
Using Process Monitor to filter on suspicious processes

Created: 13 Dec 2010 • Updated: 29 Dec 2010 | 1 comment
Posted by Brɨan

Process Monitor is part of the Sysinternals Suite and can be downloaded from here:

http://download.sysinternals.com/Files/ProcessMoni...

It is a very useful tool that shows all file system, registry, and process/thread activity taking place on a computer in real time.

It can be especially helpful in the initial investigation of a malware infection. Let's look at some of the possibilities:

First, you notice in Task Manager that a suspicious process is running:

Let's run Process Monitor to see what activity is generated by our suspicious process:

We can see that our suspicious executable is querying a registry key, creating files, and loading a DLL.

To see all activity generated by this suspicious process, we can filter by process name: right-click the process name (QQukQS.exe) and choose Include >> Process Name.

Now we get a much clearer picture of what this process is doing. We can see that it created a total of 4,120 events before terminating:

Now, the process of going through the log begins in order to determine if this process is truly malicious or not.
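Going through a few thousand events by hand is slow, so it helps to export the filtered capture (File > Save, CSV format) and let a script count what the process touched. The following is an added example, not code from the original post or from Sysinternals: it parses a Process Monitor CSV export, applies the same "Include >> Process Name" filter, and summarises the events by class (registry, file, image load, process/thread, network), listing the files the process actually created and the DLLs it loaded. It assumes the default export column names ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and that CreateFile details carry an "OpenResult: Created" marker; the embedded log lines are constructed for the example and are not from the author's capture.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of a Process Monitor CSV export with the
# default column set (assumption: column names match a default export).
# The QQukQS.exe rows mirror the activity described in the post: a registry
# query, file creation and a DLL load. Other rows are background noise.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:14.1000000","explorer.exe","1840","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:02:14.1200000","QQukQS.exe","3172","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Read"
"10:02:14.1250000","QQukQS.exe","3172","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 24, Data: Windows 7"
"10:02:14.1300000","QQukQS.exe","3172","Load Image","C:\Windows\System32\wininet.dll","SUCCESS","Image Base: 0x76a00000, Image Size: 0x1a0000"
"10:02:14.1350000","QQukQS.exe","3172","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"10:02:14.1400000","QQukQS.exe","3172","CreateFile","C:\Users\analyst\AppData\Local\Temp\tmp4f2a.tmp","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:02:14.1450000","QQukQS.exe","3172","WriteFile","C:\Users\analyst\AppData\Local\Temp\tmp4f2a.tmp","SUCCESS","Offset: 0, Length: 4,096"
"10:02:14.1500000","svchost.exe","904","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"10:02:14.1600000","explorer.exe","1840","Load Image","C:\Windows\System32\shell32.dll","SUCCESS","Image Base: 0x76b00000, Image Size: 0xc40000"
'''


def load_events(csv_text):
    """Parse a Process Monitor CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def include_process(events, process_name):
    """Equivalent of Include >> Process Name in the GUI (case-insensitive)."""
    wanted = process_name.lower()
    return [e for e in events if e["Process Name"].lower() == wanted]


def classify(operation):
    """Map a Process Monitor operation name onto a coarse activity class."""
    if operation.startswith("Reg"):
        return "registry"
    if operation == "Load Image":
        return "image"
    if operation.startswith(("Process", "Thread")):
        return "process"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if "File" in operation or "Directory" in operation:
        return "file"
    return "other"


def summarize(events):
    """Count events overall, per class and per operation name."""
    return {
        "total": len(events),
        "by_class": Counter(classify(e["Operation"]) for e in events),
        "by_operation": Counter(e["Operation"] for e in events),
    }


def created_files(events):
    """Paths of files the process created, not merely opened for reading.
    Assumption: the Detail column of a successful CreateFile reports
    'OpenResult: Created' when a new file was made."""
    return sorted({
        e["Path"] for e in events
        if e["Operation"] == "CreateFile"
        and e["Result"] == "SUCCESS"
        and "OpenResult: Created" in e["Detail"]
    })


def loaded_images(events):
    """DLLs and executables mapped into the process (Load Image events)."""
    return sorted({e["Path"] for e in events if e["Operation"] == "Load Image"})


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    suspicious = include_process(events, "QQukQS.exe")
    report = summarize(suspicious)
    print(f"{report['total']} events for QQukQS.exe out of {len(events)} captured")
    for cls, count in report["by_class"].most_common():
        print(f"  {cls:9} {count}")
    print("Files created:", created_files(suspicious))
    print("Images loaded:", loaded_images(suspicious))
```

On a real export, replace SAMPLE_CSV with the contents of the saved file; the class counts give a quick sense of whether the process is mostly reading configuration, writing to disk or loading libraries, and the created-file and loaded-image lists are the items worth checking first when deciding whether the process is malicious and what a removal tool must clean up.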

I can tell you that this particular process was malicious. It was a new variant of InfoStealer.Gampass that caused minor problems on our network for about 36 hours. By using Process Monitor, we were able to create a custom removal tool to aid in the removal process.

Comments

AjinBabu:

Hi,

That is a nice tool.

Regards

Ajin
