This section lists the threat's activities as observed when it was
executed in a controlled environment.

To determine a threat’s notable characteristics, the sample is
executed and monitored in a sandbox environment. The threat’s interaction
with the system is intercepted through inline function hooking.
By detouring system calls, the sandbox can inspect input parameters
and return values of system calls during run-time of the binary.
Behavior is logged throughout run-time and broken down into individual
activities or specific changes made in the environment. The monitored
behavior is described as a sequence of instructions, where individual
execution flows of threads and processes are logged in a single
report. Some events are composed of multiple identical recurring
events that have been merged.