A security agent may be configured to: (i) execute on an electronic device at a level below all of the operating systems of the electronic device accessing a memory or processor resources of the electronic device; (ii) trap attempted accesses to the memory or the processor resources associated with function calls for thread synchronization objects associated with creation, suspension, or termination of one thread by another thread; (iii) in response to trapping each attempted access, record information associated with the attempted access in a history, the information including one or more identities of threads associated with the attempted access; (iv) determine whether a particular thread is affected by malware; and (iv) in response to a determining that the particular thread is affected by malware, analyze information in the history associated with the particular memory location or processor resource to determine one or more threads related to the particular thread.