Analysis report: Timeline tab

The Timeline tab displays the activities of the sample as it was run in the VMware NSX Network Detection and Response sandbox. This tab only appears for executable files. It displays the Filename, Arguments, and File Info.

The Stack depth control allows you to filter for activities directly invoked by the process under analysis, depending on the depth of the call-stack. The depth parameter indicates how deeply a call to a library API or native system function may be nested from code of the analyzed process. For example, if the function NtCreateFile is called directly from process memory of the analyzed program, the depth of this call is 0. If the program instead calls a library function such as CreateFileA, the call is nested: CreateFileA normally calls CreateFileW, which may call something else, which then calls NtCreateFile. The stack depth in this case is greater than 0. If the analysis system is unable to reconstruct the call-stack, no depth is available for the action. You can decide whether to include or hide this type of action.
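A conceptual model of the depth value and the filter described above, as an added example that is not VMware's code. The caller lists, the module names, `sample.exe`, and the treatment of the control as a maximum-depth threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Event:
    action: str                      # logged function, e.g. NtCreateFile
    callers: Optional[List[str]]     # owning module of each caller frame, innermost
                                     # first; None = call-stack not reconstructed

def stack_depth(callers, process_module):
    """Count library frames between the logged call and the sample's own code."""
    if callers is None:
        return None
    for depth, owner in enumerate(callers):
        if owner == process_module:
            return depth
    return None  # no frame in the sample's code: treat as no depth available

def filter_events(events, process_module, max_depth, include_unknown):
    """Keep events at or below max_depth; unknown-depth events are optional."""
    kept = []
    for ev in events:
        depth = stack_depth(ev.callers, process_module)
        if depth is None:
            if include_unknown:
                kept.append(ev)
        elif depth <= max_depth:
            kept.append(ev)
    return kept

# Constructed sample events (not sandbox output).
SAMPLE = "sample.exe"
EVENTS = [
    Event("NtCreateFile", [SAMPLE]),                                   # direct call
    Event("NtCreateFile", ["kernelbase.dll", "kernelbase.dll",
                           "kernel32.dll", SAMPLE]),                   # via CreateFileA
    Event("NtQueryValueKey", ["advapi32.dll", SAMPLE]),
    Event("NtWriteFile", None),                                        # stack unknown
]

if __name__ == "__main__":
    for ev in filter_events(EVENTS, SAMPLE, max_depth=0, include_unknown=False):
        print(ev.action, stack_depth(ev.callers, SAMPLE))
```

A low depth setting isolates calls the sample made itself, while hiding unknown-depth actions can also hide activity whose call-stack could not be reconstructed.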

Timeline list

The timeline list allows you to examine the execution of the sample in fine-grained detail.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Each row is a summary of a sample time slice. Click the plus icon (or anywhere on an entry row) to expand the segment. The expanded view displays the Category, Action, and other data depending on the action.

The list is sorted by timestamp and includes the following fields:

Timestamp (Min:Sec)

The timestamp of the sample time slice.

Thread

The thread being executed at the sample time slice.

Click the sort icon in the list header to sort the list by thread.

Subject

The process running at the sample time slice.

Click the sort icon in the list header to sort the list by subject.

Subject name

The name of the process running at the sample time slice.

Click the sort icon in the list header to sort the list by subject name.

Action name

The action the process is executing at the sample time slice.

Click the sort icon in the list header to sort the list by action name.

Summary

A summary of the process at the sample time slice. The summary may be a count of files searched, the name of a file, a registry entry, etc.

Click the sort icon in the list header to sort the list by summary.