Process hollowing detector. Drop a Sysmon EVTX export (CSV) or a Security log EVTX export (CSV, event 4688); a memory strings dump is optional. Detects process hollowing indicators: processes with suspicious memory allocation patterns, PE images in memory regions not backed by a mapped file, and known hollowing tool signatures. Runs locally.
Accepted inputs: Sysmon event IDs 1 (process creation), 8 (CreateRemoteThread), 10 (ProcessAccess) and 25 (ProcessTampering) · Security event 4688 (process creation) · optional memory strings dump
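The Sysmon side of the correlation the tool performs, as an added example that is not the tool's own code: the script below reads a flattened Sysmon CSV (one row per event, columns named after Sysmon's own fields) and scores each process on three hollowing indicators, a parent opening its own freshly created child with PROCESS_VM_OPERATION|PROCESS_VM_WRITE (event 10), a parent creating a remote thread inside that child (event 8), and Sysmon's ProcessTampering "Image is replaced" verdict (event 25). The CSV layout and the sample rows are constructed for the example; real EVTX-to-CSV exports vary in column order and naming, so adjust the header line to match your export.

```python
import csv
import io
import sys
from collections import defaultdict

# Process access rights from winnt.h used by the event 10 check.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Indicator weights (assumption for this example, not the tool's scoring).
WEIGHTS = {"child-write-access": 1, "child-remote-thread": 1, "image-replaced": 2}

# Constructed sample export. GUIDs are shortened to {A}, {B}, ... for readability.
# {A} spawns {B}, opens it with full access, creates a remote thread in it, and
# Sysmon 25 then reports the image of {B} as replaced: a hollowing pattern.
# {C} spawns {D} and opens it with PROCESS_QUERY_LIMITED_INFORMATION only: benign.
SAMPLE_CSV = r"""EventID,UtcTime,ProcessGuid,Image,ParentProcessGuid,SourceProcessGuid,TargetProcessGuid,GrantedAccess,StartAddress,Type
1,2024-01-01 10:00:00.000,{A},C:\Users\u\loader.exe,{0},,,,,
1,2024-01-01 10:00:01.000,{B},C:\Windows\System32\svchost.exe,{A},,,,,
10,2024-01-01 10:00:01.100,,,,{A},{B},0x1FFFFF,,
8,2024-01-01 10:00:01.200,,,,{A},{B},,0x00007FF6A0001000,
25,2024-01-01 10:00:01.300,{B},C:\Windows\System32\svchost.exe,,,,,,Image is replaced
1,2024-01-01 10:05:00.000,{C},C:\Windows\explorer.exe,{0},,,,,
1,2024-01-01 10:05:01.000,{D},C:\Windows\System32\notepad.exe,{C},,,,,
10,2024-01-01 10:05:01.100,,,,{C},{D},0x1000,,
"""


def analyze(csv_text):
    """Return {target_guid: {"image": str, "indicators": [(name, detail), ...]}}.

    Caveat: Sysmon event 10 is logged on OpenProcess, not on the handle that
    CreateProcess returns, so a hollower that reuses the CreateProcess handle
    leaves no event 10; events 8 and 25 still fire in that case.
    """
    parent_of = {}  # ProcessGuid -> ParentProcessGuid (from event 1)
    image_of = {}   # ProcessGuid -> Image (from event 1)
    found = defaultdict(list)
    for r in csv.DictReader(io.StringIO(csv_text)):
        eid = r["EventID"].strip()
        if eid == "1":
            parent_of[r["ProcessGuid"]] = r["ParentProcessGuid"]
            image_of[r["ProcessGuid"]] = r["Image"]
        elif eid == "10":
            src, tgt = r["SourceProcessGuid"], r["TargetProcessGuid"]
            mask = int(r["GrantedAccess"], 16)
            if parent_of.get(tgt) == src and mask & WRITE_MASK == WRITE_MASK:
                found[tgt].append(("child-write-access",
                                   f"{src} opened own child with GrantedAccess={r['GrantedAccess']}"))
        elif eid == "8":
            src, tgt = r["SourceProcessGuid"], r["TargetProcessGuid"]
            if parent_of.get(tgt) == src:
                found[tgt].append(("child-remote-thread",
                                   f"{src} created remote thread in own child at {r['StartAddress']}"))
        elif eid == "25":
            if r["Type"].strip() == "Image is replaced":
                found[r["ProcessGuid"]].append(("image-replaced",
                                                "Sysmon ProcessTampering: image is replaced"))
    return {g: {"image": image_of.get(g, "<unknown>"), "indicators": inds}
            for g, inds in found.items()}


def candidates(csv_text, min_score=2):
    """Processes whose summed indicator weight reaches min_score, highest first."""
    out = []
    for guid, info in analyze(csv_text).items():
        score = sum(WEIGHTS[name] for name, _ in info["indicators"])
        if score >= min_score:
            out.append({"guid": guid, "image": info["image"], "score": score,
                        "indicators": [d for _, d in info["indicators"]]})
    return sorted(out, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    # Usage: python hollow_check.py [sysmon_export.csv]; without a path the sample runs.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for c in candidates(text):
        print(f"{c['guid']} {c['image']} score={c['score']}")
        for d in c["indicators"]:
            print(f"    - {d}")
```

The threshold is deliberately low so a single "Image is replaced" verdict is enough on its own, while event 10 write access alone is not: legitimate debuggers, AV agents and some installers open their children with VM_WRITE too, so that indicator only counts together with a remote thread or a tampering verdict.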