drop sysmon evtx csv · detect reflective dll loading patterns · identify modules loaded without corresponding file on disk · surface in-memory only dll execution · runs locally
drop sysmon · powershell operational evtx csv
sysmon event ids 7/17/18 (image loaded, CreateRemoteThread, raw disk read) · powershell 4104 (script block logging) · evtxecmd csv export