Analysis of potentially malicious software samples in a virtualized environment is disclosed. One or more modifications are applied to a first virtual machine instance. The first virtual machine instance is initialized as a copy-on-write overlay associated with an original virtual machine image. Further, at least one modification includes the installation of startup instructions. The modified virtual machine instance is stared. A first set of modifications resulting from executing the first virtual machine instance is captured.