Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to avoid detection.
A list of hashes and the different executables associated with each one
|Technique||Tactic||Level of Coverage|
Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention.
Data Model References