Process Explorer

One of the key tools that allows a detailed examination of malware as it is executing is Process Explorer. This tool is part of the Windows Sysinternals suite and provides a no-cost platform for analysts to see what each process is running and which parent process started it, as well as to examine CPU usage. Simply download the application from the following site: https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx.

Extract the contents, and then double-click the version of Process Explorer (32-bit or 64-bit) that is applicable to the system. The following window will appear:

As can be seen, several key pieces of information are available to the analyst. The major advantage of this tool is its visual representation: rather than attempting to use either native Windows tools or other memory analysis tools after a capture, analysts can quickly see whether any processes look suspicious.

Analysts have the ability to send a process and associated data to VirusTotal (https://www.virustotal.com/gui/home/upload). If a suspicious process is identified, Process Explorer will send the information off to the site for analysis and comparison. To do so, click on the process in the window, then navigate to Process, and then Check VirusTotal. The results are indicated as a number out of 70, as can be seen in the following screenshot:
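The two things Process Explorer surfaces at a glance in the passages above, each process with its parent and a VirusTotal detection count for the process image, can also be reproduced from the command line when the GUI is not available (for example on a system reached only over a remote shell). The following PowerShell script is an added example written for this page; it is not code from the book or from Sysinternals. It assumes the VirusTotal API v3 hash-lookup endpoint and an API key stored in a `VT_API_KEY` environment variable (a hypothetical variable name chosen here), and it only ever submits SHA-256 hashes, never the executables themselves.

```powershell
# Added example, not from the book or Sysinternals.
# Lists every process with its parent (as Process Explorer's tree view does) and looks up
# the SHA-256 of each process image on VirusTotal by hash only.
# Assumptions: VirusTotal API v3; API key in $env:VT_API_KEY (hypothetical variable name).
# Run from an elevated session so ExecutablePath is populated for other users' processes.

$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CreationDate

# Index by PID so each process can be resolved to its parent.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# One VirusTotal lookup per unique hash; the public API is rate limited.
$vtCache = @{}

function Get-DetectionRatio {
    # Returns "<malicious>/<engines>", "not in VT" for an unknown hash, or "no key".
    param([string]$Sha256)
    if (-not $env:VT_API_KEY) { return 'no key' }
    if ($vtCache.ContainsKey($Sha256)) { return $vtCache[$Sha256] }
    try {
        $r = Invoke-RestMethod -Method Get `
            -Uri "https://www.virustotal.com/api/v3/files/$Sha256" `
            -Headers @{ 'x-apikey' = $env:VT_API_KEY }
        $stats = $r.data.attributes.last_analysis_stats
        # last_analysis_stats holds one counter per verdict class; their sum is the engine count.
        $total = ($stats.PSObject.Properties | Measure-Object -Property Value -Sum).Sum
        $result = "$($stats.malicious)/$total"
    } catch {
        if ($_.Exception.Response.StatusCode.value__ -eq 404) { $result = 'not in VT' }
        else { $result = "error: $($_.Exception.Message)" }
    }
    $vtCache[$Sha256] = $result
    return $result
}

$rows = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    # A parent PID can be reused after the real parent exits; Process Explorer checks
    # creation times for the same reason. Flag a "parent" that started after its child.
    $parentName = '<exited or unknown>'
    if ($parent) {
        $parentName = $parent.Name
        if ($parent.CreationDate -and $p.CreationDate -and
            $parent.CreationDate -gt $p.CreationDate) {
            $parentName = "$($parent.Name) <PID reused>"
        }
    }
    $hash = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
    }
    $vt = if ($hash) { Get-DetectionRatio $hash } else { 'n/a' }
    [pscustomobject]@{
        PID        = $p.ProcessId
        Name       = $p.Name
        ParentPID  = $p.ParentProcessId
        Parent     = $parentName
        Path       = $p.ExecutablePath
        SHA256     = $hash
        VirusTotal = $vt
    }
}

$rows | Sort-Object ParentPID, PID |
    Format-Table PID, Name, ParentPID, Parent, VirusTotal -AutoSize
```

The detection column is shown as `malicious/engines` in the same spirit as Process Explorer's "x out of 70" display; the engine total comes from summing the verdict counters VirusTotal returns, so it may differ slightly from the GUI's figure. Processes whose image path cannot be read (protected system processes, or a non-elevated session) show `n/a` rather than being silently dropped, so an empty hash column is itself something to look at.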

Another key feature of Process Explorer is the ability to dump the contents of a process, much as Volatility is able to. The major difference is that the analyst can perform the dump without first having to acquire a memory image. To dump the memory, click on the process, then navigate to Process, and then Create Dump. The analyst has the option to choose between a mini-dump and a full dump. As a standard practice, it is advisable to capture a full dump. The dump can then be saved to a directory of choice.
