drop 4688 or sysmon evtx csv · detect malware anti-analysis behaviors · identify sleep-based and environment-check evasion patterns · surface processes that checked for vm or debugger presence · runs locally
sysmon 1/12/13 · security 4688 · powershell 4104 — evtxecmd export
drop sysmon · security 4688 · powershell evtx csv