The Visible Sandbox: cwmonitor.dll

Building a Sandbox · Chapter 3 · 69

temporary files, which are often used as a source for encryption and therefore contain the plaintext of data that is transmitted over the network only in obfuscated form. It also includes copies of all downloaded files, which may contain code updates or further malware components. The second option enables a function that creates process dumps of all monitored processes shortly before they are terminated or suspended. If a malware sample is compressed or encrypted, this gives you a decompressed and decrypted version of its binary code, because the dump is taken after the sample has already unpacked itself in memory. All process dumps are also stored in the .cab file mentioned above.

Warning

Please keep in mind that the main purpose of CWSandbox is to monitor, not to block, the actions of the analyzed file. This means that your local system as well as remote systems may be infected by it, and that sensitive data may be retrieved and sent to the malware operator. Furthermore, malicious code may remain active after the analysis process has finished. The sandbox tries to terminate all created processes and to stop all malicious threads that have been injected into running system services, but as this is
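Why a dump taken just before termination is worth having: a packed sample has to decrypt its real image into memory before it can run it, so the plaintext image exists in the process at exit even though it never exists on disk. The following Python script is added here as an illustration and is not part of CWSandbox or of this chapter. It builds a synthetic "packed" sample (a stub header plus a single-byte-XOR-encrypted image), models the process memory at exit, and carves MZ/PE headers out of both buffers with the usual e_lfanew-to-"PE\0\0" heuristic. The packer, key, function names and all byte data are constructed for the example.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


def find_pe_images(dump: bytes):
    """Scan a memory dump for embedded PE images.

    Returns a list of (offset, architecture, number_of_sections) for every
    'MZ' whose e_lfanew field points at a valid 'PE\\0\\0' signature inside
    the buffer. This is the usual carving heuristic for locating an unpacked
    image in a process dump.
    """
    hits = []
    pos = dump.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(dump):
            # e_lfanew (file offset of the PE header) sits at DOS header offset 0x3C
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # sanity checks: plausible e_lfanew, COFF header fully inside the dump
            if (0x40 <= e_lfanew < 0x1000
                    and pe_off + 24 <= len(dump)
                    and dump[pe_off:pe_off + 4] == PE_MAGIC):
                machine, nsections = struct.unpack_from("<HH", dump, pe_off + 4)
                hits.append((pos, MACHINE_NAMES.get(machine, hex(machine)), nsections))
        pos = dump.find(MZ_MAGIC, pos + 1)
    return hits


def build_minimal_pe(machine: int, nsections: int) -> bytes:
    """Constructed test data: DOS header, COFF file header and padding.

    Not a loadable executable; just enough structure for the carver above.
    """
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = PE_MAGIC + struct.pack("<HHIIIHH",
                                  machine, nsections,
                                  0, 0, 0,             # timestamp, symtab ptr, symbol count
                                  0xE0, 0x0102)        # optional header size, characteristics
    return bytes(dos) + coff + b"\x00" * 0x100


def xor_crypt(blob: bytes, key: int) -> bytes:
    """Toy single-byte XOR 'packer' (assumption: stands in for a real packer)."""
    return bytes(b ^ key for b in blob)


# --- constructed scenario -------------------------------------------------
XOR_KEY = 0x5A
ORIGINAL_IMAGE = build_minimal_pe(0x14C, 3)                        # the real malware image
PACKER_STUB = build_minimal_pe(0x14C, 1)                           # tiny unpacking stub
PACKED_SAMPLE = PACKER_STUB + xor_crypt(ORIGINAL_IMAGE, XOR_KEY)   # what sits on disk


def simulate_process_memory_at_exit(packed: bytes, key: int, stub_len: int) -> bytes:
    """Model the process image right before termination (assumed layout).

    The stub has decrypted the payload into a fresh region while the original
    file bytes are still mapped below it. This is the state a pre-termination
    dump captures.
    """
    decrypted = xor_crypt(packed[stub_len:], key)
    return packed + b"\x00" * 0x100 + decrypted


PROCESS_DUMP = simulate_process_memory_at_exit(PACKED_SAMPLE, XOR_KEY, len(PACKER_STUB))

if __name__ == "__main__":
    print("on-disk sample :", find_pe_images(PACKED_SAMPLE))   # only the stub is visible
    print("process dump   :", find_pe_images(PROCESS_DUMP))    # stub plus the unpacked image
```

Running the script shows one carved header for the on-disk sample (the stub) and two for the dump (the stub and the decrypted image at its in-memory offset). The e_lfanew range check and the bounds check on the COFF header are what keep the carver from reporting random "MZ" byte pairs in encrypted or zeroed regions; a real dump will contain plenty of those.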