Module
Returns information about the current module.

| Property | Type | Description | Example | 
|---|---|---|---|
| SignerName | String | Name of the signer, if any | "Microsoft Windows" | 
| CompanyName | String | From version info, name of the company that produced the file | "Microsoft Corporation" | 
| FileDescription | String | From version info, file description shown to users | "Microsoft Windows Resource Leak Diagnostic" | 
| FileOrigin | Int/Symbols | File delivered through RDP | Possible values are: • RDP—0 | 
| ProductName | String | From version info, name of the product with which the file is distributed | "Microsoft Windows Operating System" | 
| FileVersion | String | From version info, the version number of the file | "10.0.14393.0" | 
| ProductVersion | String | From version info, the version number of the product with which the file is distributed | "10.0.14393" | 
| InternalName | String | From version info, internal name of the file | "RdrLeakDiag.exe" | 
| OriginalFileName | String | From version info, original name of the file | "RdrLeakDiag.exe" | 
| PackerName¹ | String | Name of the packer | "UPX" | 
| SFXName | String | Name of the SFX packer | "Zip" | 
| Sha1 | Hash | SHA-1 hash of the executable | fa7ebffd41bc44c47ea1b11928ee368c19f6d6a2 | 
| MD5 | Hash | MD5 hash of the executable | | 
| Sha256 | Hash | SHA-256 hash of the executable | | 
| SignatureType | Int/Symbols | Signature type of the executable | Possible values are: • Trusted—90—the signature is trusted by Endpoint • Valid—80—the signature is trusted by the OS • Adhoc—75—the certificate is self signed • None—70—there is no signature in the file • Invalid—60—the signature is not valid/corrupted/revoked • Unknown—50—failed to verify certificate • Present—50—the signature is present, but the certificate status is unknown | 
| Whitelist | Int/Symbols | Whitelist type of the executable | Possible values are: • None—no whitelisting for this file • Authoritative—the file is whitelisted by EndPoint • LiveGrid—the file is whitelisted from LiveGrid • Certificate—the file certificate is whitelisted | 
| EmulationStatus | Int | The status of the file emulation (if the file was emulated by advanced heuristics) | • 0—Was not emulated • 1—Was emulated | 
| FileSize | Long | File size in bytes | 41984 | 
| IsElf | Bool | The file is an ELF file | true/false | 
| IsExe | Bool | The file is a Windows executable | true/false | 
| IsDLL | Bool | The file is a PE DLL | true/false | 
| IsNative | Bool | The file is a native PE executable | true/false | 
| DaysSinceLastNearMiss | Int | Number of days since the file was recognized as nearmiss. Nearmiss—the detection is triggered due to malware, but it may be a false positive (we cannot guarantee it is malware) | | 
| MachoSignatureId | String | Identifier of a Mach-O file present in the signature | "com.apple.ls" | 
| IsMacho | Bool | Defines whether a file is a Mach-O (macOS) file or not | | 
| MachoUserId | String | Unique developer ID assigned by Apple | | 
| MachoSignerCns | String | Set of common names from certificates in Mach-O file | | 
| MachoIsProtected | Bool | Module is a protected Mach-O executable | | 
| Tags | String | Allows a user to filter by a module that has a specified tag attached | | 

¹ Names of packers may change in the future. Therefore, we recommend using the isnotempty or isempty value for the condition.

Supported operations and their components:

| | Module | 
|---|---|
| CreateProcess | X | 
| LoadDLL | X | 
| LoadDriver | X | 
| CodeInjection | X | 
| ModuleDrop | X |