Viewing the activity tree

The starting point of the event tree is the launch of the detected file. In the event tree, this process is indicated by an icon titled Run sample. To the right of it, the first spawned process and all the processes that this process has spawned are displayed. Each process displayed to the right of the parent is a child process.

You can view detailed information about a process by clicking the KATA_icon_SB_activity_tree button in its card.

When viewing the process card, you need to take into account the following special considerations involved in information display:

The card can display information for multiple processes at the same time if their activity type, process ID (the "pid" field in the card), and ID of the parent process (the "Parent_pid" field in the card) are the same. In this case, the card displays an icon with the number of aggregated activities: .
For processes that we recommend to pay attention to, the card displays the and icons.

If necessary, you can center the activity tree, expand or collapse all process cards, zoom in and out, and maximize the window using the toolbar in the lower-right corner of the window.

Page top