The ReaQta-Hive integration with VirusTotal includes a partial implementation of our platform's behavioural tree, which helps analysts understand and assess a threat's risk and impact level. We use an icon-based language to identify and define the most common behaviours observed during the analysis. The table below describes the meaning of each icon shown within VirusTotal.
| ICON | DESCRIPTION |
| --- | --- |
| (icon) | A circle represents a process running on the endpoint; the number inside is the process ID. If coloured, the colour of the circle indicates the risk level associated with that specific process. |
| (icon) | A blue circle indicates a process that triggered one of the detection engines. We call this process a trigger point; a process chain can have more than one trigger point. |
| (icon) | A hexagon indicates a behaviour or action initiated by a process. If coloured, the colour of the hexagon indicates the impact assessment. |
| (icon) | Parent-child relationship between two processes. |
| (icon) | Behaviours linked to a process. |
| (icon) | Network connection established by the analysed process. |
| (icon) | The process created a persistent object in the system's registry. |
| (icon) | The process created a persistent filesystem object. |
| (icon) | The analysed process created a new executable object. |
| (icon) | The analysed process injected code into another application. |
| (icon) | The analysed process performed a privilege escalation. |
| (icon) | The analysed process exhibited keylogging behaviour. |
| (icon) | The analysed process took a screenshot. |
| (icon) | The analysed process performed process hollowing (dynamic process impersonation). |
| (icon) | The analysed process duplicated itself to another location. |
| (icon) | The analysed process is using a forged digital signature. |
| (icon) | The analysed process performed access-token stealing (kernel exploit). |
| (icon) | The analysed process exhibited anomalous behaviour outside the infrastructural baseline. |
| (icon) | The analysed process exhibited ransomware-like behaviour. |
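To make the structure of the behavioural tree concrete, here is an added example (not ReaQta-Hive or VirusTotal code) that models the legend above as a small data structure: circles become `Process` nodes, hexagons become `Behaviour` nodes, parent-child edges are stored as a `parent` pid, and behaviour edges hang off the process that initiated them. The `BehaviourTree`, `summarise` helper, the four-step `LEVELS` scale used for both risk and impact, and the sample process chain are all assumptions constructed for this illustration; the page does not specify the real colour scale.

```python
"""Toy model of an icon-legend behavioural tree (illustrative, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed ordinal scale for process risk (circle colour) and behaviour impact
# (hexagon colour). The real palette is not documented on this page.
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Behaviour kinds taken from the legend above, one per hexagon icon.
BEHAVIOURS = {
    "network_connection", "registry_persistence", "filesystem_persistence",
    "new_executable", "code_injection", "privilege_escalation", "keylogging",
    "screenshot", "process_hollowing", "self_duplication", "forged_signature",
    "token_stealing", "anomalous_behaviour", "ransomware_like",
}


@dataclass
class Behaviour:            # a hexagon
    kind: str
    impact: str = "none"


@dataclass
class Process:              # a circle; the pid is the number inside it
    pid: int
    name: str
    risk: str = "none"
    trigger: bool = False   # blue circle: this process fired a detection engine
    parent: Optional[int] = None
    behaviours: List[Behaviour] = field(default_factory=list)


class BehaviourTree:
    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}

    def add_process(self, pid, name, risk="none", trigger=False, parent=None):
        if risk not in LEVELS:
            raise ValueError(f"unknown risk level {risk!r}")
        if parent is not None and parent not in self.procs:
            raise ValueError(f"unknown parent pid {parent}")
        self.procs[pid] = Process(pid, name, risk, trigger, parent)
        return self.procs[pid]

    def add_behaviour(self, pid, kind, impact="none"):
        if kind not in BEHAVIOURS or impact not in LEVELS:
            raise ValueError(f"unknown behaviour {kind!r} / impact {impact!r}")
        self.procs[pid].behaviours.append(Behaviour(kind, impact))

    def children(self, pid):
        return [p for p in self.procs.values() if p.parent == pid]

    def chain(self, root_pid):
        """Every process in the subtree rooted at root_pid, depth-first."""
        out, stack = [], [root_pid]
        while stack:
            cur = stack.pop()
            out.append(self.procs[cur])
            stack.extend(c.pid for c in reversed(self.children(cur)))
        return out

    def trigger_points(self, root_pid):
        """A chain may contain more than one blue circle."""
        return [p.pid for p in self.chain(root_pid) if p.trigger]

    def summarise(self, root_pid):
        """Roll the chain up into the facts an analyst reads off the tree first."""
        procs = self.chain(root_pid)
        behaviours = [b for p in procs for b in p.behaviours]
        return {
            "processes": [p.pid for p in procs],
            "trigger_points": self.trigger_points(root_pid),
            "max_risk": max((p.risk for p in procs), key=LEVELS.get),
            "max_impact": max((b.impact for b in behaviours),
                              key=LEVELS.get, default="none"),
            "behaviours": sorted({b.kind for b in behaviours}),
        }


def sample_tree():
    """Constructed sample chain (not real telemetry)."""
    t = BehaviourTree()
    t.add_process(100, "explorer.exe")
    t.add_process(2314, "winword.exe", risk="low", parent=100)
    t.add_process(2380, "powershell.exe", risk="high", trigger=True, parent=2314)
    t.add_process(2401, "svchost.exe", risk="high", trigger=True, parent=2380)
    t.add_behaviour(2380, "network_connection", "medium")
    t.add_behaviour(2380, "registry_persistence", "high")
    t.add_behaviour(2401, "code_injection", "high")
    return t


if __name__ == "__main__":
    for key, value in sample_tree().summarise(100).items():
        print(f"{key}: {value}")
```

Reading the summary for the root process gives the same picture the icons convey at a glance: the chain has two trigger points (2380 and 2401), its highest process risk and highest behaviour impact are both `high`, and the hexagons attached to it are a network connection, registry persistence and code injection.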