Process or resource maliciousness. Measured on a scale from 0 to 100:

Process. The unit color corresponds to the process maliciousness.

Network resource with remote access. The cloud color corresponds to the resource maliciousness.

The protocol level and the IP address of the remote resource are displayed inside the cloud.

2 clouds are displayed if a process connects to the resource 2–5 times. 3 clouds are displayed if a process connects to the resource 6 times or more. In these cases, a number of connections is also displayed inside the cloud.

Sample. The sign is used to mark the first running process.

Known threat that is contained in the Dr.Web virus databases. The sign is used to mark a process if a threat is detected in its dump.

Known threat that is contained in the Dr.Web virus databases and that is detected in a dump of a loaded module. The sign is used to mark a process that a malicious module is loaded into. If threats are detected in both process and module dumps, the process is marked only with the sign.

Process creation.

Injection into another process.

Web query.

RPC request.

PID

Process unique ID.

Full path

The path in which the process is run.

Run parameters

Special parameters for the process running. Optional field.

Behavior

The rules corresponding to tags about suspicious behavior of a process.

View the process activity

A link to the API log. Data in the log is filtered by process. To learn more about this feature, refer to API Log.

Download the dump file

Link for downloading the dump of the process.

Address

IP address of the network resource.

Port

Port number.

Protocol level

Protocol level of the OSI network model used for data transferring:

•Transport

•Application

Query

This field is displayed if Protocol level is determined as Application: DNS.

URL

This field is displayed if Protocol level is determined as Application: HTTP.