For details on how to perform searches, see the prefix reference below.

ElasticSearch (full-text) queries do not use a prefix, e.g. '*windows.*' would match 'time.windows.com'.

For MD5, SHA1, SHA3, SHA256 and SHA512, no prefix is needed; a bare hash matches any file produced by the analysis (binary, dropped file, CAPE dump, etc.).

Prefix               Description
target_sha256:       SHA256 of the analysed target
configs:             Family name
id:                  task_id, Example: id:1
ids:                 task_ids, Example: ids:1,2,3,4,5
options:             x=y, Example: options:function=DllMain
tags_tasks:          my_tag, Example: tags_tasks:mytag
package:             Analysis package, Example: package:ps1
name:                File name pattern
type:                File type/format
ssdeep:              Fuzzy hash
crc32:               CRC32 hash
imphash:             Search for PE Imphash
iconhash:            Search for the exact hash of the icon associated with the PE
iconfuzzy:           Search for a hash designed to match similar-looking icons
file:                Opened files matching the pattern
command:             Executed commands matching the pattern
resolvedapi:         APIs resolved at runtime matching the pattern
key:                 Opened registry keys matching the pattern
mutex:               Opened mutexes matching the pattern
sport:               Source port, Example: sport:X
dport:               Destination port, Example: dport:443
port:                Search in both source and destination ports, Example: port:X
ip:                  Contacted the specified IP address
domain:              Contacted the specified domain
url:                 Search for CAPE Sandbox URL analyses
signame:             Search CAPE Sandbox signatures by signature name
signature:           Search CAPE Sandbox signatures by signature description
detections:          Search for samples associated with a malware family
surimsg:             Search Suricata alerts by MSG
surialert:           Search Suricata alerts
surisid:             Search Suricata alerts by SID
suriurl:             Search for URL in Suricata HTTP logs
suriua:              Search for User-Agent in Suricata HTTP logs
surireferrer:        Search for Referrer in Suricata HTTP logs
surihhost:           Search for Host in Suricata HTTP logs
suritlssubject:      Search for TLS Subject in Suricata TLS logs
suritlsissuerdn:     Search for TLS Issuer DN in Suricata TLS logs
suritlsfingerprint:  Search for TLS fingerprint in Suricata TLS logs
suritls:             Search Suricata TLS logs
surihttp:            Search Suricata HTTP logs
ja3_string:          Search for JA3 string
ja3_hash:            Search for JA3 hash
clamav:              Local ClamAV detections
yaraname:            Yara rule name for analysis samples (from the binary folder)
capeyara:            Yara rule name for CAPE Yara hits (from the cape folder)
procdumpyara:        Yara rule name for process dumps
procmemyara:         Yara rule name for process memory dumps
virustotal:          VirusTotal detection name
machinename:         Name of the target machine
machinelabel:        Label of the target machine
custom:              Custom data
shrikemsg:           Shrike Suricata alert MSG
shrikesid:           Shrike Suricata alert SID (exact int)
shrikeurl:           Shrike URL before mangling
shrikerefer:         Shrike Referrer
comment:             Search analysis comments
malscore:            Malscore greater than the given value
ttp:                 TTP id, Example: ttp:T1053
dhash:               hash
die:                 Detect It Easy keyword, Example: die:obsidium
extracted_tool:      Extraction tool keyword, Example: extracted_tool:InnoExtract. See file_extra_info.py for the rest of the tool names
asn:                 AS ID, Example: asn:AS15169
asn_name:            ASN name, Example: asn_name:Google LLC
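As an added example (not CAPE's own code), here is a small Python parser that applies the rules above: a bare hex digest needs no prefix and is resolved by its length, `prefix:value` is split on the first colon only (so `url:http://...` keeps its value intact), `ids:` becomes a list of task ids, `options:` must be `key=value`, `malscore:` is a numeric threshold, and anything else is passed through as a full-text pattern. The prefix list is copied from the table; the `SearchQuery` type, the `parse_search_term` and `expand_port` names, the choice of which prefixes are integer-typed, and the treatment of a 96-hex-character digest as SHA3-384 are this example's own assumptions.

```python
"""Parse search terms in the syntax documented by the CAPE search help.

Added example, not CAPE's own code. Everything not on the help page
(type names, helper names, integer-typed prefixes, SHA3 length) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Any

# Prefixes exactly as listed in the help table.
PREFIXES = frozenset("""
target_sha256 configs id ids options tags_tasks package name type ssdeep crc32 imphash
iconhash iconfuzzy file command resolvedapi key mutex sport dport port ip domain url
signame signature detections surimsg surialert surisid suriurl suriua surireferrer
surihhost suritlssubject suritlsissuerdn suritlsfingerprint suritls surihttp ja3_string
ja3_hash clamav yaraname capeyara procdumpyara procmemyara virustotal machinename
machinelabel custom shrikemsg shrikesid shrikeurl shrikerefer comment malscore ttp dhash
die extracted_tool asn asn_name
""".split())

# Bare hex digests need no prefix; the algorithm is inferred from the hex length.
# Assumption: 96 hex characters is treated as SHA3-384 (the page only says "SHA3").
HASH_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384", 128: "sha512"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Assumption: these prefixes take a single integer (ports, task id, Suricata SIDs).
INT_PREFIXES = {"id", "sport", "dport", "port", "surisid", "shrikesid"}


@dataclass(frozen=True)
class SearchQuery:
    kind: str       # "hash", "prefixed" or "fulltext"
    field: str      # inferred hash algorithm, the prefix, or "*" for full-text
    argument: Any   # normalised value: str, int, float, list[int] or (key, value)


def parse_search_term(term: str) -> SearchQuery:
    term = term.strip()
    if not term:
        raise ValueError("empty search term")

    # 1. Bare digest: matched against every file the analysis produced.
    if HEX_RE.fullmatch(term) and len(term) in HASH_BY_HEX_LEN:
        return SearchQuery("hash", HASH_BY_HEX_LEN[len(term)], term.lower())

    # 2. prefix:value, split on the first colon only so URLs survive.
    prefix, sep, value = term.partition(":")
    prefix = prefix.lower()
    if sep and prefix in PREFIXES:
        value = value.strip()
        if not value:
            raise ValueError(f"prefix {prefix!r} needs a value")
        if prefix == "ids":                 # documented as a comma-separated list
            return SearchQuery("prefixed", prefix, [int(v) for v in value.split(",") if v.strip()])
        if prefix in INT_PREFIXES:
            return SearchQuery("prefixed", prefix, int(value))
        if prefix == "malscore":            # documented as "greater than the value"
            return SearchQuery("prefixed", prefix, float(value))
        if prefix == "options":             # documented form is x=y
            key, eq, val = value.partition("=")
            if not eq or not key or not val:
                raise ValueError("options: expects key=value")
            return SearchQuery("prefixed", prefix, (key, val))
        if prefix == "ttp":                 # ATT&CK ids are written in upper case
            return SearchQuery("prefixed", prefix, value.upper())
        return SearchQuery("prefixed", prefix, value)

    # 3. Anything else is a full-text (ElasticSearch-style) pattern; wildcards pass through.
    return SearchQuery("fulltext", "*", term)


def expand_port(query: SearchQuery) -> list[SearchQuery]:
    """`port:` searches both directions: return the sport/dport pair it stands for."""
    if query.field != "port":
        return [query]
    return [SearchQuery("prefixed", "sport", query.argument),
            SearchQuery("prefixed", "dport", query.argument)]


if __name__ == "__main__":
    for t in ("yaraname:vmdetect", "2a56b915e662087e71af30ea8d404f33", "ids:1,2,3,4,5",
              "options:function=DllMain", "port:443", "*windows.*", "url:http://example.test/a"):
        print(f"{t!r:45} -> {parse_search_term(t)}")
```

Unknown prefixes deliberately fall through to the full-text branch rather than raising, because the help page says only that full-text queries carry no prefix; if the server rejects them instead, tighten step 3 accordingly.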

Search term: yaraname:vmdetect

Search Results

ID   Timestamp            Package  Filename                   Target (MD5)                      Detections  SuriAlert  VT    Status
153  2025-06-13 11:51:00  exe      HostedNetworkStarter.exe   2a56b915e662087e71af30ea8d404f33  -           0          None  reported
150  2025-06-13 10:17:58  exe      HostedNetworkStarter.exe   2a56b915e662087e71af30ea8d404f33  -           0          None  reported
120  2025-06-12 19:00:14  exe      BluetoothLogView.exe       0dd1ede1018e0b309bbf7aaab0703b59  -           0          1/76  reported
110  2025-06-12 13:50:05  exe      WNetWatcher.exe            4c4266123dd3488754d3aa35747393e4  -           0          None  reported
93   2025-06-12 05:03:15  exe      WhoIsConnectedSniffer.exe  1ae9ea61f5e01c0067c4ff1797b0aec1  -           0          None  reported
89   2025-06-12 02:59:30  exe      WakeMeOnLan.exe            949cf1b3632efea36610721b5e35d115  -           0          None  reported
88   2025-06-12 02:28:27  exe      WakeMeOnLan.exe            949cf1b3632efea36610721b5e35d115  -           0          None  reported
37   2025-06-11 15:23:54  exe      IPNeighborsView.exe        4b844eb46a430edc2b2f03d4fa52e6fd  -           0          None  reported
5    2025-02-17 14:07:34  -        JetBrains_PyCharmPro.zip   22404113afcacd5996ab0810f1f5cfcd  -           0          None  reported

(Empty cells are shown as "-".)