Process Explorer

One of the key tools that allows for detailed examination of malware as it is executing is Process Explorer. This tool is part of the Windows Sysinternals suite and is free; it lets analysts see what each process is running, what its parent process is, and how much CPU it is using. Simply download the application from the following site: https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx. Extract the contents and then double-click the version of Process Explorer (32-bit or 64-bit) that applies to the system. The following window will appear:

As can be seen, there are several key pieces of information available to the analyst. The major advantage of this tool is the visual representation. As opposed to attempting to utilize either native Windows tools or other memory analysis tools after capture, analysts can quickly see if any processes look suspicious.

Analysts have the ability to send a process and its associated data to VirusTotal.com for analysis. If a suspicious process is identified, Process Explorer will send the information to the site for analysis and comparison. To do this, click on the process in the window, then navigate to Process and then Check VirusTotal. The result is shown as a detection ratio written as a number over 62: the number of antivirus engines that flagged the file, out of the 62 engines queried.

Another key feature of Process Explorer is the ability to dump the contents of a process in much the same way that Volatility can. The major difference is that the analyst can take the dump without first acquiring a memory image. To dump the process memory, click on the process and navigate to Process and then Create Dump. The analyst can choose between a Mini-Dump and a Full Dump. As standard practice, it is advisable to capture a Full Dump. The dump can then be saved to a directory of choice.

One technique that can be used is to create a virtual machine with the appropriate Windows operating system. It is best to start with a bare-bones operating system with the Microsoft Office suite installed. Other third-party programs can be installed later if it appears that the malicious code leverages a vulnerability in those applications. Start Process Explorer and let it run for a few minutes to establish a baseline. Next, execute the suspected malware and observe which new processes are created. From here, the analyst can compare these processes and their associated DLL files with VirusTotal and then dump any of those processes for later static analysis.
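The baseline-then-execute workflow above is something Process Explorer lets you do by eye; the following Python script, added here as an example rather than code from the book or from Sysinternals, performs the same comparison over two process-list snapshots so the result can be recorded. It assumes two constructed snapshots (`BASELINE` and `AFTER`, with made-up PIDs, names and paths), reports which processes are new, which of those descend from the executed sample (including the case where a parent has already exited), lists the unrelated new processes separately, and computes the SHA-256 that would be looked up on VirusTotal, whose detection ratio it parses in the "hits over engines" form the text describes.

```python
"""Baseline/after process-snapshot diff for a malware sandbox run.

Constructed example: two hand-written process lists stand in for what
Process Explorer shows before and after the sample is executed.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    image: str  # path of the executable backing the process


def new_processes(baseline: Iterable[Proc], after: Iterable[Proc]) -> List[Proc]:
    """Processes present in `after` but not in `baseline`.

    Keyed on (pid, name) rather than pid alone: Windows reuses PIDs, so a
    new process may carry the PID of one that exited during the run.
    """
    seen = {(p.pid, p.name) for p in baseline}
    return [p for p in after if (p.pid, p.name) not in seen]


def parent_chain(proc: Proc, table: Dict[int, Proc]) -> List[str]:
    """Ancestry of `proc` from root to leaf, e.g. ['explorer.exe(1200)', ...].

    A parent that has already exited (PID absent from the table) is recorded
    as '<exited N>' instead of being silently dropped; a PID-reuse cycle stops
    the walk instead of looping forever.
    """
    chain = [f"{proc.name}({proc.pid})"]
    visited = {proc.pid}
    cur = proc
    while cur.ppid in table and cur.ppid not in visited:
        cur = table[cur.ppid]
        visited.add(cur.pid)
        chain.append(f"{cur.name}({cur.pid})")
    if cur.ppid != 0 and cur.ppid not in table:
        chain.append(f"<exited {cur.ppid}>")
    chain.reverse()
    return chain


def descendants(root_pid: int, table: Dict[int, Proc]) -> List[Proc]:
    """Every process whose ancestry passes through `root_pid`, breadth-first."""
    children = defaultdict(list)
    for p in table.values():
        children[p.ppid].append(p)
    found, queue = [], list(children[root_pid])
    while queue:
        p = queue.pop(0)
        found.append(p)
        queue.extend(children[p.pid])
    return found


def sha256_hex(data: bytes) -> str:
    """Hash of the image bytes: the value to look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str) -> str:
    """Same hash computed over a file on disk, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_detection_ratio(text: str) -> Tuple[int, int]:
    """'3/62' -> (3, 62): engines that flagged the file over engines queried."""
    hits, total = text.split("/")
    return int(hits), int(total)


def triage(baseline: Iterable[Proc], after: Iterable[Proc], sample_name: str) -> dict:
    """Split the new processes into those spawned by the sample and the rest."""
    table = {p.pid: p for p in after}
    fresh = new_processes(baseline, after)
    sample = next((p for p in fresh if p.name.lower() == sample_name.lower()), None)
    spawned = descendants(sample.pid, table) if sample else []
    related = ({sample.pid} | {p.pid for p in spawned}) if sample else set()
    return {
        "new": [p.name for p in fresh],
        "spawned_by_sample": [" -> ".join(parent_chain(p, table)) for p in spawned],
        "unrelated_new": [p.name for p in fresh if p.pid not in related],
    }


# Constructed snapshots (PIDs, names and paths are made up for the example).
BASELINE = [
    Proc(4, 0, "System", ""),
    Proc(600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(1200, 1100, "explorer.exe", r"C:\Windows\explorer.exe"),  # parent 1100 has exited
]
AFTER = BASELINE + [
    Proc(2500, 1200, "invoice.exe", r"C:\Users\analyst\Desktop\invoice.exe"),  # the sample
    Proc(2600, 2500, "cmd.exe", r"C:\Windows\System32\cmd.exe"),
    Proc(2700, 2600, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(2800, 1200, "notepad.exe", r"C:\Windows\System32\notepad.exe"),  # analyst opened it
]

if __name__ == "__main__":
    report = triage(BASELINE, AFTER, "invoice.exe")
    for key, value in report.items():
        print(key, value)
```

On a live system the two lists would be filled from the process view rather than typed in, and `file_sha256` would be run over each new process's image path; the separation of "spawned by the sample" from "unrelated new" is what keeps an analyst's own activity (here, opening Notepad) from being mistaken for malware behaviour.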
