2026-05-28

Windows.Memory.DotnetDumper

https://docs.velociraptor.app/exchange/artifacts/pages/dotnetdumper/

Response artifact to triage Windows .NET processes and collect .NET assemblies from memory using DotnetDumper. Collected output includes recovered .NET assemblies, suspicious managed strings, full managed string listings, loaded module details, and patch detection findings. These results support DFIR workflows focused on inspecting potentially malicious or tampered managed code executing in memory. The original process dump can optionally be uploaded.

NOTE: this artifact writes a process dump to the Velociraptor temporary directory before analysis. Dump files may be large, similar to standard Velociraptor process dump collection.