drop a Sysmon EVTX or CSV export · detect module stomping and process unbacking artifacts · identify attempts to prevent memory forensics from revealing malicious code · surface phantom DLL loads and image-backed memory anomalies · runs locally
heuristic screener · export schema varies by vendor · results are indicators, not definitive proof