- Process Explorer integrates VirusTotal to compare hashes and prioritize threats.
- Properties, Signatures, and Mitigations (DEP/ASLR) provide key signals.
- Autoruns, anti-rootkit tools and network monitoring complete the investigation and cleanup.
- Hardening afterwards: patches, defensive layers, and backups.
Detecting malicious processes in Windows is not always obvious, and even less so when the malware hides using advanced techniques. If you're wondering how to find them without getting lost among dozens of processes, Process Explorer and its integration with VirusTotal are a great help.
In this guide you will find a practical and very detailed tour to investigate suspicious processes with Process Explorer, activate the scan with VirusTotal, interpret the results, and complement the investigation with Autoruns, anti-rootkit tools, network monitoring, and other cleanup and reinforcement measures.
What is Process Explorer and why is it key to hunting malicious processes?
Process Explorer is a Microsoft utility (from the Sysinternals collection) designed to monitor processes in depth on Windows: CPU/RAM usage, process hierarchies, handles, loaded modules, executable paths, permissions, digital signatures, and much more. It's portable, runs without installation, and lets you make informed decisions in seconds.
Since 2014 it has included integration with VirusTotal, which makes it possible to compare the hash of each executable with a database of multiple antivirus engines in the cloud. This extra layer makes it easier to distinguish legitimate processes from those that don't look legitimate without leaving the tool.
In simplified form, the VirusTotal analysis flow from Process Explorer works like this: you select the process, the tool sends the hash of the executable (not the file itself) to VirusTotal, VirusTotal compares it against its signature base, and then you see the score in a dedicated column within Process Explorer.
- Process selection: You choose the process you want to check from the list.
- Sending the hash: Process Explorer calculates the binary's hash and submits it to VirusTotal.
- Analysis: VirusTotal engines compare that hash with their malware repository.
- Results: a column appears with the aggregated verdict (positives/engines).
Among its advantages are quick detection of potential threats, the enriched detail VirusTotal provides about malware families or matches, and usability: everything is integrated into the Process Explorer interface, without complicated configuration.
As for limitations, remember that effectiveness depends on VirusTotal (very new malware may not appear yet) and that scanning adds resource consumption while hashes are being queried, especially on modest computers or those with many simultaneous processes.
How to enable VirusTotal in Process Explorer and understand the results

Start by downloading the tool from Sysinternals, unzip it and run procexp64.exe as an administrator if you're using 64-bit Windows. Being portable, it requires no installation, which is very convenient for ad-hoc analysis.
To turn on the integration with VirusTotal, go to Options > VirusTotal in the top bar and enable the check. You will automatically see a new column displaying something like 0/70, 1/70, etc., indicating how many engines report the file as suspicious.
A 0/n usually means that no engine has detected malicious activity associated with the queried hash. If you see an isolated positive (for example, 1/70 in red), don't rush: these are often false positives. You can click on the result to open the VirusTotal report and review the details.
If the counter spikes (e.g., 15/70 or higher), it's a clear sign of risk. In that case, the sensible thing to do is terminate the process carefully, isolate the machine from the network if necessary, and run a full antimalware scan to identify and eliminate the source.
Manual Investigation: Process Properties, Signatures, DEP/ASLR, and Subtle Clues

Beyond VirusTotal's verdict, Process Explorer shines when you open the properties of a process (double-click or right-click > Properties). Here you can see the image path, the user it's running as, loaded modules, open handles, resource usage, and other detailed information.
A useful first filter is to confirm the path from which the executable was loaded. If something claiming to be a system component is running from a temporary folder or a user profile, that's bad news. You may also want to use the option to search for the file name on the Internet to see its reputation, documentation, and whether other people have identified it as a threat.
Another valuable check is verifying the binary's digital signature. Process Explorer lets you check whether the executable is signed and whether that signature is valid. A file from a reputable vendor that is not signed, or whose signature cannot be verified, is a yellow flag. A classic example is a customer who, despite downloading the signed installer, found the final executable unsigned, running the risk that it had been replaced by a Trojanized version.
In contrast, there are products that do appear with a verified signature, which adds confidence. Note: today there are campaigns that abuse third-party signed drivers or supply chains to sneak in malicious binaries; the signature is therefore not an absolute guarantee, but it is an important indicator in context.
Also watch for abnormal behavior such as unjustified CPU spikes, excessive disk activity, writes to sensitive locations, or a process running without modern mitigations such as DEP or ASLR when you would expect them to be active. It's these small signals that, when combined, help separate the normal from the suspicious.
A good habit is to know by heart what processes your machine typically runs, review them periodically, and document changes. The better you know your system, the sooner you'll detect anything out of place.
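The checks described above (image path, signature validity, and the hash that Process Explorer submits to VirusTotal) can also be run in bulk over every live process. The following PowerShell script is an added example, not code from the article or from Sysinternals; it assumes an elevated session and uses only built-in cmdlets (Get-Process, Get-AuthenticodeSignature, Get-FileHash).

```powershell
# Added example, not from the article: a PowerShell pass over running processes that
# reproduces the manual checks (image path, Authenticode signature) and prints the
# SHA-256 that Process Explorer submits to VirusTotal. Run from an elevated PowerShell;
# protected processes whose image cannot be read are skipped.

# Locations a process claiming to be a system component should not be loaded from.
# Per-user installs (some browsers, chat clients) legitimately live under AppData,
# so a hit here means "look closer in Process Explorer", not "malicious".
$userWritableRoots = @(
    $env:TEMP,
    $env:APPDATA,
    $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:SystemDrive 'Users\Public')
) | Where-Object { $_ }

$report = foreach ($proc in Get-Process) {
    $path = try { $proc.Path } catch { $null }
    if (-not $path) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $flags = @()
    if ($userWritableRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }) {
        $flags += 'loaded from user-writable location'
    }
    if (-not $sig -or $sig.Status -ne 'Valid') {
        $flags += "signature: $(if ($sig) { $sig.Status } else { 'unreadable' })"
    }

    [pscustomobject]@{
        PID    = $proc.Id
        Name   = $proc.ProcessName
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256 = $hash
        Path   = $path
        Flags  = $flags -join '; '
    }
}

# Flagged processes first: these are the ones to open in Process Explorer, and the
# SHA-256 column is what you would look up on VirusTotal if the counter shows positives.
$report | Sort-Object { [string]::IsNullOrEmpty($_.Flags) } |
    Format-Table PID, Name, Flags, Signer, SHA256, Path -AutoSize
```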
Advanced Techniques: Autoruns, Rootkits, Network, MBR, and When to Reinstall

Process Explorer is the center of operations, but for stubborn cases it is advisable to rely on other Sysinternals utilities and on specialized tools that extend your detection and cleanup capabilities against hidden threats.
For programs that run automatically when Windows starts, Autoruns is essential. With Autoruns you will see absolutely all the startup entries (apps, services, extensions, scheduled tasks, etc.). You can disable dubious ones, open their location, or jump to the corresponding registry key to inspect it. Classic locations to review include HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the per-user equivalents.
If you suspect rootkits (malware that hides deep within the system), you need a different approach. Utilities like Malwarebytes Anti-Rootkit, Kaspersky's TDSSKiller or GMER (not compatible with Windows 11 today) help uncover what conventional antivirus software does not see.
To maximize effectiveness against rootkits, it's advisable to restart in Safe Mode before scanning, so that the malware has fewer opportunities to load. In the wizard of some tools you can create a restore point, run a deep scan and, when finished, apply the cleanup and restart when prompted.
Network activity also gives a lot away. With netstat you can discover active connections and their associated processes by running netstat -ano in an elevated CMD. If you see persistent connections to unknown IP addresses, investigate the PID maintaining that session and match it to the process in Process Explorer.
For a higher level of visibility, Wireshark lets you capture and analyze traffic. The typical flow is simple: select the interface (Wi-Fi or Ethernet), press start capture (the shark icon), identify your IP with ipconfig, apply filters like ip.addr == TU_IP (substituting your own IP) or specific protocols (for example, http), and stop capturing when you have enough material to analyze sources/destinations and ports.
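To apply the same location and signature checks to the Run keys that Autoruns lists, here is an added PowerShell example (not the article's or Sysinternals' code). It assumes the standard Run/RunOnce keys under HKLM and HKCU and the WOW6432Node equivalent; Get-CommandImage is a hypothetical helper defined in the block.

```powershell
# Added example, not from the article: read the Run/RunOnce keys that Autoruns shows
# (machine-wide, WOW6432Node and per-user) and apply the same two checks as for a
# running process: where does the target live, and is it validly signed?
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds about the key itself, not real Run values
$metadataProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandImage {
    # Hypothetical helper: pull the executable out of a Run value, either a quoted
    # path or the first token ending in .exe; falls back to the raw command line.
    param([string]$CommandLine)
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($CommandLine -match '^\s*(\S+?\.exe)') { $Matches[1] }
           else { $CommandLine.Trim() }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -in $metadataProps) { continue }
        $image  = Get-CommandImage ([string]$prop.Value)
        $exists = $image -and (Test-Path -LiteralPath $image -PathType Leaf)
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'file missing' }
        [pscustomobject]@{
            Key       = $key
            Name      = $prop.Name
            Image     = $image
            Signature = $status
            InUserDir = ($image -like "$env:USERPROFILE*") -or ($image -like "$env:TEMP*")
        }
    }
}

# Unsigned or missing targets under the user profile are the entries to inspect
# (and, if confirmed, disable) first in Autoruns.
$entries | Sort-Object Signature | Format-Table Name, Signature, InUserDir, Image, Key -AutoSize
```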
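The netstat -ano step above leaves you matching PIDs by hand. As an added example (not from the article), this PowerShell script does the join for you: it lists established connections to non-private addresses together with the owning process and its image path. It assumes the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated session; Test-PrivateAddress is a hypothetical helper defined in the block.

```powershell
# Added example, not from the article: the netstat -ano step done in PowerShell so that
# every established connection to a non-private address is joined immediately to the
# owning PID, process name and image path (the same PID you would look up in Process
# Explorer). Assumes the NetTCPIP module (Windows 8 / Server 2012 or later); run elevated.

function Test-PrivateAddress {
    # Hypothetical helper: loopback, link-local, RFC 1918 and IPv6 local ranges
    # are not the "unknown IP addresses" the article tells you to chase.
    param([string]$Address)
    return ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.)' -or
            $Address -in @('::1', '::', '0.0.0.0') -or
            $Address -match '^(fe80:|fc|fd)')
}

$external = Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID       = $_.OwningProcess
            Process   = if ($proc) { $proc.ProcessName } else { '(exited or inaccessible)' }
            Path      = if ($proc) { try { $proc.Path } catch { $null } } else { $null }
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            LocalPort = $_.LocalPort
        }
    }

$external | Sort-Object PID | Format-Table PID, Process, Remote, LocalPort, Path -AutoSize

# A process fanning out to many external hosts, or one whose image path cannot be
# read, is the PID to cross-check in Process Explorer and against VirusTotal.
$external | Group-Object PID | Where-Object Count -gt 5 |
    ForEach-Object { "PID $($_.Name) holds $($_.Count) external connections" }
```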
- Choose the interface to monitor and start the capture.
- Get your IP with ipconfig so you can filter accurately.
- Apply filters, such as ip.addr == TU_IP or by protocol.
- Stop the capture and examine suspicious packets in detail.
When the boot process might be compromised, don't forget that some advanced malware touches the MBR (Master Boot Record) to run before Windows. With Windows installation media you can open Startup Repair and, in the console, use bootrec /fixmbr to rebuild this critical sector. It's a surgical measure that should be applied judiciously and with a backup.
If, despite everything, the infection persists or symptoms reappear, consider a clean reinstall of the system. Back up your documents, but avoid blindly restoring old programs or settings: they could reintroduce the problem without you realizing it.
Finally, remember that malware evolves and there are campaigns that even take advantage of signed drivers to gain persistence. This reinforces the idea of combining multiple signals: VirusTotal reputation, digital signature, file location, behavior, network connections, and startup entries.
Strengthen your security: patches, layers of defense, backups, and expert help
After cleaning, it is key to close the doors. Apply all security patches for Windows and installed software, especially browsers, messaging clients, and tools that interact with the Internet. An updated system reduces the attack surface and closes the door to exploits that are already known.
Consider adopting a multi-layered security solution: an antivirus with on-demand scanning and behavioral detection, a well-configured firewall, and, when appropriate, anti-rootkit utilities. The diversity of layers makes life difficult for attackers and improves your chances of stopping an intrusion in time.
Do not neglect regular backups on external media or in the cloud. Make sure at least one copy is offline or immutable so ransomware cannot encrypt it along with your data. Test your backups periodically to ensure you can recover your data without any issues.
If you get stuck or need to get going quickly, you always have the option to seek professional assistance. Specialized services offer diagnostics and guided removal at moderate prices, which can save you time and headaches in critical work environments.
With all of the above you have a solid roadmap: use Process Explorer to X-ray processes and signatures, rely on VirusTotal for an immediate cross-check, complement with Autoruns, anti-rootkit tools and network analysis, and finish with boot repair or reinstallation if necessary; from there, strengthen your security with patches, defensive layers, and backups so that next time you are caught with your homework done.