drop memory dump strings or process list exports from multiple sources · compare eprocess pspcidtable and handle table views · surface hidden processes · dkom rootkit detection · runs locally
process list sources
drop volatility / tasklist exports
pslist · psscan · pspcid · handles · tasklist
cross-view: in psscan but not pslist = DKOM · orphan PPID · svchost without -k · system binary wrong path
drop pslist · psscan · pspcid · handle table csv/text exports (multiple files OK)