File Name Lookup
Searches for information about native Windows executable files and DLLs. Provides details about file name, path, description, product name, company name and runtime window title if they've been indexed across a variety of Windows OS versions, service packs and editions.
API Endpoint
POST /analysis/lookup
HTTP Headers
- Content-Type: application/json
- X-Cursed-Api-Token: API token for authentication
Request Method
POST
Parameters
Request Body (JSON):
Parameter | Type | Required | Description |
---|---|---|---|
search | string | Yes | Keyword to search for |
module | string | Yes | Must be "file_name" for this endpoint |
filter | array | No | Array of filter criteria objects |
page | integer | No | Page number for pagination (1-10, default: 1) |
show | integer | No | Number of results per page (1-100, default: 10) |
Filter Criteria Schema
{
  "field": "string",
  "operator": "string",
  "value": "string"
}
Supported Filter Operators
Operator | Description |
---|---|
equals | Exact match |
not_equals | Not equal to |
contains | Contains substring |
does_not_contain | Does not contain substring |
starts_with | Starts with substring |
ends_with | Ends with substring |
Supported Fields
Field |
---|
File Name |
File Path |
Description |
Product Name |
Company Name |
Runtime Window Title |
Request Body Schema
{
  "search": "string",
  "module": "file_name",
  "filter": [
    {
      "field": "string",
      "operator": "string",
      "value": "string"
    }
  ],
  "page": 1,
  "show": 10
}
Response Format
Success Response (200 OK):
{
  "columns": ["Column1", "Column2", "Column3", ...],
  "rows": [
    ["value1", "value2", "value3", ...],
    ["value1", "value2", "value3", ...],
    ...
  ]
}
Response Schema
The response contains tabular data where:
- columns: Array of column names describing the data fields
- rows: Array of arrays containing the actual data values
Error Response (400 Bad Request):
Unknown lookup module
Error Response (401 Unauthorized):
Unauthorized
Error Response (422 Unprocessable Entity):
Validation failed
Error Codes
HTTP Status | Description |
---|---|
200 | Success - Results retrieved successfully |
400 | Bad Request - Invalid module name or search parameters |
401 | Unauthorized - Authentication required |
422 | Unprocessable Entity - Validation failed |
500 | Internal Server Error - Server processing error |
Example cURL Commands
Basic File Name Search
curl -X POST https://api.cursedtools.com/analysis/lookup \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -d '{
    "search": "svchost.exe",
    "module": "file_name",
    "page": 1,
    "show": 10
  }'
Search with Filters
curl -X POST https://api.cursedtools.com/analysis/lookup \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -d '{
    "search": "notepad",
    "module": "file_name",
    "filter": [
      {
        "field": "Company Name",
        "operator": "equals",
        "value": "Microsoft Corporation"
      },
      {
        "field": "File Path",
        "operator": "contains",
        "value": "System"
      }
    ],
    "page": 1,
    "show": 25
  }'
Example Response
{
  "columns": [
    "File Name",
    "File Path",
    "Description",
    "Product Name",
    "Company Name",
    "Runtime Window Title"
  ],
  "rows": [
    [
      "subst.exe",
      "c:\\windows\\syswow64\\subst.exe",
      "Subst Utility",
      "Microsoft Windows Operating System",
      "Microsoft Corporation",
      "Microsoft-Windows-MiscellaneousCommandLineUtilities"
    ],
    [
      "wininetlui.dll",
      "c:\\windows\\syswow64\\wininetlui.dll",
      "Provides legacy UI for wininet",
      "Microsoft Windows Operating System",
      "Microsoft Corporation",
      "Microsoft-Windows-IE-ClientNetworkProtocolImplementation##Microsoft-Windows-IE-ClientNetworkProtocolImplementationLegacyUI"
    ],
    [
      "mspatcha.dll",
      "c:\\windows\\system32\\mspatcha.dll",
      "Microsoft File Patch Application API",
      "Microsoft Windows Operating System",
      "Microsoft Corporation",
      "Microsoft-Windows-ImageBasedSetup-Media-Legacy-base##Microsoft-Windows-DeltaCompressionEngine##Microsoft-Windows-ServicingStack"
    ],
    [
      "lxdnwavs.exe",
      "c:\\windows\\system32\\driverstore\\filerepository\\lxdnprc.inf<arch><uid>\\common\\danish\\lxdnwavs.exe",
      "",
      "",
      "",
      ""
    ]
  ]
}
Notes
- Authentication is optional but affects rate limiting and priority execution
- Search is case-insensitive
- Supports partial file name matching
- Results cover Windows executable files (exe and dll) that come packaged with the Windows OS
- The module should not serve as confirmation of whether a file is malicious or not, as that is context dependent
- Some of the fields may be empty, as publishers are not required to submit metadata with executable files
- Some files may have multiple observed fields, observed over different OS versions or builds, which are separated by "##"
- Pagination helps manage large result sets
- Filters can be combined for more precise searches
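A small client for this endpoint, added here as an example (not code from the API's authors): it enforces the documented limits before sending and turns the columns/rows response into records, splitting "##" multi-values. The function names, the tuple form of filters, and the assumption that every cell is a string are choices made for this example.

```python
import json
import urllib.request

API_URL = "https://api.cursedtools.com/analysis/lookup"  # URL from the cURL examples
OPERATORS = {"equals", "not_equals", "contains", "does_not_contain",
             "starts_with", "ends_with"}
FIELDS = {"File Name", "File Path", "Description", "Product Name",
          "Company Name", "Runtime Window Title"}


def build_lookup_body(search, filters=(), page=1, show=10):
    """Validate against the documented limits and return the JSON body as a dict."""
    if not isinstance(search, str) or not search:
        raise ValueError("search must be a non-empty string")
    if not (1 <= page <= 10 and 1 <= show <= 100):
        raise ValueError("page must be 1-10 and show 1-100")
    body = {"search": search, "module": "file_name", "page": page, "show": show}
    checked = []
    for field, operator, value in filters:  # filters: (field, operator, value) tuples
        if field not in FIELDS:
            raise ValueError(f"unsupported field: {field!r}")
        if operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {operator!r}")
        checked.append({"field": field, "operator": operator, "value": str(value)})
    if checked:
        body["filter"] = checked
    return body


def parse_lookup_response(payload):
    """Turn {"columns": [...], "rows": [[...]]} into dicts; split '##' multi-values."""
    columns = payload["columns"]
    records = []
    for row in payload["rows"]:
        if len(row) != len(columns):
            raise ValueError("row length does not match columns")
        # Assumption: cells are strings; an empty cell becomes an empty list.
        records.append({c: [v for v in cell.split("##") if v]
                        for c, cell in zip(columns, row)})
    return records


def lookup(body, token=None, timeout=10):
    """POST the body; urllib raises HTTPError for the 400/401/422/500 responses."""
    headers = {"Content-Type": "application/json"}
    if token:  # the Notes describe authentication as optional
        headers["X-Cursed-Api-Token"] = token
    req = urllib.request.Request(API_URL, json.dumps(body).encode(), headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_lookup_response(json.load(resp))
```

Each record maps a column name to a list of observed values, so a field that differs across OS builds can be compared value by value.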
Event ID Lookup
Searches for information about Windows Event IDs. Provides details about event purposes, provider, OS version and log format version, as well as available data fields to help incident responders, detection engineers, threat hunters or system administrators get enriched context.
Parse Windows Event Logs (EVTX)
Parses Windows Event Log (.evtx) files and extracts structured forensic data for analysis. Optionally runs Sigma rules against the extracted events for threat detection.