drop mft csv and prefetch or shimcache csv · detect missing startup folder entries for processes known to have run at startup · identify startup folder clearing · surface execution evidence without corresponding startup artifacts · runs locally
user + programdata startup paths · deleted mft rows · early execution without startup/Run · LNK target analysis · persistence-then-cleanup
drop mft csv · prefetch or shimcache · optional registry autorun export