adobe v.20200522
(NTUSER.DAT) Gets user's Adobe app cRecentFiles values

Could not access Software\Adobe\Adobe Acrobat\\AVGeneral\cRecentFiles

Could not access Software\Adobe\Acrobat Reader\\AVGeneral\cRecentFiles

----------------------------------------
allowedenum v.20200511
(NTUSER.DAT, Software) Extracts AllowedEnumeration values to determine hidden special folders

Software\Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration not found.
Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration not found.
----------------------------------------
appassoc v.20200515
- Gets contents of user's ApplicationAssociationToasts key

Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts not found.
----------------------------------------
appcompatflags v.20200525
(NTUSER.DAT, Software) Extracts AppCompatFlags for Windows.


Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VYV2J9YG\TreeSizeFreeSetup[1].exe
----------------------------------------
appkeys v.20200517
(NTUSER.DAT, Software) Extracts AppKeys entries.

----------------------------------------
applets v.20200525
(NTUSER.DAT) Gets contents of user's Applets key

Applets
Software\Microsoft\Windows\CurrentVersion\Applets
LastWrite Time 2015-09-21 09:48:32Z

Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List not found.

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastWrite Time 2015-09-23 11:04:18Z
RegEdit LastKey value -> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\11.0
----------------------------------------
apppaths v.20200511
(NTUSER.DAT,Software) Gets content of App Paths subkeys

----------------------------------------
Software\Microsoft\IntelliPoint\AppSpecific not found.
----------------------------------------
appx v.20200427
(NTUSER.DAT, USRCLASS.DAT) Checks for persistence via Universal Windows Platform Apps

----------------------------------------
arpcache v.20200515
(NTUSER.DAT) Retrieves CurrentVersion\App Management\ARPCache entries

Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache not found.
----------------------------------------
attachmgr v.20200525
(NTUSER.DAT) Checks user's keys that manage the Attachment Manager functionality

Software\Microsoft\Windows\CurrentVersion\Policies\Associations not found.

Software\Microsoft\Windows\CurrentVersion\Policies\Attachments not found.

----------------------------------------
cached v.20200525
(NTUSER.DAT) Gets cached Shell Extensions from NTUSER.DAT hive

Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
LastWrite Time 2021-01-14 07:28:17Z

2015-09-21 09:17:33Z  First Load: {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} (IShellIconOverlayIdentifier)
2015-09-21 09:17:33Z  First Load: {4E77131D-3629-431C-9818-C5679DC83E81} (IShellIconOverlayIdentifier)
2015-09-21 09:17:33Z  First Load: {08244EE6-92F0-47F2-9FC9-929BAA2E7235} (IShellIconOverlayIdentifier)
2015-09-21 09:21:11Z  First Load: {DFFACDC5-679F-4156-8947-C5C76BC0B67F} (IDelegateFolder)
2015-09-21 09:21:11Z  First Load: {896664F7-12E1-490F-8782-C0835AFD98FC} (IDelegateFolder)
2015-09-21 09:21:14Z  First Load: {D34A6CA6-62C2-4C34-8A7C-14709C1AD938} (IDelegateFolder)
2015-09-21 09:21:15Z  First Load: {871C5380-42A0-1069-A2EA-08002B30309D} (IShellFolder)
2015-09-21 09:21:16Z  First Load: {C2B136E2-D50E-405C-8784-363C582BF43E} (IDelegateFolder)
2015-09-21 09:21:17Z  First Load: {ED228FDF-9EA8-4870-83B1-96B02CFE0D52} (IShellFolder)
2015-09-21 09:21:17Z  First Load: {1F3427C8-5C10-4210-AA03-2EE45287D668} (IShellFolder)
2015-09-21 09:21:19Z  First Load: {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} (IShellFolder)
2015-09-21 09:21:19Z  First Load: {14074E0B-7216-4862-96E6-53CADA442A56} (IExtractIconW)
2015-09-21 09:21:24Z  First Load: {2227A280-3AEA-1069-A2DE-08002B30309D} (IShellFolder)
2015-09-21 09:23:58Z  First Load: {9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} (IShellFolder)
2015-09-21 09:24:04Z  First Load: {40DD6E20-7C17-11CE-A804-00AA003CA9F6} (IShellCopyHookW)
2015-09-21 09:44:39Z  First Load: {11DBB47C-A525-400B-9E80-A54615A090C0} (IExecuteCommand)
2015-09-21 09:44:39Z  First Load: {35786D3C-B075-49B9-88DD-029876E11C01} (IDelegateFolder)
2015-09-21 09:44:39Z  First Load: {9113A02D-00A3-46B9-BC5F-9C04DADDD5D7} (IDelegateFolder)
2015-09-21 09:44:39Z  First Load: {B155BDF8-02F0-451E-9A26-AE317CFD7779} (IDelegateFolder)
2015-09-21 09:44:39Z  First Load: {CC55EE92-FE67-43C9-95E7-E646918A4A04} (IExplorerCommand)
2015-09-21 09:46:30Z  First Load: {2854F705-3548-414C-A113-93E27C808C85} (IContextMenu)
2015-09-21 09:46:31Z  First Load: {7B4A83B6-F704-4B77-8E3D-C6087E3A21D2} (IExplorerCommandState)
2015-09-21 09:46:38Z  First Load: {FF393560-C2A7-11CF-BFF4-444553540000} (IShellFolder)
2015-09-21 09:47:28Z  First Load: {DAF95313-E44D-46AF-BE1B-CBACEA2C3065} (IShellFolder)
2015-09-21 09:47:28Z  First Load: {04731B67-D933-450A-90E6-4ACD2E9408FE} (IDelegateFolder)
2015-09-21 09:47:29Z  First Load: {BD7A2E7B-21CB-41B2-A086-B309680C6B7E} (IShellFolder)
2015-09-21 09:47:29Z  First Load: {9E175B8B-F52A-11D8-B9A5-505054503030} (IDBProperties)
2015-09-21 09:47:29Z  First Load: {B2952B16-0E07-4E5A-B993-58C52CB94CAE} (IShellFolder)
2015-09-21 09:47:29Z  First Load: {11016101-E366-4D22-BC06-4ADA335C892B} (IShellFolder)
2015-09-21 09:47:48Z  First Load: {596AB062-B4D2-4215-9F74-E9109B0A8153} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {474C98EE-CF3D-41F5-80E3-4AAB0AB04301} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {888DCA60-FC0A-11CF-8F0F-00C04FD7D062} (IDropTarget)
2015-09-21 09:47:48Z  First Load: {85BBD920-42A0-1069-A2E4-08002B30309D} (IContextMenu)
2015-09-21 09:47:48Z  First Load: {9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} (IDropTarget)
2015-09-21 09:47:49Z  First Load: {ECF03A32-103D-11D2-854D-006008059367} (IDropTarget)
2015-09-21 09:47:49Z  First Load: {9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} (IDropTarget)
2015-09-21 09:48:39Z  First Load: {BB06C0E4-D293-4F75-8A90-CB05B6477EEE} (IShellFolder)
2015-09-21 09:48:42Z  First Load: {F0152790-D56E-4445-850E-4F3117DB740C} ({000214E9-0000-0000-C000-000000000046})
2015-09-21 09:49:45Z  First Load: {A38B883C-1682-497E-97B0-0A3A9E801682} ({886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99})
2015-09-21 09:52:01Z  First Load: {7007ACC7-3202-11D1-AAD2-00805FC1270E} (IShellFolder)
2015-09-21 09:53:37Z  First Load: {36EEF7DB-88AD-4E81-AD49-0E313F0C35F8} (IShellFolder)
2015-09-22 05:24:06Z  First Load: {0BF754AA-C967-445C-AB3D-D8FDA9BAE7EF} (IContextMenu)
2015-09-22 05:24:06Z  First Load: {6B9228DA-9C15-419E-856C-19E768A13BDC} (IContextMenu)
2015-09-22 05:24:15Z  First Load: {C555438B-3C23-4769-A71F-B6D3D9B6053A} (IShellFolder)
2015-09-22 05:24:15Z  First Load: {C6D7AB70-3D91-433D-8D9E-E1B52035C47F} ({05B2F74E-2712-46BA-BCA3-F65A46BF0E00})
2015-09-21 22:21:42Z  First Load: {8E908FC9-BECC-40F6-915B-F4CA0E70D03D} (IShellFolder)
2015-09-21 22:21:55Z  First Load: {1D27F844-3A1F-4410-85AC-14651078412D} (IContextMenu)
2015-09-21 22:30:30Z  First Load: {0A88C858-7D0C-4549-9499-7DB05F0CB0BF} (IExplorerCommand)
2015-09-21 22:30:30Z  First Load: {1A0391BF-9564-4294-B0A4-06C298929EF9} (IExplorerCommand)
2015-09-22 08:08:32Z  First Load: {D6791A63-E7E2-4FEE-BF52-5DED8E86E9B8} (IContextMenu)
2015-09-22 08:08:32Z  First Load: {59099400-57FF-11CE-BD94-0020AF85B590} (IContextMenu)
2015-09-22 08:10:26Z  First Load: {D20EA4E1-3957-11D2-A40B-0C5020524153} (IShellFolder)
2015-09-22 08:10:26Z  First Load: {BD84B380-8CA2-1069-AB1D-08000948F534} (IShellFolder)
2015-09-22 17:44:02Z  First Load: {F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {1F2E5C40-9550-11CE-99D2-00AA006E086C} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {4A7DED0A-AD25-11D0-98A8-0800361B1103} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {55B3A0BD-4D28-42FE-8CFB-FA3EDFF969B8} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {596AB062-B4D2-4215-9F74-E9109B0A8153} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {7988B573-EC89-11CF-9C00-00AA00A14F56} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {85BBD920-42A0-1069-A2E4-08002B30309D} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 17:44:02Z  First Load: {7EFA68C6-086B-43E1-A2D2-55A113531240} ({000214E9-0000-0000-C000-000000000046})
2015-09-22 18:49:23Z  First Load: {FBF23B40-E3F0-101B-8488-00AA003E56F8} ({00021500-0000-0000-C000-000000000046})
2015-09-23 09:45:08Z  First Load: {E7E4BC40-E76A-11CE-A9BB-00AA004AE837} (IShellFolder)
2015-09-23 09:45:08Z  First Load: {E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} (IShellFolder)
2015-09-23 09:45:49Z  First Load: {2559A1F3-21D7-11D4-BDAF-00C04F60B9F0} (IContextMenu)
2015-09-23 10:14:38Z  First Load: {7B81BE6A-CE2B-4676-A29E-EB907A5126C5} (IShellFolder)
2015-09-23 11:16:58Z  First Load: {9343812E-1C37-4A49-A12E-4B2D810D956B} (IShellFolder)
2015-09-23 11:17:05Z  First Load: {C7657C4A-9F68-40FA-A4DF-96BC08EB3551} ({E357FCCD-A995-4576-B01F-234630154E96})
2019-08-29 11:03:59Z  First Load: {C58C4893-3BE0-4B45-ABB5-A63E4B8C8651} (IShellFolder)
2019-08-29 11:03:59Z  First Load: {D8F0F5E7-11C5-4E95-BBFF-0F110C0221C4} ({05B2F74E-2712-46BA-BCA3-F65A46BF0E00})
2019-08-29 11:32:41Z  First Load: {7BD29E01-76C1-11CF-9DD0-00A0C9034933} (IShellFolder)
2019-08-29 11:34:15Z  First Load: {8D80504A-0826-40C5-97E1-EBC68F953792} ({886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99})
2021-01-14 06:24:39Z  First Load: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} ({AC60F6A0-0FD9-11D0-99CB-00C04FD64497})
2021-01-14 06:27:00Z  First Load: {A3C3D402-E56C-4033-95F7-4885E80B0111} (IDelegateFolder)
2021-01-14 06:57:09Z  First Load: {BD472F60-27FA-11CF-B8B4-444553540000} (IContextMenu)
2021-01-14 07:28:17Z  First Load: {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} ({000214E9-0000-0000-C000-000000000046})
2021-01-14 07:28:17Z  First Load: {7444C719-39BF-11D1-8CD9-00C04FC29D45} ({000214E9-0000-0000-C000-000000000046})
2021-01-14 07:28:17Z  First Load: {3EA48300-8CF6-101B-84FB-666CCB9BCD32} ({000214E9-0000-0000-C000-000000000046})
----------------------------------------
cmdproc v.20200515
(NTUSER.DAT) Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive

Software\Microsoft\Command Processor
LastWrite Time 2015-09-21 09:17:32Z
AutoRun value not found.
----------------------------------------
comdlg32 v.20200517

Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
LastWrite Time 2019-08-29 11:49:54Z
CIDSizeMRU
LastWrite: 2019-08-29 11:50:05Z
Note: All value names are listed in MRUListEx order.

  iexplore.exe
  NOTEPAD.EXE
  mmc.exe

FirstFolder
LastWrite time: 2015-09-22 08:14:05Z
Note: All value names are listed in MRUListEx order.

  C:\Windows\system32\mmc.exe c:\drivers 

LastVisitedPidlMRU
LastWrite time: 2019-08-29 11:50:05Z
Note: All value names are listed in MRUListEx order.

  iexplore.exe - Users

OpenSavePidlMRU
LastWrite time: 2019-08-29 11:49:54Z
OpenSavePidlMRU\*
LastWrite Time: Thu Aug 29 11:50:05 2019
Note: All value names are listed in MRUListEx order.

  Users\agent.py
  Users\get-pip.py

OpenSavePidlMRU\py
LastWrite Time: Thu Aug 29 11:50:05 2019
Note: All value names are listed in MRUListEx order.

  Users\agent.py
  Users\get-pip.py


----------------------------------------
compdesc v.20200511
(NTUSER.DAT) Gets contents of user's ComputerDescriptions key

Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions not found.
----------------------------------------
DDO v.20140414
(NTUSER.DAT) Gets user's DeviceDisplayObjects key contents

Software\Microsoft\Windows NT\CurrentVersion\DeviceDisplayObjects not found.
----------------------------------------
disablemru v.20190924
(NTUSER.DAT, Software) Checks settings disabling user's MRUs

----------------------------------------
environment v.20200512
(System, NTUSER.DAT) Get environment vars from NTUSER.DAT & System hives

Environment
LastWrite Time: 2019-08-29 11:38:24Z

TEMP                      %USERPROFILE%\AppData\Local\Temp                  
TMP                       %USERPROFILE%\AppData\Local\Temp                  
----------------------------------------
featureusage v.20200511
(NTUSER.DAT) Extracts user's FeatureUsage data.

Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage not found.
----------------------------------------
[-] SOFTWARE\HeidiSQL not found.
[-] SOFTWARE\HeidiSQL\Servers not found.

----------------------------------------
identities v.20200525
(NTUSER.DAT) Extracts values from Identities key; NTUSER.DAT

Identities
LastWrite Time 2015-09-21 09:21:04Z

Identity Ordinal                         1                             
Migrated7                                1                             
Last Username                            Main Identity                 
Last User ID                             {A32463F1-EACB-4163-B08F-F74E5D25977C}
Identity Login                           622675                        
Default User ID                          {A32463F1-EACB-4163-B08F-F74E5D25977C}

----------------------------------------
injectdll64 v.20200427
(NTUSER.DAT, Software) Retrieve values set to weaken Chrome security

Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls not found.
Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls not found.
----------------------------------------
jumplistdata v.20200517
Gets contents of user's JumpListData key

Software\Microsoft\Windows\CurrentVersion\Search\JumpListData not found.
----------------------------------------
knowndev v.20200515
(NTUSER.DAT) Gets user's KnownDevices key contents

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices not found.
----------------------------------------
listsoft v.20200517
(NTUSER.DAT) Lists contents of user's Software key

List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.

2021-05-18 10:24:42Z 	Microsoft
2021-01-14 06:25:05Z 	Cygwin
2015-09-22 18:52:20Z 	Sysinternals
2015-09-21 10:03:49Z 	AppDataLow
2015-09-21 09:17:37Z 	Winternals
2015-09-21 09:17:32Z 	Policies
----------------------------------------
load v.20200517
(NTUSER.DAT) Gets load and run values from user hive

load
Software\Microsoft\Windows NT\CurrentVersion\Windows
LastWrite Time 2015-09-21 09:17:33Z

load value not found.
run value not found.
----------------------------------------
logonstats v.20200517
Gets contents of user's LogonStats key

Software\Microsoft\Windows\CurrentVersion\Explorer\LogonStats not found.
----------------------------------------
lxss v.20200511
(NTUSER.DAT) Gets WSL config.

Software\Microsoft\Windows\CurrentVersion\Lxss not found.
----------------------------------------
mixer v.20200517
(NTUSER.DAT) Checks user's audio mixer settings

----------------------------------------
mmc v.20200517
(NTUSER.DAT) Get contents of user's MMC\Recent File List key

MMC - Recent File List
Software\Microsoft\Microsoft Management Console\Recent File List
LastWrite Time 2019-08-29 12:00:52Z
  File1 -> C:\Windows\system32\WF.msc
  File2 -> C:\Windows\system32\compmgmt.msc
----------------------------------------
mmo v.20200517
(NTUSER.DAT) Checks NTUSER for Multimedia\Other values [malware]

Software\Microsoft\Multimedia\Other not found.
Software\Microsoft\CTF\LangBarAddIn not found.
----------------------------------------
mndmru v.20200517
(NTUSER.DAT) Get contents of user's Map Network Drive MRU

Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU not found.
----------------------------------------
mp2 v.20200526
(NTUSER.DAT) Gets user's MountPoints2 key contents

MountPoints2
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
LastWrite Time 2021-01-14 06:20:19Z

Remote Drives:
2021-01-14 06:20:19Z
  ##vboxsrv#share

Volumes:
2015-09-22 17:43:43Z
  {762f4ebc-60ea-11e5-83af-806e6f6e6963}
2015-09-21 22:21:32Z
  {8358fe6d-60fa-11e5-bb4a-806e6f6e6963}
2015-09-21 09:44:39Z
  {a5b8a980-608c-11e5-a266-806e6f6e6963}
  {a5b8a983-608c-11e5-a266-806e6f6e6963}

Drives:
2015-09-21 09:19:50Z - CPC

Unique MAC Addresses:
80:6E:6F:6E:69:63

Analysis Tip: Correlate the Volume entries to those found in the MountedDevices
entries that begin with "\??\Volume".
----------------------------------------
mpmru v.20200517
(NTUSER.DAT) Gets user's Media Player RecentFileList values

Software\Microsoft\MediaPlayer\Player\RecentFileList not found.
----------------------------------------
msoffice v.20200518

----------------------------------------
muicache v.20200525
(NTUSER.DAT,USRCLASS.DAT) Gets EXEs from user's MUICache key

Software\Microsoft\Windows\ShellNoRoam\MUICache not found.

Local Settings\Software\Microsoft\Windows\Shell\MUICache not found.
----------------------------------------
nation v.20200517
(ntuser.dat) Gets region information from HKCU

Nation Information Check
Control Panel\International\Geo
LastWrite time: 2015-09-21 09:17:32Z

The Region value is : 244
The Country Is: United States
For more information please visit the link below:
https://msdn.microsoft.com/en-us/library/aa723531.aspx

----------------------------------------
oisc v.20091125
(NTUSER.DAT) Gets contents of user's Office Internet Server Cache

Office Version: 
Software\Microsoft\Office\\Common\Internet\Server Cache not found.
----------------------------------------
onedrive v.20200515
(NTUSER.DAT) Gets contents of user's OneDrive key

Software\Microsoft\OneDrive not found.
----------------------------------------
OSVersion
Software\Microsoft
LastWrite Time 2021-05-18 10:24:42Z

OSVersion value not found.
----------------------------------------
outlookhomepage v.20201002
(NTUSER.DAT, Software) Retrieve values set to attack Outlook WebView Homepage

Looking for webview homepage modifications. If this value is pointing
to a URL outside the corporate domain it may be a malicious site.

Looking for key values associated with security.
If you see:
[Example]  EnableRoamingFolderHomepages : 1
[Example]  NonDefaultStoreScript : 1
[Example]  EnableUnsafeClientMailRules : 1
You may have a security vulnerability that allows attackers to hijack the URL

----------------------------------------
pendinggpos v.20200427
NTUSER.DAT - Gets contents of user's PendingGPOs key

Software\Microsoft\IEAK\GroupPolicy\PendingGPOs not found.
----------------------------------------
profiler v.20200525
(NTUSER.DAT, System) Environment profiler information

Environment
LastWrite Time 2019-08-29 11:38:24Z

TEMP -> %USERPROFILE%\AppData\Local\Temp
TMP -> %USERPROFILE%\AppData\Local\Temp

----------------------------------------
pslogging v.20200515
(NTUSER.DAT, Software) Extracts PowerShell logging settings

Software\Policies\Microsoft\Windows\PowerShell not found.
Policies\Microsoft\Windows\PowerShell not found.
----------------------------------------
putty v.20200515
(NTUSER.DAT) Extracts the saved SshHostKeys for PuTTY.

Software\SimonTatham\PuTTY\SshHostKeys not found.

----------------------------------------
recentapps v.20200515
- Gets contents of user's RecentApps key

Software\Microsoft\Windows\CurrentVersion\Search\RecentApps not found.
----------------------------------------
recentdocs v.20200427
(NTUSER.DAT) Gets contents of user's RecentDocs key

RecentDocs
**All values printed in MRUList\MRUListEx order.
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
LastWrite Time: 2021-01-14 06:48:06Z
  9 = Network and Internet
  14 = Downloads
  15 = agent.py
  13 = get-pip.py
  3 = System and Security
  12 = Troubleshooting
  5 = System32
  4 = eula.txt
  11 = 32Bit
  10 = Readme.txt
  8 = Display
  7 = Windows Update
  1 = Floppy Disk Drive (A:)
  6 = post-win-updates.ps1
  0 = OPENSSH.PS1
  2 = preprovisioner.ps1

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.PS1
LastWrite Time 2015-09-21 10:07:13Z
MRUListEx = 2,0,1
  2 = post-win-updates.ps1
  0 = OPENSSH.PS1
  1 = preprovisioner.ps1

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.py
LastWrite Time 2019-08-29 11:50:05Z
MRUListEx = 1,0
  1 = agent.py
  0 = get-pip.py

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
LastWrite Time 2015-09-23 09:46:19Z
MRUListEx = 0,1
  0 = eula.txt
  1 = Readme.txt

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
LastWrite Time 2021-01-14 06:48:06Z
MRUListEx = 5,8,1,7,2,6,4,3,0
  5 = Network and Internet
  8 = Downloads
  1 = System and Security
  7 = Troubleshooting
  2 = System32
  6 = 32Bit
  4 = Display
  3 = Windows Update
  0 = Floppy Disk Drive (A:)

----------------------------------------
run v.20200511
(Software, NTUSER.DAT) [Autostart] Get autostart key contents from Software hive

Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time 2015-09-21 09:21:20Z
Software\Microsoft\Windows\CurrentVersion\Run has no values.
Software\Microsoft\Windows\CurrentVersion\Run has no subkeys.

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run not found.

Software\Microsoft\Windows\CurrentVersion\RunOnce
LastWrite Time 2015-09-21 09:21:19Z
Software\Microsoft\Windows\CurrentVersion\RunOnce has no values.
Software\Microsoft\Windows\CurrentVersion\RunOnce has no subkeys.

Software\Microsoft\Windows\CurrentVersion\RunServices not found.

Software\Microsoft\Windows\CurrentVersion\RunServicesOnce not found.

Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run not found.

Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce not found.

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run not found.

Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run not found.

Software\Microsoft\Windows\CurrentVersion\StartupApproved\Run not found.

Software\Microsoft\Windows\CurrentVersion\StartupApproved\Run32 not found.

Software\Microsoft\Windows\CurrentVersion\StartupApproved\StartupFolder not found.

----------------------------------------
runmru v.20200525
(NTUSER.DAT) Gets contents of user's RunMRU key

RunMru
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LastWrite Time 2021-01-14 06:24:58Z
MRUList = cba
a   F:\\1
b   powershell F:\\1
c   cmd F:\\1
----------------------------------------
runvirtual v.20200427
(NTUSER.DAT, Software) Gets RunVirtual entries

----------------------------------------
searchscopes v.20200517
- Gets contents of user's SearchScopes key

SearchScopes
Software\Microsoft\Internet Explorer\SearchScopes
DefaultScope: {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

{0633EE93-D776-472f-A0FF-E1416B8B2E3A} [2015-09-23 11:16:01Z]
DisplayName: Bing

----------------------------------------
sevenzip v.20210329
- Gets records of histories from 7-Zip keys

Software\7-Zip not found.
Software\Wow6432Node\7-Zip not found.
----------------------------------------
shc v.20200427
(NTUSER.DAT) Gets SHC entries from user hive

Software\Microsoft\Windows\CurrentVersion\UFH\SHC not found.
----------------------------------------
shellfolders v.20200515
Gets user's shell folders values

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
LastWrite Time 2015-09-21 09:21:12Z
StartUp folder : C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
LastWrite Time 2015-09-21 09:17:32Z
StartUp folder : %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
----------------------------------------
speech v.20200427
(NTUSER.DAT) Get values from user's Speech key

Software\Microsoft\Speech
----------------------------------------
SysInternals
Software\SysInternals
LastWrite Time 2015-09-22 18:52:20Z
BGInfo [2015-09-21 09:17:37Z]
  EulaAccepted: 1

Junction [2015-09-21 09:50:47Z]
  EulaAccepted: 1

SDelete [2015-09-22 18:52:20Z]
  EulaAccepted: 1

----------------------------------------
Launching tsclient v.20200518
(NTUSER.DAT) Displays contents of user's Terminal Server Client\Default key

Software\Microsoft\Terminal Server Client\Default not found.

Software\Microsoft\Terminal Server Client\Servers not found.
----------------------------------------
typedpaths v.20200526
(NTUSER.DAT) Gets contents of user's typedpaths key

Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
LastWrite Time 2015-09-23 11:17:37Z

url1     C:\Users\IEUser\AppData       
----------------------------------------
typedurls v.20200526
(NTUSER.DAT) Returns contents of user's TypedURLs key.

TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
LastWrite Time 2021-01-14 07:13:35Z
  url1 -> http://192.168.178.253/adm
  url2 -> http://192.168.178.253/
  url3 -> http://10.10.0.8:8000/
  url4 -> 10.10.0.9:8000
  url5 -> https://bootstrap.pypa.io/get-pip.py
  url6 -> http://google.de/
  url7 -> https://www.python.org/getit
  url8 -> https://www.python.org/
  url9 -> http://go.microsoft.com/fwlink/?LinkId=69157
----------------------------------------
typedurlstime v.20200526
(NTUSER.DAT) Returns contents of user's TypedURLsTime key.

Software\Microsoft\Internet Explorer\TypedURLsTime not found.
----------------------------------------
uninstall v.20200525
(Software, NTUSER.DAT) Gets contents of Uninstall keys from Software, NTUSER.DAT hives

Uninstall
----------------------------------------
UserAssist
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
LastWrite Time 2015-09-21 09:21:16Z

{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
2021-05-18 10:25:07Z
  C:\Users\IEUser\Desktop\RegistryChangesView.exe (1)
2021-01-14 07:46:55Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\rundll32.exe (1)
2021-01-14 07:38:31Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell.exe (7)
2021-01-14 07:36:27Z
  C:\Users\IEUser\Desktop\tools\registrychangesview\RegistryChangesView.exe (1)
2021-01-14 07:33:04Z
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\hh.exe (1)
2021-01-14 07:32:42Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\cmd.exe (12)
2021-01-14 07:32:28Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\taskmgr.exe (1)
2021-01-14 07:28:24Z
  C:\Users\IEUser\Desktop\tools\ProcessMonitor\Procmon.exe (1)
2021-01-14 06:45:05Z
  Microsoft.InternetExplorer.Default (19)
2021-01-14 06:25:57Z
  Microsoft.AutoGenerated.{3FF063FA-5909-6285-41A9-E4C7DF085FC5} (7)
2021-01-14 06:22:51Z
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\explorer.exe (8)
2019-08-29 11:59:29Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WF.msc (1)
2019-08-29 11:36:44Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\msconfig.exe (1)
2019-08-29 11:35:31Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\msiexec.exe (2)
2019-08-29 10:47:38Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\control.exe (1)
2015-09-23 11:13:45Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\wuapp.exe (16)
2015-09-23 11:03:59Z
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe (3)
2015-09-23 11:02:20Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SystemPropertiesComputerName.exe (2)
2015-09-23 10:13:50Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\notepad.exe (12)
2015-09-23 09:48:26Z
  Microsoft.AutoGenerated.{5B29B9AE-8060-1960-9833-2F50C0175C01} (1)
2015-09-23 09:46:31Z
  C:\Users\IEUser\Desktop\compact.bat (2)
2015-09-21 22:30:38Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\CompMgmtLauncher.exe (2)
2015-09-21 09:47:50Z
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell_ise.exe (1)
2015-09-21 09:19:29Z
  Microsoft.Windows.GettingStarted (14)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\displayswitch.exe (13)
  Microsoft.Windows.RemoteDesktop (12)
  Microsoft.Windows.StickyNotes (11)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SnippingTool.exe (10)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\calc.exe (9)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\mspaint.exe (8)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\xpsrchvw.exe (7)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WFS.exe (6)
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\magnify.exe (5)

Value names with no time stamps:
  UEME_CTLCUACount:ctor
  Microsoft.Windows.Shell.RunDialog
  Microsoft.Windows.ControlPanel
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenSSH\bin\ssh-keygen.exe
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenSSH\bin\mv.exe
  {F38BF404-1D43-42F2-9305-67DE0B28FC23}\SoftwareDistribution\Download\Install\EnableTask.exe
  C:\BGinfo\BGINFO.EXE
  D:\VBOXWINDOWSADDITIONS-X86.EXE
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SystemPropertiesAdvanced.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\rstrui.exe
  Microsoft.AutoGenerated.{935761F8-94E4-FFA7-A8C0-F1AB2CDEC750}
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\msdt.exe
  Microsoft.Windows.ControlPanel.Taskbar
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\cleanmgr.exe
  Microsoft.Windows.WindowsInstaller
  {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\JAM Software\TreeSize Free\unins000.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\wscript.exe
  {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\slui.exe

{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
2021-01-14 07:38:31Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Windows PowerShell\Windows PowerShell.lnk (4)
2021-01-14 06:45:05Z
  {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Internet Explorer.lnk (19)
2021-01-14 06:26:04Z
  {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Command Prompt.lnk (5)
2021-01-14 06:25:57Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Windows PowerShell Modules.lnk (7)
2021-01-14 06:22:51Z
  {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Windows Explorer.lnk (8)
2019-08-29 11:59:29Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Windows Firewall with Advanced Security.lnk (1)
2019-08-29 11:36:44Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\System Configuration.lnk (1)
2015-09-23 11:13:45Z
  C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk (16)
2015-09-23 09:48:26Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\TreeSize Free\TreeSize Free.lnk (1)
2015-09-23 09:46:19Z
  C:\Users\IEUser\Desktop\eula.lnk (3)
2015-09-21 09:19:29Z
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Welcome Center.lnk (14)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\displayswitch.lnk (13)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Remote Desktop Connection.lnk (12)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Sticky Notes.lnk (11)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Snipping Tool.lnk (10)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Calculator.lnk (9)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Paint.lnk (8)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\XPS Viewer.lnk (7)
  {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Windows Fax and Scan.lnk (6)
  {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Accessibility\Magnify.lnk (5)

Value names with no time stamps:
  UEME_CTLCUACount:ctor

----------------------------------------
wc_shares v.20200515
- Gets contents of user's WorkgroupCrawler/Shares subkeys

Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares not found.
----------------------------------------
winrar v.20200526
(NTUSER.DAT) Get WinRAR\ArcHistory entries

Software\WinRAR\ArcHistory not found.
----------------------------------------
winscp v.20201227
(NTUSER.DAT) Gets user's WinSCP 2 data

Software\Martin Prikryl\WinSCP 2 not found.
----------------------------------------
winzip v.20200526
(NTUSER.DAT) Get WinZip extract and filemenu values

Software\Nico Mak Computing\WinZip not found.
----------------------------------------
wordwheelquery v.20200823
(NTUSER.DAT) Gets contents of user's WordWheelQuery key

Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery not found.
----------------------------------------
