Procexp.exe

Process Explorer

Microsoft Corporation

It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name 'Process Explorer'. The file has been seen being downloaded from live.sysinternals.com and multiple other hosts.
Publisher:
Sysinternals - www.sysinternals.com  (signed by Microsoft Corporation)

Product:
Process Explorer

Description:
Sysinternals Process Explorer

Version:
16.05

MD5:
9d8a4379868618f46677dbf2b94c800a

SHA-1:
d098e2d1d8532fb9a05ee10bbfd0b98304fd4d5e

SHA-256:
be677bd5fb580ed1acf47777b34b19597feeea07d1ee90646ffa310e58232cbb

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted  (by digital signature)

Analysis date:
4/18/2024 3:54:14 PM UTC

File size:
2.4 MB (2,508,432 bytes)

Product version:
16.05

Copyright:
Copyright © 1998-2014 Mark Russinovich

Trademarks:
Copyright (C) 1998-2014 Mark Russinovich

Original file name:
Procexp.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\procexp.exe

Digital Signature
Authority:
Microsoft Corporation

Valid from:
4/23/2014 2:39:00 AM

Valid to:
7/23/2015 2:39:00 AM

Subject:
CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Issuer:
CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Serial number:
33000000CA6CD5321235C4E1550001000000CA

File PE Metadata
Compilation timestamp:
5/11/2015 1:55:10 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:Dr7GlciQhaohBSd3vwpCmSPOxZ0lGZM33yM:Dr7NaHotxCn

Entry address:
0x95108

Entry point:
E8, 02, AE, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 08, 2B, C8, 83, E1, 0F, 03, C1, 1B, C9, 0B, C1, 59, E9, 5A, D6, FF, FF, 51, 8D, 4C, 24, 08, 2B, C8, 83, E1, 07, 03, C1, 1B, C9, 0B, C1, 59, E9, 44, D6, FF, FF, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03...

Entropy:
6.2099

Code size:
695 KB (711,680 bytes)

2 Scheduled Tasks
Task name:
Process Explorer-AMD-FX-Maly

Trigger:
Logon (Runs on logon)

Task name:
Process Explorer-leierkasten-ii-Boss

Trigger:
Logon (Runs on logon)
2 Startup Files (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Process Explorer

Command:
"C:\portable\sysinternalssuite\procexp.exe" \t

Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ProcessExplorer

Command:
C:\Program Files\sysinternalssuite\procexp.exe -t
The file Procexp.exe has been discovered within the following program.

DoubleKiller Pro  by Big Bang enterprises
bigbangenterprises.de/en/doublekillerpro
About 7% of users remove it

Powered by Should I Remove It?

The file Procexp.exe has been seen being distributed by the following 6 URLs.

http://live.sysinternals.com/.../procexp.exe