uberAgent

Image Load Event Properties

The following event properties can be used with image load events in uAQL queries (event type Image.Load). In addition to the properties listed here, the common properties are applicable, too.

| Property name | uAQL Data Type | Description |
|---|---|---|
| Image.Name | String | The image's file name (e.g., userenv.dll) |
| Image.Path | String | The image's full path including the image file name |
| Image.Hash.MD5 | String | MD5 hash of the image |
| Image.Hash.SHA1 | String | SHA1 hash of the image |
| Image.Hash.SHA256 | String | SHA256 hash of the image |
| Image.Hash.IMP | String | Import-table hash of the image |
| Image.Hashes | String | All enabled hashes for the image, output comma-separated, e.g.: MD5=CFCD208495D565EF66E7DFF9F98764DA,SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C |
| Image.IsSigned | Boolean | Is the image signed? This evaluates to true even if the certificate was revoked or is expired. |
| Image.IsSignedByOSVendor | Boolean | Is the image signed by the vendor of the operating system (e.g. Microsoft)? This evaluates to true even if the certificate was revoked or is expired. |
| Image.Signature | String | The signer name. |
| Image.SignatureStatus | String | Evaluates to Valid for a valid certificate and Invalid for an invalid certificate. It is empty if the image is not signed. |
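
The following Python sketch is an added example, not uberAgent code: it parses the Image.Hashes format and classifies signature trust from Image.SignatureStatus, because Image.IsSigned alone stays true for revoked or expired certificates. The dict-shaped event records, the function names, the blocklist and every sample value other than the hash pair quoted in the table are assumptions made for illustration.

```python
# Added example: property names come from the table above; the dict-shaped
# records, function names and sample values are constructed assumptions.
HEX = set("0123456789ABCDEF")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

def parse_hashes(value):
    """Split an Image.Hashes string ("MD5=...,SHA1=...") into {algo: HEXDIGEST}."""
    hashes = {}
    for part in filter(None, (p.strip() for p in value.split(","))):
        algo, sep, digest = part.partition("=")
        algo, digest = algo.strip().upper(), digest.strip().upper()
        if not sep or not digest:
            raise ValueError(f"malformed hash entry: {part!r}")
        want = EXPECTED_LEN.get(algo)  # IMP and unknown algorithms: length not checked
        if want and (len(digest) != want or set(digest) - HEX):
            raise ValueError(f"bad {algo} digest: {digest!r}")
        hashes[algo] = digest
    return hashes

def signature_verdict(event):
    """Classify trust from SignatureStatus rather than IsSigned alone."""
    if not event.get("Image.IsSigned"):
        return "unsigned"
    # IsSigned is still true when the certificate is revoked or expired.
    if event.get("Image.SignatureStatus") != "Valid":
        return "signed-invalid"
    if event.get("Image.IsSignedByOSVendor"):
        return "signed-os-vendor"
    return "signed-third-party"

def triage(event, blocklist):
    """Return (verdict, algorithms whose digest appears in the blocklist)."""
    hashes = parse_hashes(event.get("Image.Hashes", ""))
    hits = sorted(a for a, d in hashes.items() if d in blocklist.get(a, set()))
    return signature_verdict(event), hits

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image.Name": "userenv.dll", "Image.IsSigned": True,
     "Image.IsSignedByOSVendor": True, "Image.SignatureStatus": "Valid",
     "Image.Hashes": "MD5=" + "0" * 32},
    {"Image.Name": "example.dll", "Image.IsSigned": True,
     "Image.IsSignedByOSVendor": False, "Image.SignatureStatus": "Invalid",
     "Image.Hashes": "MD5=CFCD208495D565EF66E7DFF9F98764DA,"
                     "SHA1=B6589FC6AB0DC82CF12099D1C2D40AB994E8410C"},
    {"Image.Name": "unsigned.dll", "Image.IsSigned": False,
     "Image.IsSignedByOSVendor": False, "Image.SignatureStatus": "",
     "Image.Hashes": ""},
]
BLOCKLIST = {"SHA1": {"B6589FC6AB0DC82CF12099D1C2D40AB994E8410C"}}  # constructed

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image.Name"], *triage(ev, BLOCKLIST))
```
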