drop memory dump strings output · evtx csv · registry exports · extract process-injected code indicators · identify fileless payload artifacts · powershell fileless patterns · wmi fileless persistence · runs locally

drop evtx csv · registry · memory strings
powershell 4104 export · Run/RunOnce .reg · strings / procmon output

evtx 4104: -enc · DownloadString+IEX · Add-Type · Assembly::Load · reflective PE · TCPClient · registry Run -enc · mshta javascript: · memory VirtualAllocEx / WriteProcessMemory
