Endpoint Protection

Using Process Monitor to filter on suspicious processes 

Dec 13, 2010 12:15 PM

Process Monitor is part of the Sysinternals Suite and can be downloaded from here:

http://download.sysinternals.com/Files/ProcessMonitor.zip

It is a very useful tool that shows all file system, registry, and process/thread activity taking place on a computer in real time.

It can be especially helpful in the initial investigation of a malware infection. Let's look at some of the possibilities:

First, you notice in Task Manager that a suspicious process is running:

Let's run Process Monitor to see what activity is generated by our suspicious process:

We can see that our suspicious executable is querying a registry key, creating files, and loading a DLL.

In order to see all activity by this suspicious process, we can filter by process name.

To do this, right-click on the process's name (QQukQS.exe) and go to Include >> Process Name.

Now we will get a better idea of the activity taking place by this process. We can see that it created a total of 4,120 events before terminating:

Now the work of going through the log begins, to determine whether this process is truly malicious or not.
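One way to start that review outside the GUI is to save the Process Monitor capture as CSV (File > Save, CSV format) and triage it with a script. The example below is added here and is not from the original post; it applies the same Process Name filter the post describes and then summarizes operations, files written, and DLLs the process wrote and later loaded. The CSV rows are constructed sample data; only the column names match Process Monitor's default export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export. The header matches
# ProcMon's default columns; every row below is made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:15:01.0001","QQukQS.exe","3120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Example","NAME NOT FOUND","Length: 144"
"12:15:01.0002","QQukQS.exe","3120","CreateFile","C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.dll","SUCCESS","Desired Access: Generic Write"
"12:15:01.0003","QQukQS.exe","3120","WriteFile","C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.dll","SUCCESS","Offset: 0, Length: 4,096"
"12:15:01.0004","QQukQS.exe","3120","Load Image","C:\\Users\\user\\AppData\\Local\\Temp\\tmp1.dll","SUCCESS","Image Base: 0x10000000"
"12:15:01.0005","explorer.exe","1840","RegQueryValue","HKCU\\Software\\Classes\\exefile","SUCCESS","Type: REG_SZ"
"12:15:01.0006","QQukQS.exe","3120","Process Exit","","SUCCESS","Exit Status: 0"
"""


def filter_by_process(csv_text, process_name):
    """Keep only rows for one process, like Include >> Process Name in the GUI."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader
            if row["Process Name"].lower() == process_name.lower()]


def summarize(rows):
    """Count operations and flag files the process wrote and then loaded as code."""
    operations = Counter(row["Operation"] for row in rows)
    written = []            # paths the process wrote, in first-seen order
    dropped_and_loaded = [] # written earlier in the log, then loaded as an image
    for row in rows:
        path = row["Path"]
        if row["Operation"] == "WriteFile" and path not in written:
            written.append(path)
        elif row["Operation"] == "Load Image" and path in written:
            dropped_and_loaded.append(path)
    return {
        "event_count": len(rows),
        "operations": operations,
        "files_written": written,
        "dropped_and_loaded": dropped_and_loaded,
    }


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("Logfile.CSV").read() for a real export.
    rows = filter_by_process(SAMPLE_CSV, "QQukQS.exe")
    report = summarize(rows)
    print(f"{report['event_count']} events for QQukQS.exe")
    for op, count in report["operations"].most_common():
        print(f"  {count:5d}  {op}")
    print("written then loaded:", report["dropped_and_loaded"])
```

On a real 4,120-event capture the operation counts tell you where to look first, and the written-then-loaded list points straight at dropped components a removal tool would need to delete.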

I can tell you that this particular process was malicious. It was a new variant of InfoStealer.Gampass that caused minor problems on our network for about 36 hours. By using Process Monitor, we were able to create a custom removal tool to aid in the removal process.

Comments

Jun 07, 2013 06:42 AM

Hi,

That is a nice tool.

Regards

Ajin
