Install and use Sysmon for malware investigation
Download Sysmon, then install it from a command prompt opened in the directory containing the Sysmon executable. The default configuration (installing with only the -i switch and no configuration file) records the following events: process create (with SHA1 hash), process terminate, driver loaded, file creation time changed, RawAccessRead, and CreateRemoteThread.
A Sysmon Event ID Breakdown
Event ID 28: File Block Shredding. This is the latest event ID added to Sysmon and was designed to stop shredding tools such as sdelete from destroying files on disk. In the example shown, the adversary tries to shred the malicious Firefox Installer.exe file from the Downloads directory.
Sysmon: How To Setup, Configure, and Analyze the System …
To open the channel and view the logs: open "eventvwr.msc"; in the left panel, expand "Applications and Services"; open "Microsoft", then "Windows"; go to "Sysmon" and, under it, the Operational log. If the Sysmon service installed successfully, all Sysmon events are written there.
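The same channel can be queried from PowerShell instead of Event Viewer. This is an added example, not code from the original page: it pulls Event ID 28 (File Block Shredding) records from the Sysmon Operational log and lists which process tried to shred which file. It assumes Sysmon is installed with a configuration that enables a FileBlockShredding rule (the default -i install alone does not generate Event ID 28).

```powershell
# Added example: list Sysmon Event ID 28 (File Block Shredding) records.
# Assumes Sysmon is installed and its config contains a FileBlockShredding rule.
$filter = @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'   # standard Sysmon channel
    Id      = 28                                       # FileBlockShredding
}

# Read the most recent 200 matching events; no error if the channel is empty.
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon stores its fields as named <Data> elements in the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Image  = $data['Image']            # process that attempted the shred
        Target = $data['TargetFilename']   # file it tried to shred
        User   = $data['User']
        Hashes = $data['Hashes']           # hashes of the blocked file
    }
}
```

Run it from an elevated PowerShell prompt, since reading the Sysmon channel requires administrative rights.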