What is MALWARE triage and what artifacts would you examine first?


Multiple Choice

What is MALWARE triage and what artifacts would you examine first?

Explanation:
Malware triage is the rapid, initial assessment to determine what happened, what the malware is doing, and what to preserve for deeper analysis. The first artifacts to examine are volatile memory and the processes running in memory, because memory contains the actual code being executed and can reveal code injection, loaded modules, and suspicious network activity associated with those processes. You then look at network activity tied to those processes to understand communication patterns or C2 callbacks. Finally, you assess changes to the filesystem and persistence mechanisms that were set up during execution—such as new or modified files, registry autostarts, startup folders, services, and scheduled tasks—to understand how the malware maintains access and what to contain next. Starting with encrypted volumes or hashing files alone doesn’t reveal how the malware operates in real time or its persistence, and examining registry hives in isolation misses the dynamic behavior observed in memory and network activity.