ReaQta-Hive integration with VirusTotal includes a partial implementation of our platform’s behavioural tree that helps to understand and assess a threat’s risk and impact level. We use an icon-based language to identify and define the most common behaviours identified during the analysis. Below is a table describing the meaning of each icon shown within VirusTotal.

ICON DESCRIPTION
A circle represent a process running on the endpoint, the number inside is the process ID. If coloured, the color of the circle indicates the risk level associated to that specific process:

  • Green: low risk
  • Yellow: medium risk
  • Red: high risk
A blue circle indicates a process that triggered one of the detection engines. We call this process: trigger point, a process chain can have more than one trigger point.
A hexagon indicates a behaviour or action initiated by a process, If coloured, the color of the hexagon indicates the impact assessment:

  • Green: low impact
  • Yellow: medium impact
  • Red: high impact
Parent-child relationship between two processes.
Behaviours linked to a process.
Network connection established by the analysed process.
The process created a persistent object in the system’s registry.
The process created a persistent filesystem object.
The process analysed has created a new executable object.
The process analysed injected code in another application.
The process analysed ran a privilege escalation.
The process analysed has been showing keylogging behavior.
The process analysed took a screenshot.
The process analysed performed a process-hollowing (dynamic process impersonation).
The process analysed duplicated itself in another location.
The process analysed is using a forged digital signature.
The process analysed executed an access token stealing (kernel exploit).
The process analysed exhibited an anomalous behaviour outside the infrastructural baseline.
The process analysed exhibited a ransomware-like behavior.