File Intelligence - Security Analysis & Investigation Guides

alg.exe - Application Layer Gateway Security Analysis

alg.exe (Application Layer Gateway Service) provides support for third-party protocol plug-ins f...

WindowsAbusedLegit

audiodg.exe - Windows Audio Device Graph Isolation [2026]

audiodg.exe (Windows Audio Device Graph Isolation) processes audio in an isolated process. Low abuse...

Windows

Sysinternals Autoruns - Windows Startup Analysis Tool [2026]

Autoruns is a Sysinternals tool for viewing and managing Windows startup programs. Legitimate diagno...

Windows

backgroundTaskHost.exe - UWP Background Task Host [2026]

backgroundTaskHost.exe hosts background tasks for UWP applications. May be impersonated or indicate ...

Windows

bitsadmin.exe - BITS Admin LOLBin Security Analysis

bitsadmin.exe is the Background Intelligent Transfer Service command-line tool and a **notorious...

WindowsAbusedLegit

brave.exe - Brave Browser Security Analysis

brave.exe is the Brave Browser, a privacy-focused Chromium-based browser with built-in ad blocki...

WindowsAbusedLegit

certutil.exe - Certificate Utility LOLBin Security Analysis

certutil.exe is a Windows certificate management utility and one of the most **notorious LOLBins...

WindowsAbusedLegit

chrome.exe - Google Chrome Browser Security Analysis

chrome.exe is the Google Chrome web browser, the most widely-used browser globally. Chrome's ext...

WindowsAbusedLegit

cmd.exe - Windows Command Interpreter Security Analysis

cmd.exe is the Windows Command Interpreter providing command-line access to the operating system...

WindowsAbusedLegit

cmstp.exe - Connection Manager LOLBin Security Analysis

cmstp.exe (Microsoft Connection Manager Profile Installer) is a Windows utility for installing conne...

WindowsAbusedLegit

conhost.exe - Console Host Security Analysis

conhost.exe (Console Host) provides the graphical interface for console applications (cmd.exe, Power...

WindowsAbusedLegit

conhost.exe - Console Window Host Process Analysis [2026]

conhost.exe (Console Window Host) provides console window functionality. May be impersonated by malw...

Windows

consent.exe - Windows UAC Consent Dialog [2026]

consent.exe is the Windows UAC consent UI that prompts for elevation. May be impersonated for creden...

Windows

csrss.exe - Windows Client/Server Runtime Security Analysis

csrss.exe (Client/Server Runtime Subsystem) is a critical Windows system process responsible for...

WindowsAbusedLegit

ctfmon.exe - CTF Loader Process Security Analysis

ctfmon.exe (CTF Loader) manages the Alternative User Input Text Input Processor (TIP) and Micros...

WindowsAbusedLegit

curl.exe - Windows Curl Utility Security Analysis

curl.exe is a command-line URL transfer tool now built into Windows 10/11. It is increasingly us...

WindowsAbusedLegit

discord.exe - Discord Application Security Analysis

discord.exe is the Discord communication platform client, widely used for gaming and communities...

WindowsAbusedLegit

dism.exe - Deployment Image Servicing Security Analysis

dism.exe (Deployment Image Servicing and Management) is a Windows utility for **servicing Windows im...

WindowsAbusedLegit

dllhost.exe - COM Surrogate Process Security Analysis [2026]

dllhost.exe (COM Surrogate) is a Windows process that hosts COM objects. Frequently abused by malwar...

Windows

dllhost.exe - COM Surrogate Security Analysis

dllhost.exe (COM Surrogate) hosts COM objects out-of-process. Multiple instances are normal. Malware...

WindowsAbusedLegit

dropbox.exe - Dropbox Cloud Storage Security Analysis

dropbox.exe is the Dropbox cloud storage client for file synchronization. Attackers abuse Dropbo...

WindowsAbusedLegit

dwm.exe - Desktop Window Manager Security Analysis

dwm.exe (Desktop Window Manager) is a critical Windows process responsible for visual effects, w...

WindowsAbusedLegit

Everything Search - Fast File Search Utility [2026]

Everything is a fast file search utility by Voidtools. Attackers may use it for rapid file discovery...

Windows

EXCEL.EXE - Microsoft Excel Security Analysis

EXCEL.EXE is Microsoft Excel, the spreadsheet application and a **primary malware delivery vecto...

WindowsAbusedLegit

explorer.exe - Windows Shell Security Analysis

explorer.exe is the Windows Shell providing the desktop, taskbar, Start menu, and file browsing....

WindowsAbusedLegit

ExpressVPN - Commercial VPN Client Analysis [2026]

ExpressVPN is a commercial VPN service client. While legitimate for privacy, it can be abused for C2...

Windows

firefox.exe - Mozilla Firefox Browser Security Analysis

firefox.exe is the Mozilla Firefox web browser, a popular open-source browser. Attackers target ...

WindowsAbusedLegit

fontdrvhost.exe - Font Driver Host Security Analysis

fontdrvhost.exe (Usermode Font Driver Host) handles font rendering in user mode rather than kern...

WindowsAbusedLegit

HitmanPro - Portable Anti-Malware Scanner [2026]

HitmanPro is a portable anti-malware scanner from Sophos. It uses cloud-based behavioral analysis to...

Windows

iexplore.exe - Internet Explorer Security Analysis

iexplore.exe is Microsoft Internet Explorer, a legacy browser officially retired but still prese...

WindowsAbusedLegit

java.exe - Java Runtime Security Analysis

java.exe is the Java Runtime Environment launcher, executing Java applications on Windows. Java ...

WindowsAbusedLegit

keepass.exe - KeePass Password Manager Security Analysis

keepass.exe is the KeePass password manager, storing credentials in encrypted databases. As a **...

WindowsAbusedLegit

Kodi Media Center - Entertainment Hub Analysis [2026]

Kodi is an open-source media center application. While primarily for entertainment, malicious add-on...

Windows

lsaiso.exe - Credential Guard Isolated LSA Process [2026]

lsaiso.exe is the Credential Guard isolated LSA process that protects credentials using virtualizati...

Windows

lsass.exe Explained: Credential Theft Target or Legitimate Windows Process? [2026]

lsass.exe (Local Security Authority Subsystem Service) is the core Windows authentication process th...

WindowsAbusedLegit

makecab.exe - Cabinet Maker LOLBin Security Analysis

makecab.exe is a Windows utility for creating cabinet (.cab) archive files. It can be abused as ...

WindowsAbusedLegit

mbam.exe - Malwarebytes Security Analysis

mbam.exe is the Malwarebytes Anti-Malware executable. Malwarebytes is a popular security tool fo...

WindowsLegit

mdm.exe - Machine Debug Manager Security Analysis

mdm.exe (Machine Debug Manager) enables script debugging in web browsers and Microsoft Office ap...

WindowsAbusedLegit

minerd.exe - CPU Cryptocurrency Miner (Cryptominer) [2026]

minerd.exe is a CPU-based cryptocurrency miner. Almost always indicates unauthorized cryptomining ac...

Windows

MoUsoCoreWorker - Windows Update Orchestrator Worker [2026]

MoUsoCoreWorker.exe is a Windows Update Orchestrator component that manages update operations. Legit...

Windows

MpCmdRun.exe - Windows Defender CLI Security Analysis

MpCmdRun.exe is the Windows Defender command-line interface. While legitimate for scanning and m...

WindowsAbusedLegit

msedge.exe - Microsoft Edge Browser Security Analysis

msedge.exe is Microsoft Edge, the default Chromium-based browser on Windows 10/11. As the succes...

WindowsAbusedLegit

mshta.exe - HTML Application Host Security Analysis

mshta.exe executes HTML Applications (.HTA files). It is a critical LOLBin abused for executing ...

WindowsAbusedLegit

msiexec.exe - Windows Installer LOLBin Security Analysis

msiexec.exe is the Windows Installer executable for installing, modifying, and removing MSI pack...

WindowsAbusedLegit

msinfo32.exe - Microsoft System Information Tool [2026]

msinfo32.exe is the Windows System Information utility. May be used by attackers for system reconnai...

Windows

MsMpEng.exe - Windows Defender Antimalware Engine Security Analysis

MsMpEng.exe is the Windows Defender Antimalware Service Executable, the core engine of Windows S...

WindowsAbusedLegit

mstsc.exe - Remote Desktop Client Security Analysis

mstsc.exe is the Microsoft Remote Desktop Connection client for RDP sessions. It is heavily used...

WindowsAbusedLegit

net.exe - Windows Net Command Security Analysis

net.exe is a Windows utility for managing users, groups, shares, and services. Attackers use net...

WindowsAbusedLegit

netsh.exe - Network Shell Security Analysis

netsh.exe (Network Shell) configures Windows network settings. Attackers abuse netsh for **firew...

WindowsAbusedLegit

node.exe - Node.js Runtime Security Analysis

node.exe is the Node.js JavaScript runtime. Attackers abuse Node.js for script-based attacks...

WindowsAbusedLegit