bceeccafea6f | 9596:132466964675291613 | 1602222867 | 18 | SYSTEM | 1601910646 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:56:09Z | 11876 | 1601806909 | Victim4-Win10 | False | 2020-10-09T05:56:09Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2467 |
| Victim4-Win10 | 192.168.100.162 | running_processes_windows_sophos | C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding | 483840 | 19 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"WMI Provider Host","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"Wmiprvse.exe","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"Wmiprvse.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":1,"signer":"Microsoft Windows","thumbprint":"c6857c85920cd149a3d709a5a5a33161782e2cca73d2eefcc29dce2a6eeff8df"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 4 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":4,"pePuaScore":16,"vdlFlags":0,"version":2} | WmiPrvSE.exe | 832 | svchost.exe | C:\Windows\System32\svchost.exe | 832:132463842650658086 | C:\Windows\System32\wbem\WmiPrvSE.exe | 6256 | 16 | 51b8646308ee0b68ad1f7f1291b85395434de49a | a75c85f3b089993e9c042fb82ecb7757e8f460ed8065fc7991caa38a6de0f50c | 6256:132466964681920092 | 1602222868 | 19 | LOCAL SERVICE | 1601910646 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T05:56:09Z | 11876 | 1601806909 | Victim4-Win10 | False | 2020-10-09T05:56:09Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2478 |
| Victim4-Win10 | 192.168.100.162 | running_processes_windows_sophos | C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding | 483840 | 19 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","FileDescription":"WMI Provider Host","FileVersion":"10.0.18362.1 (WinBuild.160101.0800)","InternalName":"Wmiprvse.exe","LegalCopyright":"\u00a9 Microsoft Corporation. All rights reserved.","OriginalFilename":"Wmiprvse.exe","ProductName":"Microsoft\u00ae Windows\u00ae Operating System","ProductVersion":"10.0.18362.1"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":1,"signer":"Microsoft Windows","thumbprint":"c6857c85920cd149a3d709a5a5a33161782e2cca73d2eefcc29dce2a6eeff8df"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 4 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":4,"pePuaScore":16,"vdlFlags":0,"version":2} | WmiPrvSE.exe | 832 | svchost.exe | C:\Windows\System32\svchost.exe | 832:132463842650658086 | C:\Windows\System32\wbem\WmiPrvSE.exe | 9352 | 16 | 51b8646308ee0b68ad1f7f1291b85395434de49a | a75c85f3b089993e9c042fb82ecb7757e8f460ed8065fc7991caa38a6de0f50c | 9352:132466967674398458 | 1602223167 | 19 | LOCAL SERVICE | 1601910646 | 2fd10d5e-3267-4476-aa1c-182846a3eac0 | computer | 255.255.255.0 | 00:50:56:3c:c7:00 | Microsoft Windows 10 Pro | windows | client | 10.0.18363 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T06:01:08Z | 11891 | 1601806909 | Victim4-Win10 | False | 2020-10-09T06:01:08Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | f21dd0e5-2376-4467-aac1-8182643aae0c | 2478 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | "C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe" -ScheduledUpdate -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate\" | 2439568 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Sophos Limited","FileDescription":"Sophos Endpoint Updater","FileVersion":"6.6.144.0","InternalName":"SophosUpdate.exe","LegalCopyright":"Copyright 1989-2020 Sophos Limited. All rights reserved.","OriginalFilename":"SophosUpdate.exe","ProductName":"Sophos AutoUpdate","ProductVersion":"6.6"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 6 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":6,"pePuaScore":16,"vdlFlags":0,"version":2} | SophosUpdate.exe | 4868 | ALsvc.exe | C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe | 4868:132459464124172654 | C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\SophosUpdate.exe | 19764 | 16 | 4d3b5b0d0b953ed83856927ad57c24babae08b96 | 9e60d01a979d84b7bed0c0691fe3d3fb73e9cc2285b6dbe94c5f52b1785fc645 | 19764:132466968171818200 | 1602223217 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T06:00:29Z | 23582 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T06:00:29Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2586 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /status | 4987984 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"SurfRight B.V.","FileDescription":"HitmanPro.Alert","FileVersion":"3.7.17.321","InternalName":"hmpalert.exe","LegalCopyright":"\u00a9 2013-2018 SurfRight, A Sophos Company","OriginalFilename":"hmpalert.exe","ProductName":"HitmanPro.Alert","ProductVersion":"3.7.17.321"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 11 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":11,"pePuaScore":10,"vdlFlags":0,"version":2} | hmpalert.exe | 15108 | McsAgent.exe | C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe | 15108:132466320783656305 | C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe | 22376 | 10 | 2190496e6a6edbacf91adeb6ced2fb9acf273c4d | 6dd27e3b99b8f82d64e7330b2addc32701ecf460f453dc80b021f47a2fba88ae | 22376:132466968925342484 | 1602223292 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T06:05:33Z | 23598 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T06:05:33Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2474 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /verifypolicy="C:\ProgramData\HitmanPro.Alert\policy_20201009060132" | 4987984 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"SurfRight B.V.","FileDescription":"HitmanPro.Alert","FileVersion":"3.7.17.321","InternalName":"hmpalert.exe","LegalCopyright":"\u00a9 2013-2018 SurfRight, A Sophos Company","OriginalFilename":"hmpalert.exe","ProductName":"HitmanPro.Alert","ProductVersion":"3.7.17.321"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 11 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":11,"pePuaScore":10,"vdlFlags":0,"version":2} | hmpalert.exe | 15108 | McsAgent.exe | C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe | 15108:132466320783656305 | C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe | 22464 | 10 | 2190496e6a6edbacf91adeb6ced2fb9acf273c4d | 6dd27e3b99b8f82d64e7330b2addc32701ecf460f453dc80b021f47a2fba88ae | 22464:132466968925774391 | 1602223292 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T06:05:33Z | 23598 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T06:05:33Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2540 |
| DESKTOP-RB61UC8 | 192.168.1.173 | running_processes_windows_sophos | "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /status | 4987984 | 18 | -1 | {"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1} | 91 | {"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"SurfRight B.V.","FileDescription":"HitmanPro.Alert","FileVersion":"3.7.17.321","InternalName":"hmpalert.exe","LegalCopyright":"\u00a9 2013-2018 SurfRight, A Sophos Company","OriginalFilename":"hmpalert.exe","ProductName":"HitmanPro.Alert","ProductVersion":"3.7.17.321"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Sophos Ltd","thumbprint":"44e319d9e913676a311e521a671d687c16846a291bd86a83900fd425c77aca0f"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1} | 11 | {"configVersion":"8a1d0e8272c15d764b2cbeff6d0201e59f4e9a987702d6e1ac2ec8e4048ef780","expireTime":0,"peMalwareScore":11,"pePuaScore":10,"vdlFlags":0,"version":2} | hmpalert.exe | 15108 | McsAgent.exe | C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe | 15108:132466320783656305 | C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe | 18072 | 10 | 2190496e6a6edbacf91adeb6ced2fb9acf273c4d | 6dd27e3b99b8f82d64e7330b2addc32701ecf460f453dc80b021f47a2fba88ae | 18072:132466968926217316 | 1602223292 | 18 | SYSTEM | 1601472788 | eface84e-4db6-344f-a89d-90801856834f | computer | 255.255.255.0 | 5c:ea:1d:c1:aa:55 | Microsoft Windows 10 Pro | windows | client | 10.0.19041 | 73.69.54.187 | 1.1.12 | Admin | 2020-10-09T06:05:33Z | 23598 | 1601772041 | DESKTOP-RB61UC8 | False | 2020-10-09T06:05:33Z | b288d41b-53bb-64ae-5a67-1bc1507d5198 | feca8ee4-d46b-43f4-8ad9-0908816538f4 | 2474 |
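The following is an added example, not Sophos code, showing how a responder would consume rows from this query once they are pulled out of the Data Lake. It decodes sophos_pid (the PID, then the process start time as a Windows FILETIME: 100 ns ticks since 1601-01-01; on every row in RESULTS this lands within a second of the time column), pulls the signers whose signature verified out of local_rep_data, and returns the reasons a row deserves a second look. The first two sample rows are copies of the GoogleUpdate.exe and FileCoAuth.exe rows above, with local_rep_data abridged to the fields the code reads; the third row, the reputation thresholds and the user-writable prefix list are this example's own assumptions.

```python
# Added example (not Sophos code): triage rows from running_processes_windows_sophos.
# Column names follow the schema on this page. Thresholds, USER_WRITABLE_PREFIXES and
# the third sample row are assumptions made for the example; the first two rows are
# abridged copies of the GoogleUpdate.exe and FileCoAuth.exe rows in RESULTS.
import json

# sophos_pid is "<pid>:<start time>", the start time being a Windows FILETIME
# (100 ns ticks since 1601-01-01). This is the FILETIME value of the Unix epoch.
FILETIME_UNIX_DELTA = 116_444_736_000_000_000

# Directories an unprivileged user can write to (assumption; extend for your estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def sophos_pid_to_epoch(sophos_pid):
    """Split 'pid:filetime' into (pid, process start time as Unix seconds)."""
    pid_text, filetime_text = sophos_pid.split(":", 1)
    return int(pid_text), (int(filetime_text) - FILETIME_UNIX_DELTA) / 10_000_000


def valid_signers(local_rep_data):
    """Signer names whose Authenticode signature verified (isValid true).
    Returns [] for an unsigned file and for a lookup that carried no data, where
    reputationData is the empty string "" rather than an object (the shape every
    global_rep_data value on this page has)."""
    rep = json.loads(local_rep_data).get("reputationData")
    if not isinstance(rep, dict) or not rep.get("isSigned"):
        return []
    return [s["signer"] for s in rep.get("signerInfo", []) if s.get("isValid")]


def triage(row, rows_by_sophos_pid, local_rep_floor=50, ml_score_ceiling=50):
    """Return the reasons this row deserves a closer look ([] if none)."""
    findings = []
    pid, started = sophos_pid_to_epoch(row["sophos_pid"])
    if pid != row["pid"]:
        findings.append("sophos_pid does not match pid")
    if not valid_signers(row["local_rep_data"]):
        findings.append("no valid Authenticode signer")
    if row["local_rep"] < local_rep_floor:
        findings.append("local_rep below floor")
    if row["ml_score"] >= ml_score_ceiling:
        findings.append("ml_score at or above ceiling")
    if row["path"].lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append("executable in user-writable path")
    parent_pid, parent_started = sophos_pid_to_epoch(row["parent_sophos_pid"])
    if parent_started > started:
        findings.append("parent started after child")
    # Join parent to child on the full parent_sophos_pid, never on `parent` alone:
    # Windows hands a bare PID out again once the original process has exited.
    if row["parent_sophos_pid"] not in rows_by_sophos_pid and any(
            r["pid"] == parent_pid for r in rows_by_sophos_pid.values()):
        findings.append("parent pid reused; matching pid in result set is a different process")
    return findings


def triage_all(rows):
    """Map each row's sophos_pid to its findings."""
    by_sophos_pid = {r["sophos_pid"]: r for r in rows}
    return {spid: triage(r, by_sophos_pid) for spid, r in by_sophos_pid.items()}


SAMPLE_ROWS = [
    {   # copied from the GoogleUpdate.exe row in RESULTS (local_rep_data abridged)
        "pid": 17748, "parent": 1680, "name": "GoogleUpdate.exe",
        "path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
        "sophos_pid": "17748:132466959538161979", "parent_sophos_pid": "1680:132459464089250157",
        "time": 1602222353, "local_rep": 81, "ml_score": 15,
        "local_rep_data": r'{"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":81,"reputationData":{"details":{},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32772,"cryptoStrength":80,"isValid":true,"signatureLocation":0,"signer":"Google Inc","thumbprint":"ba215596c19aec4e1d25d32d284474d6f824228b74621738f6ee2ce603c9ef2f"},{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Google Inc","thumbprint":"6f3223a7b87056c7c3fcb3b92fa48352d4d2e65a489ec165b86ffce29b84e711"}]},"sampleRate":100,"sfsVersion":17236689,"version":1}',
    },
    {   # copied from the FileCoAuth.exe row in RESULTS (local_rep_data abridged)
        "pid": 10528, "parent": 1080, "name": "FileCoAuth.exe",
        "path": r"C:\Users\kacke\AppData\Local\Microsoft\OneDrive\20.143.0716.0003\FileCoAuth.exe",
        "sophos_pid": "10528:132466963354732968", "parent_sophos_pid": "1080:132459464085155242",
        "time": 1602222735, "local_rep": 91, "ml_score": 5,
        "local_rep_data": r'{"configVersion":"18909eb811363b0eea090c0ce6f57a57e5371ae648b1bae49f429dde030c834c","cryptoStrength":112,"lookupType":7,"reputation":91,"reputationData":{"details":{"CompanyName":"Microsoft Corporation","OriginalFilename":"FileCoAuth.exe"},"isSigned":true,"signerInfo":[{"cryptoAlgorithm":32780,"cryptoStrength":112,"isValid":true,"signatureLocation":0,"signer":"Microsoft Corporation","thumbprint":"92012f8bee801752d61b2eccbfed2a685304d33bee3289c6c98c74809d335dad"}]},"sampleRate":1000,"sfsVersion":17236689,"version":1}',
    },
    {   # CONSTRUCTED row (not from the page): unsigned binary in a user-writable
        # directory whose `parent` PID (17748) collides with GoogleUpdate.exe above
        # but whose parent_sophos_pid carries a later start time, i.e. PID reuse.
        "pid": 4242, "parent": 17748, "name": "update.exe",
        "path": r"C:\Users\Public\Downloads\update.exe",
        "sophos_pid": "4242:132466971000000000", "parent_sophos_pid": "17748:132466970000000000",
        "time": 1602223500, "local_rep": -1, "ml_score": 70,
        "local_rep_data": r'{"expireTime":0,"lookupType":0,"reputation":-1,"reputationData":"","sampleRate":0,"version":1}',
    },
]

if __name__ == "__main__":
    for spid, findings in triage_all(SAMPLE_ROWS).items():
        pid, started = sophos_pid_to_epoch(spid)
        print(f"{spid} start={started:.1f} findings={findings or 'none'}")
```

Two things in the sample data are worth knowing before trusting the scores. Every row on this page has global_rep -1 with lookupType 0 and an empty reputationData, which is the no-lookup shape rather than a bad verdict, so treat -1 as unknown. The GoogleUpdate.exe row carries two valid signatures: cryptoAlgorithm 32772 is the Windows ALG_ID CALG_SHA1 (0x8004, hence cryptoStrength 80) and 32780 is CALG_SHA_256 (0x800C, cryptoStrength 112), so a file signed only with a 32772 entry is SHA-1 signed and should be reviewed accordingly. The same rules translate directly into WHERE clauses on local_rep, ml_score and path in the Data Lake query above, with the parent join done on parent_sophos_pid = sophos_pid rather than parent = pid.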