evtx csv + registry · vssadmin wmic bcdedit wbadmin · shadow events · ransomware prep score · runs locally
sources
drop evtx csv · registry .reg
or click
events 8222 · 7 · 524 · vssadmin delete · wmic shadowcopy · powershell shadow delete
drop evtx csv and/or .reg exports