Process Graph

Note: The section is absent in reports for Android packages.

The section contains information about suspicious processes registered on a virtual machine. The data is represented as an interactive graph with an explanatory unit for each process.

To open the graph in a new tab, click the Process graph title. To zoom in or out, click the 07_OverPlus or 06_OverMinus icon; you can also zoom in by double-clicking the graph.

Conventions

Convention: Comment

08_Scale1_1: Process or resource maliciousness, measured on a scale from 0 to 100:
    11_Scale2: less than 20.
    12_Scale2: less than 40.
    13_Scale2: less than 60.
    14_Scale2: less than 80.
    15_Scale2: less than 100.

16_Process: Process. The unit color corresponds to the process maliciousness.

One_cloud, more_cloud, more_cloud_6: Network resource with remote access. The cloud color corresponds to the resource maliciousness. The protocol level and the IP address of the remote resource are displayed inside the cloud. Two clouds are displayed if a process connects to the resource 2–5 times, and three clouds if it connects 6 times or more; in these cases the number of connections is also displayed inside the cloud.

i_start-process: Sample. The sign marks the process that was run first.

i_detect-drweb: Known threat contained in the Dr.Web virus databases. The sign marks a process if a threat is detected in its dump.

red_gear: Known threat contained in the Dr.Web virus databases and detected in the dump of a loaded module. The sign marks a process into which a malicious module is loaded. If threats are detected in both the process dump and a module dump, the process is marked only with the i_detect-drweb sign.

arr_process: Process creation.

arr_inzhect: Injection into another process.

arr_internet: Web query.

arr_RPC: RPC request.

Description

Click a process unit to show information about that process in the description part.

Process parameters

Parameter: Description

PID: Unique ID of the process.

Full path: The path from which the process is run.

Run parameters: Parameters the process was run with. Optional field.

Behavior: The rules corresponding to the tags that describe suspicious behavior of the process.

View the process activity: Link to the API log, with the log data filtered by this process. To learn more about this feature, refer to API Log.

Download the dump file: Link for downloading the dump of the process.

Network resource parameters

Parameter: Description

Address: IP address of the network resource.

Port: Port number.

Protocol level: Level of the OSI network model (Transport or Application) of the protocol used for the data transfer.

    Note: If the analyzer fails to determine the application level protocol, the field shows the following:
    Application: UNK
    Unknown data: {16,03,01,00,41,45…06,00,13,00,00,63,01,00}

Query: This field is displayed if Protocol level is determined as Application: DNS.

URL: This field is displayed if Protocol level is determined as Application: HTTP.
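The graph conventions and the Application: UNK field above, worked through as an added Python example that is not code from this documentation or from Dr.Web: it maps a maliciousness score to the icon of its color band, derives the number of clouds from the connection count, and parses the Unknown data byte list so an analyst can inspect what an unidentified protocol carried. The TLS-record-header check is my own analyst heuristic, not something the report derives, and the behavior for a score of exactly 100 is an assumption.

```python
import re
from typing import List, Tuple

# Color bands of the maliciousness scale from the Conventions table: (upper bound, icon name).
SCALE_BANDS: List[Tuple[int, str]] = [
    (20, "11_Scale2"), (40, "12_Scale2"), (60, "13_Scale2"), (80, "14_Scale2"), (100, "15_Scale2"),
]

def scale_band(score: int) -> str:
    """Map a 0..100 maliciousness score to the icon of its color band."""
    if not 0 <= score <= 100:
        raise ValueError("maliciousness is measured on a scale from 0 to 100")
    for upper, icon in SCALE_BANDS:
        if score < upper:
            return icon
    return "15_Scale2"  # assumption: a score of exactly 100 is drawn in the top band

def cloud_count(connections: int) -> int:
    """Number of cloud icons drawn for a resource a process connected to `connections` times."""
    if connections < 1:
        raise ValueError("a resource appears on the graph only after a connection")
    if connections == 1:
        return 1                             # a single cloud, no counter shown
    return 2 if connections <= 5 else 3      # 2-5 connections: two clouds; 6 or more: three

_UNKNOWN_RE = re.compile(r"Unknown data:\s*\{([^}]*)\}")

def parse_unknown_data(field: str) -> Tuple[bytes, bool]:
    """Parse the 'Unknown data' hex list shown for Application: UNK.
    Returns the bytes before any elision and whether the list was elided ('…' or '...')."""
    m = _UNKNOWN_RE.search(field)
    if m is None:
        raise ValueError("field carries no 'Unknown data' list")
    raw = m.group(1)
    head = re.split(r"…|\.\.\.", raw)[0]     # keep only the bytes shown before the elision
    elided = head != raw
    data = bytes(int(tok, 16) for tok in head.split(",") if tok.strip())
    return data, elided

def looks_like_tls_record(data: bytes) -> bool:
    """Analyst heuristic (my assumption, not derived by the report): the bytes start like a
    TLS record header, i.e. content type 0x14-0x17 followed by a 0x03xx protocol version."""
    return len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03 and data[2] <= 0x04

# The page's own example of the field, reused here as sample input.
SAMPLE_UNK_FIELD = "Application: UNK\nUnknown data: {16,03,01,00,41,45…06,00,13,00,00,63,01,00}"
```

For the page's example the parser yields the six bytes 16 03 01 00 41 45 and reports the list as elided; the leading 0x16 0x03 0x01 matches a TLS handshake record header, which is how an analyst can tell that an "Application: UNK" connection was in fact TLS.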