Files Loaded by Suspicious Executable
MDE Loaded Files
Query
let InputSHA1 = "035833d4d9673fd767b3a73e5943abe0cb88b122";
let LoadedFiles = DeviceImageLoadEvents
| where InitiatingProcessSHA1 =~ InputSHA1
| summarize LoadedFiles = make_set(SHA1);
union DeviceNetworkEvents, DeviceProcessEvents, DeviceEvents
| where InitiatingProcessSHA1 in~ (InputSHA1)About this query
Files Loaded by Suspicious Executable
Query Information
Description
This query is designed to list the files that have been loaded by a suspicious executable. Often malware loads dlls to properly function, these dlls can be identified by giving the SHA1 hash of the malicious executable as InputSHA1.
Risk
A malicious image is loaded into an executable and performs activities.
Defender XDR
Sentinel
let InputSHA1 = "035833d4d9673fd767b3a73e5943abe0cb88b122";
let LoadedFiles = DeviceImageLoadEvents
| where InitiatingProcessSHA1 =~ InputSHA1
| summarize LoadedFiles = make_set(SHA1);
union DeviceNetworkEvents, DeviceProcessEvents, DeviceEvents
| where InitiatingProcessSHA1 in~ (InputSHA1)
Explanation
This query is designed to identify and list files that have been loaded by a potentially malicious executable. Here's a simple breakdown of what the query does:
-
InputSHA1: The query starts by defining a specific SHA1 hash (
035833d4d9673fd767b3a73e5943abe0cb88b122) which represents the suspicious executable you are investigating. -
Loaded Files Identification: It looks into
DeviceImageLoadEventsto find all files (like DLLs) that have been loaded by processes initiated by the executable with the given SHA1 hash. It collects these file hashes into a set calledLoadedFiles. -
Event Union: The query then combines data from three different event tables:
DeviceNetworkEvents,DeviceProcessEvents, andDeviceEvents. It filters these events to include only those initiated by the same suspicious executable.
Overall, the query helps in tracking the activities of a suspicious executable by listing the files it loads and examining related network, process, and other device events. This can be useful for identifying potential malicious behavior and understanding the impact of the executable on the system.
Details

Bert-Jan Pals
Released: April 30, 2025
Tables
Keywords
Operators