Each folder at the root level, with an SHA-1 hash value as its name, is associated with one object. More than one folder of this type will only exist if the first object is an archive file or an email message.

Associated with a sandbox image that analyzed the object.

Contains a list of the files that were generated or modified during analysis.

Contains the raw memory dump after the process was launched into memory.

Contains captured network data that can be used to extract payloads. The file does not exist If no network data was generated.

Contains the final analysis report for a single object for a specific image.

Contains a list of all suspicious objects detected during analysis. This file is empty if no suspicious objects were detected during analysis.

Contains technical characteristics that identify attacker’s tactics, techniques and procedures or other evidence of compromise.

A screenshot of a UI event that occurred during analysis. The file does not exist if no UI events occurred during analysis.

Contains files that are common amongst all of the samples.

Generated or modified during analysis.

The submitted sample.

Extracted from the sample during analysis.

The final analysis report for all objects.

Contains files related to the sandbox image that analyzed the object.

Contains additional details about the sandbox image that analyzed the object.

\%SHA1%\%imageID%\strings

Contains files related to the sandbox image that analyzed the object.

\%SHA1%\%imageID%\strings\%SHA1%.string

Contains string dump retrieved from the object during the analysis in the sandbox image.

\%SHA1%.ioc

The IOC file.

The STIX IOC file.

\%SHA1%_so.stix

The STIX SO file.

The STIX2 SO file.

The STIX2 IOC file.