> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get File Behaviour Report From Sandbox

Get a File behaviour report from a sandbox.

<Note>
  External Documentation

  To learn more, visit the [VirusTotal documentation](https://docs.virustotal.com/reference/get-file-behaviour-id).
</Note>

## Parameters

<div className="integrations-table">
  | Parameter              | Description                            |
  | ---------------------- | -------------------------------------- |
  | Analysed File's SHA256 | The analysed file's SHA256 identifier. |
  | Sandbox Name           | The name of the required sandbox.      |
</div>

## Example Output

```json theme={"dark"}
{
	"data": {
		"id": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08_Zenbox",
		"type": "file_behaviour",
		"links": {
			"self": "https://mock-api.example.com/v3/file_behaviours/mock-behaviour-id-1"
		},
		"attributes": {
			"behash": "25d02ca094be83575d9f51298b3448ba",
			"last_modification_date": 1712589429,
			"analysis_date": 1712589367,
			"processes_tree": [
				{
					"process_id": "7456",
					"name": "C:\\Windows\\System32\\wscript.exe C:\\Windows\\System32\\WScript.exe "
				}
			],
			"has_evtx": true,
			"memory_dumps": [
				{
					"file_name": "00000001.00000003.1028472294.0000018726DDD000.00000004.00000020.00020000.00000000.sdmp",
					"process": "C:\\Windows\\System32\\wscript.exe",
					"size": "77824",
					"base_address": "1679984283648",
					"stage": "MEM_STAGE_FREE"
				}
			],
			"mitre_attack_techniques": [
				{
					"id": "T1064",
					"severity": "IMPACT_SEVERITY_INFO",
					"signature_description": "Found WSH timer for Javascript or VBS script (likely evasive script)",
					"refs": [
						{
							"ref": "#signature_matches",
							"value": "839"
						}
					]
				},
				{
					"id": "T1082",
					"severity": "IMPACT_SEVERITY_INFO",
					"signature_description": "Queries the cryptographic machine GUID",
					"refs": [
						{
							"ref": "#signature_matches",
							"value": "285"
						}
					]
				},
				{
					"id": "T1082",
					"severity": "IMPACT_SEVERITY_INFO",
					"signature_description": "Reads software policies",
					"refs": [
						{
							"ref": "#signature_matches",
							"value": "509"
						}
					]
				}
			],
			"processes_terminated": [
				"C:\\Windows\\System32\\wscript.exe"
			],
			"dns_lookups": [
				{
					"hostname": "mock.example.com",
					"resolved_ips": [
						"192.0.2.71",
						"192.0.2.73",
						"192.0.2.68",
						"192.0.2.2",
						"192.0.2.67",
						"192.0.2.23",
						"192.0.2.4",
						"192.0.2.74"
					]
				}
			],
			"tags": [
				"IDLE",
				"LONG_SLEEPS"
			],
			"files_opened": [
				"C:\\Users\\user\\Desktop\\sample.js",
				"C:\\Users\\user\\Desktop\\sample.js\\",
				"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
				"C:\\Windows\\SYSTEM32\\USERENV.dll",
				"C:\\Windows\\SYSTEM32\\WLDP.DLL",
				"C:\\Windows\\SYSTEM32\\amsi.dll"
			],
			"registry_keys_opened": [
				"HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSaferCodeIdentifiers0UrlZones",
				"HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyOIDEncodingType 0CryptSIPDllGetSignedDataMsg{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}",
				"HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyOIDEncodingType 0CryptSIPDllPutSignedDataMsg{000C10F1-0000-0000-C000-000000000046}"
			],
			"verdict_confidence": 100,
			"processes_created": [
				"C:\\Windows\\System32\\wscript.exe C:\\Windows\\System32\\WScript.exe \"C:\\Users\\user\\Desktop\\sample.js",
				"\n]",
				"verdicts",
				":",
				[
					"CLEAN"
				],
				"has_memdump",
				": true",
				"signature_matches",
				":",
				[
					{
						"id": "507",
						"description": "Uses an in-process (OLE) Automation server",
						"match_data": [
							"HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}InprocServer32"
						],
						"severity": "IMPACT_SEVERITY_INFO"
					}
				],
				"sandbox_name",
				":",
				"Zenbox",
				"has_html_report",
				": true",
				"has_pcap",
				": true"
			]
		}
	}
}
```

## Workflow Library Example

[Get File Behaviour Report from Sandbox with Virustotal and Send Results Via Email](https://library.blinkops.com/workflows/get-file-behaviour-report-from-sandbox-with-virustotal-and-send-results-via-email)

<div className="iframe-wrapper">
  <div className="iframe-media">
    <img src="https://mintcdn.com/blinkops-2/ojHYuDeYX5FWuN8a/img/Icons/play-box.svg?fit=max&auto=format&n=ojHYuDeYX5FWuN8a&q=85&s=b8af968e71438a9499c3223c9bd29fb2" alt="Workflow Library" width="16" height="16" data-path="img/Icons/play-box.svg" />

    Preview this Workflow on desktop
  </div>

  <iframe className="iframe" src="https://library.blinkops.com/workflows/get-file-behaviour-report-from-sandbox-with-virustotal-and-send-results-via-email/canvas" />
</div>
