Yup, as I've suspected, CyberCapture isn't just behavioral analysis system, but involves a list of checks through which each sample goes during analysis. I mean, it's pointless to perform demanding real-time execution and behavior observation if one of the less demanding systems can already spot something as malware. I'm assuming behavior analysis always come at the very end if all the other checks don't raise an alarm already.