Malicious behavior of a computer program is detected using an emulation
engine, an event detector and an event analyzer. The emulation engine
includes a system emulator configured to emulate, in an isolated computer
environment, at least a part of a computer system and a program emulator
configured to emulate, in the isolated computer environment, execution of
the computer program, including execution of a plurality of executable
components of the computer program, such as execution processes and
threads. The event detector is configured to monitor events being
generated by two or more of the executable components. The event analyzer
is configured to determine, substantially in real time, based at least on
one or more events generated by each of two or more of the plurality of
executable components, whether or not the computer program exhibits
malicious behavior, wherein individually one or more of the plurality of
executable components may exhibit benign behavior.
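
The cross-component analysis described above, shown as an added example that is not code from the original document: a streaming analyzer receives events from several emulated components and reports a match only when an ordered rule is completed by events from at least two of them. The event names, the rule, the component names and the trace are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    component: str  # emulated process or thread that generated the event
    action: str     # constructed action name (assumption)
    target: str     # object the action touches

# Constructed rule (assumption): these actions, in this order, on one target.
RULE = ("write_file", "set_autorun", "create_process")

class EventAnalyzer:
    """Streaming matcher: feed() is called for each event as it is detected."""
    def __init__(self, rule=RULE, min_components=2):
        self.rule = rule
        self.min_components = min_components
        self.progress = {}  # target -> components that matched each rule step

    def feed(self, ev):
        """Return the contributing components once the rule completes, else None."""
        seen = self.progress.setdefault(ev.target, [])
        if len(seen) < len(self.rule) and ev.action == self.rule[len(seen)]:
            seen.append(ev.component)
            if len(seen) == len(self.rule) and len(set(seen)) >= self.min_components:
                return set(seen)
        return None

def verdict(events, **kw):
    """Run a whole trace through a fresh analyzer; stop at the first match."""
    analyzer = EventAnalyzer(**kw)
    for ev in events:
        hit = analyzer.feed(ev)
        if hit:
            return hit
    return None

def per_component(events):
    """Analyze each component's events in isolation, for comparison."""
    names = {e.component for e in events}
    return {n: verdict([e for e in events if e.component == n], min_components=1)
            for n in names}

# Constructed trace: no single component performs the full rule sequence.
TRACE = [
    Event("proc_a", "write_file", "C:/tmp/x.bin"),
    Event("proc_b", "read_file", "C:/tmp/other.txt"),
    Event("proc_b", "set_autorun", "C:/tmp/x.bin"),
    Event("proc_a:thread_2", "create_process", "C:/tmp/x.bin"),
]
```

On the constructed trace, `verdict(TRACE)` names all three components, while `per_component(TRACE)` finds no match for any of them alone.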