Interesting files written to disk during execution.
files_dropped contains a list of all files are files specifically created and written to during an execution recording. These might be the result of downloading content from the Internet and writing it to a file, unpacking a given file from the execution subject's body, dumping some content to a file, etc.
The object contains a list of dictionaries, each one containing the following subfields:
path<string> required. Full path, file name included.sha256<string> required. File's SHA-256 hash.
{
"data": {
"attributes": {
"files_dropped": [
{
"path": "<string>",
"sha256": "<string>"
},...
]
}
}
}
{
"data": {
"attributes": {
"files_dropped": [
{
"path": "C:\\Users\\FD1HVy\\AppData\\Roaming\\33D770D0-06BC-47C5-8714-222CDAC43A71\\run.dat",
"sha256": "120a4d5404d43646744c849425741a42f4d0b444541245df4d4c44654c44e3e1"
},
{
"path": "C:\\Program Files (x86)\\blablabla\\blablabla.exe",
"sha256": "c88c5915b968b51bff55155c51d15ef85558c65655c5c31a59bd565b85f57424"
}
]
}
}
}