Contents
Lookup requests
This section explains how you can use Kaspersky Threat Intelligence Portal to run lookup requests for hashes, IP addresses, domains, and web addresses. Also, the concept of zones and object lookup results are described.
Submitting hash, IP address, domain, and web address requests
By submitting a lookup request to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement.
To submit a lookup request:
- Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
- In the Analysis (
) section, on the Lookup tab, in the Enter your request here field, enter an object or text you want to investigate in Kaspersky Threat Intelligence Portal:
- Hash (MD5, SHA1, SHA256).
- IP address (IPv4).
- Domain.
- Web address. Web address length is limited to a maximum of 2000 characters. Other characters will be ignored during a web address investigation.
- Text. In this case, the Search category is displayed on the Requests page (
), but the report is not available.
Kaspersky Threat Intelligence Portal recognizes the type of the requested object automatically.
- If you want to look up the object privately, select the Private submission check box.
For registered users, the private request results are available on the My requests tab. However, the lookup results can become public only if another user submits the same object publicly.
- Press the Enter button.
- If necessary, pass the reCAPTCHA test:
- Select the I'm not a robot check box in the reCAPTCHA widget.
- Follow the instructions to pass the reCAPTCHA test.
The request results are displayed on the report page. The page content varies depending on the requested object type.
Page topHash lookup report
After the hash lookup request is processed, available results are displayed on the report page.
A hash lookup report is consistent with a file analysis report.
In the mobile version of Kaspersky Threat Intelligence Portal, only the basic report for the hash is displayed. You can use a desktop version to view the full report.
Depending on the zone, the hash and its status (Malware, Adware and other, Clean, No threats detected, or Not categorized) are displayed on a panel in one of the following colors:
- Red—The hash can be classified as Malware.
- Yellow—The hash is classified as Adware and other (Adware, Pornware, and other programs).
- Grey—No data is available for the hash.
- Green—The executed file has Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.
The report page contains the following:
- Overview—Displays general information about the requested hash.
- Detection names—Displays information about detects related to the requested hash and previously reported in Kaspersky statistics.
- Dynamic analysis summary—Displays the last file identified by the requested hash scan date and graphics of detects, suspicious activities, extracted files, and network interactions detected by Kaspersky expert systems.
- Dynamic analysis detects—Displays information about detects registered during the execution of a file identified by the requested hash.
- Triggered network rules—Displays information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by requested hash.
- Premium content—Displays sections that contain blurred data about the requested hash. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.
The following tabs are available if the file identified by the requested hash was previously analyzed in Kaspersky Sandbox:
- Results tab—Displays information about dynamic analysis detects and triggered network rules. For registered users, execution map, information about suspicious activities, and screenshots are also available.
- Static analysis tab—Displays Portable Executable (PE) information and information about strings extracted during file execution.
- Tabs that are available for registered users:
- System activities tab—Displays information about activities that were registered during the file execution.
- Extracted files tab—Displays information about files that were extracted from network traffic or saved by the executed file during the execution.
- Network activities tab—Displays information about network activities that were registered during the file execution.
Overview for hash
Kaspersky Threat Intelligence Portal provides the following general information about a submitted hash and the file identified by the hash:
General information about hash and file
Field name |
Description |
---|---|
Hits |
Number of hits (popularity) of the file identified by the requested hash detected by Kaspersky expert systems. Number of hits is rounded to the nearest power of 10. |
First seen |
Date and time when the file identified by the requested hash was first detected by Kaspersky expert systems. |
Last seen |
Date and time when the file identified by the requested hash was last detected by Kaspersky expert systems. |
Format |
Type of the file identified by the requested hash. |
Size |
Size of the file identified by the requested hash. |
Signed by |
Organization that signed the hash. |
Packed by |
Packer name (if any). |
MD5 |
MD5 hash. |
SHA1 |
SHA1 hash (if available). |
SHA256 |
SHA256 hash. |
Detection names
Kaspersky Threat Intelligence Portal provides the following information about known detects related to the hash and previously reported in Kaspersky statistics:
- Color of the zone that the detect belongs to (red or yellow).
- Date and time when the detect was last detected by Kaspersky expert systems.
- Name of the detect. You can click any entry to view its description on the Kaspersky threats website.
Dynamic analysis summary
Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, suspicious activities, extracted files, and network interactions detected during execution of the file identified by the requested hash:
Dynamic analysis summary for a hash
Chart name |
Description |
---|---|
Detects |
The total number of objects detected during execution of the file identified by the requested hash, and the proportion of objects with Malware (red) or Adware and other (yellow) statuses. |
Suspicious activities |
The total number of suspicious activities registered during execution of the file identified by the requested hash and the proportion of activities with High (red), Medium (yellow), or Low (grey) levels. |
Extracted files |
The total number of files that were downloaded or dropped by the file identified by the requested hash during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to define the category, in grey). |
Network activities |
The total number of registered network activities that the file identified by the requested hash performed during the execution process and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey). |
Dynamic analysis detects
Kaspersky Threat Intelligence Portal provides the following information about detected objects related to the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.
Sandbox detection names
Field name |
Description |
---|---|
Status |
Danger zone (level) associated with object (Malware or Adware and other). |
Name |
Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website. |
Triggered network rules
Kaspersky Threat Intelligence Portal provides the following information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.
Triggered network rules
Field name |
Description |
---|---|
Zone |
Danger zone (level) associated with the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info). |
Rule |
SNORT or Suricata rule name. |
Information available to users with Premium Access
Kaspersky Threat Intelligence Portal provides the following detailed information about the requested hash, if available, to users with Premium Access.
Signatures and certificates tab
Information about file signatures and certificates
Table name |
Description |
Table fields |
---|---|---|
File signatures and certificates |
Information about signatures and certificates of the file identified by the requested hash. |
Status—Status of the file certificate. Vendor—Owner of the certificate. Publisher—Publisher of the certificate. Signed—Date and time when the certificate was signed. Issued—Date and time when the certificate was issued. Expires—Expiration date of the certificate. Serial number—Serial number of the certificate. |
Container signatures and certificates |
Information about signatures and certificates of the container. |
Status—Status of the container's certificate. Container MD5—MD5 hash of the container's file. Signed—Date and time when the container's certificate was signed. Issued—Date and time when the container's certificate was issued. Expires—Expiration date of the container's certificate. |
Paths tab
Information about file paths
Table name |
Description |
Table fields |
---|---|---|
File paths |
Known paths to the file on computers using Kaspersky software. |
Hits—Number of path detections by Kaspersky expert systems. Path—Path to the file on user computers identified by the requested hash. Location—Root folder or drive where the file identified by the requested hash is located on user computers. |
Names tab
Information about file names
Table name |
Description |
Table fields |
---|---|---|
File names |
Known names of the file on computers using Kaspersky software. |
Hits—Number of file name detections by Kaspersky expert systems. File name—Name of the file identified by the requested hash. |
Downloads tab
Information about web addresses from which the file was downloaded
Table name |
Description |
Table fields |
---|---|---|
File downloaded from web addresses and domains |
Web addresses and domains from which the file was downloaded. |
Status—Status of web addresses or domains used to download the file identified by the requested hash. Web address—Web addresses used to download the file identified by the requested hash. Last downloaded—Date and time when the file identified by the requested hash was last downloaded from the web address / domain. Domain—Upper domain of the web address used to download the file identified by the requested hash. IP count—Number of IP addresses that the domain resolves to. |
Web addresses tab
Information about web addresses
Table name |
Description |
Table fields |
---|---|---|
File accessed the following web addresses |
Web addresses accessed by the file identified by the requested hash. |
Status—Status of accessed web addresses. Web address—Web addresses accessed by the file identified by the requested hash. Last accessed—Date and time when the file identified by the requested hash last accessed the web address. Domain—Upper domain of the web address accessed by the file identified by the requested hash. IP count—Number of IP addresses that the domain resolves to. |
Started objects tab
Information about started objects
Table name |
Description |
Table fields |
---|---|---|
File started the following objects |
Objects started by the file identified by the requested hash. |
Status—Status of started objects. Hits—Number of times the file identified by the requested hash started the object, as detected by Kaspersky expert systems. File MD5—MD5 hash of the started object. Location—Root folder or drive where the started object is located on user computers. Path—Path to the object on user computers. File name—Name of the started object. Last started—Date and time when the object was last started by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
File was started by the following objects |
Objects that started the file identified by the requested hash. |
Status—Status of objects that started the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was started, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that started the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. File name—Name of the object that started the file identified by the requested hash. Last started—Date and time when the file identified by the requested hash was last started. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
Downloaded objects tab
Information about downloaded objects
Table name |
Description |
Table fields |
---|---|---|
File downloaded the following objects |
Objects downloaded by the file identified by the requested hash. |
Status—Status of downloaded objects. Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded object. Location—Root folder or drive where the downloaded object is located on user computers. Path—Path to the downloaded object on user computers. File name—Name of the downloaded object. Last downloaded—Date and time when the object was last downloaded by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
File was downloaded by the following objects |
Objects that downloaded the file identified by the requested hash. |
Status—Status of objects that downloaded the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that downloaded the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. File name—Name of the object that downloaded the file identified by the requested hash. Path—Path to the object on user computers. Last downloaded—Date and time when the file identified by the requested hash was last downloaded. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
IP address lookup report
After the IP address lookup request is processed, available results are displayed on the report page.
Depending on the IP address's zone, the IP address and its status (Dangerous, Not trusted, Good, or Not categorized) are displayed on a panel in one of the following colors:
- Red—The IP address can be classified as Dangerous.
- Orange—The IP address can be classified as Not trusted and may host malicious objects.
- Yellow—The IP address is classified as Adware and other (Adware, Pornware, and other programs).
- Grey—No data is available for the IP address.
- Green—The IP address does not generate malicious activity.
The flag of the country that the requested IP address belongs to is also displayed. When you hover your mouse over the flag, a tooltip with the country name appears. For reserved IP addresses, the crossed out flag () and the Reserved IP address tooltip are displayed. For IP addresses that do not belong to any country, the flag with a question mark (
) and the No information tooltip are displayed.
The report page contains the following:
- Overview—Displays general information about the requested IP address.
- Geography—Displays the world cyber-map and lights up the country that the requested IP address originates from.
- WHOIS—Displays WHOIS information about the IP address.
- Premium content—Displays sections that contain blurred data about the requested IP address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.
Overview for IP address
Kaspersky Threat Intelligence Portal provides the following general information about a submitted IP address:
General information about IP address
Field name |
Description |
---|---|
Hits |
Hit number (popularity) of the requested IP address. Hit number is rounded to the nearest power of 10. |
First seen |
Date and time when the requested IP address first appeared in Kaspersky expert systems statistics, according to your computer local time zone. |
Created |
Date when the requested IP address was registered. |
Updated |
Date when information about the requested IP address was last updated. |
Categories |
Categories of the requested IP address. If the IP address does not belong to any of the defined categories, the General category is displayed. |
Geography
Kaspersky Threat Intelligence Portal displays the world cyber-map and lights up the country that the requested IP address originates from.
The cyber-map is displayed only for IP addresses that belong to one known country. Also, the cyber-map is not displayed if the IP address belongs to a reserved range.
Page topWHOIS
Kaspersky Threat Intelligence Portal provides WHOIS information about the requested IP address.
WHOIS information about IP address
Field name |
Description |
---|---|
IP range |
Range of IP addresses in the network that the requested IP address belongs to. |
Net name |
Name of the network that the requested IP address belongs to. |
Net description |
Description of the network that the requested IP address belongs to. |
Created |
Date when the requested IP address was registered. |
Changed |
Date when information about the requested IP address was last updated. |
AS description |
Autonomous system description. |
ASN |
Autonomous system number. |
Information available to users with Premium Access
Kaspersky Threat Intelligence Portal provides the following detailed information about the requested IP address, if available, to users with Premium Access.
DNS resolutions tab
Information about DNS resolutions
Table name |
Description |
Table fields |
---|---|---|
DNS resolutions for IP address |
pDNS information for the requested IP address. |
Status—Status of domains. Hits—Number of times that the domain resolved to the requested IP address. Domain—Domain that resolves to the requested IP address. First resolved—Date and time when the domain first resolved to the requested IP address. Last resolved—Date and time when the domain last resolved to the requested IP address. Peak date—Date of maximum number of domain resolutions to the requested IP address. Daily peak—Maximum number of domain resolutions to the requested IP address per day. |
Related files tab
Information about related files
Table name |
Description |
Table fields |
---|---|---|
Files related to IP address |
MD5 hashes of files downloaded from web addresses containing domains that resolve to the requested IP address. |
Status—Status of downloaded files. Hits—Number of times that a file was downloaded from the requested IP address, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Web address—Web addresses used to download the file. Last seen—Date and time that the file was last downloaded from the requested IP address. First seen—Date and time the file was first downloaded from the requested IP address. |
Hosted web addresses tab
Information about hosted web addresses
Table name |
Description |
Table fields |
---|---|---|
Hosted web addresses |
Web addresses of the domain that resolves to the requested IP address. |
Status—Status of web addresses and domains. Hits—Number of web address detections by Kaspersky expert systems. Web address—Detected web address. First seen—Date and time when the web address was first detected. Last seen—Date and time when the web address was last detected. |
Web address masks tab
Information about web address masks
Table name |
Description |
Table fields |
---|---|---|
Web address masks |
Masks of detected by Kaspersky expert systems addresses that contain the IP addresses and web addresses of the domain that resolves to the requested IP address. |
Status—Status of web addresses covered by the corresponding mask (Dangerous or Adware and other). Type—Type of the mask. Mask—Web address mask. Feeds—Threat Data Feeds that contain the web address mask. |
Domain and web address lookup report
After the domain or web address lookup request is processed, available results are displayed on the report page.
A domain lookup report is consistent with a web address lookup report.
In the mobile version of Kaspersky Threat Intelligence Portal, only the following sections are available for the domain or web address: Overview, WHOIS, Dynamic analysis summary, and Sandbox detection names. You can use a desktop version to view the full report.
Depending on the zone of the domain or web address, the requested object and its status (Dangerous, Adware and other, Good, or Not categorized) are displayed on a panel in one of the following colors:
- Red—There are malicious objects related to the domain or web address.
- Orange—The domain or web address can be classified as Not trusted and may host malicious objects.
- Yellow—There are objects related to the domain or web address, which can be classified as Not-a-virus.
- Grey—No data is available for a domain or web address.
- Green—The domain or web address cannot be classified as Dangerous.
The report page contains the following:
- Overview—Displays general information about the requested domain or web address.
- WHOIS—Displays the WHOIS information about the requested domain or web address.
- Premium content—Displays sections that contain blurred data about the requested domain or web address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.
The following tabs are available if the web address was previously analyzed in Kaspersky Sandbox:
- Detection names—Displays detected items that were registered during the web address analysis.
- Triggered network rules—Displays SNORT and Suricata rules that were triggered during the web address traffic analysis.
- Connected hosts—Displays IP addresses that were accessed in all HTTP and HTTPS requests after the FQDN resolved.
- Suspicious activities—Displays suspicious activities that were registered during the web address analysis.
- HTTP(S) requests—Displays HTTP and HTTPS requests that were registered during the web address analysis.
- DNS requests—Displays DNS requests that were registered during the web address analysis.
- Screenshots—Displays a set of screenshots that were taken during the web address analysis.
Overview for domain or web address
Kaspersky Threat Intelligence Portal provides the following general information about a submitted domain or web address:
General information about domain or web address
Field name |
Description |
---|---|
IPv4 count |
Number of known IP addresses that the requested domain or web address resolves to. |
Files count |
Number of known malicious files related to the requested web address. |
Created |
Requested domain or web address creation date. |
Expires |
Requested domain or web address expiration date. /Name of the upper-level domain. /Name of the registration organization. /Name of the domain name registrar. |
Categories |
Categories of the requested domain or web address. If the domain or web address does not belong to any of the defined categories, the General category is displayed. |
WHOIS
Kaspersky Threat Intelligence Portal provides WHOIS information about the host of the requested web address.
A host may be specified by a fully qualified domain name (FQDN) or by an IP address in dot-decimal notation.
Kaspersky Threat Intelligence Portal does not process web addresses if the host is specified by a local, private, or service IP address. In this case, the lookup results should be interpreted with caution.
Host specified by FQDN
WHOIS section for FQDN as a host
Field name |
Description |
---|---|
Domain name |
Name of the domain for the analyzed web address. |
Domain status |
Status of the domain for the analyzed web address. |
Created |
Date when the domain for the analyzed web address was registered. |
Updated |
Date when the registration information about the domain for the analyzed web address was last updated. |
Paid until |
Expiration date of the prepaid domain registration term. |
Registrar info |
Name of the domain registrar for the analyzed web address. |
IANA ID |
IANA ID of the domain registrar. |
Name servers |
List of domain name servers for the analyzed web address. |
Host specified by IP address
WHOIS section for IP address as a host
Field name |
Description |
---|---|
IP range |
Range of IP addresses in the network that the host belongs to. Also, the flag of the country that the IP address belongs to is displayed. When you hover your mouse over the flag, a tooltip with the country name appears. |
Net name |
Name of the network that the IP address belongs to. |
Net description |
Description of the network that the IP address belongs to. |
Created |
Date when the IP address was registered. |
Changed |
Date when information about the IP address was last updated. |
AS description |
Autonomous system description. |
ASN |
Autonomous system number according to RFC 1771 and RFC 4893. |
Information available to users with Premium Access
Kaspersky Threat Intelligence Portal provides the following detailed information about the requested domain or web address, if available, to users with Premium Access.
DNS resolutions tab
Information about DNS resolutions
Table name |
Description |
Table fields |
---|---|---|
DNS resolutions for domain/web address |
IP addresses that the requested domain or web address resolves to. |
Status—Status of IP address. Threat score—Probability that the IP address will be dangerous (0 to 100). Hits—Number of IP address detections by Kaspersky expert systems. IP—IP addresses. First resolved—Date and time when the requested domain / web address first resolved to the IP address. Last resolved—Date and time when the requested domain / web address last resolved to the IP address. Peak date—Date of maximum number of requested domain / web address resolutions to the IP address. Daily peak—Maximum number of requested domain / web address resolutions to the IP address per day. |
Downloaded files tab
Information about downloaded files
Table name |
Description |
Table fields |
---|---|---|
Files downloaded from requested domain / web address |
MD5 hashes of files that were downloaded from the requested domain or web address. |
Status—Status of files that were downloaded. Hits—Number of file downloads from the requested domain / web address, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded file. Last seen—Date and time when the file was last downloaded from the requested domain / web address. First seen—Date and time when the file was first downloaded from the requested domain / web address. Web address—Web addresses used to download the file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
Accessed files tab
Information about accessed files
Table name |
Description |
Table fields |
---|---|---|
Files accessed requested domain/web address |
MD5 hashes of files that accessed the requested domain or web address. |
Status—Status of files that accessed the requested domain / web address. Hits—Number of times the file accessed the requested domain / web address. File MD5—MD5 hash of the file that accessed the requested domain / web address. Last seen—Date and time when the file last accessed the requested domain / web address. First seen—Date and time when the file first accessed the requested domain / web address. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
Subdomains tab
Information about subdomains
Table name |
Description |
Table fields |
---|---|---|
Subdomains |
Subdomains for the requested domains. |
Status—Status of subdomains. Subdomain name—Name of the detected subdomain. Web address count—Number of web addresses related to the subdomain. Hosted files—Number of files hosted on the detected subdomain. First seen—Date and time when the subdomain was first detected. |
Referrals tab
Information about referrals
Table name |
Description |
Table fields |
---|---|---|
Referrals to domain/web address |
Web addresses that refer to the requested domain or web address. |
Status—Status of web addresses that refer to the requested domain / web address. Web address—Web address that refers to the requested domain or web address. Last reference—Date and time when the requested domain / web address was last referred to by listed web addresses. |
Domain referrals tab
Information about domain referrals
Table name |
Description |
Table fields |
---|---|---|
Domain referred to the following web addresses |
Web addresses that the requested domain links, forwards, or redirects to. |
Status—Status of web addresses that the requested domain links, forwards, or redirects to. Web address—Web address accessed by the requested domain. Last reference—Date and time when the requested domain last linked, forwarded, or redirected to listed web addresses. |
Web address masks tab
Information about web address masks
Table name |
Description |
Table fields |
---|---|---|
Web address masks |
Masks of the requested web address's domain, which were detected by Kaspersky expert systems. |
Status—Status of web addresses covered by the corresponding mask (Dangerous or Adware and other). Type—Type of the mask. Mask—Requested domain / web address mask. Feeds—Threat Data Feeds that contain the requested domain mask. |
About zones and statuses
All investigated objects are assigned to zones. A zone indicates the danger level of the object. All related objects are assigned to their own zones. Their zones and the zone of the investigated object may not match.
The list of zones is common for all types of objects, but not all zones can be applied to all types of objects.
Each type of object has its own set of statuses that most accurately describe the danger of objects of this type.
The relationships between the zones and statuses for all object types are provided in the table below.
Zones and statuses
Zone |
Danger level |
Hash status |
IP address status |
Domain status |
Web address status |
---|---|---|---|---|---|
Red |
High |
Malware |
Dangerous |
Dangerous |
Dangerous |
Orange |
Medium |
n/a* |
Not trusted |
Not trusted |
Not trusted |
Yellow |
Medium |
Adware and other |
Adware and other |
Adware and other |
Adware and other |
Grey |
Info |
Not categorized |
Not categorized |
Not categorized |
Not categorized |
Green |
Low |
Clean / No threats detected |
Good / No threats detected |
Good / No threats detected |
Good / No threats detected |
* n/a – Not applicable
Page top