windows_startup_programs_md5
SCHEMA
Column | Type | Description
--- | --- | ---
core_file_info | string | Core file info
file_size | long | File size now
global_rep | int | The machine learning global reputation now
global_rep_data | string | All global reputation data
local_rep | int | The machine learning local reputation now
local_rep_data | string | All local reputation now
ml_score | int | The machine learning malware score now
ml_score_data | string | All ML score data
mod_path | string | Path to the startup item
name | string | Name of the registry value entry
path | string | Full path to the value
pua_score | int | The machine learning PUA score now
sha1 | string | SHA1 of the file now
sha256 | string | SHA256 of the file now
status | string | The reason the logon failed
type | string | Type of the registry value
username | string | Username
-- windows_startup_programs_md5 INFO
SELECT
    -- Device ID DETAILS
    meta_hostname,
    meta_ip_address,
    -- Query Details
    query_name,
    core_file_info,
    file_size,
    global_rep,
    global_rep_data,
    local_rep,
    local_rep_data,
    ml_score,
    ml_score_data,
    mod_path,
    name,
    path,
    pua_score,
    sha1,
    sha256,
    status,
    type,
    username,
    -- Decoration
    meta_boot_time,
    meta_eid,
    meta_endpoint_type,
    meta_ip_mask,
    meta_mac_address,
    meta_os_name,
    meta_os_platform,
    meta_os_type,
    meta_os_version,
    meta_public_ip,
    meta_query_pack_version,
    meta_username,
    -- Generic numerics
    calendar_time,
    counter,
    epoch,
    host_identifier,
    osquery_action,
    unix_time,
    -- Data Lake
    customer_id,
    endpoint_id,
    upload_size
FROM xdr_data
WHERE query_name = 'windows_startup_programs_md5'
RESULTS