qprocess.exe
- File Path:
C:\WINDOWS\system32\qprocess.exe - Description: Query Process Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | 98924C0CFEEA13254DEAE0845FBF2A9A |
| SHA1 | B6A9155835A3F7F3615F70D5EA96D966F8248C08 |
| SHA256 | 8D85A115E5D285003790D14CCE8D4A48C407C1A77560B803A5056B0B424DFA08 |
| SHA384 | 55A9032136D561FC7E9A5D67F4EAE4C20793C3ECE4F4D7891AB37C87570A6378006C03DE7E4090350BFEA879C0117A5D |
| SHA512 | 6813638CDEA524A7EACD045EAEFE7C6DBC86DAD8CA2788E1D695671E6A7F9011D9B5E852AD88DA359D51BCCCAD22A7788D08176E86BDD04211D84B76B5345F5D |
| SSDEEP | 768:UH/j7CKAlRLonyimerRSgnMQU4sm5tjo:UH/j7YlRxOwg6Uo |
| IMP | 2C6064FDDA8E2B58540E4729A999BB69 |
| PESHA1 | 7A47C3CDEA3B0302B4DE4859A7B0E062612ADEA3 |
| PE256 | AA224FBF2F35B0228EF5CF975A799998C005F06C317EFE60AA5428074A8B033F |
Runtime Data
Usage (stdout):
Displays information about processes.
QUERY PROCESS [* | processid | username | sessionname | /ID:nn | programname]
[/SERVER:servername]
* Display all visible processes.
processid Display process specified by processid.
username Display all processes belonging to username.
sessionname Display all processes running at sessionname.
/ID:nn Display all processes running at session nn.
programname Display all processes associated with programname.
/SERVER:servername The Remote Desktop Session Host server to be queried.
Usage (stderr):
Invalid parameter(s)
Displays information about processes.
QUERY PROCESS [* | processid | username | sessionname | /ID:nn | programname]
[/SERVER:servername]
* Display all visible processes.
processid Display process specified by processid.
username Display all processes belonging to username.
sessionname Display all processes running at sessionname.
/ID:nn Display all processes running at session nn.
programname Display all processes associated with programname.
/SERVER:servername The Remote Desktop Session Host server to be queried.
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\qprocess.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: qprocess.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/8d85a115e5d285003790d14cce8d4a48c407c1a77560b803a5056b0b424dfa08/detection
Possible Misuse
The following table contains possible examples of qprocess.exe being misused. While qprocess.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_commands_recon_activity.yml | - qprocess |
DRL 1.0 |
| signature-base | gen_suspicious_strings.yar | $ = “qprocess” | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
qprocess
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Displays information about processes that are running on a Remote Desktop Session Host server. To find out what’s new in the latest version, see What’s New in Remote Desktop Services in Windows Server.
[!NOTE] This command is the same as the query process command.
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.