Advanced Search
Introduction
The Advanced Search feature introduces rich metadata search capabilities on the ReversingLabs Spectra Analyze appliance, makes it easier to search across large data sets (both locally and in ReversingLabs Spectra Intelligence), and enables faster, more powerful malware discovery with increased coverage.
With 100+ keywords, 30+ anti-virus vendors, 130+ sample types and subtypes and 280+ tags, Advanced Search makes it possible to build more than 500 unique search queries using Boolean operators and keyword auto-completion.
Users can create targeted, multi-conditional queries and combine search criteria using logical operators to quickly identify potential threats.
The Advanced Search feature can be used to perform local searches without a Spectra Intelligence account. Using Advanced Search to retrieve Spectra Intelligence results is available to customers at additional cost. For more information, please contact ReversingLabs Sales Support (insidesales@reversinglabs.com).
Important notes about the Advanced Search feature
- Different search queries return results at different speeds - for some combinations of keywords and operators, it can take longer to load the results. To ensure quicker response times for long and complex queries, returned results may contain fewer samples than are available in the database; i.e., the service will only return the latest matches found within a reasonable timeframe.
  To improve search query responsiveness and performance, Cloud results prioritize First Seen within the last month by default. However, this may result in zero results if users specify time ranges outside this time frame. In such cases, the results page provides links to expand the search results. If the query returns some results but there are more in the previous months, clicking the link next to the query summary under the drop-down menu filters broadens the search to encompass a wider time range. Alternatively, users can set the provided drop-down filters to the desired expanded time range.
- Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results. Local-only keywords are: filecount, tag-user, submission-user, submission-time and processing-status. To perform Spectra Intelligence searches or search for extracted files, please remove any local keywords from the query.
- The maximum length of a single search query is 1024 characters. Queries longer than 1024 characters cannot be shared or added to Favorites. Attempting to submit queries longer than 1024 characters will result in an error. This does not apply to Bulk hash search queries.
- The maximum number of Cloud results that can be returned for a search query is 100 000. Although there may be more samples matching the query in the Spectra Intelligence cloud, Spectra Analyze will only allow browsing through 100 000 of them.
- Currently it is only possible to export a single page of search results. To export all results from the list, the user would have to browse pages one by one and manually export them. It is possible to adjust the number of results displayed per page in the navigation bar, thus increasing or decreasing the number of results that will appear in the exported CSV file.
- The *Fetch & Analyze* option for Cloud results is currently limited to downloading 100 samples at a time, with a daily limit of 10 000 samples in total. Samples that already exist on Spectra Analyze will not be downloaded again. It is not possible to fetch and analyze all samples in the Cloud results list at once.
- Large volumes of data indexed for Advanced Search in the Spectra Intelligence cloud are constantly updated in order to return the most relevant information. During synchronization of various Spectra Intelligence services, searching for samples in the cloud may return inconsistent or incorrect results in some cases. The data is updated multiple times per hour. This can cause discrepancies between the results offered on the Local and Public (Spectra Intelligence) results tabs.
How to Write Search Queries
Note
Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results. Local-only keywords are: filecount, tag-user, submission-user, submission-time and processing-status. To perform Spectra Intelligence searches or search for extracted files, please remove any local keywords from the query.
Local-only keywords, when added using the drop-down menus, will not be shown in the Advanced Search box as part of the query, but they will still be applied to the results, saved to the Recent queries list, and shared using the Share query button.
To create a search query, start typing into the Advanced search box. The pull-down list with all matching search keywords or their predefined values will open. The keywords are listed alphabetically.
Every search query must contain at least one keyword and one value. Search queries are built according to the following formula.
keyword:value OPERATOR keyword2:value OPERATOR keyword3:[value1,value2,...]
The values for a keyword can be typed in manually, or if the keyword supports it, selected from the pull-down list.
Selecting a keyword that supports predefined values (for example, classification, riskscore) displays all those values in the pull-down list.
Selecting a keyword that supports date and time ranges (such as lastseen or firstseen) displays the date picker. To add a custom range to the search box, select “Custom” in the date picker and click the Apply button.
Keywords have short usage examples in the pull-down list. For a detailed overview of supported keywords and their features, refer to the Supported Search Keywords section.
Some keywords have aliases - additional forms that can be used to search for the same values. Aliases are indicated in the Supported Search Keywords section in parentheses next to keyword names, and in the interface as illustrated in the screenshot below.
To run a search query, click the Search button in the search box, or press Enter.
The following is an example of a basic search query that returns all samples classified as suspicious:
classification:suspicious
What can and cannot be included in a search query depends on the values and operators supported by the keyword, as well as on the restricted words and characters.
The maximum length of a single search query that can be entered into the Advanced search box is 1024 characters.
Restricted Words and Characters
All restricted words and characters should be escaped with double quotation marks in the search query.
Example: a query contains one of the restricted characters [, ], (, ), :
pdb:"C:\Windows*"
Example: a query contains one of the restricted words (AND, OR, NOT)
cert-subject-name:"AND"
If the search query contains spaces, use double quotation marks around it.
cert-subject-org:"microsoft corporation"
Searching for Exact Matches
For more precise results, use quotation marks in search queries, especially when looking for a specific string.
The underscore character ( _ ) is treated as a delimiter. Phrases containing the underscore should be enclosed in quotation marks to get exact matches.
For example, searching for pe-function:"Py_Initialize" returns results that match the exact phrase, including the underscore character.
Searching for pe-function:Py_Initialize returns results that match either “Py” or “Initialize”, or both.
Using Wildcards for Partial Matching
Some search keywords support partial matching with wildcard symbols.
The * symbol matches any sequence of characters. The ? symbol matches any single character.
Example: this query returns all samples that have the string “emo” anywhere in their threat name (such as Wemosis, Remora, Temonde).
av-detection: *emo*
Example: this query returns all samples with the threat name “Emotet” and any variant in which the first letter T is replaced by any other character (such as Emonet, Emoret).
av-detection: emo?et
Searching for a Range and Greater/Less-Than Values
For keywords that support searching for a range of values, the formula looks like this.
keyword:[value1 TO value2]
size:[50000 TO 70000]
To search for greater/less-than values, create an open-ended range using the wildcard symbol *
keyword:[value TO *] - for greater-than values
keyword:[* TO value] - for less-than values
This example returns all samples that have a trust factor lower than or equal to 4.
trustfactor:[* TO 4]
Searching for a List of Values
To search for any of the values in a list, the following formula is used.
keyword:[value1, value2, value3]
The values must be comma-separated.
classification:[suspicious, unknown]
av-detection:[emotet,wannacry]
sha1:[91b21fffe934d856c43e35a388c78fccce7471ea,4e8c5b9fc9a6650f541fa0dbe456731309a429e4,66720a660761e9b3b9b071ba4c16d6ab69c442bb]
Creating Multi-keyword Search Queries
Search operators and parentheses can be used to combine multiple keywords and create advanced search queries.
The following search operators are supported: AND, OR, NOT
If an operator is not provided, AND is used as the default. Operators are case-insensitive, so the following queries all return the same results.
firstseen:2018-01-01T00:00:00Z AND classification:malicious
firstseen:2018-01-01T00:00:00Z and classification:malicious
firstseen:2018-01-01T00:00:00Z classification:malicious
The NOT operator excludes search results that match the search criteria. In the following example, malicious and suspicious files will be excluded from the results:
av-detection:*linux* NOT classification:[malicious, suspicious]
The OR operator can be used to look for any of the values supported by a single keyword:
classification:suspicious OR classification: malicious
It can also be used to look for any of the different keywords and their values:
pdb:JigsawRansomware.pdb OR uri:"http://btc.blockr.io/api/v1/"
The OR operator cannot be used instead of a comma when searching for a list of values. The following example is not a valid query:
av-detection:[emotet OR wannacry]
Parentheses can be used to combine keywords. The following two queries show how to format the same request using square brackets versus parentheses:
firstseen:2018-01-01T00:00:00Z av-detection:[trojan,wannacry]
firstseen:2018-01-01T00:00:00Z (av-detection:trojan OR av-detection:wannacry)
Apart from using parentheses with the same keyword, they can be used to combine multiple different keywords, operators, and even a range:
firstseen:2018-01-01T00:00:00Z (av-detection:trojan AND type:binary NOT positives:[* TO 3])
Saving and Sharing Search Queries
There are several ways to save search queries on the Spectra Analyze appliance.
- Search queries can be saved as Favorites on the Spectra Analyze appliance itself. Run any query and click the star button right of the search box to save it. The query will be listed under Favorites in the Suggestions menu. It can be modified to include other search keywords and parameters, or removed from the appliance at any time. A maximum of 20 search queries can be saved in this way.
- Search queries can be saved using the built-in bookmarking functionality of the web browser. Run any query and bookmark the results page. In this case, any active filtering parameters (such as sorting and number of results per page) are also preserved in the bookmarked URL. A search query saved in this way will only work on the Spectra Analyze instance specified in the bookmarked URL.
Similarly, search queries can be shared in several ways:
- by using the Share query option on the Spectra Analyze appliance. Type in any query and click the Share button right of the search box. The Share Query dialog opens, where recipient email addresses have to be entered. Clicking the Share button in the dialog will send the selected query to provided email addresses. The email Subject field will contain the username of the Spectra Analyze user who shared the query.
- by copying the URL of the search results page from the address bar of the browser, and sending it manually via email or other communication channel. A search query shared in this way will only work if the recipient can log into the same Spectra Analyze instance from which the query was sent.
- by copying a favorite query to the clipboard (hover over the query in the Favorites list and select the Copy option from the triple-dot menu), then sharing it manually via email or other communication channel.
Non-keyword Queries
Advanced search queries can be quickly built without using keywords. Non-keyword search is available only for a particular subset of indicators of compromise:
- SHA1, SHA256 and MD5 hashes
- URLs
- IP addresses
- domains
- emails
Non-keyword Search Queries
Non-keyword searches can be performed as standalone queries containing one or more non-keyword values, or be combined with traditional keyword searches. Email and IP (IPv4, IPv6) non-keyword queries support wildcard matching.
If a list of non-keyword search values contains invalid entries, search will respond with the message “Unrecognized nonkeyword argument” and return the first invalid non-keyword. In cases where the query contains only hashes, the response returns “Invalid value for hashes field”.
Using commas between non-keyword search values will result in an invalid query. Searching for strings containing commas and other special characters is supported by using quotation marks.
For example, IPv6 addresses or URLs containing colons, commas, or brackets must be enclosed in quotation marks:
"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
"http://www.evildomain.com/gate.php?13,35869"
Single non-keyword search
This can be any one of the IOCs listed above.
Example: SHA1
0000038704cb5f0e1bd87d6a75e904529af0d6ac
Multiple non-keyword search
To combine multiple non-keyword search values, separate them by space. The whole query will be enclosed in brackets and the spaces will be interpreted as the operator OR. Other operators (AND/NOT) can be explicitly provided to build more complex queries.
Example: IPv4, IPv6 and domain
127.0.0.1 "2620:119:35::35" google.com
Example: Hashes only
0000038704cb5f0e1bd87d6a75e904529af0d6ac 2abcd3fb8b7761526d177ab007c40e74 4dea2daa9a41dd6c4cb172eb6d8d8a1d1811360e21c5fa0c8ce2e20fd6903041
Non-keyword with keyword
When combining non-keyword search values with keywords, consecutive non-keyword values will be enclosed in brackets and the spaces between them will be interpreted as the operator OR. Spaces between non-keyword search values and keywords will be interpreted using the operator AND, meaning that the order of keywords and non-keyword values in the query is important.
Example: Samples containing the provided URL that are classified as goodware
"https://hope-bd.com/googledocs.php" class:goodware
Combining queries with the NOT operator
The NOT operator excludes search results that match the defined criteria.
Example: Query using the operator NOT
NOT *@mockmail.com "https://hope-bd.com/googledocs.php" AND NOT 0000038704cb5f0e1bd87d6a75e904529af0d6ac class:MALICIOUS
Non-keyword Search Examples
Query Type | Example | Syntax | Outcome |
---|---|---|---|
Single non-keyword | 0000038704cb5f0e1bd87d6a75e904529af0d6ac | NK | NK |
Non-keyword search values combined with keywords | "https://hope-bd.com/googledocs.php" class:goodware | NK K | NK AND K |
Multiple non-keyword values (hashes only) | 0000038[…]af0d6ac 2abcd3[…]7c40e74 4dea2da[…]6903041 | NK NK NK NK | (NK OR NK OR NK OR NK) |
Multiple non-keyword values | 127.0.0.1 "2620:119:35::35" google.com | NK NK NK NK | (NK OR NK OR NK OR NK) |
Multiple non-keyword values with an AND operator | mock@mockmail.com 127.0.*.1 AND google.com "https://hope-bd.com/googledocs.php" | NK NK AND NK NK | (NK OR NK) AND (NK OR NK) |
Multiple keywords combined with multiple non-keyword values | class:MALICIOUS mock@mockmail.com google.com firstseen:2018-04-05T21:11:47Z | K NK NK K | K AND (NK OR NK) AND K |
Combining queries with the NOT operator | NOT *@mockmail.com "https://hope-bd.com/googledocs.php" AND NOT 0000038[…]af0d6ac class:MALICIOUS | NOT NK NK AND NOT NK AND K | (NOT NK OR NK) AND NOT NK AND K |
Note
The final, transformed queries will be returned in the Advanced search box and added to the Recent queries list. They can be saved as favorites by clicking the star button to the right of the search box.
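The rewriting rules described above (runs of non-keyword values become an OR group, groups and keyword terms are joined by AND, NOT binds to the value after it) and the validation rules for commas, unrecognised values and the 1024-character limit, as an added Python model that is not ReversingLabs code. The error strings, the order of the checks and the simplified indicator patterns are assumptions; the sample queries are the ones from the table.

```python
"""Model of the non-keyword query rewriting described on this page.

Added example, not ReversingLabs code. It applies the documented rules: runs of
non-keyword values become an OR group, groups and keyword terms are joined by
AND, NOT binds to the value after it, commas between non-keyword values are
invalid, and a query may not exceed 1024 characters. The exact error strings,
the order of the checks and the indicator patterns are assumptions.
"""
import re

MAX_QUERY_LEN = 1024  # documented limit for a single search query

# A token is a run of bare characters, "quoted strings" and [lists], so that
# key:"a b", key:[a, b] and "https://x/y?1,2" each survive as one token.
TOKEN_RE = re.compile(r'(?:[^\s"\[]+|"[^"]*"|\[[^\]]*\])+')
KEYWORD_RE = re.compile(r'^[A-Za-z][\w-]*:(?!//)')  # "key:" but not "http://"

# Indicator shapes accepted without a keyword; * and ? are allowed where the
# page allows them (emails, IP addresses). Hashes must be exact MD5/SHA1/SHA256.
NONKEYWORD_RES = {
    "hash": re.compile(r'^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$'),
    "ipv4": re.compile(r'^[0-9*?]{1,3}(?:\.[0-9*?]{1,3}){3}$'),
    "ipv6": re.compile(r'^"[0-9a-fA-F*?]*(?::[0-9a-fA-F*?]*){2,}"$'),
    "url": re.compile(r'^"[A-Za-z][A-Za-z0-9+.-]*://[^"]+"$'),
    "email": re.compile(r'^[\w.*?+-]+@[\w.*?-]+\.[A-Za-z*?]{2,}$'),
    "domain": re.compile(r'^(?:[A-Za-z0-9*?-]+\.)+[A-Za-z]{2,}$'),
}


class QueryError(ValueError):
    """Raised for a query the Advanced search box would reject."""


def classify(tok):
    """Return (kind, detail): kind is op, keyword, nonkeyword or invalid."""
    if tok.upper() in ("AND", "OR", "NOT"):
        return "op", tok.upper()
    if KEYWORD_RE.match(tok):
        return "keyword", tok
    if not tok.startswith('"') and "," in tok:
        return "invalid", "Commas between non-keyword values are not allowed: " + tok
    for kind, pattern in NONKEYWORD_RES.items():
        if pattern.match(tok):
            return "nonkeyword", kind
    return "invalid", "Unrecognized nonkeyword argument: " + tok


def transform(query):
    """Rewrite `query` into the explicit form shown after the search runs."""
    if len(query) > MAX_QUERY_LEN:
        raise QueryError("Query exceeds %d characters" % MAX_QUERY_LEN)
    tokens = TOKEN_RE.findall(query)
    if not tokens:
        raise QueryError("Empty query")
    kinds = [classify(t) for t in tokens]
    errors = [detail for kind, detail in kinds if kind == "invalid"]
    if errors:
        # A query made only of hash-looking strings gets the hashes message.
        if all(re.fullmatch(r'[0-9a-fA-F]+', t) for t in tokens):
            raise QueryError("Invalid value for hashes field")
        raise QueryError(errors[0])

    # Pass 1: attach NOT to the term that follows it, so it travels with it.
    units, pending_not = [], False
    for tok, (kind, _) in zip(tokens, kinds):
        if kind == "op" and tok.upper() == "NOT":
            pending_not = True
            continue
        units.append((kind, ("NOT " + tok) if pending_not else tok))
        pending_not = False
    if pending_not:
        raise QueryError("NOT must be followed by a value")

    # Pass 2: collapse each run of non-keyword values into one OR group.
    parts, run = [], []  # parts: (is_operator, text)
    for kind, text in units + [("end", "")]:
        if kind == "nonkeyword":
            run.append(text)
            continue
        if run:
            parts.append((False, run[0] if len(run) == 1 else "(%s)" % " OR ".join(run)))
            run = []
        if kind == "keyword":
            parts.append((False, text))
        elif kind == "op":
            parts.append((True, text.upper()))

    # Pass 3: adjacent terms with no explicit operator between them get AND.
    out, prev_was_term = [], False
    for is_op, text in parts:
        if not is_op and prev_was_term:
            out.append("AND")
        out.append(text)
        prev_was_term = not is_op
    return " ".join(out)


def run_query(query):
    """Return ("ok", rewritten) or ("error", message) instead of raising."""
    try:
        return "ok", transform(query)
    except QueryError as exc:
        return "error", str(exc)
```

Feeding each query from the table into `run_query` reproduces the Outcome column with the placeholders filled in; an unquoted URL or IPv6 address is rejected because the page requires those to be quoted.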
Supported Search Keywords
Group keywords
When using group keywords, the provided search query will be used with all single keywords in the group's respective list. Refer to the single keyword descriptions for more information.
Keyword aliases are enclosed in parentheses.
certificate | Group keyword |
---|---|
Includes | cert-issuer-name cert-issuer-org cert-issuer-unit cert-subject-name cert-subject-org cert-subject-unit |
Examples | Case-insensitive wildcard matching is supported. Wildcard: certificate:*micr* |
certificate-country | Group keyword |
---|---|
Includes | cert-issuer-country cert-subject-country |
Examples | Case-insensitive wildcard matching is supported. List (any of the values): certificate-country:[HR, US] |
document | Group keyword |
---|---|
Includes | document-author document-subject document-title document-description |
Examples | Case-insensitive wildcard matching is supported. List (any of the values): document:[adobe, microsoft, *confidencial] Wildcard: document:*soft |
mutex | Group keyword |
---|---|
Includes | mutex-config mutex-dynamic |
Examples | The keyword is case-sensitive and doesn't accept wildcards. Exact: mutex:111c List (any of the values): mutex:[111c, 2124] |
ipv4 (ip) | Group keyword |
---|---|
Includes | ipv4-static ipv4-dynamic |
Examples | Wildcard matching supported. Wildcard: ipv4:192.* List (any of the values): ipv4:[1.0.0.0,1.0.2.1] |
ipv6 | Group keyword |
---|---|
Includes | ipv6-static (IPv6 address strings detected by ReversingLabs Dynamic Services) |
Examples | If the address contains colons or brackets, enclose it in quotation marks. Wildcard matching supported. Wildcard: ipv6:c* Exact: ipv6:"2002::/16" List (any of the values): ipv6:["2001:db8*", "3731:54:"] |
section | Group keyword |
---|---|
Includes | pe-section-name elf-section-name macho-section-name |
Examples | Case-insensitive wildcard matching is supported. Wildcard: section:*data List (any of the values): section:[.ndata, bss] |
segment | Group keyword |
---|---|
Includes | macho-segment macho-segment-name elf-segment-sha1 |
Examples | Case-insensitive wildcard matching is supported. Wildcard: segment:page* List (any of the values): segment:[pagezero, text] |
software | Group keyword |
---|---|
Includes | software-package software-description software-author |
Examples | The keyword does not accept wildcards. Exact: software:"James Newton-King" List (any of the values): software:[Microsoft, "This package consists of multiple activities that simplify the processes in Excel."] |
uri | Group keyword |
---|---|
Includes | uri-source uri-static uri-config uri-dynamic |
Examples | Case-insensitive wildcard matching is supported. (uri* keywords don't support IP addresses. For that, use ip* keywords.) Wildcard: uri:mozilla.org* List (any of the values): uri:[*.tor,*.onion,*.exit] |
Single keywords
actor | |
---|---|
Description | Search for files by the organization name of the certificate issuer. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: cert-issuer-org:*authority List (any of the values): cert-issuer-org:[verisign, microsoft] |
android-app-name | |
---|---|
Description | Search for Android applications by their process name. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: android-app-name:*SkypeApplication* List (any of the values): android-app-name:[MainApp, *alt.ywuajgf*] |
android-features | |
---|---|
Description | Search for Android applications by their features. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: android-features:*hardware.camera* List (any of the values): android-features:[camera, telephony] |
android-import | |
---|---|
Description | Search for Android applications by one or more shared libraries that the applications are linked against. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: android-import:org.apache.http.legacy* List (any of the values): android-import:[sec_fe?ture, *google*] |
android-package | |
---|---|
Description | Search for Android applications by their package name. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: android-package:*com.picklieapps.player* List (any of the values): android-package:[*ruckygames*, *skype.raider*] |
android-permission | |
---|---|
Description | Search for Android applications by their permissions. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: android-permission:*WRITE_SETTINGS* List (any of the values): android-permission:[*storage*, *disable_keyguard*] |
appid-company-name (appid-author) | |
---|---|
Description | Search for applications and libraries by their publisher. Case-insensitive wildcard matching is supported. |
Examples | Exact: appid-company-name:"Mozilla Foundation" List (any of the values): appid-company-name:["Mozilla Foundation", "Microsoft Corporation"] |
appid-description | |
---|---|
Description | Search for applications and libraries by their description. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: appid-description:"*Firefox Plugin Hang UI*"* |
appid-product-name | |
---|---|
Description | Search for files with a matching product name. Case-insensitive wildcard matching is supported. |
Examples | Exact: appid-product-name:"Mozilla Firefox Plugin Hang UI" List (any of the values): appid-product-name:["Mozilla Firefox Plugin Hang UI", "Mozilla Firefox Helper"] |
appid-product-type (appid-category) | |
---|---|
Description | Search for applications and libraries by their type. Case-insensitive wildcard matching is supported. |
Examples | Exact: appid-product-type:browser List (any of the values): appid-product-type:[browser, development] |
attack-tactic | |
---|---|
Description | Search for files that use a specific Mitre ATT&CK tactic. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: attack-tactic:TA0007 List (any of the values): attack-tactic:[TA0007, TA0005] |
attack-technique | |
---|---|
Description | Search for files that use a specific Mitre ATT&CK technique. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: attack-technique:T1222 List (any of the values): attack-technique:[T1222, T1112] |
av-count (positives, p, antivirus) | |
---|---|
Description | The number of antivirus scanners that have detected a sample as malicious. Currently supports any integer from 0 to 46 (46 being the number of active AV scanners). |
Examples | Exact: av-count:5 Range: positives:[10 TO 20] Greater than 5: positives:[5 TO *] List (any of the values): av-count:[5,3] |
av-detection (engines) | |
---|---|
Description | Detection string generated by the antivirus engines. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: av-detection:micro* List (any of the values): av-detection:[W32.Duqu, *Vitro] |
av-<name> (<name>) | |
---|---|
Description | Search for all samples or samples of specific malware detected by a selected antivirus vendor. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: av-[vendor]:*wannacry* List (any of the values): [vendor]:[win32, emotet] |
available (in, shareable) | |
---|---|
Description | Indicates whether a sample is available for download from the cloud. The only supported values are true and false (case-insensitive). |
Examples | available:TRUE in: false |
browser-package | |
---|---|
Description | Search for web browser extensions by their package name. Supported package formats: Chrome, Safari, Firefox. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: browser-package:*Click2Save* List (any of the values): browser-package:[*priiceechOp*, *iCalc*] |
cert-issuer-country | |
---|---|
Description | Search for files by the country code in the country name property field of the issuer of the certificate used to sign the file. Case-insensitive wildcard matching is supported. |
Examples | Exact: cert-issuer-country: US List (any of the values): cert-issuer-country:[Z?,G*] |
cert-issuer-name | |
---|---|
Description | Search for files by the name of the certificate authority (CA). Case-insensitive wildcard matching is supported. |
Examples | Exact: cert-issuer-name: COMODO List (any of the values): cert-issuer-name:[microsoft,*VeriSign*] |
cert-issuer-org | |
---|---|
Description | Search for files by the organization name of the certificate issuer. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: cert-issuer-org:*authority List (any of the values): cert-issuer-org:[verisign, microsoft] |
cert-issuer-unit | |
---|---|
Description | Search for files by the organizational unit name of the issuer unit of the certificate authority (CA). Case-insensitive wildcard matching is supported. |
Examples | Wildcard: cert-issuer-unit:*root* List (any of the values): cert-issuer-unit:["trust network", *root*] |
cert-serial | |
---|---|
Description | Search for a file by the serial number of the file certificate provided by the CA that issued the certificate. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: cert-serial:6101CF3E00000000000F List (any of the values): cert-serial:[<value1>,<value2>] |
cert-subject-country | |
---|---|
Description | Search for files by the country code in the country name property field of the subject to which the certificate has been issued. Case-insensitive wildcard matching is supported. |
Examples | Exact: cert-subject-country:DE List (any of the values): cert-subject-country:[US, B*] |
cert-subject-name | |
---|---|
Description | Search for files by the name of the organization/system to which the certificate has been issued. Case-insensitive wildcard matching is supported. |
Examples | Exact: cert-subject-name:Piriform List (any of the values): cert-subject-name:[cinectic*, google] |
cert-subject-org | |
---|---|
Description | Search for files by the organization name of the certificate authority organization (CA). Case-insensitive wildcard matching is supported. |
Examples | Exact: cert-subject-org:apple List (any of the values): cert-subject-org:[apple, Microsoft] |
cert-subject-unit | |
---|---|
Description | Search for files by the organizational unit name inside the organization to which the certificate has been issued. Case-insensitive wildcard matching is supported. |
Examples | Exact: cert-subject-unit:"Developer Relations" List (any of the values): cert-subject-unit:[Developer*, "Trust Network"] |
cert-thumbprint | |
---|---|
Description | Search for files by their unique certificate thumbprint. A thumbprint of a file certificate is a hash value (SHA256). The keyword doesn't accept wildcards. |
Examples | Exact: cert-thumbprint:277D42[...]2A17DD List (any of the values): cert-thumbprint:[<value1>, <value2>] |
classification (class) | |
---|---|
Description | Search for files by their Malware Presence status designation. Accepted values: malicious, known, suspicious, unknown (case-insensitive). |
Examples | Exact: classification:malicious List (any of the values): classification:[KNOWN, suspicious] |
dex-class-name | |
---|---|
Description | Search for DEX files by the names of classes they contain. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dex-class-name:android.content.DialogInterface.On* List (any of the values): dex-class-name:[android.content.DialogInterface.On*, android.support.v4.*] |
dex-method-name | |
---|---|
Description | Search for DEX files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dex-method-name:unregisterCallB* List (any of the values): dex-method-name:[getLocation, invok*] |
document-author | |
---|---|
Description | Search for files by the contents of their document author metadata property. Case-insensitive wildcard matching is supported. |
Examples | List (any of the values): document-author:[adobe, microsoft] Wildcard: document-author:*soft |
document-description (doc-description) | |
---|---|
Description | Search for files by the document description field, as provided by the document author. Case-insensitive wildcard matching is supported. |
Examples | List (any of the values): document-description:["Carta personal", *confidencial] Wildcard: document-description:*Math* |
document-pages (doc-pages) | |
---|---|
Description | Search for files by their number of pages. In case of spreadsheet documents, this number represents the number of sheets. The keyword accepts only integer values. |
Examples | Exact: document-pages:73 Range: document-pages:[4 TO 20] More than 4: document-pages:[4 TO *] |
document-subject | |
---|---|
Description | Search for files by the contents of their document subject metadata property. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: document-subject:*search List (any of the values): document-subject:[free, download] |
document-title | |
---|---|
Description | Search for files by the contents of their document title metadata property. Case-insensitive wildcard matching is supported. |
Examples | Exact: document-title:"Powered by" List (any of the values): document-title:[*free*, README] |
document-version | |
---|---|
Description | Search for files by the contents of their document version metadata property. Wildcard matching is supported. |
Examples | Wildcard: document-version:1.1* List (any of the values): document-version:[1.7, 2.*] |
domain | |
---|---|
Description | Search for files by any associated domain. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: domain:mozilla.org* List (any of the values): domain:[*.tor,google.com,*.exit] |
dotnet-assembly | |
---|---|
Description | Search for .NET files by assemblies they reference. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dotnet-assembly:*mscorlib* List (any of the values): dotnet-assembly:[*iJnJWYUQA*, "NanoCore Client"] |
dotnet-method-name | |
---|---|
Description | Search for .NET files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dotnet-method-name:get_Url List (any of the values): dotnet-method-name:[?oadCompl*, *HoldEnd] |
dotnet-module-id | |
---|---|
Description | Search for .NET files by IDs of modules they contain. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dotnet-module-id:*20DEC3DA-523F* List (any of the values): dotnet-module-id:[*9249F5D0-1821*, *E133ACC7-60C9*] |
dotnet-module-name | |
---|---|
Description | Search for .NET files by names of modules they contain. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dotnet-module-name:*TeSt.exe* List (any of the values): dotnet-module-name:[Posh.exe, adobe.exe] |
dotnet-pinvoke-function | |
---|---|
Description | Search for .NET files by pinvoke functions. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dotnet-pinvoke-function:EncodePointer* List (any of the values): dotnet-pinvoke-function:["EncodePointer", "DecodePointer"] |
dotnet-pinvoke-import | |
---|---|
Description | Search for .NET files by pinvoke imports. Case-insensitive wildcard matching is supported. |
Examples | Exact: dotnet-pinvoke-import:kernel32.dll List (any of the values): dotnet-pinvoke-import:["kernel32.dll", "user32.dll"] |
dotnet-resource | |
---|---|
Description | Search for .NET files by resources they contain. Case-insensitive wildcard matching is supported. |
Examples | Exact: dotnet-resource:"Hidden Tear" List (any of the values): dotnet-resource:[*Orcus*, *Clientloaderform*] |
dotnet-type-name | |
---|---|
Description | Search for .NET files by type names found in them. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: dotnet-type-name:Form1* List (any of the values): dotnet-type-name:[Form1*, NetscapeRevocationUrl] |
elf-section-count | |
---|---|
Description | Search for ELF files by the number of sections they contain. The keyword accepts only integer values. |
Examples | Exact: elf-section-count:5 Range: elf-section-count:[5 TO 15] More than 5: elf-section-count:[5 TO *] |
elf-section-name | |
---|---|
Description | Search for ELF files by names of the sections they contain. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: elf-section-name:*data List (any of the values): elf-section-name:[.rodata, .ndata, .bss] |
elf-segment-sha1 (elf-segment-hash ) | |
---|---|
Description | Search for files by the SHA1 hash of any of their ELF segments. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: elf-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc |
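To produce values for this keyword from a binary you hold locally, the following added Python example (not ReversingLabs code, and not part of this documentation) parses the ELF program headers and hashes each segment's file-backed bytes. It assumes the appliance hashes the region p_offset .. p_offset+p_filesz of every program header; that boundary definition is an assumption, so compare one value against a sample the appliance has already analyzed before relying on it. The sample ELF is constructed inline and is not a working program.

```python
"""Per-segment SHA-1 values for the elf-segment-sha1 keyword.
Added example; not part of Spectra Analyze or its documentation."""
from __future__ import annotations

import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1


def sha1_hex(blob: bytes) -> str:
    return hashlib.sha1(blob).hexdigest()


def elf_segment_sha1s(data: bytes) -> list[str]:
    """SHA-1 of each program segment's file-backed bytes (p_offset .. p_offset+p_filesz).
    ASSUMPTION: this is the region the appliance hashes; verify against a known sample.
    Segments with p_filesz == 0 (e.g. pure .bss) are skipped: they have no file bytes."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]          # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                         # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, off_idx, filesz_idx = end + "IIQQQQQQ", 2, 5   # p_type,p_flags,p_offset,..,p_filesz
    elif ei_class == 1:                       # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        phdr_fmt, off_idx, filesz_idx = end + "IIIIIIII", 1, 4   # p_type,p_offset,..,p_filesz
    else:
        raise ValueError(f"unsupported EI_CLASS {ei_class}")

    digests = []
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_offset, p_filesz = ph[off_idx], ph[filesz_idx]
        if p_filesz == 0:
            continue
        if p_offset + p_filesz > len(data):
            raise ValueError(f"program header {i} points past end of file")
        digests.append(sha1_hex(data[p_offset:p_offset + p_filesz]))
    return digests


def elf_segment_query(data: bytes) -> str:
    """Build the exact or 'any of the values' list form of the keyword for one file."""
    vals = elf_segment_sha1s(data)
    if not vals:
        raise ValueError("no file-backed segments to hash")
    if len(vals) == 1:
        return f"elf-segment-sha1:{vals[0]}"
    return "elf-segment-sha1:[" + ", ".join(vals) + "]"


# CONSTRUCTED sample: minimal ELF64 little-endian x86-64 image with one
# file-backed PT_LOAD segment and one zero-size (bss-like) PT_LOAD segment.
SAMPLE_PAYLOAD = b"\x48\x31\xc0\xc3" + b"\x00" * 12        # 16 bytes of "code"


def build_sample_elf() -> bytes:
    ehdr_size, phdr_size, phnum = 64, 56, 2
    data_off = ehdr_size + phdr_size * phnum                  # payload starts at byte 176
    base = 0x400000
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, base + data_off,    # ET_EXEC, EM_X86_64, e_entry
                                 ehdr_size, 0, 0,              # e_phoff, e_shoff, e_flags
                                 ehdr_size, phdr_size, phnum,  # e_ehsize, e_phentsize, e_phnum
                                 64, 0, 0)                     # e_shentsize, e_shnum, e_shstrndx
    ph_text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, data_off, base + data_off, base + data_off,
                          len(SAMPLE_PAYLOAD), len(SAMPLE_PAYLOAD), 0x1000)
    ph_bss = struct.pack("<IIQQQQQQ", PT_LOAD, 6, data_off + len(SAMPLE_PAYLOAD),
                         0x601000, 0x601000, 0, 0x100, 0x1000)
    return ehdr + ph_text + ph_bss + SAMPLE_PAYLOAD


if __name__ == "__main__":
    print(elf_segment_query(build_sample_elf()))
```

Run it against a real binary with `elf_segment_query(open(path, "rb").read())`; the zero-size segment is skipped deliberately, since hashing an empty byte range would only ever produce the SHA1 of nothing.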
email-from | |
---|---|
Description | Search for files by the sender of an email associated with the file. Includes the "from", "reply-to" and "sender" fields. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: email-from:*@kiski.net List (any of the values): email-from:[*@domain.com, *@orbitz.com] |
email-static (email ) | |
---|---|
Description | Search for files by associated email address(es) detected by Spectra Core. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: email-static:*@Compartir.es List (any of the values): email-static:[*@gmail.com, *@hotmail.com] |
email-subject | |
---|---|
Description | Search for files by the subject of an email associated with the file. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: email-subject:*HackTool List (any of the values): email-subject:[Invitation*, *Nova*] |
email-to | |
---|---|
Description | Search for files by the recipient of an email associated with the file, as specified in the "to" field. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: email-to:*@netnook.com List (any of the values): email-to:[*@dekalb.net, *@rogers.com] |
email-x-key | |
---|---|
Description | Search for files with non-standard header fields, called X-extensions. Security vendors use X-extensions to annotate emails that have been scanned using their product. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: email-x-key:*MDRemoteIP List (any of the values): email-x-key:[*Indiv, *Markup] |
email-x-value | |
---|---|
Description | Search for files by values stored in non-standard (X-extension) header fields. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: email-x-value:?HAILAND List (any of the values): email-x-value:[Produced*, BHUTAN] |
exif | |
---|---|
Description | Search for multimedia files by the contents of their EXIF metadata fields. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: exif:Picasa* List (any of the values): exif:["Paint.NET v3.5.8", Picasa*] |
exploit | |
---|---|
Description | Search for samples that exploit a specific vulnerability, identified by CVE ID either by ReversingLabs or by antivirus scanners. Wildcard matching is supported. |
Examples | Wildcard: exploit:cve-2024-* List (any of the values): exploit:["CVE-2014-0114", "CVE-2018-15982"] |
filecount | |
---|---|
Description | Search for a file by the number of unpacked files it contains (if it's a container). Accepts any integer number. Note: this keyword currently returns only Local samples as results. |
Examples | Exact: filecount:25 Range: filecount:[3 TO 10] More than 20: filecount:[20 TO *] |
filename | |
---|---|
Description | Search for a file by its full or partial file name, or by its extension. Case-insensitive wildcard matching is supported. |
Examples | Exact: filename:notepad.exe List (any of the values): filename:[*.PDF, *.epub] |
firstseen (fs ) | |
---|---|
Description | Search for files by the time they were first analyzed by Spectra Intelligence. Supported time format is UTC timestamp. |
Examples | Exact: fs:2018-04-03T12:58:27Z Range (time period): firstseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z] |
hashes | |
---|---|
Description | Allows mixing different types of hashes in one search query, without the need to explicitly name the hash type or to group hashes by type. All hash types (MD5, SHA1, SHA256) can be used with this keyword. The maximum length of a single query is 1024 characters. The keyword is case-sensitive and doesn't support wildcards. |
Examples | Exact: hashes: <sha1> List (any of the values): hashes:[<sha1>, <sha1>, <md5>, <sha256>, <md5>] |
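Because a single hashes query is limited to 1024 characters, a bulk lookup of a few hundred digests has to be split into batches. The added Python example below (not ReversingLabs code, and not part of this documentation) validates that every value is an MD5, SHA1 or SHA256 hex digest, lowercases it (the page's hash examples are lowercase and the keyword is case-sensitive, so lowercase is assumed to be the stored form), deduplicates, and packs the digests into hashes:[...] list queries that stay within the limit. The quote_value helper applies the quoting rule the page gives for ipv6-static and pdb-path values; the exact set of characters that need quoting beyond colons, spaces and brackets is an assumption.

```python
"""Build Advanced Search list queries that respect the documented limits.
Added example; not part of Spectra Analyze or its documentation."""
from __future__ import annotations

import re
from typing import Iterable

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Spaces, colons and brackets need quoting per the page; the double quote is
# added as an ASSUMPTION about what else the query parser treats specially.
NEEDS_QUOTES = re.compile(r'[\s:\[\]"]')


def classify_hash(value: str) -> str:
    """Return md5/sha1/sha256 for a hex digest, raise for anything else
    (including placeholders such as '<sha1>' pasted from documentation)."""
    if not HEX_RE.match(value) or len(value) not in HASH_LENGTHS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HASH_LENGTHS[len(value)]


def quote_value(value: str) -> str:
    """Wrap a value in double quotes if it contains characters that would
    otherwise break the query (IPv6 colons, spaces in PDB paths or product names).
    Plain values and wildcard patterns such as Form1* are left bare."""
    if NEEDS_QUOTES.search(value):
        return f'"{value}"'
    return value


def list_query(keyword: str, values: Iterable[str]) -> str:
    """keyword:value for one value, keyword:[a, b, ...] ('any of the values') for several."""
    vals = [quote_value(v) for v in values]
    if not vals:
        raise ValueError("no values")
    if len(vals) == 1:
        return f"{keyword}:{vals[0]}"
    return f"{keyword}:[{', '.join(vals)}]"


def hash_queries(hashes: Iterable[str], max_len: int = 1024) -> list[str]:
    """Split an arbitrary mix of MD5/SHA1/SHA256 digests into hashes:[...] queries,
    each within max_len characters (1024 is the documented limit).
    ASSUMPTION: indexed digests are lowercase, so input is lowercased first."""
    clean: list[str] = []
    for h in hashes:
        h = h.strip().lower()
        classify_hash(h)            # validate; raises on junk before anything is sent
        if h not in clean:          # duplicates only waste query budget
            clean.append(h)

    queries: list[str] = []
    batch: list[str] = []
    for h in clean:
        candidate = list_query("hashes", batch + [h])
        if len(candidate) <= max_len:
            batch.append(h)
        elif batch:
            queries.append(list_query("hashes", batch))
            batch = [h]
        else:
            raise ValueError(f"single value exceeds {max_len} characters: {h}")
    if batch:
        queries.append(list_query("hashes", batch))
    return queries


if __name__ == "__main__":
    # CONSTRUCTED input: the digests shown elsewhere on this page, one of them uppercased.
    sample = [
        "76BAA04885EC40AF25294A51D8E7C006",
        "f1a62a7092e49577206b7361bf1a7ff0776bb6a4",
        "116e279b55b58e5b9619aac80a8e85bfa9c839fc",
    ]
    for q in hash_queries(sample, max_len=100):
        print(q)
    print(list_query("ipv6-static", ["2001:db8*", "3731:54:"]))
```

With the real 1024-character limit a batch holds roughly 24 SHA256 digests or 48 MD5s; the example uses a 100-character limit only to show the split behaviour on a handful of values.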
imphash | |
---|---|
Description | Hash based on library/API names and their specific order within the executable. Used to find similar PE files. The keyword doesn't support wildcards. |
Examples | Exact: imphash:f34d5f2d4577ed6d9ceec516c1f5a744 List (any of the values): imphash:[<value1>, <value2>] |
indicators | |
---|---|
Description | Search for files by their static analysis behaviors (indicator IDs). The keyword is case-sensitive and doesn't accept wildcards. The full list of indicator IDs and their descriptions can be found here: https://fileshare.reversinglabs.com/index.php/s/qkGBJNpKzZZitiN |
Examples | Exact: indicators:"2150" List (any of the values): indicators:["2150", "2102"] |
ios-app-name | |
---|---|
Description | Search for iOS applications by their name. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: ios-app-name:FruitNinja* List (any of the values): ios-app-name:[FruitNinja*, *facebook*] |
ios-author | |
---|---|
Description | Search for iOS applications by their author name. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: ios-author:*halfbrick* List (any of the values): ios-author:[*halfbrick*, Apple*] |
ios-package | |
---|---|
Description | Search for iOS applications by their package name. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: ios-package:*FruitNinja* List (any of the values): ios-package:[*FruitNinja*, *facebook*] |
ipv4-dynamic | |
---|---|
Description | Search for files by IPv4 address strings detected by ReversingLabs Dynamic Services. Wildcard matching supported. |
Examples | Wildcard: ipv4-dynamic:192.* List (any of the values): ipv4-dynamic:[1.0.0.0,1.0.2.1] |
ipv4-static | |
---|---|
Description | Search for files by IPv4 address strings detected by Spectra Core analysis. Wildcard matching supported. |
Examples | Wildcard: ipv4-static:192.* List (any of the values): ipv4-static:[1.0.0.0,1.0.2.1] |
ipv6-static | |
---|---|
Description | Search for files by IPv6 address strings detected by Spectra Core analysis. If the address contains colons or brackets, enclose it in quotation marks. Wildcard matching supported. |
Examples | Wildcard: ipv6-static:c* Exact: ipv6-static:"2002::/16" List (any of the values): ipv6-static:["2001:db8*", "3731:54:"] |
lastanalysis (la ) | |
---|---|
Description | Search for files by the date and time of their last AV scan. Supported time format is UTC timestamp. |
Examples | Exact: lastanalysis:2018-05-17T11:27:19Z Range (time period): lastanalysis:[2018-05-17T11:27:19Z TO 2018-05-24T11:27:19Z] |
lastseen (ls ) | |
---|---|
Description | Search for files by the time they were last analyzed by Spectra Intelligence. Supported time format is UTC timestamp. |
Examples | Exact: ls:2018-04-03T12:58:27Z Range (time period): lastseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z] |
macho-import | |
---|---|
Description | Search for MachO files by the names of imported libraries found in them. Case-insensitive wildcard matching supported. |
Examples | Wildcard: macho-import:*/usr/lib/* List (any of the values): macho-import:[/usr/lib/libgcc_s.1.dylib, /usr/lib/libSystem.B.dylib] |
macho-section-count | |
---|---|
Description | Search for MachO files by the number of sections they contain. The keyword accepts only integer values. |
Examples | Exact: macho-section-count:10 Range: macho-section-count:[5 TO 15] More than 5: macho-section-count:[5 TO *] |
macho-section-name | |
---|---|
Description | Search for MachO files by the names of the sections they contain. Case-insensitive wildcard matching supported. |
Examples | Exact: macho-section-name:data List (any of the values): macho-section-name:[bss, common, data] |
macho-segment (macho-segment-name ) | |
---|---|
Description | Search for MachO files by their segment names. Case-insensitive wildcard matching supported. |
Examples | Exact: macho-segment:pagezero List (any of the values): macho-segment:[linkedit, pagezero, text] |
macho-segment-count | |
---|---|
Description | Search for MachO files by the count of segments they contain. The keyword accepts only integer values. |
Examples | Exact: macho-segment-count:30 Range: macho-segment-count:[2 TO 8] More than: macho-segment-count:[11 TO *] |
macho-segment-sha1 (macho-segment-hash ) | |
---|---|
Description | Search for files by the SHA1 hash of any of their MachO segments. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: macho-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc |
macho-symbol | |
---|---|
Description | Search for MachO files by their symbol names. Case-insensitive wildcard matching supported. |
Examples | Wildcard: macho-symbol:f* List (any of the values): macho-symbol:[exit, malloc, umask] |
md5 | |
---|---|
Description | String of hexadecimal digits representing a MD5 hash of the file sample. Keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: md5:76baa04885ec40af25294a51d8e7c006 List (any of the values): md5:[<value1>, <value2>] |
mutex-config | |
---|---|
Description | Search for files by their malware configuration mutexes detected by Spectra Core. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: mutex-config:")!VoqA.I4" Exact: mutex-config:"--((Mutex))--" List (any of the values): mutex-config:[111c, 2124] |
mutex-dynamic | |
---|---|
Description | Search for files by malware configuration mutexes detected by ReversingLabs Dynamic Services. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Wildcard: mutex-dynamic:111c* List (any of the values): mutex-dynamic:[111c, 2124] |
pdb-path (pdb) | |
---|---|
Description | Search for files associated with specific PDB (program database) paths. Used to find files with the same PDB path created during file sample compilation. If the path contains restricted characters, enclose it in quotation marks. |
Examples | Exact: pdb:"D:DevTin7InstallDir" List (any of the values): pdb:["C:Windows", "c:Program FilesPerforce"] |
pe-company-name | |
---|---|
Description | Search for PE files by the contents of their company name field in the version information metadata. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-company-name:*enix List (any of the values): pe-company-name:[microsoft, ADOBE] |
pe-copyright | |
---|---|
Description | Search for PE files by the contents of their legal copyright field in version information metadata. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-copyright:Copyright* List (any of the values): pe-copyright:[*Corporation, regsvr32] |
pe-description | |
---|---|
Description | Search for PE files by the contents of their file description field in version information metadata. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-description:*proged List (any of the values): pe-description:[DisplaySwitch, WizardFramework] |
pe-export (exports ) | |
---|---|
Description | Search for PE files by exported symbol names. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-export:MS* List (any of the values): exports:[GetMemoSize, DeleteFile] |
pe-function | |
---|---|
Description | Search for PE files by the name of the function that the PE file imports. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-function:RegEnum* List (any of the values): pe-function:[RegEnumKeyW, GetUserNameA] |
pe-import (imports) | |
---|---|
Description | Search for PE files by the name of the dynamic link library that the PE file imports. Case-insensitive wildcard matching supported. |
Examples | Exact: pe-import:URLMON.DLL List (any of the values): imports:[win*, url*] |
pe-language | |
---|---|
Description | Search for PE files by the languages declared in their resources. Case-insensitive wildcard matching supported. See Appendix C - Available Languages for PE and Document Formats. |
Examples | Exact: pe-language:russian List (any of the values): pe-language:[eng*, Russian] |
pe-original-name | |
---|---|
Description | Search for PE files by the contents of the original file name field in their version information metadata. The keyword can be used to find out how the file was named at compilation time, regardless of the name it was later distributed under. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-original-name:crack* List (any of the values): pe-original-name:[*install.exe, "sample doc.exe"] |
pe-overlay-sha1 (pe-overlay-hash ) | |
---|---|
Description | Find PE files by the SHA1 hash calculated for their overlay part. Overlay hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. Keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: pe-overlay-sha1:4b4a2436b827d42b204b1f112b45d7a6d1b7ca52 List (any of the values): pe-overlay-sha1:[<value1>, <value2>, <value3>] |
pe-product-name | |
---|---|
Description | Search for PE files by the contents of their product name field in version information metadata. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-product-name:*shop List (any of the values): pe-product-name:[Firefox, "Microsoft Word"] |
pe-resource | |
---|---|
Description | Search for PE files by name or type of resources they contain. Case-insensitive wildcard matching supported. |
Examples | Exact: pe-resource:Properties List (any of the values): pe-resource:[Tcpview, Aboutbox] |
pe-resource-sha1 (pe-resource-hash ) | |
---|---|
Description | Find PE files by the SHA1 hash calculated for their resources part. Keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: pe-resource-sha1:4260284ce14278c397aaf6f389c1609b0ab0ce51 List (any of the values): pe-resource-sha1:[<value1>, <value2>] |
pe-section-count | |
---|---|
Description | Search for PE files by the count of sections they contain. The keyword accepts only integer values. |
Examples | Exact: pe-section-count:15 Range: pe-section-count:[2 TO 10] More than: pe-section-count:[5 TO *] |
pe-section-name | |
---|---|
Description | Search for PE files by names of the sections they contain. The maximum section name length is 8 characters. Case-insensitive wildcard matching supported. |
Examples | Wildcard: pe-section-name:*rdata List (any of the values): pe-section-name:[.Rdata, .Ndata, *rsrc] |
pe-section-sha1 (pe-section-hash ) | |
---|---|
Description | Find PE files by the SHA1 hash calculated for their section part. Section hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. Keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: pe-section-sha1:7640a007e39b487bf1dbbde6487724faa131f6a8 List (any of the values): pe-section-sha1:[<value1>, <value2>, <value3>] |
pe-timestamp (pets ) | |
---|---|
Description | Search for PE files by their compile timestamp, taken from the TimeDateStamp field of the PE header. Supported time format is UTC timestamp. Note that this field is written by the build tool and is trivially zeroed or forged by malware authors, so treat it as a pivot hint rather than ground truth. |
Examples | Exact: pets:2017-06-26T00:00:00Z Range (newer than): pets:[2018-03-06T10:57:29Z TO *] |
sampletype (filetype , type , format ) | |
---|---|
Description | Search for files by type as detected by Spectra Core. Case-insensitive wildcard matching supported. See Appendix B - Supported Sample Types. |
Examples | Exact: sampletype:Image/None List (any of the values): type:[elf*,macho*] |
sha1 | |
---|---|
Description | String of hexadecimal digits representing a SHA-1 hash of the file. Keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: sha1:f1a62a7092e49577206b7361bf1a7ff0776bb6a4 List (any of the values): sha1:[<value1>, <value2>] |
sha256 | |
---|---|
Description | String of hexadecimal digits representing a SHA-256 hash of the file sample. Keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: sha256:f35a3(...)1d2d5 List (any of the values): sha256:[<value1>, <value2>] |
signer-valid-from (cert-valid-from ) | |
---|---|
Description | Search for files that have been signed by certificates whose validity period starts at a specific time. Supported time format is UTC timestamp. |
Examples | Range (valid from a given time onward): signer-valid-from:[2018-03-06T10:57:29Z TO *] |
signer-valid-to (cert-valid-to ) | |
---|---|
Description | Search for files that have been signed by certificates whose validity period ends at a specific time. Supported time format is UTC timestamp. |
Examples | Range (expiring after a given time): signer-valid-to:[2018-03-06T10:57:29Z TO *] |
similar-to | |
---|---|
Description | Search for files that are functionally similar to the requested file hash. Functionally similar files are defined by RHA (ReversingLabs Hashing Algorithm) that identifies code similarity between unknown samples and previously seen malware samples. All hash types (MD5, SHA1, SHA256) can be used with this keyword. Only one similar-to keyword can be used in a single query. The keyword is case-sensitive and doesn't support wildcards. |
Examples | Exact: similar-to: <sha1> |
size | |
---|---|
Description | Search for files by size (in bytes). Accepts integers up to 2147483647. |
Examples | Exact: size:30000 Range: size:[1000 TO 50000] Greater than: size:[500000 TO *] |
software-author | |
---|---|
Description | Search for software packages by their author/publisher. |
Examples | Exact: software-author:"James Newton-King" List (any of the values): software-author:["Amazon Web Services", Microsoft] |
software-description | |
---|---|
Description | Search for software packages by their description. |
Examples | Exact: software-description:"This package consists of multiple activities that simplify the processes in Excel." |
software-package | |
---|---|
Description | Search for specific software packages. The keyword is case-sensitive and doesn't accept wildcards. |
Examples | Exact: software-package:tidal List (any of the values): software-package:[tidal, "AWSSDK.WorkLink"] |
submissions | |
---|---|
Description | Search for files by the number of times they have been submitted for analysis. The keyword accepts only integer values. |
Examples | Exact: submissions:3 Greater than: submissions:[3 TO *] Less than: submissions:[* TO 4] |
tag | |
---|---|
Description | Search for files by metadata tags generated by Spectra Core. Tags identify interesting properties of a sample, such as being packed, password-protected, or digitally signed. See Appendix E - Supported Tags. |
Examples | Exact: tag:packed List (any of the values): tag:[capability-execution, cert, crypto] |
tag-yara | |
---|---|
Description | YARA supports adding custom tags to rules. Files that match those rules get automatically tagged after analysis. This keyword looks for files tagged by YARA rules, including those that were classified by YARA tags ("malicious" and "suspicious"). Case-insensitive wildcard matching is supported. Note that changes to YARA tags are not immediately reflected in search results. For example, if a tag is removed from a YARA rule, it will still return search results until files that match the rule are reanalyzed with Spectra Core. |
Examples | Exact: tag-yara:malicious List (any of the values): tag-yara:[malicious, suspicious] |
taggant-name | |
---|---|
Description | Search for PE files by the name of the packer that was used to pack them, as recorded in the file's taggant. A taggant is a cryptographically signed marker, defined by the IEEE Software Taggant System, that a packer embeds in its output so that the packer and its licensee can be identified. Case-insensitive wildcard matching supported. |
Examples | Exact: taggant-name:themida List (any of the values): taggant-name:[enigma*, vmprotect*] |
taggant-valid-from | |
---|---|
Description | Search for files by the time their taggant was signed. Supported time format is UTC timestamp. |
Examples | Range (newer than): taggant-valid-from:[2018-03-06T10:57:29Z TO *] |
taggant-valid-to | |
---|---|
Description | Search for files by the expiry time of their taggant. Supported time format is UTC timestamp. |
Examples | Range (expiring after a given time): taggant-valid-to:[2018-03-06T10:57:29Z TO *] |
third-party-library | |
---|---|
Description | Search for PE files by the name(s) of third-party libraries they contain. Case-insensitive wildcard matching is supported. |
Examples | Exact: third-party-library:Microsoft.WindowsAPICodePack-Core List (any of the values): third-party-library:[*oak-json*, Microsoft.Web.WebJobs*] |
third-party-publisher | |
---|---|
Description | Search for PE files by publishers of the third-party libraries found in the files. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: third-party-publisher:Microsoft* List (any of the values): third-party-publisher:[Microsoft*, "Xamarin Inc."] |
threatlevel | |
---|---|
Description | Search for files by ReversingLabs scale of threat severity. Higher number indicates higher severity. Accepted values are 0-5. |
Examples | Exact: threatlevel:3 Greater than: threatlevel:[2 TO *] Range: threatlevel:[0 TO 3] List (any of the values): threatlevel:[2, 3] |
threatname | |
---|---|
Description | Search for files by malware threat name, following Appendix A - ReversingLabs Malware Naming Standard. Case-insensitive wildcard matching supported. |
Examples | Exact: threatname:Win32.PUA.Casonline List (any of the values): threatname:["WIN32.PUA.casino eldorado", *crytex] |
trustfactor | |
---|---|
Description | Search for files by the ReversingLabs trust factor. Trust factor indicates the trustworthiness of files. Lower number means higher trust. Accepted values are 0-5. |
Examples | Exact: trustfactor:1 List (any of the values): trustfactor:[4, 5] Range: trustfactor:[1 TO 3] Greater than: trustfactor:[3 TO *] |
uri-config (c2 ) | |
---|---|
Description | Search for files by the C&C (Command & Control) URIs extracted from their malware configuration by Spectra Core. C&C infrastructure is used to control malware, particularly botnets. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: c2:*dns* List (any of the values): uri-config:[dydns.org, hldns.ru] |
uri-dynamic | |
---|---|
Description | Search for files by URI strings (URLs, domains) detected by ReversingLabs Dynamic Services. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: uri-dynamic:mozilla.org* List (any of the values): uri-dynamic:[*.tor,*.onion,*.exit] |
uri-source (itw ) | |
---|---|
Description | Search for files by the URI source from which they were downloaded. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: uri-source:*warez* List (any of the values): itw:[softonic.com, *cnet.com] |
uri-static | |
---|---|
Description | Search for files by URI strings (URLs, domains) detected by Spectra Core. Case-insensitive wildcard matching is supported. |
Examples | Wildcard: uri-static:mozilla.org* List (any of the values): uri-static:[*.tor,*.onion,*.exit] |
vertical | |
---|---|
Description | Search for files by the type of vertical feed in which they were found. Case-insensitive wildcard matching is supported. |
Examples | Exact: vertical:ransomware List (any of the values): vertical:[ransomware,apt,financial] |
Supported File Types and Subtypes
Audio | MZ | PE+ |
---|---|---|
Binary | MachO32 Big | PE16 |
DEX | MachO32 Little | PE32 |
Document | MachO64 Big | PE32+ |
ELF32 Big | MachO64 Little | Text |
ELF32 Little | Media Container | Unknown |
ELF64 Big | None | Video |
ELF64 Little | PE | Image |
Audio/Archive | Image/RAS | Text/Batch |
---|---|---|
Audio/HTML | Image/TIFF | Text/CCPP |
Audio/None | Image/XCF | Text/CMake |
Audio/Unknown | Media_Container/None | Text/CSS |
Binary/Archive | MZ/DOS | Text/CSharp |
Binary/None | MachO32 Big/Bundle | Text/Clojure |
Binary/Unknown | MachO32 Big/Exe | Text/CoffeeScript |
Binary/.Net | MachO32 Big/None | Text/Common Lisp |
Binary/.Net | MachO32 Big/SO | Text/D |
Binary/.Net | MachO32 Little/Bundle | Text/Dart |
Binary/Executable | MachO32 Little/Core | Text/Eiffel |
Binary/HTML | MachO32 Little/Exe | Text/Emacs Lisp |
Binary/Relocatable | MachO32 Little/None | Text/Erlang |
Binary/SO | MachO32 Little/SO | Text/FORTRAN |
Binary/VXD | MachO64 Big/Bundle | Text/FSharp |
DEX/Exe | MachO64 Big/Exe | Text/Factor |
Document/Archive | MachO64 Big/None | Text/Go |
Document/HTML | MachO64 Big/SO | Text/Groovy |
Document/None | MachO64 Little/Bundle | Text/HTML |
Document/Unknown | MachO64 Little/Core | Text/Haskell |
ELF32 Big/Core | MachO64 Little/Exe | Text/Java |
ELF32 Big/Exe | MachO64 Little/None | Text/JavaScript |
ELF32 Big/None | MachO64 Little/SO | Text/LLVM |
ELF32 Big/Relocatable | Media Container/DOS | Text/Lua |
ELF32 Big/SO | Media Container/Dll | Text/Makefile |
ELF32 Little/Core | Media Container/Exe | Text/Matlab |
ELF32 Little/Exe | Media Container/None | Text/Nix |
ELF32 Little/None | Media Container/Unknown | Text/None |
ELF32 Little/Relocatable | None/None | Text/OCaml |
ELF32 Little/SO | None/DLL | Text/Objective-C |
ELF64 Big/Core | None/DOS | Text/PHP |
ELF64 Big/Exe | None/Exe | Text/Pascal |
ELF64 Big/None | None/HTML | Text/Perl |
ELF64 Big/Relocatable | None/Relocatable | Text/Perl6 |
ELF64 Big/SO | None/SO | Text/PowerShell |
ELF64 Little/Core | None/VXD | Text/Python |
ELF64 Little/Exe | PE+/.Net Dll | Text/R |
ELF64 Little/None | PE+/.Net Exe | Text/Ruby |
ELF64 Little/Relocatable | PE+/Dll | Text/Scala |
ELF64 Little/SO | PE+/Exe | Text/Scheme |
Image/Archive | PE/.Net Dll | Text/Shell |
Image/Dll | PE/.Net Exe | Text/Smalltalk |
Image/Exe | PE/Dll | Text/Smarty |
Image/None | PE/Exe | Text/Swift |
Image/Unknown | PE/VXD | Text/Tcl |
Image/BMP | PE16/Dll | Text/TeX |
Image/DCM | PE16/Exe | Text/TypeScript |
Image/GIF | PE32+/DLL | Text/Unknown |
Image/JNG | PE32+/Executable | Text/VBA |
Image/JPEG | PE32/DLL | Text/VHDL |
Image/MNG | PE32/Executable | Text/Verilog |
Image/PBM | PE32/VXD | Text/VimL |
Image/PCT | Text/Acrobat JavaScript | Text/Visual Basic |
Image/PGM | Text/ActionScript | Unknown/Unknown |
Image/PNG | Text/Ada | Video/Archive |
Image/PPM | Text/Archive | Video/None |
Image/PSD | Text/Assembly | Video/Unknown |
AbletonAMXD | AbyssAHX | AceAM |
---|---|---|
ActionamicsAST | AdlibA2B | AdlibA2F |
AdLibA2M | AdlibA2P | AdlibA2T |
AdLibBAM | AdLibBNK | AdvancedInputAIR |
AERO | AkaiAudioAKP | AMComposerAMC |
AmigaStudioSOUND | AMRWB | AmusicADM |
AmusicXMS | ANMAREDAMU | AppleCAF |
AProSysAPS | AtariAVR | AtariDVSM |
AtariSC68 | AtariSNDH | AtariYM |
AU | AudibleAAX | AudioBCSTM |
AudioBFSTM | AudioBONK | AudioDXM |
AudioIDSP | AudioKRAW | AudioLA |
AudioMLD | AudioSculptureADSC | AuditionABM |
AuroraBMU | AVMAPEX | AYAmadeusAMAD |
AYSTRC | AZX | BarsAndPipesGCHONE |
BarsAndPipesGCHORD | BarsAndPipesSONG | BeathovenSynthesizerBSS |
BeaverSweeperGTK | BeepolaBBSONG | BenDaglishBDS |
BeniTrackerPIS | BeRoTrackerBRT | BISWSS |
BlackAndWhiteSAD | BleeperBMM | BoomTrackerCFF |
CapcomQSOUND | CBA | CDDA |
ChipSoundAY | ChiptuneMTC | ChiptunePSG |
ChiptuneTFC | CompactCPT | CoreDesignCORE |
CreativeLabsCMF | CreativeLabsSBI | CreativeLabsVOC |
CreativeMusicORG | CreativeNVF | CreativeSC4 |
CreativeVOC | CricketCKB | CryoAPC |
CubicTinyMXM | CybertrackerC64CT | CyberTrackerCI |
DaveLoweDL | DavidHanneyDH | DavidWhittakerDW |
DeFyDTM | DelitrackerCustomCUS | DeltaMusic2DM2 |
DeltaMusicDLM | DeluxeINSTR | DFMAudio |
DiamondWareDWD | DIGIBooster | DigiBoosterXPK |
DigitalMugicianDMU | DigitalSoundDSM | DigitalSpeechDSS |
DigitrakkerIST | DigitrakkerMDL | DigitrakkerSLP |
DigitrekkerDTM | DisorderTrackerPLM | DLS |
DolbyMLP | DreamstationDSS | DrumTrakerDTL |
DSDAudio | DSMIAMF | DVF |
DynamicSynthesizerDNS | EarAcheEA | EdiusEWC2 |
EdLibD00 | ElecbyteSND | ElectronicMusicSystemEMS |
EmuEmaxsynthEZ2 | EmuEmulatorEZ3 | EncoreENC |
EnsoniqECW | EveryonePianoEOP | EveryonePianoEOPM |
ExoticXAD | ExtraSimpleXSM | ExtremeTrackerAMS |
FaceTheMusicFTM | FamiTrackerFTM | FarandoleComposerFAR |
FarandoleF2R | FarandoleFPT | FarandoleFSM |
FashionTrackerEX | FastTrackerXM | FaustMusicSNG |
FCMPackerFCM | FineArtistSND | FLAC |
FLStudioDMPTRN | FLStudioGMSYNTH | FLStudioKIK |
FMFMT | FMODFSB | ForgottenWorldsFW |
FruityloopsFLP | FuchsTrackerFUCHS | FunComISS |
FunkTrackerFNK | FutureComposerSMOD | FuturePlayerFP |
FutureVisionCMP | FuxoftFXM | GameboyGBR |
GameboyGBS | GenericHeaderGENH | GlueMonGLUE |
GoatTrackerSNG | GoatTrackerSNG | GraoumfGTK |
HalionFXB | HCOM | Headspace |
HippelHIPC | HippelSOG | HivelyTrackerHVL |
HowieDaviesHD | HudsonHES | HumanMachineHMP |
ImagoIMF | IMPlayISS | ImpulseTrackerIT |
IMY | InfinityACM | InfinityWAVC |
InStereoIS | InStereoIS20 | IvonaDAT |
IxalanceIXS | JamCrackerJAM | KandinskyKMP |
KaraBoxMKF | KatorzerKAT | KawaiSDF |
KexisKXS | KingtrackerFMK | KlystrackKI |
KlystrackKT | KonamiKSS | KorgKSF |
KorgSNG | LaytonMODS | LegglessLME |
LiquidLDS | LiquidLIQ | LiquidLQT |
LiveForSpeedENG | LiveForSpeedRAD | MacromediaSWA |
MadTrackerMT2 | MagneticSND | MarkIIMII |
MarkIIMK2 | MASIMUS | MasterTrackerMTR |
MaxonMAGICHSN | MaxTraxMXTX | MCMD |
MDC | MegastationMS | MegatrackerMGT |
MeridianOPL | MIDI | MidiMazeMZE |
MikModUNI | MiniVMINIBANK | MIOCompressorMIO |
mkwACTMKW | MlatMAD | MMF |
MMFWSND | Mod2PSG2PSGMOD | MonkeyAPE |
MonotoneMON | MoonBlasterMW | MoonDriverMDR |
MP (MP1/MP2/MP3) | MPU401MTK | MSVTrackerINS |
MSXMIO | MSXProtrackerPRO | MsxSBK |
MsxSBM | MsxSBP | MsxSBS |
MT32 | MultakMUK | MultiTrackerMTM |
MUSFile | MusicEditorMED | MusiclineML |
MusicMakerIP | MusicMakerMM8 | MusXMUSX |
MVSTrackerMUS | MVXModuleMVM | NerdTrackerNED |
NESTrackerNEST | NintendoBFSAR | NintendoChiptuneNSFE |
NintendoDS2SFLIB | NintendoNSF | NistSPH |
NoiseTrekkerNTK | NokiaXMF | NoteSOP |
NovastormMediaFile | NovoTradeNTP | NTRQSAV |
ObisynthOSP | OctaMEDMMD | OGG |
OggOpus | OktalyzerOKTA | OnyxTrackerOMF |
OokTrackerTOAST | OptimFROGOFR | OrganyaORG |
OrionSamplerOSP | PalladixPLX | PCMSOX |
PhilipsDRM | PistonCollagePTCOP | PistonCollagePTTUNE |
PlayerProMAD | PlaystationPSF | PlaystationVAB |
PlaystationVAG | PMD | PolytrackerPTM |
PowerTrackerPT | ProlinePVD | PropellerheadRBS |
PropellerheadRNS | PropellerheadRPS | PropellerheadRX2 |
ProrunnerPRU2 | ProtrackerMOD | ProTrackerPSM |
ProtrackerPT3 | ProtrackerPT36 | ProtrackerStudioPS16 |
ProTrekkr2PTK | PsionWVE | PSModulePSM |
PsyclePSY | PuavoHardPHPIMC | PuavoHardPHPIMCI |
QuadraComposerEMOD | QualcommQCP | Quartet4Q |
RA | RamTrackerTRK | RealityAdLibTrackerRAD |
RealTimeEFF | RealTimeMID | RealTrackerRTM |
ReasonSong | RenoiseTrackerRNS | RMID |
RMP3 | RolandSVD | SACDTOC |
SamplevisionSMP | SatcoSDX | SBStudioPAC |
ScreamTrackerS3M | ScreamTrackerSTM | ScrullSMF |
SegaADX | SegaGYM | SegaSGC |
SegaVGM | SequencerONE | SFK |
ShakeTrackerST | ShroomSHO | SID |
SkaleTrackerSKM | SlightAtariSAP | SndToolSNDT |
SnesSPC | SongHMI | SonicArrangerInstrument |
SonicArrangerSA | SonyOMA | SonySoundForgeSFI |
SoundBlasterIBK | SoundClubSN2 | SoundFXTrackerSFX |
SoundtrackerST26 | SpchCompSPC | SpeechLabNSP |
SpeechLabSD | SpidermanWBK | SquareCSW |
SquareEnixSCD | SquirrelSQM | Star3ST3 |
StarkosSKS | StartrekkerNT | SuntronicSUN |
SunVoxSUNSYNTH | SunvoxSUNVOX | SuperJAMBAND |
SuperJAMCHORDS | SuperJAMDRUMMAP | SuperJAMINSTRUMENT |
SuperJAMKEYBOARD | SuperJAMPATCH | SuperJAMSONG |
SurpriseAdLibSAT | SymbOSSKM | SymphonieSYMMOD |
SynderPlayerSNG | SynthesisSYN | SynTrackerSYNMOD |
TaijinTJN | TCBTrackerTCB | TechnoSoundTRACK |
TFMMusicMaker2TFE | ThePlayerP | THXTrackerINS |
TrackerAON | TrackerAST | TrackerEMOD |
TrackerGDM | TrackerpackerTP3 | TrackJOY |
TRSi | TSSAudio | TTA |
TurtleBeachPBF | TwinVQVQF | TwZTSM |
UltratrackerULT | VectordeanINS | VectordeanRJP |
VelvetStudioAMS | VentriloVRF | VGMMusicMakerVGE |
VirtualDJVDJ | VivaldiBIN | VortexVT2 |
VSamplerVSB | WAV | WaveZIPMCP |
WavPackWV | WeChatAUD | WiiBRSAR |
WiiBRSTM | WiiRSEQ | XACTXSB |
XACTXWB | XTrackerDMF | YamahaS1M |
YamahaS1V | YamahaTXW | YamahaVIC |
YamahaW9E | YMSTAudio | ZTrackerZT |
ZyxelZYX |
3DConstruction3AD | 3DConstruction3BD | 3DConstruction3FD |
---|---|---|
3DConstruction3OD | 3DConstruction3SD | 3DConstructionKWD |
3DConstructionOBJ | 3DConstructionRUN | 3Demon3DEMON |
3DXplorMathSURF | ABBYYAMD | AbilityXDB |
AbracadataAIG | AC3DGeometryAC | ACCAReaderAR |
AccelMAC | AccelPCB | AccelSCH |
ACTDocumentWPA | AdobeAFM | AdobeASE |
AdobeCFF | AdobeDimensionsDIM | AdobeFDF |
AdobeFM | AdobeJXSBIN | AdobeLST |
AdobeMIF | AdobePDX | AdobePFA |
AdobePFB | AdobePFM | AdorageSCP |
ADU | AegisPSET | AegisSET |
AffixAFF | AIBBLOG | AllenQuestQRM |
AltiumLDP | AmateurADI | AmigaguideINDEX |
AmigaKontoPREFS | AMOSSRC | AncestralPAF |
AntennaADF | AOP | ApabiXEB |
ApplauseB | ApplauseHLP | ApplauseINI |
ApplauseW | AppleNewtonPKG | ApricotKB |
ArcExplorerAEP | ArcgisE00 | ArcgisPRJ |
ArenaABK | ArtemisAPR | AshampooASHPRJ |
AskEnvREQ | ASpellRWS | AtariHYP |
AthenaATH | AtherosPRF | AutexEXP |
AutoCADSTL | AutodeskFAS | AutoPromptPMT |
AutoshadeRND | AvanquestPVN | AVGControlCTF |
AVGSTB | AvidemuxIDX2 | AvsFLD |
AWM | AxialisSSP | AzzcardfileTMP |
BackItCFG | BagpipeBWW | BBeBLRF |
BeepFXSPJ | BelltechSBPF | BeyondDOC |
BiewXLT | BioHMMER | BioRad1SC |
BiosymCAR | BiosymDMOL | BlackWidowWEB |
BluRayBDM | BlurayMPLS | BMFontFNT |
BookIMP | BoomBoxBOX | BoostTXT |
BrainBoxBBX | BrainVisionVHDR | BrainVisionVMRK |
BSWriterBSW | Cabri3DCGL | Cabri3DMAC |
CAD6MKD | CadsPlannerDRW | CAJViewerKDH |
CakewalkMAC | CakewalkOVE | CalamusATT |
CalamusCCT | CalamusCDK | CalamusCDV |
CalamusCRI | CalamusCRL | CalculuxAreaCAR |
CalculuxIndoorCIN | CalculuxRoadCRO | CarraraCAR |
CarraraCBR | CascadeBRP | CCDOPSSBIG |
CebraTeletextTTX | CelestiaTXF | CentralPointHLP |
CFASTIN | CHAOSultdGEMCHS | ChemDrawCTR |
ChemicalC3D | ChemicalCML | ChemicalCTAB |
ChemicalISTR | ChemicalRDF | ChemicalVAMAS |
CICALCCIC | CineMorphPROJECT | CirCAD |
Citect001 | CloneCDCCD | CLUSTALWALN |
CMNPhonebookPHB | CocoFlowsheetFSD | ColoFontMakerCFM |
ComicLifeCOMICDOC | CompaqCVA | CompleteGenomicsTSV |
ConceptDrawCDD | CoolPageCPG | CorelCSW |
CorelFIN | CPBackupCFG | CreateaQuizQZ |
CrimsonSRC | CrystallographicCIF | CWK |
CWorthyCWA | CytometryICS | DALayoutDIP |
DartDesktopDSK | DatabaseProDB | DatabenchMSK |
DeclanXWF | DeepBurnerDBR | DeledDMF |
DelphiDDP | DeltacadDC | DemoManiacSCRIPT |
DescribeDOC | DesktopGuitaristDTG | DexDriveGME |
DGindexD2V | DigiMemoDHW | DISGCLGCL |
DisneyXPO | DJVU | DocumentYAML |
DogwaffleOPT | DraftChoiceDCW | DRCRulesExportRUL |
DrWebLST | DuxburyDXB | DuxburyDXP |
DVDAuthorGUIDVA | DynaDocWDL | EagleEPF |
EagleUSR | EarthResourceERS | EaseCalcformCAL |
EasyCADECW | EasyCADFCD | EasyPlotEP |
EasyPrintFD2 | EclipseNOT | EDGEDiagrammerEDG |
EEDrawEED | EEDrawLIB | ElasticER |
ElectronicEBX | EmEditorESY | EnableOfficeSuite |
EncryptedBibleIDX | EndNoteENF | EndNoteENZ |
EnergyPlusEPW | EnoteBWS | EntrustEPF |
EnVisionEVP | EnvoyEVY | EphemerisE |
ErdasRAW | EurekaLogELF | ExpressCalcCAL |
ExpresswarePDF | EZSynthesizerSET | EZTEXTBIN |
FacetFACET | FanucMEM | FarallonRPL |
FastCADFCD | FastcadFCW | FastFindFFL |
FFMPEGFramehash | FiascoFCO | FIDAPFDNEUT |
FidocadFCD | FidocadFCL | FidocadFCM |
FIGfontFLC | FIGfontFLF | FinalCalcSHEET |
FinaleETF | FinaleMusicMUS | FirstChoiceSS |
FlatpakREF | FlowFCS | FLStudioTKP |
FontSpeedo | Foobar2000FPL | FormulaFRM |
FreeHideFolderFHF | FullTiltDAT | FurcadiaDS |
FusionDDS | GambitEFG | GambitNEU |
GambitNFG | GasteigerCTX | GaussianCUBE |
GdalVRT | GeDRW | GenepixATF |
GenstatGWB | GeometerGSP | GhostscriptUPP |
GimpGFIG | GimpGGR | GimpGPL |
GMSHMSH | GNUREC | GoBeProductivePVE |
GObjectTYPELIB | GoCadGOCAD | GoldenSoftwareGRD |
GoodWayGWP | GpstunerGMI | GraalOnlineNW |
GraphicWorksDVG | GraphingCalcGCF | GraphtecGDS |
GravisFBD | GreatValleyMAP2VIDEO | GSColorMapCLR |
GUEmapGMP | GuitarProGP | HamicHMC |
HangulHWP | HaptekHAP | HardDisk000 |
HarmonyCSV | HarvardCHT | HarvardGraphics |
HarvardSH3 | HarvardSHW | HausDesignWDS |
HclabHCG | HealthLevelHL7 | HelpMagicianHLX |
HelpMagicianHMP | HelpScribbleHSC | HeroQuestQST |
HexelsXML | HL7BEDGRAPH | HL7BIGBED |
HL7BIGWIG | HL7BROADPEAK | HL7GAF |
HL7GFF | HL7GPAD | HL7GPI |
HL7GTF | HL7NARROWPEAK | HL7TDF |
HL7VCF | HL7VCF4 | HLGuardZCFG |
HLP | HNSkyAST | HNSkyCMT |
HNSkyHND | HomeAccountsHA2 | HoudiniHIPNC |
HTA | HxCCFG | HxCFPF |
HydrocadHCP | HyperchemHIN | IAGE |
IBMLWP | IBMSoftcopyBKI | IBMSoftcopyBKS |
IBMSoftcopyBOO | IBMWritingDOC | ICEReaderIBK |
idMASCFG | IEEESDF | IesnaIES |
IgorProIGTX | iMovieIMOVIEPROJ | IMSMusicLST |
IncredimailIMB | INDD | Index3by5MAP |
IndianMusicOnlineMIA | InfoMagicIMR | InformativeCSF |
InnoDAT | InnovMetricPOL | InpageINP |
InputGMV | Interfile | InternetShortcut |
InterTalkPHONE | IQY | IsisDSN |
IsogenPCF | ITSFileITS | JacksumJACKSUM |
JapaneseJWP | JasspaEMF | JavaJAD |
JBuilderPME | JCreatorJCP | JwCadJWC |
KaraokeKSL | KChessKCH | KDMDESKTOP |
KDPlayerKDS | KiCadBRD | KiCadDCM |
KiCadLIB | KiCadMOD | KiCadPHO |
KiCadSCH | KindleTopazAZW1 | KlasikRES |
KlasikTAB | KlasikTTB | KlasikTXK |
KSpreadsheetSPD | LabviewLVM | LegatoLSS |
LextekLID | LightWaveENV | LightWaveLWS |
LightWaveMOT | LimboSBL | LipsyncGPO |
ListGeoLGO | LogistixMSG | Lotus123 |
LotusHLP | LotusLWP | LotusManuscriptDOC |
LotusPRE | LotusSTF | LotusWK1 |
LotusWK3 | LotusWK45 | LotusWKS |
MacromediaJSFL | MagicDrawMDR | MagicqSHW |
MathCADMCF | MathematicaNB | MathML |
MatrixMTX | MaxiDeskBOOK | MaxonWordDOK |
MechwarriorFIT | MediaforgeXMFG | MediaPlayerMPCPL |
MerrianWebsterPDB | MesaM2 | MessengerPlusPLD |
MetasequoiaMQO | MicroarrayPCL | MicroImagesGPS |
MicrosoftBLKey | MicrosoftExcel | MicrosoftIDENTIFIER |
MicrosoftMathGCW | MicrosoftPowerPoint | MicrosoftPublisher |
MicrosoftREG | MicrosoftTASK | MicrosoftWord |
MicrostationMAT | MicrostationPAL | MidasMCB |
MightyDrawMIG | MikroTikRIF | MinimigCFG |
MinitabMTP | MinitabMTW | MNITransformXFM |
MoldenOGL | MopFileMOP | MosaicHOT |
MotionBVH | MotorolaSKI | MovieMagicMMSW |
MovieSetterPROD | MoxcelMXL | MozartMZ |
MozartMZP | MSCNastranWM3 | MSeBookReaderLIT |
MSFlightCFG | MSOneNoteONE | MSQuickBasic |
MSRemoteDesktopRDP | MSXHomeCCW | MUIBuilderMUIB |
MultiBitINFO | MultiBitKEY | MusicNotationABC |
MutationMAF | NasaLBL | NascarSCN |
NativeInstrumentsNBKT | NatronNPS | NaviterCUB |
NearlyRawNRRD | NecromancerDLG | NeoBookPUB |
NeoPaintPAL | NetCDFCDL | NetfabbFABBPROJECT |
NetwareMSG | NeuratronOPT | NeutralFNF |
NextSTARTWST | NexusNEX | NHTSAUDS |
NimbleGenNDF | NimbleGenNGD | NJStarNJX |
NonoPocketNGB | NortonNCD | NovellNAB |
NTFMapFileNTF | NucleotideEMB | NUTSMAC |
OCPlayCFG | OlitextNTP | OlitextOTX |
OmniPage | ONTX | OpenColorIOOCIO |
OpenDocumentChart | OpenDocumentDatabase | OpenDocumentFormula |
OpenDocumentGraphics | OpenDocumentImage | OpenDocumentMaster |
OpenDocumentPresentation | OpenDocumentSpreadsheet | OpenDocumentText |
OpenDocumentWebPage | openEHRADL | OpenOfficeDatabase |
OpenOfficeFormula | OpenOfficeGraphics | OpenOfficeHTML |
OpenOfficeMaster | OpenOfficePresentation | OpenOfficeSpreadsheet |
OpenOfficeText | OpenZIM | OperaADR |
OpticalVMD | OPVaultFormat | OracleTRM |
orCADOPJ | OrenZGT | OS2HLP |
OsuScriptOSU | OutlookEmbeddedMSG | OvationDPD |
OziExplorerEVT | OziExplorerMAP | OziExplorerPLT |
OziExplorerPNT | OziExplorerRTE | OziExplorerWPT |
PageFocusDVE | PageStreamPGS | PaintShopProPAL |
PalmSGDAT | PanoramaDEMSET | PanoramaSET |
PaperPortFSS | PaperPortMAX | ParacadDRG |
PascalTPH | PascalU | PCTypeMAC |
PeachCalcCAL | PeakInformationFile | |
PerformFPK | PersonalFontDEF | PersonalFontMCR |
PFSWriteDOC | PGPASC | PGPPrivKey |
PGPPubKey | PGPSIG | PhotodexPSH |
PhotomergePMG | Photoparade4PP | PhredPHD |
PhysicsEditorPES | PingPlotterPPX | PiXCLPAL |
PixelformersPFCOLORS | PlatinenBIB | PlatinenMAC |
PlatinenPLA | PMDrawPMD | PocketTanksBBK |
PocketTanksEMI | PolyfilmPRF | PortableBridgePBN |
PostscriptPPD | PowerBasicPB | PowerBASICPBH |
PowerTabletTEMPLATE | PowerTranslatorMTP | PowerWindowsPW |
PremierePTL | PressWorksDTP | PrimaveraXER |
ProcessMonitorPML | ProEngineerASM | ProEngineerDRW |
ProEngineerFRM | ProEngineerPRT | ProEngineerSEC |
ProfiCADPPD | PropellerheadREMOTEMAP | ProSpacePSA |
ProtextCFG | PsionAGN | PsionSPR |
PsionTCR | PsionWRD | psitreeCONF |
PTCCreoMTL | PtcEngineerPRT | PTCIGES |
PufferAPUF | PwrDevVD | QandADOC |
QlikViewQVW | QuarkExpress | QuarkImmediaIMD |
QuartusCSF | QuartusDBINFO | QuartusFSF |
QuartusJCF | QuartusQWS | QuartusSSF |
QubicleQEF | Quick3DQ3C | QuickenQIF |
QuillDOC | RaddeveloperRAD | RaddeveloperRCS |
RagtimeRTD | RDF | RDSWarriorINT |
ReactionRD | ReactionRXN | RealArcadeRGS |
RealCADDRCAD | RealdrawRDW | RealRAM |
ReaperRPP | RebelMVS | RebelPCS |
RebelRB2 | RegCleanerRLG | RemoteKeysRKP |
ReSourceRCL | RhinoRWS | RichardsBridgePBN |
RigakuRAS | RocketbookRB | RolandRLG |
RTF | SAP2000SDB | SaxonSP |
ScreenSwiftSSP | SDIF | SDTSDDF |
SeeYouNDB | SequenceGENBANK | SequencerSRC |
SettingContent | SFXCALC | SGRIDDLER |
ShandaSNB | ShapefilePRJ | ShelxRES |
ShiftSH | SiagOfficeSIAG | SIDPLAYSID |
SiemensLOG | SietronicsCPI | SilkExplorerPEX |
SimStructureSIM | SlimShowSS | SmartCAMSMF |
SmartdrawSDR | SmartnoteNOT | smARTWORKPCB |
SNNSCFG | SNNSNET | SNNSPAT |
SNNSRES | SnoopTraceSNOOP | SoftImageXSI |
SolaceSVT | SoldatBOT | SosimapSOS |
SpaceyesSPV | SpectralSPA | SpectraSuitePROCSPEC |
SplashIDVID | SplineSFD | SQLWindowsAPT |
SSHKey | StanfordOP2 | StarLogoSLOGO |
StarLogoSLTNG | StarOffice | StarViewSVM |
StarWriterSDW | StatisticaSCR | StatisticaSTA |
StatlerQLI | StepManiaCRS | STKFN |
STKGD | StockholmSTK | StudentWritingLT |
StuntsDAT | StuntsTRACK | STWriterTXT |
SupercalcCAL | SuperTuxSTSG | SweetScape1BK |
SwordsSHIPSECTION | SYLK | SymantecGRD |
SymantecQAIDX | SymantecQAQWT | SymbOSDOX |
TagwriteTWW | TCruiseTCD | TDIFormatTXT |
TeamviewerTVC | TektronixEWFM | TektronixTPG |
TempusTWD | TextmakerTMD | TextpipeFLL |
TextPlusTXP | TheGraphicsStudioDAT | TheSpreadsheetTS1 |
ThinEdgeM15 | ThinmanagerDB | TinkerplotsTP |
TINspireTNS | TINspireTNSP | TIWorkbookTII |
TK3eBookTK3 | TkSolverTK | TNTMipsRVC |
TomTomDAT | TopocadPXY | TOPODAT |
Torrent | TotalAnnihilationFBI | TotalProjectPRJ |
TPlotPLT | TQSLCertTQ5 | TracerCADAK |
TreeDBNotesTREEDB | TreeGenerator3DTGF | TreeGeneratorTGF |
TRIMTR5 | TulipTLP | TurbiscanLAB |
TurboCDSK | TurboDebuggerTD2 | TurboPascalDSK |
TurboPascalHLP | TurboprintTPM | TurboSilverSCR |
TwistM | UCSCChain | UCSCMAF |
UCSCNET | UCSCSNP | UCSCWIG |
UniqueSMP | UniversalDataLink | URLX |
USGSDOQ2 | VBDOSBAS | vCalendarVCS |
vCardVCF | VectorFieldOOMMF | VectorMapCXF |
VideoCreatorVID | VirtualCDVBL | VirtViewerVV |
VisiCADWKF | VistaCameraSCRIPT | VistaSES |
VisualStudioDSP | VisualStudioDSW | VisualStudioPROJ |
VisualStudioSLN | VisualStudioVSZ | VivaSTORY |
VuforiaQCAR | VuzeFileVUZE | WAPBookmarkVBM |
WavefrontMTL | WeaponWEAP | WebVideoVTT |
Whisper32WSP | WillMakerWW5 | WinampLKS |
WinampM3U | WinampQ1 | WinampSPS |
WinCatCAT | WindevWDE | WindowsCPX |
WindowsNTB | WineREG | WinFlashFLS |
WingzSCZ | WingzWKZ | WinkWNK |
WinOnCDCPJ | WintecTK1 | WintecTK2 |
WintecTK3 | WintracWTF | WinUAECACHE |
WinWorks | WohnungsPlanWDS | WolfWOL |
WordPerfect | WordStar5 | WordStarTBL |
WordStarWS2 | WorkbenchEWB | WorksheetBuilderWSS |
WorldConstructionCLD | WorldConstructionOBJ | WorldConstructionPAR |
WorldConstructionPREFS | WorldConstructionPROJ | WorldConstructionWVE |
WorldMachineDEV | WorldMachinePRE | WorldMachineTMD |
WritersBlockWBK | WRL | WS |
XACTXAP | XaraWIX | XaraXWS |
XCADSFT | XemiComputersADC | XenoDreamXEP |
XilinxNGC | XilinxNPL | XMP |
XPilotXP2 | XPlaneAFL | XWindowsXPM |
XWinPlotXWP | YsFlightDNM | YsFlightFLD |
YsFlightSRF | ZBrushGOZ | ZenographicsZJS |
ZenWorksAXT | ZeroGZEG | ZeroXZCO |
ZillionsZSG | ZilogZWS | ZXEditorZXE |
ZXEditZED |
AbilityAPX | AbyssAEI | ACIS |
---|---|---|
ACRNEMA | AdexIMG | AdobeATF |
AdorageADO | AdvancedLayouterMUS | AEC |
AegisDRAWING | AegisGEO | AIC |
AIMPACS4 | AKVISSTROKES | Aladdin4D |
Aladdin4DF | ALB | AlchemyHSI |
AlibreSTL | AmapiA3D | AmapiXSH |
AmiDrawSDW | AMIGRFX | ANI |
ANIMagicMAP | AOLART | ApplauseG |
ApplauseP | ApplausePAL | AppleDFONT |
ApplixwareAG | ArchiCAD | ArmAModelP3D |
ARRIRAWARI | ArtCAMART | ArtCAMRLF |
ArtsAndLettersGED | Atari3D | AtariAPP |
AtariCCI | AtariGFB | AtariINT |
AtariMPP | AtariPIC | AtariRGB |
AtariRIP | AtariSTIC | ATFSTL |
Autodesk3DS | AutodeskCTB | AutodeskDXF |
AutodeskFBX | AutodeskSHX | AutodeskWIRE |
AVIF | AwardEPA | BCIF |
BinvoxImageBINVOX | BitmapAIPD | BitmapBTPC |
BitmapFGF | BitmapG9B | BitmapHRU |
BitmapPCO | BitmapZIF | BlitzB3D |
BlizzardBLP | BlueScanBLSC | BMP |
BPG | BrainSuiteDFS | BRLCADG |
BTF | BugbitterBGP | BYOBYSP |
Cadent3DM | CadStdCAD | Cal3DCAF |
Cal3DCMF | Cal3DCRF | Cal3DCSF |
CalamusCFN | CalamusCVG | CallOfDutyIWI |
CALS | CameraProfileDNG | CartesianCPC |
CATIA | CaxaEXB | CDR |
CEG | CGM | ChampionsCCI |
ChasysCD5 | ChasysMAT | ChemDrawCDX |
CIN | CinemaScopeSEQ | CinespaceCSP |
CloeCLO | ComputerEyesCE3 | CorelCLK |
CorelCMX | CorelDrawCDX | CorelTEX |
CosmicBLOB | CPT | CRW |
CTFMEGMRI | CubicompB8 | CUR |
CustomMaidMODEL | CWPAL | DAUBDOB |
DCM | DCX | DDS |
DeepMeshDPM | DelcamDGK | DelcamDMT |
DelcamSTL | DeluxePaintANM | DemoMakerSEQ |
DeskMateFIG | DGN | DmeshDMZ |
DogwaffleLYR | DogwaffleMIX | DPX |
DrawPlusDPP | DrawStudioDSDR | DrazlaceDRL |
DreamcastPVR | DuneGraphDC1 | DWF |
DWG | EagleBRD | EaglePRO |
eDrawings | EDRW | EggPaintTRP |
EgoPSSG | EgosoftXMF | ElectronicArtsFSH |
EMF | EOT | ErdasLAN |
ExpressGraphGRF | Expression3SKS | Expression3XPR |
EXR | ExtraCAD | EZArtEZA |
EzDrawJOY | FarbfeldFF | FastgrafPRF |
FileEMPO | FireAlpacaMDP | FITS |
FlashbackSPR | FLIRFPF | FloorPlanPlusFP |
FontLabVFB | FormZ | FractalFIF |
FrameMakerFMV | FreehandFH | FunpaintFP2 |
FurcadiaFOX | GemComGGP | GEMImg |
GeticBSP | GeticGPM | GeticGRF |
GIF | GigaScreenHLR | Godot4BT |
GOM3DG3D | GpraherSBGF | Graph2FontG2F |
GraphicWorkshopTHN | GreenfishGFI | GrigonTEX |
GRXFontFNT | GSDrawGRF | GTAYTD |
HaikuHVIF | HaikuNativeIcon | HardColorHCM |
HarvardSYM | HarvardSYW | HDR |
HEIF | HemeraHPI | HexagonHXN |
HexelsHXL | HitachiHRF | HoopsHSF |
HP49GRB | HPGRO | HPPolynomialPTM |
HSIHST | HTCSplashscreenRGB565 | IBMKIPS |
IBMStoryBoardCAP | ICDRAW | ICNS |
ICO | IFS | ILDAILD |
Image360desktop360 | ImageFLIF | ImageISS |
ImageKIF | ImageKnifeRAW | ImageSoftIMG |
ImageTCL | ImageworksSPI3D | ImgBurnIBG |
IncredimailIM3 | IndyPaintTRU | InfinityMOS |
InfinityPLT | InfinityTIS | InShapeIIM |
IpainIP | IPLBitmap | IRISSC |
JavelinModelMDL | JB2 | JBBahnScenery |
JBBahnVehicle | JeffJIF | JNG |
JollyPrintJPS | JPEG | JPEG2000Codestream |
JRALibraryJMG | KahootzKTZ | KeyShotHDZ |
KhronosKTX | KidPixKPX | KiriKiriTLG |
KissKCF | KolorKRO | KretzVOL |
KwikDrawKWK | LaserDRWLYZ | LaytonCFNT |
LaytonCIMG | LazPaintLZP | LDrawLDW |
LEADTools | LeagueOfLegendsANM | LeagueOfLegendsSKL |
LeonardoLEO | LightscapeLP | LightWaveLWO |
LiveForSpeedCMX | LogoMotionLGF | LookAndFeelLNF |
LotusFLG | LotusFreeanceDRW | LotusFreelanceCGM |
LotusPIC | LudekLDM | MacDrawDRW |
MacintoshPICT | MacKRAW | MagicaVoxelModelRSVO |
MagicaVoxelVOX | MagicaVoxelXRAW | MagicCameraMCE |
MagickMPC | MagicLanternDIFF | MagicSPR |
MagneticGFX | MakichanMAG | MalieGFMGF |
Mapletown | Maxwell | MayaIFF |
MayaMA | MayaMB | MayaSWATCHES |
MDD | MediaShowPROD | MegaPaintMPB |
MegaPaintVEK | MessiahStudioMPJ | MetasequoiaMQB |
MetasequoiaMQP | MicrografxDRW | MicroMagicMMA |
MIFF | MilkShapeMS3D | MiraMonMMZ |
MisfitMM3D | MNG | ModelDGF |
MonarchMOD | MontagneCOLOR | MonuCadMCD |
MotoRacerF3D | MrSidSID | MRW |
MSPaintMSP | MSXMIG | Multisim |
NaiveBitmap | NavisworksNWD | NeoDeskNIC |
NetImmerseNIF | NIFTINII | NintendoNANR |
NintendoNCGR | NokiaNGG | NokiaNLM |
NokiaNOL | NokiaNPM | NokiaNRW |
NokiaNSL | NomadsNTX | NTitlerNT |
NWiperNW | ObjectGraphicsOGL | OLPC565 |
OlympusORF | OS2BMP | OS2CUR |
OS2ICO | PabloPaintPA3 | PaintNETPDN |
PaintproPPP | PaintShopProPSP | PaintShopPSC |
PAL | PCF | PCLOSILK |
PCX | PebblePDC | PGF |
PhaseOneIIQ | PhoenixBMP | PhoenixDDS |
PhotoCDPCD | PhotofiltrePFI | PhotofiltrePFV |
PhotoLinePLB | PhotoLinePLD | PhotoshopCSH |
PhotoshopGRD | PhotostudioPSF | PiecewisePWC |
PIImageMOTIVI | PIImagePAL | PioneerLKD |
PixArtPIX | PixelmatorPXM | PixiaPXA |
PixieOK | PixiePXI | PlanePMBC |
PlantWalkMODEL | PlaymationSEG | PlaystationGIM |
PlaystationP3T | PMVXPM | PNG |
PNM | PolychromePRF | Polyfilm3D |
PolyominoPCF | PortfolioPGX | PowerVRTexturePVR |
PPrintCOL | PPrintFRM | PPrintIMA |
PPrintPAG | PPrintPAT | PraatPRAPIC |
PrintShopPLY | PrismPNT | ProShapePSP |
PS | PSD | PsionMBM |
PsionPIC | PsionSketch | PWM |
PWP | QuickCAD | QuickDraw3DM |
QuickDraw3DMF | QuintusANI | RAS |
RasterMRF | RAW | RawzorRWZ |
RDIB | RealworldRLI | RealworldRRI |
RedSectorVEC | RembrandtTCP | RenderWareRWX |
RGBE | Rhino3DM | RicohJ6I |
RIX | RLETRE | RobinsonRTTEX |
RolleiDCR | SandiaGFF | SatoriCVS |
SeeYouCMR | SFWBPM | SFWJPEG |
SFWJPEGType3 | SFWJPEGType4 | SGI |
SGIYAODLYDL | SGO | ShaperLUT3DL |
ShareazaDAT | SignPlotSP | SilkRoadDDJ |
Silo3DSIB | SKP | SnagitSNAG |
SomeraSGF | SonnetSGR | SourceANI |
Spazio3DS3D | SpeccySXG | SpectraPaintsSTENCIL |
SPIF | ST6AstrocameraST6 | ST6AstrocameraTBL |
STADPAC | StatisticaSTG | StrikeCommanderIFF |
SunTAAC | SVG | SxzImage |
SymbOSSGX | TaquartTIP | TerragenTGO |
TiEmuSKN | TIFF | TMF |
TommySoftwareMPG | TricksterNRI | TruevisionTGA |
TTF | TurboCADTCW | TwistedMetalDPC |
UleadPE4 | UnirastURF | UnixBDF |
UnrealUTX | ValveVTF | VectorSVF |
VectorworksVWX | VellumVLM | VeryOrdinaryVORT |
VICARMAP | VIFF | VissimV3D |
VistaBOOTSKIN | VisualSchnauzerP7 | VoxelTOX |
VoxelVXL | VoxlapANIM | VoxlapKFA |
VoxlapKV6 | VPHybridCADRVD | WaltopTOP |
WavelIWC | WEBP | WebshotsWB |
WebshotsWBC | WerescDTC | WIC |
WiiBRFNT | WiiTPL | WindowManagerCMU |
Wings3DWINGS | WinViewSPE | WMF |
WOFF | WordStarWSF | WorldStudio3DW |
X3F | XaraPGR | XaraWEB |
XaraXMS | XboxXBX | XCF |
XCUR | XFIGVectorFIG | XLPaintRAW |
YamahaVGF | YouiDrawYDR | ZBrushZTL |
ZISRAWCZI | ZmodelerZ3D | ZonerBMI |
ZonerZMF | ZXSpectrumCHR | ZXSpectrumMG |
ZXSpectrumZXP | ZZROUGHRGH |
4XM | AdobeEAP | AdobeFilmStripFLM |
---|---|---|
AegisMOT | AegisPCAM | AegisPMOT |
ALRS264 | AmigaHV | AMV |
ARMovieRPL | AstoundAWA | AVI |
BinkBIK | BizHawkBKM | BohemiaRTM |
CompleteTCA | CorruptionTMV | CryoHNM |
DigitekNXV | DiracDRC | DolphinDTM |
DOSWF | DVI | EmblazeEV2 |
EyemailEYE | EZMovie3G2 | FamtasiaFMV |
FinalBurnAlphaFR | FreeMotionSQF | FuseFMF |
FutureVisionFST | GameCubeMTH | GenetecG64 |
GremlinGDV | HannaBarberaXSH | HikvisionMP4 |
InterplayMVE | IVF | IVR |
JPCRRJRSR | KheopsKSV | LightweightLVF |
LotusSCM | MacromediaDCR | MacromediaDJR |
MacromediaDXR | MagicLanternMLV | MagixMVD |
MednafenMCM | MetaMediaVEM | MioMotionMIO |
MKV | MovieMaker3CN | MovieMaker3MM |
MovieMakerVMM | MPG | MythTVNUV |
NancyNOA | NintendoTHP | NSV |
NuppelNUV | OnlineTVROTR | PlaystationPMF |
ProVideoJOB | PsygnosisVID | QuintusANI |
R1M | RaysMDA | RedcodeR3D |
RMMP | ROQ | SavageANM |
SegaFILM | SigmaVideoSMV | SilverSRC |
StardockDREAM | StreamSTL | StuntsREPL |
SWF | SymbOSVID | TeamviewerTVS |
TimeShiftTSV | trsvidTV | TruePaintTPA |
VideoMasterVID | VideoSANM | VideoSER |
VirtuaNESVMV | VisualBoyVBM | VividasVIV |
VtechMJP | WebExARF | WebExWRF |
WebM | WestwoodVQA | WingCommanderMVE |
XDCXDV | YUV4MPEG2Y4M |
ActiveX | ASF | AutodeskFLC |
---|---|---|
AWEOMT | ConaryPackage | ContainerXFBIN |
CybikoCVC | DaisyDSY | DargonDPF |
DynamixFNT | DynamixMUS | DynamixSCR |
DynamixSND | DynamixTRK | EAGamesAV |
EkahauESS | EmulatorUEF | FLV |
GameContainerSBF | HaikuDeltaHPKG | HALHPS |
IFF | LZ4 | MediaContainerMCF |
Mobi | MobiBP | MXF |
NITF | NUT | OLE1.0 |
PalmDB | PlaystationPSARC | PsionAIF |
QuickTime | RMF | Sims2PACK |
Sims3PACK | SingleFileSystemSFS | SOL |
StarlinkSDF | TwistedMetalTPC | VbinContainerVBIN |
VivoVIV | WindowsMediaWTV | XZPContainerXZP |
ynamixBMP |
Supported Languages for PE and Document Formats
afrikaans | english belize | kannada |
---|---|---|
albanian | english can | kashmiri india |
arabic algeria | english caribbean | kashmiri sasia |
arabic bahrain | english eire | kashmiri |
arabic egypt | english jamaica | kazak |
arabic iraq | english nz | konkani |
arabic jordan | english philippines | korean |
arabic kuwait | english south africa | korean |
arabic lebanon | english trinidad | kyrgyz |
arabic libya | english uk | latvian |
arabic morocco | english us | lithuanian classic |
arabic oman | english zimbabwe | lithuanian |
arabic qatar | english | lithuanian |
arabic saudi arabia | esperanto | macedonian |
arabic syria | estonian | malay brunei darussalam |
arabic tunisia | faeroese | malay malaysia |
arabic uae | farsi | malay |
arabic yemen | finnish | malayalam |
arabic | french belgian | maltese |
armenian | french canadian | manipuri |
assamese | french luxembourg | maori |
azeri cyrillic | french monaco | marathi |
azeri latin | french swiss | mongolian |
azeri | french | nepali india |
basque | french | nepali |
belarusian | gaelic manx gaelic scottish | neutral |
bengali | gaelic | norwegian bokmal |
breton | gaelic | norwegian nynorsk |
bulgarian | galician | norwegian |
catalan | georgian | oriya |
chinese hongkong | german austrian | polish |
chinese macau | german liechtenstein | portuguese brazilian |
chinese simplified | german luxembourg | portuguese |
chinese singapore | german swiss | portuguese |
chinese traditional | german | punjabi |
chinese | german | rhaeto_romance |
cornish | greek | romanian moldavia |
croatian | gujarati | romanian |
croatian | hebrew | romanian |
czech | hindi | russian moldavia |
danish | hungarian | russian |
default | icelandic | russian |
divehi | indonesian | saami |
dutch belgian | invariant | sanskrit |
dutch surinam | italian swiss | serbian cyrillic |
dutch | italian | serbian latin |
dutch | italian | serbian |
english aus | japanese | sindhi |
slovak | spanish peru | tswana |
slovenian | spanish puerto rico | turkish |
sorbian | spanish uruguay | ukrainian |
spanish argentina | spanish venezuela | urdu india |
spanish bolivia | spanish | urdu pakistan |
spanish chile | spanish | urdu |
spanish colombia | sutu | uzbek cyrillic |
spanish costa rica | swahili | uzbek latin |
spanish dominican republic | swedish finland | uzbek |
spanish ecuador | swedish | venda |
spanish el salvador | swedish | vietnamese |
spanish guatemala | syriac | walon |
spanish honduras | sys default | welsh |
spanish mexican | tamil | xhosa |
spanish modern | tatar | zulu |
spanish nicaragua | telugu | |
spanish panama | thai | |
spanish paraguay | tsonga | |
Supported Tags
Generic tags - can be applied to many file formats
access-control-information | The file contains access control descriptors such as file permissions, group memberships or similar information about a securable object |
---|---|
anonymous-email | The file contains e-mail addresses from anonymous e-mail providers |
cert-appendix | The file contains additional data after the certificate |
cert-bad-timestamp | The file is digitally signed with a certificate that has a bad timestamp |
cert-cross-signed | The file is digitally signed with a Microsoft cross-certificate for kernel mode code signing |
cert-dual-signed | The file is digitally signed with two signatures that independently verify file integrity |
cert-expired | The file’s certificate chain has at least one expired certificate |
cert-impersonate | The file is digitally signed with a certificate that impersonates one of the well-known entities (e.g. Microsoft or Google) |
cert-invalid | The file was signed with an invalid certificate (it didn’t pass the validation process) |
cert-malformed | The file is digitally signed with a malformed certificate |
cert-revoked | The file is digitally signed with a certificate that has been revoked |
cert-revoked-aa-compromise | The file is digitally signed with a certificate that has been revoked due to AA compromise |
cert-revoked-affiliation-changed | The file is digitally signed with a certificate that has been revoked due to change in affiliation |
cert-revoked-ca-compromise | The file is digitally signed with a certificate that has been revoked due to CA compromise |
cert-revoked-cert-hold | The file is digitally signed with a certificate that has been put on hold (the signer has been suspended) |
cert-revoked-cessation-of-operation | The file is digitally signed with a certificate that has been revoked because the signer has ceased its operations |
cert-revoked-key-compromise | The file is digitally signed with a certificate that has been revoked due to private key compromise |
cert-revoked-privilege-withdrawn | The file is digitally signed with a certificate that has been revoked because the signer privilege has been withdrawn |
cert-revoked-remove-from-crl | The file is digitally signed with a certificate that has been removed from the revocation list |
cert-revoked-superseded | The file is digitally signed with a certificate that has been revoked because it has been superseded |
cert-revoked-unspecified | The file is digitally signed with a certificate that has been revoked due to unspecified reason |
cert-self-signed | The file is digitally signed with a self-signed certificate (e.g. JAR or APK) |
cert-signed | The file is digitally signed with a certificate (signature may or may not be valid) |
cert-signed-after-expiration | The file was digitally counter-signed after at least one certificate in certificate chain expired |
cert-signed-after-revocation | The file is digitally signed with a certificate that has been revoked at the time of signing |
cert-untrusted | The file is digitally signed with a certificate that is valid, but its root CA certificate is not in the Spectra Core certificate store |
cert-weak-crypto | The file was digitally signed with certificates using an old hashing algorithm (e.g. MD5) or with a short key |
contains-api-key | The file contains an API key used to authenticate a user, developer, or calling program to an API |
contains-archive | The file contains one or more archive files (such as ZIP, RAR, Jar) |
contains-document | The file contains one or more document files |
contains-elf | The file contains one or more ELF (Executable and Linkable Format) files |
contains-key-secret-pair | The file contains plaintext credentials, generally used for authentication |
contains-macho | The file contains one or more Mach-O files |
contains-pe | The file contains one or more PE (Portable Executable) files |
contains-private-key-encrypted | The file contains an encrypted PKI private key |
contains-private-key-plaintext | The file contains a PKI private key |
contains-script | The file contains one or more script files |
contains-token | The file contains an access or refresh token generally used for authentication |
contains-webhook | The file contains a private webhook which may contain sensitive information |
cryptocurrency | The file has cryptocurrency-related indicators (e.g. accesses BitCoin wallet files) |
dde | The file has Dynamic Data Exchange capabilities that may be used to interact with other applications |
desktop | The file appears to be a desktop application (e.g. PE or ELF) |
email-outlook | The file has Outlook-related indicators (e.g. accesses mailbox files, credentials) |
email-pattern | The file has generic e-mail-related indicators (e.g. accesses mailbox files, credentials) |
email-thunderbird | The file has Thunderbird-related indicators (e.g. accesses mailbox files, credentials) |
encrypted | The file contains encrypted files (e.g. a password-protected archive) |
entropy-high | The file has unusually high entropy (i.e. entropy > 7) |
entropy-zero | The file is zero-filled (full of 00 bytes) |
exif | The file has EXIF metadata (such as camera information or GPS metadata) |
geotagging | The file has EXIF metadata containing GPS coordinates |
guid-activex-killbit | The file contains ActiveX GUIDs with the Kill-Bit flag set |
im-skype | The file has Skype-related indicators (e.g. accesses chat history, credentials) |
image-corrupt | The image is corrupt because of some format discrepancy (e.g. invalid segment size) |
image-malformed | The image is malformed (e.g. frame dimension is zero) |
image-segment-duplicate | The image has a duplicate segment |
image-segment-unexpected-location | An image segment has been found in an unexpected location |
image-segment-unknown | An unknown image segment has been encountered |
linguist | The file’s subtype was determined by a ReversingLabs machine learning model |
machine-learning | The file was classified by a ReversingLabs machine learning model |
nsis-table-invalid-offset | The NSIS installer is corrupt due to invalid table offset |
nsis-table-invalid-size | The NSIS installer is corrupt due to invalid table size |
ntfs-alternate-data-stream | The file contains data which was part of an NTFS Alternate Data Stream |
obfuscated | The file contains obfuscated code or data |
probably-packed | A heuristic method determined that the PE file may be packed |
overlay | The file has an overlay (appended data at the file’s end) - applies only to PE files |
password | The file is password-protected (e.g. a password-protected archive) |
ransomware-artifact | The file contains artifacts associated with ransomware (e.g. mail addresses, domains) |
ransomware-encrypted | The file was encrypted by known ransomware (e.g. TeslaCrypt encrypted files) |
script | The file appears to be a script (e.g. shell or Javascript) |
sql-query | The file contains generic SQL queries |
ssh-key | The file can use or modify SSH keys |
stego | The file is a result of stego extraction |
stego-compressed | The file contains compressed embedded PE files |
stego-embedded | The file contains plain embedded PE files |
stego-encoded | The file contains encoded embedded PE files |
stego-encrypted | The file contains encrypted embedded PE files |
uri-banking-website | The file contains URLs related to banking and monetary institutions |
uri-coinmining-domain | The file contains URLs related to coinmining services |
uri-credentials | The file contains URLs that embed sign-in credentials in plaintext due to protocol requirements |
uri-deceptive-file | The file contains URLs that point to executable content hidden behind double extensions |
uri-domain-blacklisted | The file contains URLs that point to a known blacklisted domain |
uri-domain-homoglyph | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain by substituting visually similar (homoglyph) characters in the domain name |
uri-domain-punycode | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain by using an internationalized (Punycode, xn--) domain name that renders like the trusted one |
uri-domain-spoofed | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain by spoofing its name |
uri-domain-typosquat | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain by using a common misspelling of its name |
uri-dynamic-dns | The file contains URLs pointing to domains hosted on dynamic DNS |
uri-hostname-length | The file contains URLs pointing to domains that are unusually long |
uri-interesting-file | The file contains URLs that point to interesting files or file extensions |
uri-ip-address | The file contains URLs pointing to webservers hosted on IP addresses |
uri-malicious-redirect | The file contains URLs that redirect to malicious domains |
uri-malware-regex | The file contains URLs that match a known malware regex pattern |
uri-onion-website | The file contains URLs pointing to domains hosted on the Tor network |
uri-open-redirect | The file contains URLs that redirect to other domains |
uri-path-length | The file contains URLs pointing to paths that are unusually long |
uri-path-spoofed | The file contains URLs that point to a known sign-in path but don’t reside on the trusted domain |
uri-security-website | The file contains URLs related to security product vendors |
uri-shortened | The file contains shortened URLs |
uri-subdomain-count | The file contains URLs whose hostnames contain an excessive number of subdomains |
uri-suspicious-path | The file contains URLs that contain a suspicious path section |
uri-suspicious-port | The file contains URLs that utilize non-standard ports for the specified protocol |
uri-suspicious-query | The file contains URLs that include suspicious SQL query commands |
uri-suspicious-tld | The file contains URLs pointing to domains hosted on suspicious TLDs |
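As an added illustration (not part of the ReversingLabs documentation and not Spectra Core's implementation), the following Python function computes several of the uri-* tags listed above from a single URL. The thresholds, the shortener host list, the suspicious-TLD list and the executable-extension list are assumptions chosen for this example; the page does not publish Spectra Core's actual lists or cut-offs. The sample URLs in the usage block are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed lists and thresholds for this example only (not Spectra Core's).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
SUSPICIOUS_TLDS = {"tk", "top", "xyz", "zip"}
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "msi", "hta", "lnk"}
MAX_HOSTNAME_LEN = 50
MAX_PATH_LEN = 100
MAX_SUBDOMAINS = 3


def uri_tags(url: str) -> set:
    """Return the set of uri-* tags that apply to one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = set()

    # uri-credentials: user info embedded in the URL (user:pass@host)
    if parts.username is not None or parts.password is not None:
        tags.add("uri-credentials")

    # uri-ip-address: host is a literal IPv4/IPv6 address rather than a name
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        tags.add("uri-ip-address")

    # uri-suspicious-port: explicit port that is not the scheme's default
    try:
        port = parts.port
    except ValueError:
        port = None  # non-numeric port string; treat as unknown
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        tags.add("uri-suspicious-port")

    if len(host) > MAX_HOSTNAME_LEN:
        tags.add("uri-hostname-length")
    if len(parts.path) > MAX_PATH_LEN:
        tags.add("uri-path-length")

    if host and not is_ip:
        labels = host.split(".")
        if labels[-1] == "onion":
            tags.add("uri-onion-website")
        elif labels[-1] in SUSPICIOUS_TLDS:
            tags.add("uri-suspicious-tld")
        # IDNA-encoded label, the usual carrier of homoglyph domains
        if any(label.startswith("xn--") for label in labels):
            tags.add("uri-domain-punycode")
        # Assumes a two-label registrable domain; a production check
        # would consult the public suffix list instead.
        if len(labels) - 2 > MAX_SUBDOMAINS:
            tags.add("uri-subdomain-count")
        if host in SHORTENER_HOSTS:
            tags.add("uri-shortened")

    # uri-deceptive-file: "invoice.pdf.exe" style double extension
    filename = parts.path.rsplit("/", 1)[-1]
    name_parts = filename.split(".")
    if len(name_parts) >= 3 and name_parts[-1].lower() in EXECUTABLE_EXTS:
        tags.add("uri-deceptive-file")

    return tags


if __name__ == "__main__":
    # Constructed sample URLs
    for sample in (
        "http://user:pass@203.0.113.5:8080/update.exe",
        "https://login.secure.account.verify.example.tk/invoice.pdf.exe",
        "http://xn--pple-43d.com/",
        "https://www.example.com/index.html",
    ):
        print(sample, sorted(uri_tags(sample)))
```

Each check is independent, so a single URL can carry several tags at once, which is exactly how they combine in a query: a phishing link typically earns uri-subdomain-count and uri-suspicious-tld together, while a dropper URL earns uri-ip-address with uri-suspicious-port.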
Behavior tags - describe behavior of executables, documents, scripts, and mobile applications
Tag | Description |
---|---|
account-settings-tamper | The file can tamper with user account settings |
autorun | The file can tamper with autorun settings (e.g. autorun registry keys, autorun locations) |
av-disable | The file can disable services related to security products |
av-impersonate | The file can impersonate services related to security products |
av-service-detect | The file can detect services related to security products |
av-tamper | The file can tamper with services related to security products |
backup-tamper | The file can tamper with backup (e.g. erases backup copies, tampers with backup settings) |
bitlocker-tamper | The file can tamper with BitLocker settings |
data-exfiltration | The file can exfiltrate various data (e.g. stored credentials, mailbox files, configuration data) |
dns-tamper | The file can tamper with DNS configuration |
dns-use | The file can use the DNS protocol (e.g. issues DNS queries, locates network services) |
file-download | The file has the capability to download files |
file-upload | The file has the capability to upload files |
firewall-tamper | The file can tamper with firewall settings |
ftp-use | The file can use the FTP protocol (e.g. to upload files, to download files) |
hosts-modifier | The file can tamper with hosts file or registry keys |
impersonate-native | The file can impersonate native services (e.g. impersonates Windows Explorer) |
irc-use | The file can use the IRC communication protocol |
log-tamper | The file can tamper with logging configuration or log files |
netntlm-hash-leak | The file contains references to SMB resources that leak NetNTLM hashes |
network-settings-tamper | The file can tamper with network settings |
nfs-tamper | The file can tamper with NFS settings |
privacy-intrusion | The file has indicators related to privacy intrusion (e.g. takes screenshots, monitors users input) |
privilege-escalation | The file has the capability to elevate user privileges |
process-injection | The file has the capability to write into other processes |
process-termination | The file can terminate other processes |
proxy | The file can access or modify proxy settings |
registry-tamper | The file can tamper with the registry |
security-settings-tamper | The file can tamper with various security settings (e.g. security or audit policies) |
service-disable | The file can disable services |
smb-tamper | The file can tamper with the SMB protocol |
startup-tamper | The file can tamper with startup settings (e.g. Windows bootup process) |
storage-settings-tamper | The file can tamper with storage settings |
storage-tamper | The file can tamper with external storage |
uac-bypass | The file can bypass User Account Control |
update-disable | The file can disable update services |
virtualization-settings-tamper | The file can tamper with virtualization settings |
vpn-tamper | The file can tamper with VPN settings |
vpn-use | The file has the capability to use VPN |
web-request | The file has the capability to generate web requests |
wmi-use | The file can use Windows Management Instrumentation (WMI) |
Application-related tags - apply only to files with application metadata (PE, ELF, OSX, DEX, …)
Tag | Description |
---|---|
arch-mips | The file’s target CPU architecture is MIPS |
arch-powerpc | The file’s target CPU architecture is PowerPC |
arch-sparc | The file’s target CPU architecture is SPARC |
arch-x86 | The file’s target CPU architecture is x86 |
arch-x86-64 | The file’s target CPU architecture is x86-64 |
arch-arm-64 | The file’s target CPU architecture is ARM64 |
arch-arm | The file’s target CPU architecture is ARM |
codeview | The application has debugging symbols metadata |
cui | The application uses Console User Interface subsystem (applies to PE files) |
force-integrity | The file has integrity protection checks that prevent execution on change |
gui | The application uses Graphical User Interface subsystem (applies to PE files) |
installer | The file is an installer package |
installer-plugin | The file is used only temporarily to provide additional functionality during the installation procedure |
library-ad | The application contains advertising-related libraries (e.g. Adfonic) |
library-analytics | The application contains advertising and usage analytics-related libraries (e.g. Google Analytics) |
library-audio | The application contains audio playback related libraries (e.g. Vorbis) |
library-browser | The application contains browser-related libraries |
library-cloud | The application contains cloud networking-related libraries (e.g. Dropbox) |
library-compression | The application contains compression-related libraries (e.g. Zip) |
library-crypto | The application contains cryptography-related libraries (e.g. OAuth) |
library-database | The application contains database-related libraries (e.g. MySQL) |
library-development | The application contains development-related libraries |
library-driver | The application contains driver-related libraries |
library-educational | The application contains education-related libraries |
library-email | The application contains email-related libraries |
library-entertainment | The application contains entertainment-related libraries |
library-gaming | The application contains gaming-related libraries |
library-graphics | The application contains drawing or rendering libraries (e.g. Unity) |
library-messaging | The application contains network messaging-related libraries (e.g. RabbitMQ) |
library-multimedia | The application contains multimedia-related libraries (e.g. Amazon Game Circle) |
library-networking | The application contains network communication-related libraries (e.g. curl) |
library-productivity | The application contains productivity-related libraries |
library-security | The application contains security-related libraries |
library-social | The application contains social networking-related libraries (e.g. Facebook) |
library-utility | The application contains programming utility libraries (e.g. ICU) |
library-virtualization | The application contains virtualization-related libraries |
lolbin | The file was identified as a LoLBin (living-off-the-land binary) |
plugin | The application is plugin for particular software |
protection-aslr | The file has the Address Space Layout Randomisation exploit protection enabled |
protection-dep | The file has the Data Execution Prevention exploit protection enabled |
protection-ehc | The file has the Exception Handling Continuation exploit protection enabled |
protection-cfg | The file has the Control Flow Guard exploit protection enabled |
protection-ret | The file has the Retpoline exploit protection enabled |
protection-rfg | The file has the Return Flow Guard exploit protection enabled |
protection-mpx | The file has the Intel Memory Protection Extensions (MPX) protection enabled |
protection-xfg | The file has the eXtended Flow Guard (XFG) exploit protection enabled |
protection-cet | The file has the Intel Control-flow Enforcement Technology (CET) protection enabled |
protection-sdl | The file has been compiled to follow the Secure Development Lifecycle guidelines |
protection-seh | The file has safe exception handling protection enabled |
protection-stack | The file has buffer overrun exploit protection enabled |
packed | The application is packed with a known packer (e.g. with UPX) |
rich-header | The application has rich header metadata (applies to PE files) |
reproducible-build | The application has been compiled reproducibly, so its embedded timestamps are deterministic rather than real build times |
sfx | The file is a self-extracting archive (an application that embeds an archive) |
taggant | The application has Taggant-related metadata |
tool-hacktool | The application is used to assist hacking |
tool-steganography | The application has steganography capabilities |
uefi | The application is designed for the UEFI subsystem (applies to PE files) |
uninstaller | The application is uninstaller for particular software |
unsupported-application | The application is deprecated and no longer supported by vendor |
updater | The application is updater for particular software |
version-info | The application has version information metadata |
vulnerable-with-cve | The application has vulnerability with assigned CVE |
vulnerable-without-cve | The application has vulnerability without assigned CVE |
xbox | The application is designed for the Xbox subsystem (applies to PE files) |
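Several of the application-related tags above (arch-*, cui/gui/uefi/xbox, protection-aslr, protection-dep, protection-cfg, force-integrity) correspond to fields that live in the PE COFF and optional headers. As an added example, not Spectra Core's code and not documented here as its method, the Python below reads those fields and maps them onto the tag names; the mapping from header bits to tags is this example's assumption. The sample header is constructed in `build_sample_pe`. Tags that depend on the load configuration directory (protection-seh, protection-rfg, protection-xfg, protection-cet) or on the stack cookie (protection-stack) are deliberately out of scope, because the DllCharacteristics word alone does not carry them.

```python
import struct

# Header-to-tag mapping assumed for this example (not Spectra Core's logic).
MACHINE_ARCH = {
    0x014C: "arch-x86",      # IMAGE_FILE_MACHINE_I386
    0x8664: "arch-x86-64",   # IMAGE_FILE_MACHINE_AMD64
    0x01C0: "arch-arm",      # IMAGE_FILE_MACHINE_ARM
    0x01C4: "arch-arm",      # IMAGE_FILE_MACHINE_ARMNT (Thumb-2)
    0xAA64: "arch-arm-64",   # IMAGE_FILE_MACHINE_ARM64
    0x0166: "arch-mips",     # IMAGE_FILE_MACHINE_R4000
    0x01F0: "arch-powerpc",  # IMAGE_FILE_MACHINE_POWERPC
}
SUBSYSTEM_TAG = {
    2: "gui", 3: "cui",                 # WINDOWS_GUI, WINDOWS_CUI
    10: "uefi", 11: "uefi", 12: "uefi", 13: "uefi",  # EFI_* subsystems
    14: "xbox",
}
DLLCHARACTERISTICS_TAG = {
    0x0040: "protection-aslr",  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    0x0080: "force-integrity",  # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
    0x0100: "protection-dep",   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    0x4000: "protection-cfg",   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
}


def pe_header_tags(data: bytes) -> set:
    """Derive application tags from the COFF and optional headers of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    opt = coff + 20  # optional header directly follows the 20-byte COFF header
    # Subsystem (offset 68) and DllCharacteristics (offset 70) sit at the same
    # offsets in both PE32 and PE32+ optional headers.
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)

    tags = set()
    if machine in MACHINE_ARCH:
        tags.add(MACHINE_ARCH[machine])
    if subsystem in SUBSYSTEM_TAG:
        tags.add(SUBSYSTEM_TAG[subsystem])
    for bit, tag in DLLCHARACTERISTICS_TAG.items():
        if dllchars & bit:
            tags.add(tag)
    return tags


def build_sample_pe(machine: int, subsystem: int, dllchars: int) -> bytes:
    """Constructed minimal PE32+ header (no sections) for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                  # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<HH", opt, 68, subsystem, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe(0x8664, 2, 0x0040 | 0x0100 | 0x4000)
    print(sorted(pe_header_tags(sample)))
```

Note that the tags describe what the headers claim, not what the loader will enforce: a binary with protection-aslr set but no relocation section is still loaded at its preferred base, and protection-cfg is only meaningful when the load configuration directory contains a valid guard function table.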
Mobile-related tags - apply only to mobile applications
Tag | Description |
---|---|
android-cupcake | The mobile application uses the Android API level 3 |
android-donut | The mobile application uses the Android API level 4 |
android-eclair | The mobile application uses the Android API levels 5 to 7 |
android-froyo | The mobile application uses the Android API level 8 |
android-gingerbread | The mobile application uses the Android API levels 9 to 10 |
android-honeycomb | The mobile application uses the Android API levels 11 to 13 |
android-ice-cream-sandwich | The mobile application uses the Android API levels 14 to 15 |
android-jelly-bean | The mobile application uses the Android API levels 16 to 18 |
android-kitkat | The mobile application uses the Android API levels 19 to 20 |
android-lollipop | The mobile application uses the Android API levels 21 to 22 |
android-marshmallow | The mobile application uses the Android API level 23 |
android-nougat | The mobile application uses the Android API levels 24 to 25 |
android-oreo | The mobile application uses the Android API levels 26 to 27 |
android-pie | The mobile application uses the Android API level 28 |
android-10 | The mobile application uses the Android API level 29 |
android-11 | The mobile application uses the Android API level 30 |
mobile | The file appears to be a mobile application (e.g. Android APK or Windows Phone applications) |
mobile-custom-permissions | The mobile application has user-defined permissions |
mobile-data-access | The mobile application can read and write to the external storage on the device |
mobile-deprecated | The mobile application can abuse permissions from deprecated APIs |
mobile-gps | The mobile application can access location services |
mobile-infostealer | The mobile application can access and read information such as call logs, contacts, calendars… |
mobile-logging | The mobile application can read and modify call logs |
mobile-settings | The mobile application can change system settings on the device |
mobile-sms | The mobile application can read, write, or receive SMS messages |
mobile-telco | The mobile application can access and use the telecom connection service |
mobile-voicemail | The mobile application can access and send voicemail messages |
Malware tags - identify malware types and refer to other malware metadata
Tag | Description |
---|---|
backdoor | The malware was identified as a backdoor |
c2 | The malware has an embedded malware/data configuration (e.g. C2 info or mutex) |
custom-packed | The file appears to be packed with a custom packer |
downloader | The malware was identified as a downloader |
keylogger | The malware was identified as a keylogger |
pos | The malware was identified as a point-of-sale malware |
ransomware | The malware was identified as ransomware |
Packer tags - refer to packer-related metadata
Tag | Description |
---|---|
antidebugging | The file uses anti-debugging techniques |
antidumping | The file uses anti-dumping techniques |
antiemulation | The file uses anti-emulation techniques |
antisandbox | The file uses anti-sandbox techniques |
antitracing | The file uses anti-tracing techniques |
fake-signature | The file uses fake signatures to thwart signature-based identification |
import-elimination | The packed file eliminates or has eliminated its import information |
import-redirection | The packed file redirects imports to make unpacking harder |
pe-compression | The file has a compressed payload/configuration |
pe-encryption | The file has an encrypted payload/configuration |
pe-encryption-rc4 | The file uses RC4 to encrypt the payload/configuration |
pe-encryption-tea | The file uses TEA to encrypt the payload/configuration |
polymorphic | The file was packed with a polymorphic packer |
remove-ep | The packed file has a stolen original entry point |
remove-header | The packed file removes the PE header during unpacking to make unpacking harder |
tamper-protection | The file checks for signs of modification to make unpacking harder |
Browser tags - refer to browser-related metadata
Tag | Description |
---|---|
brave-reference | The file contains references to Brave or Brave-related data (e.g. accesses settings, contains Brave user agent strings) |
chrome-reference | The file contains references to Chrome or Chrome-related data (e.g. accesses settings, contains Chrome user agent strings) |
chrome-tamper | The file can tamper with Chrome or Chrome-related settings (e.g. performs process injection into the Chrome executable) |
chromium-reference | The file contains references to Chromium or Chromium-related data (e.g. accesses settings, contains Chromium user agent strings) |
chromium-tamper | The file can tamper with Chromium or Chromium-related settings (e.g. performs process injection into the Chromium executable) |
edge-reference | The file contains references to Microsoft Edge or Microsoft Edge-related data (e.g. accesses settings, contains Microsoft Edge user agent strings) |
firefox-reference | The file contains references to Firefox or Firefox-related data (e.g. accesses settings, contains Firefox user agent strings) |
firefox-tamper | The file can tamper with Firefox or Firefox-related settings (e.g. performs process injection into the Firefox executable) |
internet-explorer-reference | The file contains references to Internet Explorer or Internet Explorer-related data (e.g. accesses settings, contains Internet Explorer user agent strings) |
internet-explorer-tamper | The file can tamper with Internet Explorer or Internet Explorer-related settings (e.g. performs process injection into the Internet Explorer executable) |
netscape-reference | The file contains references to Netscape or Netscape-related data (e.g. accesses settings, contains Netscape user agent strings) |
netscape-tamper | The file can tamper with Netscape or Netscape-related settings (e.g. performs process injection into the Netscape executable) |
opera-reference | The file contains references to Opera or Opera-related data (e.g. accesses settings, contains Opera user agent strings) |
opera-tamper | The file can tamper with Opera or Opera-related settings (e.g. performs process injection into the Opera executable) |
safari-reference | The file contains references to Safari or Safari-related data (e.g. accesses settings, contains Safari user agent strings) |
safari-tamper | The file can tamper with Safari or Safari-related settings (e.g. performs process injection into the Safari executable) |
seamonkey-reference | The file contains references to SeaMonkey or SeaMonkey-related data (e.g. accesses settings, contains SeaMonkey user agent strings) |
vivaldi-reference | The file contains references to Vivaldi or Vivaldi-related data (e.g. accesses settings, contains Vivaldi user agent strings) |
waterfox-reference | The file contains references to Waterfox or Waterfox-related data (e.g. accesses settings, contains Waterfox user agent strings) |
yandex-reference | The file contains references to Yandex or Yandex-related data (e.g. accesses settings, contains Yandex user agent strings) |
Classification tags - apply only to classified files
Tag | Description |
---|---|
cert-blacklisted | The file was digitally signed with a blacklisted certificate |
cert-whitelisted | The file was digitally signed with a whitelisted certificate |
cloud | The file was classified by ReversingLabs Malware Presence (e.g. the hash is a well-known threat) |
exploit | The file was classified by Spectra Core exploit detection from an unpacker or a validator (e.g. RTF) |
graylisting | The file was classified by graylisting (e.g. an archive containing only text files) |
hierarchy-analyzer | The file was classified by Spectra Core file hierarchy analysis (e.g. embedded executables within a document format) |
image-analyzer | The file was classified by Spectra Core image analyzer (e.g. suspicious data was found within an image) |
ricc | The file was classified by Spectra Core RICC (e.g. RHA classification, RICC rule classifications) |
signature | The file was classified by Spectra Core signature |
antivirus | The file was classified by an AntiVirus component |
ng-antivirus | The file was classified by a NextGen AntiVirus component |
yara | The file was classified by a YARA rule |
Capability tags - refer to capabilities of executables, documents, and mobile applications
Tag | Description |
---|---|
capability-advertising | The file has advertising-related capabilities (e.g. AdMob) - applies to documents and mobile formats |
capability-bluetooth | The file can use Bluetooth to communicate with other devices - mobile-specific tag |
capability-camera | The file has access to the camera - applies to documents and mobile formats |
capability-cryptography | The file has cryptography-related capabilities (e.g. it can encrypt or hash data and files) |
capability-deprecated | The file uses deprecated APIs |
capability-embeds | The file has other files embedded within (e.g. an iframe or an OLE object) - document-specific tag |
capability-execution | The file has execution-related capabilities (e.g. an application can spawn new processes or threads) |
capability-filesystem | The file has filesystem-related capabilities (e.g. it can open and read files) |
capability-identification | The file has access to user or device identity - mobile-specific tag |
capability-microphone | The file has access to the microphone - applies to documents and mobile formats |
capability-networking | The file has networking-related capabilities (e.g. it can open a socket and send/receive data) |
capability-nfc | The file can use Near Field Communication (NFC) to communicate with other devices - mobile-specific tag |
capability-scripting | The file uses a scripting language (e.g. a document contains and uses macros) - document-specific tag |
capability-security | The file has security-related capabilities |
capability-social | The file has access to social components or providers (e.g. Facebook) - applies to documents and mobile formats |
capability-undocumented | The file uses undocumented functions |
capability-vpn | The file can access VPNs - mobile-specific tag |
capability-wallet | The file has access to user’s wallet - mobile-specific tag |
Indicator tags - refer to indicators found in executables, documents, scripts, and mobile applications
An indicator tag will be emitted by Spectra Core only if the priority of a particular indicator is not low (i.e. priority > 3).
Tag | Description |
---|---|
indicator-anomaly | The file contains unusual characteristics (e.g. contains known whitelisted executable filenames) |
indicator-autostart | The file tampers with autostart settings (e.g. tampers with autorun locations) |
indicator-behavior | The file automatically executes activities as a user (e.g. changes username or password, prints a document) |
indicator-disable | The file disables system services (e.g. tampers with Windows Update) |
indicator-document | The file exhibits unusual activities when handling documents (e.g. PDF that creates new documents) |
indicator-evasion | The file tries to evade common debuggers, sandboxes or analysis tools (e.g. VM environment detection) |
indicator-execution | The file creates other processes or starts other applications (e.g. creates a service, installs system drivers) |
indicator-exploit | The file contains known exploits against the system |
indicator-family | The file is associated with known malicious families |
indicator-file | The file accesses other files on the filesystem in an unusual way (e.g. creates a cryptographic hash of file contents) |
indicator-flow | The file leaks sensitive information to external hosts or creates new files with sensitive data (e.g. exports PDF form fields to files) |
indicator-macro | The file contains or executes macro functions or scripts (e.g. contains UNIX shell scripts, executes actions associated with bookmarks) |
indicator-memory | The file tampers with memory of foreign processes (e.g. does process injection) |
indicator-monitor | The file has the ability to monitor host activities (e.g. accesses a list of logged on users) |
indicator-network | The file has network-related indicators (e.g. downloads a file, tampering with DNS settings) |
indicator-packer | The file contains obfuscated or encrypted code or data (e.g. base64 encoded streams) |
indicator-payload | The file extracts and launches new behavior in an unusual way (e.g. injects CSS into a page) |
indicator-permissions | The file tampers with or requests additional permissions for execution (e.g. tampers with user/account privileges) |
indicator-registry | The file accesses registry and configuration files in an unusual way (e.g. tampers with Windows registry settings) |
indicator-search | The file enumerates or collects information from a system (e.g. enumerates network shares or mounted drives) |
indicator-settings | The file accesses or tampers with system settings (e.g. enumerates system information) |
indicator-signature | The file matches a known signature (e.g. contains known compression libraries, HTTP header fields) |
indicator-steal | The file steals and leaks sensitive information (e.g. accesses Outlook account information and address book) |
indicator-stealth | The file tries to hide its presence (e.g. tampers with window transparency settings, tampers with firewall settings) |
String tags - related to Spectra Core interesting strings
Tag | Description |
---|---|
string-file | The file contains interesting strings related to the file URI scheme |
string-scp | The file contains SCP-related interesting strings |
string-callto | The file contains interesting strings related to the CallTo communication protocol |
string-h323 | The file contains interesting strings related to the H.323 multimedia communication protocol |
string-webcal | The file contains interesting strings related to iCalendar files |
string-ftp | The file contains FTP-related interesting strings |
string-http | The file contains HTTP-related interesting strings |
string-https | The file contains HTTPS-related interesting strings |
string-mailto | The file contains mailto-related interesting strings |
string-sftp | The file contains SFTP-related interesting strings |
string-sip | The file contains SIP-related interesting strings |
string-ssh | The file contains SSH-related interesting strings |
string-telnet | The file contains Telnet-related interesting strings |
Compression and crypto tags - related to identified compression and crypto content
Tag | Description |
---|---|
compression-brotli | The file has content related to Brotli compression algorithm |
compression-bzip2 | The file has content related to BZip2 compression algorithm |
compression-deflate | The file has content related to Deflate compression algorithm |
compression-dicky | The file has content related to Dicky compression algorithm |
compression-gipfeli | The file has content related to Gipfeli compression algorithm |
compression-gzip | The file has content related to GZip compression |
compression-inflate | The file has content related to Inflate compression algorithm |
compression-lz4 | The file has content related to LZ4 compression algorithm |
compression-lzfse | The file has content related to LZFSE compression algorithm |
compression-lzhuf | The file has content related to LZHUF compression algorithm |
compression-lzma | The file has content related to LZMA compression algorithm |
compression-ncompress42 | The file has content related to Ncompress42 compression algorithm |
compression-pithy | The file has content related to Pithy compression algorithm |
compression-pkzip | The file has content related to PKZIP compression algorithm |
compression-pucrunch | The file has content related to Pucrunch compression algorithm |
compression-snappy | The file has content related to Snappy compression algorithm |
compression-unlzx | The file has content related to UnLZX compression algorithm |
compression-unrarlib | The file has content related to unrarlib compression algorithm |
compression-zip | The file has content related to Zip compression |
compression-zlib | The file has content related to Zlib compression algorithm |
compression-zstd | The file has content related to Zstd compression algorithm |
crypto-acss | The file has content related to ACSS algorithm |
crypto-adler-crc32 | The file has content related to Adler-32 algorithm |
crypto-base32 | The file has content related to Base32 algorithm |
crypto-base64 | The file has content related to Base64 algorithm |
crypto-base64url | The file has content related to Base64URL algorithm |
crypto-bcrypt | The file has content related to BCrypt algorithm |
crypto-bhencode | The file has content related to Bhencode algorithm |
crypto-blake | The file has content related to Blake algorithm |
crypto-blowfish | The file has content related to Blowfish algorithm |
crypto-bmw512 | The file has content related to BMW-512 algorithm |
crypto-botan | The file has content found in Botan cryptography library |
crypto-camellia | The file has content related to Camellia algorithm |
crypto-cast | The file has content related to CAST algorithm |
crypto-cast256 | The file has content related to CAST-256 algorithm |
crypto-clefia | The file has content related to CLEFIA algorithm |
crypto-collision | The file contains blocks used in SHA-1 collision attacks |
crypto-crc32 | The file has content related to CRC32 algorithm |
crypto-cryptlib | The file has content found in Cryptlib cryptography library |
crypto-cryptopp | The file has content found in Cryptopp (Crypto++) cryptography library |
crypto-des | The file has content related to DES algorithm |
crypto-desx | The file has content related to DESX algorithm |
crypto-dsa | The file has content related to Digital Signature Algorithm (DSA) |
crypto-ecc | The file has content related to Elliptic-curve cryptography (ECC) |
crypto-frog | The file has content related to FROG algorithm |
crypto-gnupg | The file has content found in GnuPG cryptography library |
crypto-gnutls | The file has content found in GnuTLS cryptography library |
crypto-gost | The file has content related to GOST algorithm |
crypto-haval | The file has content related to HAVAL algorithm |
crypto-hmac | The file has content related to HMAC algorithm |
crypto-ike | The file has content related to Internet Key Exchange (IKE) |
crypto-kasumi | The file has content related to KASUMI algorithm |
crypto-keccak | The file has content related to Keccak algorithm |
crypto-mars | The file has content related to MARS algorithm |
crypto-md2 | The file has content related to MD2 algorithm |
crypto-md4 | The file has content related to MD4 algorithm |
crypto-md5 | The file has content related to MD5 algorithm |
crypto-md5mac | The file has content related to MD5-MAC algorithm |
crypto-misty1 | The file has content related to Misty1 algorithm |
crypto-misty2 | The file has content related to Misty2 algorithm |
crypto-nacl | The file has content found in NaCl cryptography library |
crypto-nettle | The file has content found in Nettle cryptography library |
crypto-noekeon | The file has content related to NOEKEON algorithm |
crypto-nss | The file has content found in NSS cryptography library |
crypto-nush | The file has content related to NUSH algorithm |
crypto-openbsd-base64 | The file has content related to OpenBSD Base64 algorithm |
crypto-openssl | The file has content found in OpenSSL cryptography library |
crypto-pbkdf2 | The file has content related to PBKDF2 algorithm |
crypto-pkcs | The file has content related to Public Key Cryptography Standards (PKCS) |
crypto-rawdes | The file has content related to RawDES algorithm |
crypto-rc2 | The file has content related to RC2 algorithm |
crypto-rijndael | The file has content related to AES (Rijndael) algorithm |
crypto-ripemd128 | The file has content related to RIPEMD-128 algorithm |
crypto-ripemd160 | The file has content related to RIPEMD-160 algorithm |
crypto-ripemd256 | The file has content related to RIPEMD-256 algorithm |
crypto-ripemd320 | The file has content related to RIPEMD-320 algorithm |
crypto-rsa | The file has content related to RSA algorithm |
crypto-rtss | The file has content related to Robust Threshold Secret Sharing (RTSS) |
crypto-safer | The file has content related to SAFER algorithm |
crypto-salsa20 | The file has content related to Salsa20 algorithm |
crypto-seed | The file has content related to SEED algorithm |
crypto-serpent | The file has content related to Serpent algorithm |
crypto-sha1 | The file has content related to SHA-1 algorithm |
crypto-sha224 | The file has content related to SHA-224 algorithm |
crypto-sha256 | The file has content related to SHA-256 algorithm |
crypto-sha384 | The file has content related to SHA-384 algorithm |
crypto-sha512 | The file has content related to SHA-512 algorithm |
crypto-shark | The file has content related to Shark algorithm |
crypto-siphash | The file has content related to SipHash algorithm |
crypto-skein | The file has content related to Skein algorithm |
crypto-skipjack | The file has content related to Skipjack algorithm |
crypto-sms4 | The file has content related to SMS4 algorithm |
crypto-sosemanuk | The file has content related to Sosemanuk algorithm |
crypto-square | The file has content related to Square algorithm |
crypto-tiger | The file has content related to Tiger algorithm |
crypto-tripledes | The file has content related to TripleDES algorithm |
crypto-turing | The file has content related to Turing algorithm |
crypto-twofish | The file has content related to Twofish algorithm |
crypto-unicorn | The file has content related to Unicorn algorithm |
crypto-uuencode | The file has content related to UUencode algorithm |
crypto-wake | The file has content related to Wake algorithm |
crypto-whirlpool | The file has content related to Whirlpool algorithm |
crypto-x509 | The file has content related to X.509 standard |
crypto-xxencode | The file has content related to XXencode algorithm |
Email specific tags - related to email content
Tag | Description |
---|---|
email-deceptive-sender | The display name of one of the senders contains a string resembling an email address with a domain different from the specified email address |
email-returnpath-mismatch | The “Return-Path” header contains an email address with a domain that is different from the domain of the sender |
email-replyto-mismatch | The “Reply-To” header contains an email address with a domain that is different from the domain of the sender |
email-sender-mismatch | The “Sender” header contains an email address with a domain that is different from the domain specified in the “From” header |
email-envelopefrom-mismatch | The “X-Envelope-From” header contains an email address with a domain that is different from the domain of the sender |
email-receivedtime-mismatch | The “Date” header indicates a time that is in the future or more than 1 hour before the time specified in the “Received” header |
email-spf-fail | Headers indicate that the SPF (Sender Policy Framework) check has failed |
email-dkim-fail | Headers indicate that the DKIM (Domain Keys Identified Mail) check has failed |
email-dmarc-fail | Headers indicate that the DMARC (Domain-based Message Authentication, Reporting & Conformance) check has failed |
email-pgp | Email is signed and/or encrypted using “Pretty Good Privacy” |
email-smime | Email is signed and/or encrypted using “Secure/Multipurpose Internet Mail Extensions” |
email-attachment | Email contains at least one attachment |
email-deceptive-extension | Email attachment contains multiple extensions (e.g. “file.doc.exe”) |
email-body-plain | Content of email body is available in plain text format |
email-body-rtf | Content of email body is available in RTF format |
email-body-html | Content of email body is available in HTML format |
email-impersonation | The display name of one of the senders impersonates a popular service |
email-signature-impersonation | Email contents impersonate an email commonly sent by a popular service |
email-urgency | Email contains multiple phrases that imply a sense of urgency |
email-sensitive-topic | Email contains multiple phrases related to sensitive topics |
email-hidden-text | Email contains a hidden block of text designed to trick classification systems |
email-subject-spam | Email subject contains phrases common to spam messages |
email-subject-phishing | Email subject is commonly used in phishing messages |
email-anonymous-provider | Email is sent using an anonymous email provider |
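As an added illustration (not ReversingLabs' own implementation, whose exact heuristics the page does not describe), the following Python checker derives the sender-mismatch, timing and attachment tags from the table above for one raw message. The regexes, the one-hour window applied to the topmost Received header, and the sample message with its fictitious addresses are assumptions made for this example.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")          # address inside free text
DOUBLE_EXT_RE = re.compile(r".+\.[a-z0-9]{1,5}\.[a-z0-9]{1,5}")  # e.g. "file.doc.exe"

def domain_of(value):  # lower-cased domain of the address in a header value, or None
    _, addr = parseaddr(value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def email_tags(raw):  # tags from the table above that apply to one raw RFC 5322 message
    msg, tags = message_from_string(raw), set()
    from_domain = domain_of(msg.get("From"))
    # email-deceptive-sender: the display name carries an address with another domain
    m = ADDR_RE.search(parseaddr(msg.get("From") or "")[0])
    if m and from_domain and m.group(1).lower() != from_domain:
        tags.add("email-deceptive-sender")
    # *-mismatch tags: the header's address domain differs from the From domain
    for header, tag in (("Return-Path", "returnpath"), ("Reply-To", "replyto"),
                        ("Sender", "sender"), ("X-Envelope-From", "envelopefrom")):
        d = domain_of(msg.get(header))
        if d and from_domain and d != from_domain:
            tags.add(f"email-{tag}-mismatch")
    # email-receivedtime-mismatch: Date in the future or >1h before the topmost Received
    if msg.get("Received") and msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        got = parsedate_to_datetime(msg["Received"].rsplit(";", 1)[-1].strip())
        if sent > got or sent < got - timedelta(hours=1):
            tags.add("email-receivedtime-mismatch")
    # attachment tags; note "archive.tar.gz" also has two extensions under this rule
    for name in filter(None, (p.get_filename() for p in msg.walk())):
        tags.add("email-attachment")
        if DOUBLE_EXT_RE.fullmatch(name.lower()):
            tags.add("email-deceptive-extension")
    return tags
# Constructed sample with fictitious addresses; exercises every check above but Sender/X-Envelope-From
SAMPLE = """\
Received: from mx.example.net by mail.example.org; Mon, 01 Jan 2024 12:00:00 +0000
Return-Path: <bounce@mailer.example.net>
From: "it-support@example.org" <alerts@badexample.test>
Reply-To: reply@another.test
Date: Mon, 01 Jan 2024 09:30:00 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice.doc.exe"

--b1--
"""
```

Calling `email_tags(SAMPLE)` yields six tags, one for each check the sample message violates; a message whose headers agree and that carries no attachment yields an empty set.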
Format specific tags - apply only to specific file formats
Tag | Description |
---|---|
html-frame | The HTML file contains one or more IFRAME tags |
html-form | The HTML file contains one or more FORM tags |
html-input | The HTML file contains one or more INPUT tags |
html-password | The HTML file contains one or more tags with the “password” attribute |
html-image | The HTML file contains one or more IMAGE tags |
html-canvas | The HTML file contains one or more CANVAS tags |
html-object | The HTML file contains any of the following tags: APPLET, AUDIO, EMBED, OBJECT, SOURCE, VIDEO |
html-download | The HTML file contains one or more links with the “download” attribute |
html-local-link | The HTML file contains one or more links to local files |
html-tracking | The HTML file contains one or more tracking pixels |
html-popup | The HTML file contains an A tag with target="_blank" attribute |
html-wsffile | The HTML file contains an A tag with href="jsffile:…" or href="wsffile:…" or href="wsfhile:…" |
font-embedded | The HTML file contains embedded fonts |
deceptive-link | The HTML file contains potentially deceptive links |
platform-unix | The quarantine file was created by a security solution running on a UNIX-like operating system |
platform-windows | The quarantine file was created by a security solution running on the Microsoft Windows operating system |
quarantine-manual | The quarantine file was added to the quarantine manually by a user, not as a result of an automatic detection by the security solution |
quarantine-malicious-content | The quarantine file contains one or more items of remediated malicious content associated with a detected threat |
quarantine-threat-metadata | The quarantine file contains metadata describing the antivirus specific threat which triggered the remediation |
version-control-artifact | The file is part of a control structure for a version control repository (e.g. an index or revision data) |