drop file listing and optional sysmon imageload csv · dlls loaded from unexpected paths · known hijack targets · csv export · runs locally
dir /s /b export · MFTECmd · or any csv with path column
ImageLoaded column · event id 7 · dll loaded outside system32
drop file listing csv (required) · optional sysmon event 7 imageload csv